Metasploit mailing list archives
Re: hashdump problems
From: <stevekg () cox net>
Date: Sun, 30 Jan 2011 12:27:47 -0800
The Metasploit runs on the BackTrack 4 R2 environment. We did the tests all on our own controlled Windows target systems (one XP, one Win 7 32-bit & one Win 7 64-bit all are members of our own test domain). We use the Domain Admin account to "compromise" all three Windows systems. So we can't see 1. the UAC is in the way, 2. the AV is in the way, either. Since all tests produce the same hashes on each systems, except that these hashes are all different between all the 3 Windows systems. Only the Win XP system hash, we could use to crack the password.(using the Rainbow table ) I am not sure the AV is the issue since I was able to "run" the "run hashdump" meterpreter script and dump the hash. So it really boils down to is there any differences between the LM and NTLM hashes stored on the XP different from that on the Win 7? If so, we are still confused that why the hahses dumped from both the win 7 systems (one 32-bit and 64-bit) are different? BTW, is there any difference between the XP rainbow table different from the Vista rainbow table? ---- Ty Miller <tyronmiller () gmail com> wrote:
Are you running metasploit from Windows or Linux? I have had issues running it before from Windows, then switched to Linux and it worked fine. Make sure that AV isn't running on the victim host. I have been able to compromise a host running AV before, but when trying to dump the hashes it got in the way. You will have to re-exploit the host after AV has been killed. Running killav isn't always good enough since most AVs start back up. Looping around to kill the AV processes seemed to work fine and the hashes could get dumped with minimal interference. Some weird characters did come through. Try using the Vista rainbow tables rather than the XP ones. Ty On Sat, Jan 29, 2011 at 4:49 AM, <stevekg () cox net> wrote:Thanks for point that out. I already note that before I did the "run hashdump" script on our test Win 7 systems one win 7 32-bit and one win 7 64-bit. So here is what I did to ensure UAC is not the issue: I use the domain admin account and passoword in the psexec exploit. (BTW, both Win 7 systems are part of the test domain) Then I did the new bypassuac exploit. But, I still got the same hash results. So now I may suspect that the "run hashdump" script might not be working right on Win 7 systems be it 32-bit o r 64-bit. ---- Lukas Kuzmiak <metasploit () backstep net> wrote:Are you sure it has sufficient privileges for lsass inject? That may be your problem in the UAC world :) Lukas Only wimps use tape backup: _real_ men just upload their important stuffonftp, and let the rest of the world mirror it ;). Torvalds, Linus (1996-07-20). On Fri, Jan 28, 2011 at 4:44 AM, <stevekg () cox net> wrote:The same account and password was created on WinXP, Win 7 32-bit andWin 764-bit systems. When run hashdump script against these systems, onlythehash returned from the WinXP are useable and correct. Both Win 7systemsreturn different hash values and can not be cracked using Rainbowtable.I did try wce on win 7 32-bit system, and it returns errors saying itcan'teject the code. So wce does not work on Win 7 32-bit system even though the autherclaimsit works on win 7 and win 2008 systems.. ---- Terrence <secretpackets () gmail com> wrote:as I was told that the run hashdump script takes the hashes out oftheregistry where hashdump does the traditional injection method intolsass.ifthe password changes then the registry is not updated and the hashwillbeincorrect. use wce windows credential editor to get the hashes out of7.-- tuna 65617420646120706f6f20706f6f On Thu, Jan 27, 2011 at 20:31, <stevekg () cox net> wrote:When we execute the Meterpreter script "run hashdump" on acompromisedWindows XP and on a Windows 7. The HASH results are differenteventhoughthe same account (e.g. local Administrator) has the same password.Forexample, the password "pass-w0rd" will have the following values onWindowsXP: a824903ef6ab871802657a8d8ef025e2:fac374e2461f3e432 cd4c560dd183671 which can be easily cracked using the Rainbow table. However, thehashvalue returned from the Windows 7 seem random on different Win 7systems,for example, the following hash value is returned from running the"runhashdump" script on one of our Win 7 system and can no longer becracked bythe Rainbow table even though it is the same password: be7248be0caf22327a7798efba346fb7:1a9d81b177c19a206 5eaee8cbe9689ce My question is, does Win 7 system encrypt the hash so "run hashdum"cannotreturn the correct value as the one on the Win XP system? _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- hashdump problems stevekg (Jan 27)
- Re: hashdump problems Terrence (Jan 27)
- Re: hashdump problems stevekg (Jan 27)
- Re: hashdump problems Lukas Kuzmiak (Jan 28)
- Re: hashdump problems stevekg (Jan 28)
- Re: hashdump problems stevekg (Jan 27)
- Re: hashdump problems Terrence (Jan 27)
- <Possible follow-ups>
- Re: hashdump problems stevekg (Jan 30)
- Re: hashdump problems Ty Miller (Jan 30)
- Re: hashdump problems Carlos Perez (Jan 30)