
Safe, Reliable, Hash Dumping

http://blog.metasploit.com

The Metasploit Meterpreter has supported the "hashdump" command (through the Priv extension) since before version 3.0. The "hashdump" command is an in-memory version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it allocates memory inside the process, injects raw assembly code, executes it via CreateRemoteThread, and then reads the captured hashes back out of memory. This avoids writing files to the drive and, by the same token, avoids being flagged by antivirus (AV) and host intrusion prevention (HIPS) products.

Over the last few years, many AV and HIPS products have added hooks to detect this behavior and block it at the API level. Unfortunately, the hooks are often implemented in a way that causes LSASS.exe to crash, which forces the entire system to either halt or reboot. This has made the "hashdump" command (along with pwdump and its friends) somewhat risky to use during a penetration test.

Created by martha23 1 year 50 weeks ago – Made popular 1 year 50 weeks ago