Metasploit mailing list archives

Re: hashdump problems


From: <stevekg () cox net>
Date: Thu, 27 Jan 2011 19:44:41 -0800

The same account and password were created on WinXP, Win 7 32-bit and Win 7 64-bit systems.  When I run the hashdump script 
against these systems, only the hashes returned from WinXP are usable and correct.  Both Win 7 systems return 
different hash values that cannot be cracked using a Rainbow table.

I did try wce on a Win 7 32-bit system, and it returns errors saying it can't eject the code.
So wce does not work on a Win 7 32-bit system even though the author claims it works on Win 7 and Win 2008 systems.


---- Terrence <secretpackets () gmail com> wrote: 
As I was told, the run hashdump script takes the hashes out of the
registry, where hashdump does the traditional injection method into lsass. If
the password changes then the registry is not updated and the hash will be
incorrect. Use wce (Windows Credential Editor) to get the hashes out of 7.

--
tuna
65617420646120706f6f20706f6f


On Thu, Jan 27, 2011 at 20:31, <stevekg () cox net> wrote:

When we execute the Meterpreter script "run hashdump" on a compromised
Windows XP and on a Windows 7, the HASH results are different even though
the same account (e.g. local Administrator) has the same password.  For
example, the password "pass-w0rd" will have the following values on Windows
XP:
a824903ef6ab871802657a8d8ef025e2:fac374e2461f3e432cd4c560dd183671
which can be easily cracked using the Rainbow table.  However, the hash
value returned from Windows 7 seems random on different Win 7 systems.
For example, the following hash value is returned from running the "run
hashdump" script on one of our Win 7 systems and can no longer be cracked by
the Rainbow table even though it is the same password:
be7248be0caf22327a7798efba346fb7:1a9d81b177c19a2065eaee8cbe9689ce

My question is, does a Win 7 system encrypt the hash so "run hashdump" cannot
return the correct value as the one on the Win XP system?
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

