from the doc : "pwdump3 provides enhanced protection of the password hash information by encrypting the data before it is passed across the network. It uses Diffie-Hellman key agreement to generate a shared key that is not passed across the network, and employs the Windows Crypto API to protect the hashes. The Crypto API, which is available on Windows 2000 or on NT Service Pack 3 and up, must be present on the machine where pwdump3e is running, and on the remote machine. The enhanced protection of the hash information effectively prevents network snoopers from obtaining this data. This version should be preferred whenever it is possible to use it. Developed by Phil Staubs, a Polivec, Inc. senior developer, and Erik Hjelmstad, senior security engineer for Polivec, pwdump3 enhances the existing pwdump and pwdump2 programs developed by Jeremy Allison and Todd Sabin, respectively. The first version, allowed users with administrator privileges to extract password hashes from a remote NT system, but did not work if syskey was enabled. The second version worked whether or not syskey was enabled, but only on the local machine. Pwdump3 works across the network and whether or not syskey is enabled. Like the previous pwdump utilities, pwdump3 does not represent a new exploit since administrative privileges are still required on the remote system. One of the largest improvements with pwdump3 over pwdump2 is that it allows network administrators to retrieve hashes from a remote NT system. Administrators are no longer required to run the program directly on each machine. In addition, pwdump3 prints password hashes in upper case letters to ensure all hashes are interpreted correctly by L0pht Heavy Industries' L0phtcrack. Pwdump3 also correctly identifies accounts without passwords and allows administrators to enter a username if a connection to the remote machine does not exist, minimizing connection steps for the administrator."
Pwdump [McAfee]
-1533267128.exepwdump3.exepwservice.exe
lsaext.dll