The Metasploit Meterpreter has supported the "hashdump" command (through the Priv extension) since before version 3.0. The "hashdump" command is an in-memory version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it allocates memory inside the process, injects raw assembly code, executes it via CreateRemoteThread, and then reads the captured hashes back out of memory. This avoids writing files to the drive and by the same token avoids being flagged by antivirus (AV) and intrusion prevention (HIPS) products.
Over the last few years, many AV and HIPS products have added hooks to detect this behavior and block it at the API level. Unfortunately, the hooks are often implemented in a way that causes LSASS.exe to crash, which forces the entire system to either halt or reboot. This has made the "hashdump" command (along with pwdump and its friends) somewhat risky to use during a penetration test.
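
From the monitoring side, the two behaviours contrasted above (a DLL loaded into LSASS.exe versus raw code run by a remote thread) can be told apart in process telemetry without hooking LSASS at all. The following is an added example, not code from Metasploit or from the original post: it assumes events shaped like Sysmon Event ID 8 (CreateRemoteThread) records, the sample events are constructed, and the label names and the treatment of an empty or "-" StartModule as "not backed by a module" are assumptions of this sketch.

```python
import ntpath

# LoadLibrary variants used as a thread start routine when a DLL is injected.
LOADLIBRARY = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

# Constructed sample records using Sysmon Event ID 8 field names.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Program Files\App\app.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\LSASS.EXE",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
]

def classify(event):
    """Label a remote-thread event aimed at lsass.exe, or return None."""
    if event.get("EventID") != 8:
        return None                      # only CreateRemoteThread records
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target != "lsass.exe":
        return None
    module = event.get("StartModule", "").strip()
    function = event.get("StartFunction", "").strip().lower()
    if module in ("", "-"):
        # Start address is not inside any loaded module: code was written
        # into allocated memory, the in-memory pattern described above.
        return "unbacked-start"
    if function in LOADLIBRARY:
        return "dll-load"                # pwdump-style DLL injection
    return "module-backed"               # needs a per-environment baseline

def findings(events):
    """Return (source image, label) for every flagged event, in order."""
    out = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            out.append((ev["SourceImage"], label))
    return out

if __name__ == "__main__":
    for source, label in findings(SAMPLE_EVENTS):
        print(f"{label:15} {source}")
```
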









