Home page logo

metasploit logo Metasploit mailing list archives

Re: Hashdump
From: Matt Gardenghi <mtgarden () gmail com>
Date: Mon, 19 Apr 2010 16:20:52 -0400

Thank you all for your assistance. Let me tell you what I did to get this to work (accidentally).

I had a Domain Admin account, so I logged into the DC. I didn't have any sort of exploit for this box, so I uploaded and ran a meterpreter payload (unchecking the limited privs box under "run as"). Then from my Metasploit, I opened the session (exploit/multi/handler). I used getsystem to elevate my privs, I migrated to explorer.exe and ran "run metsvc -A." I then closed out my session and logged off RDP.

From the new session, I could now run "hashdump" proper and dump all domain credentials. Not sure why that worked, but it did.

Thank you for everything.  Cracking now...


On 4/17/2010 7:50 AM, Giorgio Casali wrote:
Hi Matt,
to get the domain users hashes you can try to upload gsecdump (http://www.truesec.com/PublicStore/catalog/Downloads,223.aspx) to the Domain Controller and execute it with system privileges (-a) or if It doesn't work you might have some antivirus blocking you. In that case you can try to stop the AV service or if you don't have the privileges you might try to use the tools *Instrsrv.exe and **Srvany.exe from *windows resource kit (http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en <http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en>) and install your batch file e.g (sc stop <antivirus service>) as a service.


2010/4/16 Jonathan Cran <jcran () 0x0e org <mailto:jcran () 0x0e org>>

    see HD's blog post from Jan 1
    http://blog.metasploit.com/2010/01/safe-reliable-hash-dumping.html for
    background info. the registry extraction method (linked in the
    blog) is handy.


    On Fri, Apr 16, 2010 at 1:47 PM, Matt Gardenghi
    <mtgarden () gmail com <mailto:mtgarden () gmail com>> wrote:

        Interesting.  That technique obtained the Administrator and
        Guest hashes.  There are other users on the box and not all of
        them are domain accounts.  Still it was better then what I had
        been getting.


        On 4/16/2010 9:39 AM, HD Moore wrote:

            On 4/16/2010 7:57 AM, Matt Gardenghi wrote:

                Why would this be failing?  It seems as if MS has
                changed something to
                fight back.  Also, I've been unable to open a shell on
                the box, once
                I've elevated my privs to system: execute -f cmd.exe
                -c -t .

                Any pointers would be helpful.  Thanks.

            Try "run hashdump" to use the registry method, this only
            supports local
            accounts and not domains right now.


-- Jonathan Cran
    jcran () 0x0e org <mailto:jcran () 0x0e org>



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]