Home page logo
/

metasploit logo Metasploit mailing list archives

Re: Hashdump
From: Matt Gardenghi <mtgarden () gmail com>
Date: Tue, 20 Apr 2010 06:56:44 -0400

Well, not quite. Even after migrating to Explorer as System, it failed. It failed until I use metsvc to reopen the connection as root.

And yes, I do usually use rainbow tables, but not right now as I was rebuilding the cracking box. Besides, john swiped the important creds in 2-3 minutes anyway. :-D

On 4/20/2010 3:34 AM, Giorgio Casali wrote:
Happy to help you, btw the reason it worked is because you were SYSTEM on the DC, by issuing getsystem.

Krgrds,

Giorgio.


2010/4/19 Matt Gardenghi <mtgarden () gmail com <mailto:mtgarden () gmail com>>

    Thank you all for your assistance.  Let me tell you what I did to
    get this to work (accidentally).

    I had a Domain Admin account, so I logged into the DC.  I didn't
    have any sort of exploit for this box, so I uploaded and ran a
    meterpreter payload (unchecking the limited privs box under "run
    as").  Then from my Metasploit, I opened the session
    (exploit/multi/handler).  I used getsystem to elevate my privs, I
    migrated to explorer.exe and ran "run metsvc -A."  I then closed
    out my session and logged off RDP.

    From the new session, I could now run "hashdump" proper and dump
    all domain credentials.  Not sure why that worked, but it did.

    Thank you for everything.  Cracking now...

    Matt


    On 4/17/2010 7:50 AM, Giorgio Casali wrote:
    Hi Matt,
    to get the domain users hashes you can try to upload gsecdump
    (http://www.truesec.com/PublicStore/catalog/Downloads,223.aspx)
    to the Domain Controller and execute it with system privileges
    (-a) or if It doesn't work you might have some antivirus blocking
    you.
    In that case you can try to stop the AV service or if you don't
    have the privileges you might try to use the tools *Instrsrv.exe
    and **Srvany.exe from *windows resource kit
    (http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en
    <http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en>)
    and install your batch file e.g (sc stop <antivirus service>) as
    a service.


    Giorgio




    2010/4/16 Jonathan Cran <jcran () 0x0e org <mailto:jcran () 0x0e org>>

        see HD's blog post from Jan 1
        http://blog.metasploit.com/2010/01/safe-reliable-hash-dumping.html for
        background info. the registry extraction method (linked in
        the blog) is handy.

        jcran


        On Fri, Apr 16, 2010 at 1:47 PM, Matt Gardenghi
        <mtgarden () gmail com <mailto:mtgarden () gmail com>> wrote:

            Interesting.  That technique obtained the Administrator
            and Guest hashes.  There are other users on the box and
            not all of them are domain accounts.  Still it was better
            then what I had been getting.

            Matt


            On 4/16/2010 9:39 AM, HD Moore wrote:

                On 4/16/2010 7:57 AM, Matt Gardenghi wrote:

                    Why would this be failing?  It seems as if MS has
                    changed something to
                    fight back.  Also, I've been unable to open a
                    shell on the box, once
                    I've elevated my privs to system: execute -f
                    cmd.exe -c -t .

                    Any pointers would be helpful.  Thanks.

                Try "run hashdump" to use the registry method, this
                only supports local
                accounts and not domains right now.
                _______________________________________________
                https://mail.metasploit.com/mailman/listinfo/framework


            _______________________________________________
            https://mail.metasploit.com/mailman/listinfo/framework




-- Jonathan Cran
        jcran () 0x0e org <mailto:jcran () 0x0e org>
        515.890.0070

        _______________________________________________
        https://mail.metasploit.com/mailman/listinfo/framework




_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]