Meterpreter
83
a 7-character password instead of a 14-character one. In NTLM, regardless of the password size, password123456 would be stored as a single hash value computed over the whole string password123456.
NOTE We're using a super complex password here that we would not be able to crack in a reasonable amount of time. Our password is longer than the 14-character maximum that LM supports, so it has automatically been stored as an NTLM-based hash value only. Even with rainbow tables or a super powerful cracking machine, it would take a significant amount of time to crack these passwords.
In the following code, we extract a username and password hash for the Administrator user account with UID 500 (the Windows Administrator system default). The strings that follow Administrator:500 are two hashes of the Administrator password. This shows an example of a simple extract of a username and its password hashes. Shortly, we will extract our own username and password hashes from our Windows XP system.
Administrator:500:e52cac67419a9a22cbb699e2fdfcc59e:30ef086423f916deec378aac42c4ef0c:::
The first hash is an LM hash, and the second is an NTLM hash.
Dumping the Password Hash
On your target machine, change your password to something complex, such as thisisacrazylongpassword&&!!@@##, and use Meterpreter to dump the username and password hashes (shown in the preceding code listing) from the target again. We will leverage the use priv command, which means we are running as a privileged user account.
To dump the Security Account Manager (SAM) database, we need to be running as SYSTEM to get around the registry restrictions and dump the protected SAM storage that contains our Windows usernames and passwords, as shown next. Try performing this scenario on a test virtual machine to see if you can dump the username and password hashes. In this listing, we execute the hashdump command, which dumps all the usernames and password hashes from the system.
meterpreter > use priv
Loading extension priv...success.
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b75989f65d1e04af7625ed712ac36c29:::
A hash value that starts with aad3b435 is simply an empty or null hash value—a placeholder for an empty string. (Something like Administrator:500:NOPASSWD:ntlmhash is also null.) Because our password