#5 Bug report: srv_system list password on WinNT

Javier Aroche
Plug-ins (10)

We are conducting a lab this week and one of the tasks
is to lift the SAM file from a DNS server. I have had
some success installing and using BO2k ver 1.1.2.

However, one of the issues that I have noticed is that
the "List Password" command does not return the
correct hashes. (They are not off by one or two
characters but totally different.)

I can get the correct hashes for the Admin and user
accounts when using PWDUMP3, but when I use BO2k,
the hashes are different. Since a LANMAN hash should
be the same regardless of what tool is used to lift it, is
there anything you can tell me as to why the BO2k
versions are incorrect (I have used L0phtCrack 4 to
crack the PWDUMP3 version and know them to be

Also, the hashes returned by BO2k have spaces in some
cases (if that provides any clue)?

It would really help with my research if you could give
me some idea why this is happening.

Thanks for your time....

PS: the boxes we are attacking are Windows NT, and this
problem has occurred in every case, not just once.


Reported by: Capt Craft