September 15th, 2010, 12:09 AM
unable to dump hashes in win7 with meterpreter
I got a meterpreter session on a win7 box; however, I'm unable to use hashdump. I get insufficient privileges. So I tried to use the "keylogrecorder" script, but I need to migrate to winlogon.exe for that, and again, I'm unable to migrate due to insufficient privs. I used "getprivs" and "set priv" then tried again with the same results. I noticed that "getsystem" is not available... the user that I got my meterpreter session as is a member of the admin group, yet I'm not able to get any of these commands working. I wonder if it is because of UAC, which can be turned off. Is there any script that turns off UAC? Any help appreciated.
meterpreter > use priv
Loading extension priv...success.
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY b9106b7575965755275b237fe2b54acd...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_create_key: Operation failed: 5
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
September 15th, 2010, 08:41 PM
My bet would be UAC. You could try disabling it manually on the box [since it is your system, right? ] for troubleshooting purposes. I have heard that it is theoretically possible to disable UAC remotely, but have never seen a proof of concept.
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
September 15th, 2010, 11:00 PM
I've googled for it, but nothing... but I'm looking for different ways to dump the hashes... I'll let you know.