Metasploit mailing list archives
Re: hashdump problems
From: Ty Miller <tyronmiller () gmail com>
Date: Mon, 31 Jan 2011 08:47:33 +1100
XP rainbow tables crack the LM hash. In Vista they dumped support for LM hashes, so you have to crack the NT hash.

Check out:
http://ophcrack.sourceforge.net/tables.php
http://www.irongeek.com/i.php?page=security/vistasamcrack

Thx,
Ty

On Mon, Jan 31, 2011 at 7:27 AM, <stevekg () cox net> wrote:

The Metasploit runs on the BackTrack 4 R2 environment. We did the tests all on our own controlled Windows target systems (one XP, one Win 7 32-bit & one Win 7 64-bit; all are members of our own test domain). We use the Domain Admin account to "compromise" all three Windows systems. So we can't see 1. the UAC is in the way, 2. the AV is in the way, either. All tests produce the same hashes on each system, except that these hashes are all different between the 3 Windows systems. Only the Win XP system hash could we use to crack the password (using the Rainbow table). I am not sure the AV is the issue since I was able to "run" the "run hashdump" meterpreter script and dump the hash. So what it really boils down to is: is there any difference between the LM and NTLM hashes stored on the XP and those on the Win 7? If so, we are still confused why the hashes dumped from both the Win 7 systems (one 32-bit and one 64-bit) are different? BTW, is there any difference between the XP rainbow table and the Vista rainbow table?

---- Ty Miller <tyronmiller () gmail com> wrote:

Are you running metasploit from Windows or Linux? I have had issues running it before from Windows, then switched to Linux and it worked fine.

Make sure that AV isn't running on the victim host. I have been able to compromise a host running AV before, but when trying to dump the hashes it got in the way. You will have to re-exploit the host after AV has been killed. Running killav isn't always good enough since most AVs start back up. Looping around to kill the AV processes seemed to work fine and the hashes could get dumped with minimal interference. Some weird characters did come through.

Try using the Vista rainbow tables rather than the XP ones.

Ty

On Sat, Jan 29, 2011 at 4:49 AM, <stevekg () cox net> wrote:

Thanks for pointing that out. I already noted that before I did the "run hashdump" script on our test Win 7 systems, one Win 7 32-bit and one Win 7 64-bit.

So here is what I did to ensure UAC is not the issue: I use the domain admin account and password in the psexec exploit (BTW, both Win 7 systems are part of the test domain). Then I did the new bypassuac exploit. But I still got the same hash results. So now I may suspect that the "run hashdump" script might not be working right on Win 7 systems, be it 32-bit or 64-bit.

---- Lukas Kuzmiak <metasploit () backstep net> wrote:

Are you sure it has sufficient privileges for lsass inject? That may be your problem in the UAC world :)

Lukas

Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it ;). Torvalds, Linus (1996-07-20).

On Fri, Jan 28, 2011 at 4:44 AM, <stevekg () cox net> wrote:

The same account and password was created on WinXP, Win 7 32-bit and Win 7 64-bit systems. When running the hashdump script against these systems, only the hash returned from the WinXP is usable and correct. Both Win 7 systems return different hash values and can not be cracked using Rainbow table. I did try wce on win 7 32-bit system, and it returns errors saying it can't eject the code. So wce does not work on Win 7 32-bit system even though the author claims it works on win 7 and win 2008 systems.

---- Terrence <secretpackets () gmail com> wrote:

As I was told, the run hashdump script takes the hashes out of the registry where hashdump does the traditional injection method into lsass. If the password changes then the registry is not updated and the hash will be incorrect. Use wce (windows credential editor) to get the hashes out of 7.

--
tuna
65617420646120706f6f20706f6f

On Thu, Jan 27, 2011 at 20:31, <stevekg () cox net> wrote:

When we execute the Meterpreter script "run hashdump" on a compromised Windows XP and on a Windows 7, the HASH results are different even though the same account (e.g. local Administrator) has the same password. For example, the password "pass-w0rd" will have the following values on Windows XP: a824903ef6ab871802657a8d8ef025e2:fac374e2461f3e432cd4c560dd183671, which can be easily cracked using the Rainbow table. However, the hash value returned from the Windows 7 seems random on different Win 7 systems; for example, the following hash value is returned from running the "run hashdump" script on one of our Win 7 systems and can no longer be cracked by the Rainbow table even though it is the same password: be7248be0caf22327a7798efba346fb7:1a9d81b177c19a2065eaee8cbe9689ce. My question is, does Win 7 system encrypt the hash so "run hashdump" cannot return the correct value as the one on the Win XP system?

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- hashdump problems stevekg (Jan 27)
- Re: hashdump problems Terrence (Jan 27)
- Re: hashdump problems stevekg (Jan 27)
- Re: hashdump problems Lukas Kuzmiak (Jan 28)
- Re: hashdump problems stevekg (Jan 28)
- Re: hashdump problems stevekg (Jan 27)
- Re: hashdump problems Terrence (Jan 27)
- <Possible follow-ups>
- Re: hashdump problems stevekg (Jan 30)
- Re: hashdump problems Ty Miller (Jan 30)
- Re: hashdump problems Carlos Perez (Jan 30)