
HackTool:Win32/PTHToolkit


First posted on 04 November 2010.
Source: SecurityHome

Aliases :

There are no other names known for HackTool:Win32/PTHToolkit.

Explanation :

HackTool:Win32/PTHToolkit is a tool used within a command-line interface to alter information about the current user's logged on session while communicating over a Windows network. The tool is also known as the "Pass-The-Hash" Toolkit.

HackTool:Win32/PTHToolkit is a tool used within a command-line interface to alter information about the current user's logged on session while communicating over a Windows network. When run, the tool allows a user to change values such as the user name, domain or workgroup name, and the NTLM (NT LanMan) hashes used to authenticate with remote services using Windows authentication over the network.

HackTool:Win32/PTHToolkit may be present as the following files:

  • <toolkit>\iam\iam.exe
  • <toolkit>\iam\iamdll.dll
  • <toolkit>\whosthere\whosthere.exe
  • <toolkit>\genhash\genhash.exe

The components are used for the following purposes:

  • "iam.exe" is used to assume the properties and credentials of another user logged on to the same machine
  • "whosthere.exe" is used to identify currently logged on users and to dump the associated password hashes
  • "genhash.exe" is used to generate hashes if a user name is known

Additional Information :

The tool is also known as the "Pass-The-Hash" Toolkit.

    Analysis by Vincent Tiu

    Last update 04 November 2010

     
