Metasploit mailing list archives

Re: hashdump problems

From: Ty Miller <tyronmiller () gmail com>
Date: Mon, 31 Jan 2011 08:47:33 +1100

XP rainbow tables crack the LM hash. In Vista they dumped support for LM
hashes, so you have to crack the NT hash.

Check out:

http://ophcrack.sourceforge.net/tables.php
http://www.irongeek.com/i.php?page=security/vistasamcrack

Thx,
Ty


On Mon, Jan 31, 2011 at 7:27 AM, <stevekg () cox net> wrote:

The Metasploit runs on the BackTrack 4 R2 environment.

We did the tests all on our own controlled Windows target systems (one XP,
one Win 7 32-bit & one Win 7 64-bit all are members of our own test domain).
 We use the Domain Admin account to  "compromise" all three Windows systems.
 So we can't see 1. the UAC is in the way, 2. the AV is in the way, either.
 Since all tests produce the same hashes on each systems, except that these
hashes are all different between all the 3 Windows systems.  Only the Win XP
system hash, we could use to crack the password.(using the Rainbow table )

I am not sure the AV is the issue since I was able to "run" the "run
hashdump" meterpreter script and dump the hash.
So it really boils down to is there any differences between the LM and NTLM
hashes stored on the XP different from that on the Win 7?
 If so, we are still confused that why the hahses dumped from both the win
7 systems (one 32-bit and 64-bit) are different?

BTW, is there any difference between the XP rainbow table different from
the Vista rainbow table?

---- Ty Miller <tyronmiller () gmail com> wrote:

Are you running metasploit from Windows or Linux? I have had issues

running

it before from Windows, then switched to Linux and it worked fine.

Make sure that AV isn't running on the victim host. I have been able to
compromise a host running AV before, but when trying to dump the hashes

it

got in the way. You will have to re-exploit the host after AV has been
killed. Running killav isn't always good enough since most AVs start back
up. Looping around to kill the AV processes seemed to work fine and the
hashes could get dumped with minimal interference. Some weird characters

did

come through.

Try using the Vista rainbow tables rather than the XP ones.

Ty


On Sat, Jan 29, 2011 at 4:49 AM, <stevekg () cox net> wrote:

Thanks for point that out.  I already note that before I did the "run
hashdump" script on our  test Win 7 systems one win 7 32-bit and one

win 7

64-bit.
So here is what I did to ensure UAC is not the issue:
I use the domain admin account and passoword in the psexec exploit.

 (BTW,

both Win 7 systems are part of the test domain)
Then I did the new bypassuac exploit.  But, I still got the same hash
results.

So now I may suspect that the "run hashdump" script might not be

working

right on Win 7 systems be it 32-bit o r 64-bit.


---- Lukas Kuzmiak <metasploit () backstep net> wrote:

Are you sure it has sufficient privileges for lsass inject?
That may be your problem in the UAC world :)

Lukas

Only wimps use tape backup: _real_ men just upload their important

stuff

on

ftp, and let the rest of the world mirror it ;). Torvalds, Linus
(1996-07-20).


On Fri, Jan 28, 2011 at 4:44 AM, <stevekg () cox net> wrote:

The same account and password was created on WinXP, Win 7 32-bit

and

Win 7

64-bit systems.  When run hashdump script against these systems,

only

the

hash returned from the WinXP are useable and correct.  Both Win 7

systems

 return different hash values and can not be cracked using Rainbow

table.


I did try wce on win 7 32-bit system, and it returns errors saying

it

can't

eject the code.
So wce does not work on Win 7 32-bit system even though the auther

claims

it works on win 7 and win 2008 systems..


---- Terrence <secretpackets () gmail com> wrote:

as I was told that the run hashdump script takes the hashes out

of

the

registry where hashdump does the traditional injection method

into

lsass.

if

the password changes then the registry is not updated and the

hash

will

be

incorrect. use wce windows credential editor to get the hashes

out of

7.


--
tuna
65617420646120706f6f20706f6f


On Thu, Jan 27, 2011 at 20:31, <stevekg () cox net> wrote:

When we execute the Meterpreter script "run hashdump" on a

compromised

Windows XP and on  a Windows 7.  The HASH results are different

even

though

the same account (e.g. local Administrator) has the same

password.

For

example, the password "pass-w0rd" will have the following

values on

Windows

XP:
a824903ef6ab871802657a8d8ef025e2:fac374e2461f3e432

cd4c560dd183671

which can be easily cracked using the Rainbow table.  However,

the

hash

value returned from the Windows 7 seem random on different Win

systems,

for example, the following hash value is returned from running

the

"run

hashdump" script on one of our Win 7 system and can no longer

be

cracked by

the Rainbow table even though it is the same password:
be7248be0caf22327a7798efba346fb7:1a9d81b177c19a206

5eaee8cbe9689ce


My question is, does Win 7 system encrypt the hash so "run

hashdum"

can

not

return the correct value as the one on the Win XP system?
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

hashdump problems stevekg (Jan 27)
- Re: hashdump problems Terrence (Jan 27)
  - Re: hashdump problems stevekg (Jan 27)
    - Re: hashdump problems Lukas Kuzmiak (Jan 28)
    - Re: hashdump problems stevekg (Jan 28)
- <Possible follow-ups>
- Re: hashdump problems stevekg (Jan 30)
  - Re: hashdump problems Ty Miller (Jan 30)
  - Re: hashdump problems Carlos Perez (Jan 30)