Teh Fizzgig!
 
Using pwdump6 With 64-Bit Targets

We now have a mailing list for all of our foofus.net tools! If you'd like to join, please see the mailman page at http://lists.foofus.net/listinfo.cgi/foofus-tools-foofus.net. This is a great way to get help on using the tools, report bugs, make feature requests and find out about new releases first!

As of version 1.7.0, pwdump6 supports getting hashes from 64-bit targets. There really isn't much that is different, other than making sure we don't mix 32- and 64-bit code during the LSASS injection phase.

When you target a 64-bit host, you must pass -x on the command line (this is documented in the usage statement as well as the readme file). This flag indicates that the target is running a 64-bit operating system. Note that IT DOES NOT MATTER which operating system you are running pwdump.exe on; the only thing that matters is your target. IF YOU ARE RUNNING LOCALLY ON A 64-BIT OS, YOU MUST USE -x.

Here's a matrix that may explain it better. "Source" is the machine running pwdump.exe, "Target" is the target of the dump:

Source (runs pwdump.exe)                                              | Target: localhost | Target: 32-bit | Target: 64-bit
----------------------------------------------------------------------+-------------------+----------------+---------------
32-bit (Windows 2000, Windows XP, Windows 2003, Windows Vista)         | No -x             | No -x          | -x
64-bit (Windows XP 64-bit, Windows 2003 64-bit, Windows Vista 64-bit) | -x                | No -x          | -x

Make sense? If you fail to do this, chances are that the machine running pwdump.exe will simply hang, though I haven't seen any ill effects on the targets recently. If you get the -x flag wrong and something hangs, just Control-C out of pwdump, then go to the target and delete the pwdump service (you should be able to identify it by its goofy-looking GUID name, such as "{AAAAAAAA-BBBB...}"). The service name is random, and should stick out to anyone actually looking for it. You can do this remotely (if you are running Windows XP or 2003, or have one of the fancy toolkits installed that provides the "sc" program) by issuing the following commands:

  1. net use \\your-host\ipc$ /u:your-admin-user (press Enter, then type the password when prompted)
  2. sc \\your-host query (locate the service whose name is a series of random letters)
  3. sc \\your-host delete <service name identified in step 2>
  4. net use \\your-host\ipc$ /del
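Step 2 above is the part that takes human judgement: picking the odd service out of a long "sc query" listing. The following script is an added example, not code from the pwdump6 project, that parses the text "sc \\host query" prints and flags any service whose SERVICE_NAME has the GUID-in-braces shape the page describes, then builds the matching "sc \\host delete" line for step 3. It also goes one step beyond the page with a baseline comparison, since a plain random-letter name would slip past the GUID check. The sample listing, the GUID name and the baseline set are all constructed for this example.

```python
"""Flag GUID-named services in `sc \\host query` output (added example).

Parses the listing the Windows `sc` tool prints and reports services whose
SERVICE_NAME looks like "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}", which is
how a pwdump6 service left behind by an aborted run appears. The sample
output and the GUID name below are constructed, not captured from a host.
"""
import re

# GUID shape: 8-4-4-4-12 hex digits, optionally wrapped in braces.
GUID_NAME = re.compile(
    r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$"
)

# Constructed sample in the layout `sc query` uses; the GUID entry is made up.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: wuauserv
DISPLAY_NAME: Windows Update
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: {1D2E3F4A-5B6C-7D8E-9F0A-1B2C3D4E5F6A}
DISPLAY_NAME: {1D2E3F4A-5B6C-7D8E-9F0A-1B2C3D4E5F6A}
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""


def parse_sc_query(text):
    """Return one dict per service: name, display name and symbolic state."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(), "display": "", "state": ""}
            services.append(current)
        elif current is None:
            continue  # header noise before the first record
        elif line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif line.startswith("STATE"):
            # "STATE : 4  RUNNING" -> keep the symbolic name, drop the number
            current["state"] = line.split(":", 1)[1].split()[-1]
    return services


def find_guid_named_services(text):
    """Services whose SERVICE_NAME matches the GUID shape described on the page."""
    return [s for s in parse_sc_query(text) if GUID_NAME.match(s["name"])]


def find_unexpected_services(text, baseline):
    """Names not in a known-good baseline set (catches non-GUID random names too)."""
    return [s["name"] for s in parse_sc_query(text) if s["name"] not in baseline]


def sc_delete_commands(host, text):
    """Build the step-3 `sc \\host delete <name>` line for every GUID-named service."""
    return [f"sc \\\\{host} delete {s['name']}" for s in find_guid_named_services(text)]


if __name__ == "__main__":
    for svc in find_guid_named_services(SAMPLE_SC_QUERY):
        print(f"suspicious service {svc['name']} (state {svc['state']})")
    for cmd in sc_delete_commands("your-host", SAMPLE_SC_QUERY):
        print(cmd)
```

To use it on a live listing, pipe "sc \\your-host query > services.txt" and feed the file contents to find_guid_named_services; the baseline for find_unexpected_services should come from a clean listing of the same host taken earlier, not from a guess.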

The following files are now used by pwdump6 to carry out its tasks. As usual, they should all be stored together in the same location. pwdump.exe will select the proper service and DLL to upload based on the -x flag.

  • pwdump.exe (32-bit exe, works on 32- and 64-bit OSes)
  • servpw.exe (32-bit service, given a random name on the target)
  • servpw64.exe (64-bit service, given a random name on the target)
  • lsremora.dll (32-bit DLL)
  • lsremora64.dll (64-bit DLL)