Source: http://www.darkoperator.com/
A couple of months ago I was asked by the NWN guys from the pentest team to help them automate dumping windows hashes depending on the role and privilege level, for them I wrote hashdump2 a Meterpreter Script to automate what back then was required. Mubix this week wrote a blog post on his experience and process for when dumping hashes on x64 systems, specially Windows 2008 R2 Domain Controllers. I re-wrote the hashdump2 script and added the logic that Mubix came up with plus added the ability to escalate privileges using the getsystem API call and reworked the logic of the script and ported the result to a post module both called smart_hashdump. The way the module and script works is as follows
- It first checks the Privilege Level and OS.
- It will check if the target is a Domain Controller.
- Based on this information it will prefer the reading of the registry to get the hashes if possible, if not possible it will inject in to the lsass process if possible. For Domain Controllers it will use the injection to lsass.
- If the target is a Windows 2008 server and the process is running with admin privileges it will attempt to get system privilege using getsystem, if it gets SYSTEM privilege do to the way the token privileges are set it can still not inject in to the lsass process so the code will migrate to a process already running as SYSTEM and then inject in to the lsass process.
- If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.
- On Windows 2003/2000/XP it will use getsystem and if successful it will use the read registry method.
Tags: Ethical, Exploitation, Metasploit, smart_hashdump
Read more http://feedproxy.google.com/~r/Toolswatch/~3/PugcqMjG3ag/