Ethical Hacking and Penetration Testing Guide


Where Are LM/NTLM Hashes Located?
The LM/NTLM hashes are stored inside the SAM file, which is located in the C:\Windows\System32\config directory. While the system is running it is not possible for us to copy or open the SAM file, because Windows keeps the hive open with an exclusive lock. However, there are various techniques and tools that can be used to dump the hashes from the SAM file.
Dumping the Hashes
Now that we understand Windows hashes, the protocol weaknesses, and where the hashes are actually stored, the next step is to dump them so that we can crack them offline. The great thing about offline cracking is that it is stealthy: the cracking itself never touches the target, so it leaves no logon attempts or network traffic for its defenders to notice. There are various ways to dump password hashes, and which one you use depends on the situation you are in. Let's take a look at some of the scenarios.
Scenario 1—Remote Access
So we have managed to exploit a target and have remote access to it. We can either use the Meterpreter script “hashdump” to dump the hashes from the SAM file, or use programs such as PWDUMP and Fgdump to dump the hashes, copy the file to our own system, and attempt to crack the hashes there. Personally, I would prefer the first method as it's easier.
Hashdump is a script available inside Metasploit that dumps the hashes from the SAM file. On a Windows XP machine you need at least administrator privileges to dump the hashes; on Windows 7 you need the highest privileges (SYSTEM). In the output of hashdump, each line holds the LM hash, followed by the “:” sign, and then the NTLM hash. The LM hash is present because LM hashing is not disabled in Windows by default.
Scenario 2—Local Access
In this scenario, we assume that we do not have remote access to the target machine; however, we do have physical access to it. In this case we can use pwdump or fgdump to obtain the hashes. pwdump has the capability to bypass the restrictions and obtain the hashes from the SAM file. Fgdump is the updated version of pwdump; it was written because many antivirus programs were able to detect pwdump, so fgdump can bypass some of those restrictions. Windows 7 has an updated version of pwdump named pwdump7.
Note: You need to have at least administrator privileges to run pwdump or fgdump.
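Both hashdump and pwdump/fgdump emit one line per account in the form user:RID:LM-hash:NTLM-hash:::. The following Python is added here as an example, not code from the book or from those tools: it parses such a listing the way an auditor reviewing the output of an authorized assessment would, and flags accounts that still store a real LM hash (the fixed value aad3b435b51404eeaad3b435b51404ee means no LM hash is stored) or whose NT hash is that of the empty password. The sample dump and its non-constant hash values are constructed placeholders.

```python
"""Audit a pwdump/hashdump-format listing for weak hash storage.

Each line is: username:RID:LM_hash:NTLM_hash:::  (hashes are 32 hex chars).
The sample dump below is constructed for this example; its non-constant
hash values are placeholders, not hashes of real passwords.
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"    # LM hash of the empty string
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
this line is malformed and must be skipped
"""

def parse_dump(text):
    """Return (user, rid, lm, ntlm) tuples; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, ntlm = m.groups()
            records.append((user, int(rid), lm.lower(), ntlm.lower()))
    return records

def audit(text):
    """Map each user to its findings; users with no findings are omitted.
    'lm_present': a real LM hash is stored, so the LM weaknesses apply.
    'empty_password': the NT hash is the hash of the empty string."""
    findings = {}
    for user, _rid, lm, ntlm in parse_dump(text):
        issues = []
        if lm != EMPTY_LM:
            issues.append("lm_present")
        if ntlm == EMPTY_NTLM:
            issues.append("empty_password")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_DUMP).items():
        print(f"{user}: {', '.join(issues)}")
```

An account flagged lm_present shows that LM hash storage is still enabled on that host; enabling the NoLMHash policy (or using passwords longer than 14 characters) stops the LM hash from being stored at the next password change.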