Re: hashdump problems

[<stevekg () cox net>]

The Metasploit runs on the BackTrack 4 R2 environment.

We did the tests all on our own controlled Windows target systems (one XP, one Win 7 32-bit & one Win 7 64-bit all are 
members of our own test domain).  We use the Domain Admin account to  "compromise" all three Windows systems.  So we 
can't see 1. the UAC is in the way, 2. the AV is in the way, either.  Since all tests produce the same hashes on each 
systems, except that these hashes are all different between all the 3 Windows systems.  Only the Win XP system hash, we 
could use to crack the password.(using the Rainbow table )

I am not sure the AV is the issue since I was able to "run" the "run hashdump" meterpreter script and dump the hash.
So it really boils down to is there any differences between the LM and NTLM hashes stored on the XP different from that 
on the Win 7?
 If so, we are still confused that why the hahses dumped from both the win 7 systems (one 32-bit and 64-bit) are 
different?  

BTW, is there any difference between the XP rainbow table different from the Vista rainbow table?

---- Ty Miller <tyronmiller () gmail com> wrote: 
> Are you running metasploit from Windows or Linux? I have had issues running
> it before from Windows, then switched to Linux and it worked fine.
>
> Make sure that AV isn't running on the victim host. I have been able to
> compromise a host running AV before, but when trying to dump the hashes it
> got in the way. You will have to re-exploit the host after AV has been
> killed. Running killav isn't always good enough since most AVs start back
> up. Looping around to kill the AV processes seemed to work fine and the
> hashes could get dumped with minimal interference. Some weird characters did
> come through.
>
> Try using the Vista rainbow tables rather than the XP ones.
>
> Ty
>
>
> On Sat, Jan 29, 2011 at 4:49 AM, <stevekg () cox net> wrote:
>
> > Thanks for point that out.  I already note that before I did the "run
> > hashdump" script on our  test Win 7 systems one win 7 32-bit and one win 7
> > 64-bit.
> > So here is what I did to ensure UAC is not the issue:
> > I use the domain admin account and passoword in the psexec exploit.  (BTW,
> > both Win 7 systems are part of the test domain)
> > Then I did the new bypassuac exploit.  But, I still got the same hash
> > results.
> >
> > So now I may suspect that the "run hashdump" script might not be working
> > right on Win 7 systems be it 32-bit o r 64-bit.
> >
> >
> > ---- Lukas Kuzmiak <metasploit () backstep net> wrote:
> > > Are you sure it has sufficient privileges for lsass inject?
> > > That may be your problem in the UAC world :)
> > >
> > > Lukas
> > >
> > > Only wimps use tape backup: _real_ men just upload their important stuff
> > on
> > > ftp, and let the rest of the world mirror it ;). Torvalds, Linus
> > > (1996-07-20).
> > >
> > >
> > > On Fri, Jan 28, 2011 at 4:44 AM, <stevekg () cox net> wrote:
> > >
> > > > The same account and password was created on WinXP, Win 7 32-bit and
> > Win 7
> > > > 64-bit systems.  When run hashdump script against these systems, only
> > the
> > > > hash returned from the WinXP are useable and correct.  Both Win 7
> > systems
> > > >  return different hash values and can not be cracked using Rainbow
> > table.
> > > > I did try wce on win 7 32-bit system, and it returns errors saying it
> > can't
> > > > eject the code.
> > > > So wce does not work on Win 7 32-bit system even though the auther
> > claims
> > > > it works on win 7 and win 2008 systems..
> > > >
> > > >
> > > > ---- Terrence <secretpackets () gmail com> wrote:
> > > > > as I was told that the run hashdump script takes the hashes out of
> > the
> > > > > registry where hashdump does the traditional injection method into
> > lsass.
> > > > if
> > > > > the password changes then the registry is not updated and the hash
> > will
> > > > be
> > > > > incorrect. use wce windows credential editor to get the hashes out of
> > 7.
> > > > > --
> > > > > tuna
> > > > > 65617420646120706f6f20706f6f
> > > > >
> > > > >
> > > > > On Thu, Jan 27, 2011 at 20:31, <stevekg () cox net> wrote:
> > > > >
> > > > > > When we execute the Meterpreter script "run hashdump" on a
> > compromised
> > > > > > Windows XP and on  a Windows 7.  The HASH results are different
> > even
> > > > though
> > > > > > the same account (e.g. local Administrator) has the same password.
> >  For
> > > > > > example, the password "pass-w0rd" will have the following values on
> > > > Windows
> > > > > > XP:
> > > > > > a824903ef6ab871802657a8d8ef025e2:fac374e2461f3e432 cd4c560dd183671
> > > > > > which can be easily cracked using the Rainbow table.  However, the
> > hash
> > > > > > value returned from the Windows 7 seem random on different Win 7
> > > > systems,
> > > > > > for example, the following hash value is returned from running the
> > "run
> > > > > > hashdump" script on one of our Win 7 system and can no longer be
> > > > cracked by
> > > > > > the Rainbow table even though it is the same password:
> > > > > > be7248be0caf22327a7798efba346fb7:1a9d81b177c19a206 5eaee8cbe9689ce
> > > > > >
> > > > > > My question is, does Win 7 system encrypt the hash so "run hashdum"
> > can
> > > > not
> > > > > > return the correct value as the one on the Win XP system?
> > > > > > _______________________________________________
> > > > > > https://mail.metasploit.com/mailman/listinfo/framework
> > > >
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework