.

help with hashdump

<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Sun Jun 19, 2011 8:50 pm

help with hashdump

I've been preparing a simple demonstration and wanted to show pass the hash.  After getting a meterpreter session, I run hashdump to get the hashes, but it only seems to display the local SAM database.  Is there a way to get the SAM hash for domain users as well?  I am exploiting a Windows XP box that is on an Active Directory domain with a domain user currently logged in.

Thanks!
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Mon Jun 20, 2011 2:11 am

Re: help with hashdump

I believe you'd need to exploit a domain controller for that.
GSEC, eCPPT, Sec+
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Mon Jun 20, 2011 3:24 am

Re: help with hashdump

true, the credentials are stored on the domain controller. Hack that and you will be king of the network!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

Data_Raid

User avatar

Full Member
Full Member

Posts: 165

Joined: Fri Nov 09, 2007 5:55 am

Post Mon Jun 20, 2011 3:35 am

Re: help with hashdump

This should be of interest if the DC is Win2k8: http://www.room362.com/blog/2011/5/15/d ... ploit.html
and check out smart_hashdump: http://www.darkoperator.com/blog/2011/5 ... hdump.html
All men by nature desire knowledge.

Aristotle
<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Jun 20, 2011 8:55 am

Re: help with hashdump

Thanks everyone.  I did come across those links but they don't really help in my case since this is just a standard XP box.  Good to know that what I came across - need domain controller to get these - is what you came up with as well. 

However, I thought I was able to do this using the pass the hash toolkit from CORE, but it doesn't look like that is part of meterpreter (can anyone confirm?).

I think even if I don't get this fully functional I can still show the local hashes and get my point across (i.e. HEREZ THE ADMINISTRATOR GUYZZ!!!), so no worries.  :)  I was mainly asking for my own learning purposes.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Jun 20, 2011 9:07 am

Re: help with hashdump

There is a module in metasploit to do it, but it's separate from meterpretery. Mubix displayed it here http://www.room362.com/blog/2009/8/26/p ... -demo.html
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Jun 20, 2011 9:08 am

Re: help with hashdump

There is a module in metasploit to do it, but it's separate from meterpreter. Mubix displayed it here http://www.room362.com/blog/2009/8/26/p ... -demo.html
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Mon Jun 20, 2011 9:12 am

Re: help with hashdump

cd1zz beat me to it hehe.  Here's a section in Metasploit Unleashed that explains "pass the hash" as well:

http://www.offensive-security.com/metas ... s_The_Hash
GSEC, eCPPT, Sec+
<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Jun 20, 2011 9:21 am

Re: help with hashdump

Thanks, I did come across the Metasploit Unleased link, which I was successful doing, and the video is helpful as well.

This still relies on having a local account (the video uses "andrew") that has the same username and password as a domain user.  I want to assume there are no local accounts on the XP box.

One would think that somewhere the domain credentials have to be cached for offline login...
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Jun 20, 2011 9:27 am

Re: help with hashdump

<<

yatz

Full Member
Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Jun 20, 2011 10:39 am

Re: help with hashdump

Cachedump, yep that worked.  I came across references to this script but didn't investigate.  Thanks!!!
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

hernano

Newbie
Newbie

Posts: 3

Joined: Tue Jun 21, 2011 8:40 am

Post Tue Jun 21, 2011 8:59 am

Re: help with hashdump

Hi!,

I'm the author of the defunct pass-the-hash toolkit, and also of the  Windows Credentials Editor (WCE).

I wrote the pass-the-hash toolkit and I can tell you it does not longer work. It only works on xp/2003, without current patches, and it does not work on windows 7/2008, etc etc.  So you should not expect it to work anymore.

I did write a new tool called Windows Credentials Editor, it's a much improved version of the pass-the-hash toolkit and it supports windows 7/2008. It also supports Pass-the-ticket for Kerberos which is something new I implemented..

You can download it here:
http://www.ampliasecurity.com/research/wce_v1_2.tgz

A presentation about how it works, features, etc:
http://www.ampliasecurity.com/research/ ... curity.pdf

Also, I'd like to point out a few things:

1-With WCE you don't need to own a Domain Controller to obtain the hashes. That's one of the good things about these tools I wrote. You can compromise a regular machine, like a backup server, and if at some point a domain administrator (or any other domain user) remotely accessed that machine using RDP for example, those hashes can remain in memory (even after the session is terminated, because of a bug in windows), and WCE will steal those hashes from memory. WCE (and previously pth toolkit) does not touch the SAM database, it steals everything from memory.

hashes are stored in memory not just by RDP sessions, but also by the runas command, services that login using an specific windows account, etc etc

2-cachedump is not the same as WCE. With cachedump you are obtaining hashes
cached. This functionality can be disabled. WCE 'steals' hashes from memory.. you can have the cache disabled, and WCE will still give you hashes..
The tools are stealing credentials from different places..

3-WCE provides 'native' pass-the-hash. You are not dependant on a third-party SMB implementation, like a modified smbclient or a SMB stack written in ruby or python which have limited functionality (can be enough for some things, but it is limited), which WCE, besides 'stealing' hashes, you can also use those hashes and do pass-the-hash directly from windows, and access remote shares using thoses hashes, etc etc

4-with WCE you can also steal kerberos tickets and reuse them on another windows box or a unix box.. but that's another story..

I hope it helps.

Thank you!
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jun 21, 2011 9:04 am

Re: help with hashdump

Kick ass. Thank you.
<<

Ignatius

Jr. Member
Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Tue Jun 21, 2011 12:57 pm

Re: help with hashdump

That's interesting, hernano.  Thank you for the update about the successor of your well-known Pass-the-Hash toolkit.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software