
Thread: How to use hashdump in Vista?

  1. #1 kazalku

    How to use hashdump in Vista?

    Hi, I'm on BT3, using msf v3.3-dev. Victim is using M$ Vista (it's crap, I know). I was fine until I got the meterpreter session using reverse TCP. Now, after "use priv", I'd like to dump the SAM, so I used hashdump, which shows an error:
        meterpreter > hashdump
        [-] priv_passwd_get_sam_hashes: Operation failed: 87
    I tried this on an XP box and it works perfectly. Do we have any other command in meterpreter to dump the remote hashes for Vista? Cheers.
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  2. #2 kazalku

    OK, let me rephrase the question. What's the best approach for privilege escalation in Vista after getting a meterpreter session?

  3. #3 cr1spyj0nes

    Quote Originally Posted by kazalku:
        OK, let me rephrase the question. What's the best approach for privilege escalation in Vista after getting a meterpreter session?
    That's a good question mate. I even tried to dump the hashes with other programs and had little to no luck. Just thinking about it now, maybe UAC is locking the hash files? Let me know how you go.
    I would rather be hated for what I am,
    Than loved for what I am not.

  4. #4

    Are you running that as SYSTEM and it's failing? As admin and it's failing, or as a user and it's failing?

  5. #5 kazalku

    Tried both, even tried without UAC... no luck.

  6. #6

    Vista has protections, as does Windows 2008: you have to be SYSTEM to be able to dump the hashes. You can do this either by using an exploit that gives you SYSTEM, or by using schtasks to schedule a meterpreter payload to be run as SYSTEM if you are administrator on the box. If UAC is enabled you will not be able to schedule it from a shell. In the video where I cover my winenum script, you can see me use the scheduleme script at the end to achieve this.
    Windows Enumeration Script for Meterpreter on Vimeo
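From the defender's side, the pattern in post #6 (a scheduled task created by an administrator account but set to run as SYSTEM) is exactly what a log review should pick up. The following Python example is added here and is not from the thread or from Metasploit: it scans constructed records modelled on Windows Security event 4698 ("A scheduled task was created") and flags tasks whose creator is not SYSTEM but whose principal is; the dict field names and the sample data are assumptions.

```python
"""Added example (not from the thread): flag scheduled tasks that a non-SYSTEM
account created to run as SYSTEM. Records are constructed and simplified from
Security event 4698; the field names are assumptions for this example."""
import xml.etree.ElementTree as ET

SYSTEM_NAMES = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 4698, "subject": "VISTA-PC\\alice", "task": "\\Backup",
     "task_xml": "<Task><Principals><Principal><UserId>VISTA-PC\\alice</UserId>"
                 "</Principal></Principals></Task>"},
    {"event_id": 4698, "subject": "VISTA-PC\\alice", "task": "\\At1",
     "task_xml": "<Task><Principals><Principal><UserId>S-1-5-18</UserId>"
                 "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
                 "<Actions><Exec><Command>C:\\Users\\alice\\AppData\\Local\\Temp\\met.exe"
                 "</Command></Exec></Actions></Task>"},
    {"event_id": 4698, "subject": "NT AUTHORITY\\SYSTEM", "task": "\\ScheduledDefrag",
     "task_xml": "<Task><Principals><Principal><UserId>S-1-5-18</UserId>"
                 "</Principal></Principals></Task>"},
    {"event_id": 4624, "subject": "VISTA-PC\\alice", "task": "", "task_xml": ""},
]


def _first_text(root, local_name):
    """Text of the first element with this local tag name. Real task XML
    carries a namespace, so compare on the local name only."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return ""


def find_user_created_system_tasks(events):
    """Return 4698 events whose creator is not SYSTEM but whose task
    principal is SYSTEM; each hit carries subject, task name and command."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4698 or not ev.get("task_xml"):
            continue
        if ev["subject"].upper() in SYSTEM_NAMES:
            continue  # SYSTEM scheduling a SYSTEM task is routine maintenance
        root = ET.fromstring(ev["task_xml"])
        if _first_text(root, "UserId").upper() not in SYSTEM_NAMES:
            continue
        hits.append({"subject": ev["subject"], "task": ev["task"],
                     "command": _first_text(root, "Command")})
    return hits
```

A task launched from a user-writable location such as Temp, as in the flagged record, is the kind of hit worth escalating rather than just logging.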

  7. #7 kazalku

    That's great... worked like a charm. Thank you so much.
    Just one small point: for the scheduleme command, I used the same meterpreter exe to connect back to my box, so I had to open another ./msfconsole to listen for the connection. In your nice video you showed that it can be done with the same session. Possibly the exe is different than what I am using. You mentioned to google someone's video but unfortunately I can't get the name. If you kindly mention the name here, that will be great. Cheers

  8. #8

    Hi kazalku, I don't know if you have found the answer to your question regarding someone's video that BadKarmaPR mentioned.
    I am a newbie and I think I am not even qualified to post the link below, but I just want to share.
    I think BadKarmaPR mentioned John Strand; his videos are at http://www.vimeo.com/user595761/videos . Cheers
    "If it doesn't sleep, doesn't eat, doesn't take **** breaks and plays poker 24 hours a day - it's a bot!"

  9. #9 kazalku

    Thank you so much for the name and the link... I was eagerly waiting for the answer... Cheers

  10. #10

    The easiest way for me to accomplish this was to upload pwdump6, which has provisions for Vista hash dumping, both 32- and 64-bit. Then open a hidden command prompt, dump the hashes to a file, download the file through MS, and delete the files afterwards.
