Dump Password Hashes using hashdump in Meterpreter


Introduction

In this lab, you will learn one of the most common post-exploitation techniques: dumping password hashes from a compromised Windows target. Specifically, you will use the hashdump command available in Metasploit's Meterpreter payload. These hashes, once obtained, can be cracked offline to reveal user passwords, enabling further privilege escalation or lateral movement within a network.

For this educational exercise, we will work within a simulated Metasploit Framework environment. This allows you to learn the exact commands and workflow without needing to set up a complex victim/attacker network. You will start with a pre-established Meterpreter session on a simulated Windows machine.

Your goals are to:

  • Access an active Meterpreter session.
  • Use the hashdump command to extract password hashes.
  • Understand the structure of the dumped hashes.
  • Save the hashes to a file for future use.

Gain a Meterpreter session with SYSTEM privileges

In this step, you will start the simulated Metasploit console and interact with the pre-existing Meterpreter session. In a real-world scenario, gaining this session would involve exploiting a vulnerability on the target machine. For this lab, the session has been prepared for you.

First, navigate into the simulation directory that was created by the setup script.

cd ~/project/metasploit-simulation

Now, start the simulated Metasploit console by executing the msfconsole script.

./msfconsole

You should see a welcome banner and the msf6 > prompt. This indicates you are in the main Metasploit console. To see active sessions, use the sessions command with the -l (list) flag.

sessions -l

You will see the following output, showing one active session with an ID of 1.

Active sessions
===============

  Id  Name  Type                     Information                  Connection
  --  ----  ----                     -----------                  ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN-PC  10.0.2.15:4444 -> 10.0.2.16:49152

The output shows that we have a meterpreter session running as NT AUTHORITY\SYSTEM, which is the highest privilege level on a Windows system. This is crucial for dumping hashes.

Now, interact with this session using its ID.

sessions -i 1

Your prompt will change from msf6 > to meterpreter >, confirming that you are now inside the Meterpreter session on the target machine.

Load the priv standard API extension if needed

In this step, you will load the priv extension. This Meterpreter extension provides commands for privilege escalation and for accessing sensitive parts of the operating system, such as the Security Account Manager (SAM) database where password hashes are stored.

While many modern Meterpreter payloads load necessary extensions automatically when a command is called, it is good practice to know how to load them manually. This ensures you have the required functionality.

Inside the meterpreter > prompt, type the following command to load the priv extension:

load priv

The simulator will confirm that the extension has been loaded successfully.

[+] Loading extension priv...
[+] Loaded extension: priv

With the priv extension loaded, you now have access to commands like hashdump.

Run the hashdump post-exploitation module

In this step, you will execute the hashdump command. This command is the primary reason we loaded the priv extension. It works by reading the SAM database directly from the system's memory, bypassing on-disk protections. This is possible because our session is running with SYSTEM privileges.

Now that you are in the Meterpreter prompt and have loaded the priv extension, simply run the hashdump command.

hashdump

The command will execute and print a list of usernames and their corresponding password hashes to the screen.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labex-user:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

You have successfully extracted the password hashes from the simulated Windows machine. In the next step, we will analyze the structure of this output.

Observe the dumped NTLM hashes from the SAM database

In this step, you will learn to interpret the output of the hashdump command. Understanding this format is essential for knowing what to do with the hashes you've collected.

Let's examine one line from the output you generated in the previous step:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

This string is colon-delimited and has several fields:

  1. Username: Administrator
     • This is the user account name.
  2. Relative Identifier (RID): 500
     • This is a unique ID for the account within the domain. The RID 500 is always the default administrator account.
  3. LM Hash: aad3b435b51404eeaad3b435b51404ee
     • This is the hash for the older LAN Manager authentication protocol. On modern Windows systems, this is often a blank or "null" hash, as seen here. This specific value indicates that no LM hash is stored.
  4. NTLM Hash: 31d6cfe0d16ae931b73c59d7e0c089c0
     • This is the NT LAN Manager hash, which is used by all modern versions of Windows. This is the hash you would use in an offline password cracking tool like John the Ripper or Hashcat.
  5. Comment and Home Directory: :::
     • These last three fields are typically empty and are not used for cracking.

By observing this output, you can identify the active user accounts and, most importantly, their NTLM hashes, which represent their passwords in a non-reversible format.

Save the hashes to a file for offline cracking

In this final step, you will save the collected hashes to a text file. It is standard practice to save evidence and loot from a compromised system for later analysis and use. Storing the hashes in a file makes it easy to feed them into password cracking software.

First, you need to exit the simulated msfconsole environment to return to your regular Linux shell. Type exit in the meterpreter > prompt to return to the msf6 > prompt, and then type exit again.

exit

You should now be back at the msf6 > prompt. Type exit again to leave the simulation.

exit

You should now be back in your ~/project/metasploit-simulation directory.

Next, create a new file named hashes.txt using the nano text editor.

nano hashes.txt

Now, copy the hash output from your terminal (the output from the hashdump command in Step 3) and paste it into the nano editor. The content should look like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
labex-user:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::

Press Ctrl+X to exit nano, then Y to confirm you want to save the changes, and finally Enter to confirm the filename.

To verify that the file was saved correctly, you can display its contents with the cat command.

cat hashes.txt

You have successfully saved the password hashes to a file, ready for offline cracking.

Summary

In this lab, you successfully performed a classic post-exploitation technique using a simulated Meterpreter session.

You learned how to:

  • Navigate and interact with sessions in the Metasploit Framework console.
  • Load Meterpreter extensions like priv to gain additional functionality.
  • Execute the hashdump command to extract NTLM password hashes from a Windows target.
  • Understand the format of the dumped hashes, identifying the username, RID, and NTLM hash.
  • Save the collected hashes to a file for offline use with password cracking tools.

This skill is a fundamental part of penetration testing, as it often provides the keys needed to expand access across a network.