Home page logo

metasploit logo Metasploit mailing list archives

Re: Hashdump
From: Giorgio Casali <giorgio.casali () gmail com>
Date: Sat, 17 Apr 2010 13:50:15 +0200

Hi Matt,
to get the domain users hashes you can try to upload gsecdump (
http://www.truesec.com/PublicStore/catalog/Downloads,223.aspx) to the Domain
Controller and execute it with system privileges (-a) or if It doesn't work
you might have some antivirus blocking you.
In that case you can try to stop the AV service or if you don't have the
privileges you might try to use the tools *Instrsrv.exe and **Srvany.exe
from *windows resource kit (
and install your batch file e.g (sc stop <antivirus service>) as a service.


2010/4/16 Jonathan Cran <jcran () 0x0e org>

see HD's blog post from Jan 1
http://blog.metasploit.com/2010/01/safe-reliable-hash-dumping.html for
background info. the registry extraction method (linked in the blog) is


On Fri, Apr 16, 2010 at 1:47 PM, Matt Gardenghi <mtgarden () gmail com>wrote:

Interesting.  That technique obtained the Administrator and Guest hashes.
 There are other users on the box and not all of them are domain accounts.
 Still it was better then what I had been getting.


On 4/16/2010 9:39 AM, HD Moore wrote:

On 4/16/2010 7:57 AM, Matt Gardenghi wrote:

Why would this be failing?  It seems as if MS has changed something to
fight back.  Also, I've been unable to open a shell on the box, once
I've elevated my privs to system: execute -f cmd.exe -c -t .

Any pointers would be helpful.  Thanks.

Try "run hashdump" to use the registry method, this only supports local
accounts and not domains right now.


Jonathan Cran
jcran () 0x0e org



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]