PWDump6 (http://www.foofus.net/fizzgig/pwdump)
Based on the wildly popular pwdump3e, it's been updated and modernized a
bit to suit our needs, and has been useful to other folks in the security
assessment community as well. It runs in much the same way as 3e, but has
the following changes:
・Locates any available, writable share, not just ADMIN$
・Replaces the remote registry method of remote communication with a named
pipe method
・Eliminates dependency on the CryptoAPI, which appeared to cause certain
problems for us in rare circumstances
・Marks itself as executable when writing to the LSASS process, thereby
avoiding some NX problems
If you've had trouble with pwdump crashing some boxen, give pwdump6 a try.

fgdump (http://www.foofus.net/fizzgig/fgdump)
fgdump really started as a simple wrapper around pwdump. Certain AV
programs reacted poorly to pwdump; in the worst cases an AV solution
consumed 100% of the CPU, typically requiring a reboot. So initially, fgdump
simply shut down AV before running pwdump, but now it does much more. Major
features include:
・Support for multiple hosts using text files
・Automatic binding/unbinding to IPC$
・Detection, automatic shutdown and restart of a number of common AV
solutions
・Password dumping using pwdump6
・Cached credential dumping using cachedump
・Ability to write results to a log, including summaries
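
Seen from the defender's side, the behaviours listed above leave a recognisable sequence on the target host. The following is an added example, not part of the original page or of fgdump: it correlates an IPC$ bind (event 5140), a share write from the same source (5145) and an AV service stop followed by a restart (7036) inside one time window. The record field names, the service name ExampleAVService and the 10-minute window are assumptions, and the records are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # assumed correlation window
AV_SERVICES = {"ExampleAVService"}    # hypothetical; list your own AV service names

# Constructed, normalized Windows event records (not real logs); field names are assumptions.
EVENTS = [
    {"t": "2024-01-01T10:00:00", "host": "WS01", "id": 5140, "src": "10.0.0.5", "share": r"\\*\IPC$"},
    {"t": "2024-01-01T10:00:05", "host": "WS01", "id": 7036, "service": "ExampleAVService", "state": "stopped"},
    {"t": "2024-01-01T10:00:09", "host": "WS01", "id": 5145, "src": "10.0.0.5", "share": r"\\*\C$",
     "access": "WriteData (or AddFile)"},
    {"t": "2024-01-01T10:01:30", "host": "WS01", "id": 7036, "service": "ExampleAVService", "state": "running"},
    # WS02: AV restart plus an IPC$ bind but no share write, e.g. a routine update
    {"t": "2024-01-01T11:00:00", "host": "WS02", "id": 5140, "src": "10.0.0.9", "share": r"\\*\IPC$"},
    {"t": "2024-01-01T11:00:10", "host": "WS02", "id": 7036, "service": "ExampleAVService", "state": "stopped"},
    {"t": "2024-01-01T11:00:40", "host": "WS02", "id": 7036, "service": "ExampleAVService", "state": "running"},
]

def classify(e):
    """Map one record to the behaviour it evidences, or None."""
    if e["id"] == 5140 and e.get("share", "").upper().endswith("IPC$"):
        return "ipc_bind"
    if e["id"] == 5145 and "WriteData" in e.get("access", ""):
        return "share_write"
    if e["id"] == 7036 and e.get("service") in AV_SERVICES:
        return {"stopped": "av_stop", "running": "av_start"}.get(e.get("state"))
    return None

def find_sequences(events, window=WINDOW):
    """Hosts where one source binds IPC$ and writes to a share while AV stops, then restarts."""
    by_host = {}
    for e in sorted(events, key=lambda r: r["t"]):   # ISO timestamps sort lexically
        kind = classify(e)
        if kind:
            by_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["t"]), kind, e))
    alerts = []
    for host, items in by_host.items():
        for i, (start, kind, bind) in enumerate(items):
            if kind != "ipc_bind":
                continue
            # Keep AV state changes, plus share activity from the binding source only
            seen = [k for t, k, r in items[i:] if t - start <= window
                    and (k.startswith("av_") or r.get("src") == bind["src"])]
            if ("share_write" in seen and "av_stop" in seen
                    and "av_start" in seen[seen.index("av_stop"):]):
                alerts.append({"host": host, "src": bind["src"], "start": bind["t"]})
                break
    return alerts
```

Events 5140 and 5145 are only logged when the File Share and Detailed File Share audit subcategories are enabled on the host.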