Metasploit mailing list archives
Re: hashdump problems
From: Lukas Kuzmiak <metasploit () backstep net>
Date: Fri, 28 Jan 2011 16:48:55 +0100
Are you sure it has sufficient privileges for lsass inject? That may be your problem in the UAC world :) Lukas Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it ;). Torvalds, Linus (1996-07-20). On Fri, Jan 28, 2011 at 4:44 AM, <stevekg () cox net> wrote:
The same account and password was created on WinXP, Win 7 32-bit and Win 7 64-bit systems. When run hashdump script against these systems, only the hash returned from the WinXP are useable and correct. Both Win 7 systems return different hash values and can not be cracked using Rainbow table. I did try wce on win 7 32-bit system, and it returns errors saying it can't eject the code. So wce does not work on Win 7 32-bit system even though the auther claims it works on win 7 and win 2008 systems.. ---- Terrence <secretpackets () gmail com> wrote:as I was told that the run hashdump script takes the hashes out of the registry where hashdump does the traditional injection method into lsass.ifthe password changes then the registry is not updated and the hash willbeincorrect. use wce windows credential editor to get the hashes out of 7. -- tuna 65617420646120706f6f20706f6f On Thu, Jan 27, 2011 at 20:31, <stevekg () cox net> wrote:When we execute the Meterpreter script "run hashdump" on a compromised Windows XP and on a Windows 7. The HASH results are different eventhoughthe same account (e.g. local Administrator) has the same password. For example, the password "pass-w0rd" will have the following values onWindowsXP: a824903ef6ab871802657a8d8ef025e2:fac374e2461f3e432 cd4c560dd183671 which can be easily cracked using the Rainbow table. However, the hash value returned from the Windows 7 seem random on different Win 7systems,for example, the following hash value is returned from running the "run hashdump" script on one of our Win 7 system and can no longer becracked bythe Rainbow table even though it is the same password: be7248be0caf22327a7798efba346fb7:1a9d81b177c19a206 5eaee8cbe9689ce My question is, does Win 7 system encrypt the hash so "run hashdum" cannotreturn the correct value as the one on the Win XP system? _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- hashdump problems stevekg (Jan 27)
- Re: hashdump problems Terrence (Jan 27)
- Re: hashdump problems stevekg (Jan 27)
- Re: hashdump problems Lukas Kuzmiak (Jan 28)
- Re: hashdump problems stevekg (Jan 28)
- Re: hashdump problems stevekg (Jan 27)
- Re: hashdump problems Terrence (Jan 27)
- <Possible follow-ups>
- Re: hashdump problems stevekg (Jan 30)
- Re: hashdump problems Ty Miller (Jan 30)
- Re: hashdump problems Carlos Perez (Jan 30)