1
00:00:00,630 --> 00:00:06,570
So after successfully elevating privileges, what do you do? You can dump password hashes on the target

2
00:00:06,570 --> 00:00:06,960
system.

3
00:00:08,250 --> 00:00:15,360
So Meterpreter provides some commands and post modules that will help you to extract the username and

4
00:00:15,360 --> 00:00:17,100
password hashes from the system.

5
00:00:18,620 --> 00:00:21,440
To dump the Security Account Manager database,

6
00:00:22,370 --> 00:00:24,980
you will need to run as SYSTEM

7
00:00:26,380 --> 00:00:34,150
to get around the registry restrictions and also dump the protected SAM storage that contains Windows

8
00:00:34,150 --> 00:00:35,770
usernames and passwords.

9
00:00:37,280 --> 00:00:42,230
But you have already elevated your privileges, so this is not a problem for you so far.

10
00:00:44,100 --> 00:00:49,730
Meterpreter has many ways to use for extracting hashes on the target system:

11
00:00:51,140 --> 00:00:52,430
the hashdump command,

12
00:00:53,890 --> 00:00:55,090
the hashdump script,

13
00:00:56,290 --> 00:00:57,460
and the post modules.

14
00:00:59,490 --> 00:01:07,210
And by the way, extraction is not limited to Windows machines. You can also extract Linux hashes. To

15
00:01:07,230 --> 00:01:07,710
do this,

16
00:01:08,550 --> 00:01:12,120
Meterpreter has the hashdump post modules.

17
00:01:13,350 --> 00:01:16,620
The problem here is: which one of them should you use?

18
00:01:18,360 --> 00:01:21,440
So let me tell you this: you can use them in order.

19
00:01:22,530 --> 00:01:28,950
So first, start with the simplest one, hashdump. Just type hashdump to extract hashes from the

20
00:01:28,950 --> 00:01:29,430
target.

21
00:01:30,660 --> 00:01:33,000
And here are the hashes on Metasploitable 3.

22
00:01:34,410 --> 00:01:38,730
Now background the session and let's look at the credentials stored in the Metasploit database.

23
00:01:39,690 --> 00:01:40,110
creds.

24
00:01:41,430 --> 00:01:43,050
OK, so there's no credential yet.

25
00:01:43,920 --> 00:01:48,300
This means that these hashes aren't added to the Metasploit database.

26
00:01:49,480 --> 00:01:55,390
So you may ask about the credentials that you've gathered during other phases of this course.

27
00:01:56,410 --> 00:01:59,370
So I'll delete them to give you a clear view now.

28
00:02:00,640 --> 00:02:02,790
OK, interact with the session again.

29
00:02:05,270 --> 00:02:08,030
The second option is the hashdump script.

30
00:02:09,040 --> 00:02:10,630
And this is a Meterpreter script.

31
00:02:11,600 --> 00:02:14,570
Now, somehow the hashdump command doesn't work.

32
00:02:15,660 --> 00:02:17,610
So let's try this:

33
00:02:18,880 --> 00:02:19,960
run hashdump.

34
00:02:26,290 --> 00:02:29,170
And these are the hashes on Metasploitable 3.

35
00:02:30,680 --> 00:02:33,400
Send the session to the background by using bg.

36
00:02:35,170 --> 00:02:42,070
creds. And still, there are no credentials added. So, Meterpreter again.

37
00:02:44,660 --> 00:02:47,750
And Metasploit also has post modules to gather hashes.

38
00:02:48,770 --> 00:02:51,450
One of these modules is the hashdump module.

39
00:02:52,580 --> 00:02:57,170
Yeah, the names are the same because they both dump the hashes, right?

40
00:02:58,250 --> 00:03:00,980
So let's first look at the information about this module.

41
00:03:07,020 --> 00:03:12,270
It only needs a valid Meterpreter session, so now we can run this module.

42
00:03:13,330 --> 00:03:16,030
run post/windows/

43
00:03:17,110 --> 00:03:19,090
gather/hashdump

44
00:03:20,140 --> 00:03:21,070
And hit Enter.

45
00:03:22,240 --> 00:03:23,410
It may take a few seconds.

46
00:03:30,300 --> 00:03:35,640
OK, and the hashes are here. So let's have a quick look at the credential database.

47
00:03:37,920 --> 00:03:41,830
And sure enough, finally, the hashes are added to the Metasploit database.

48
00:03:43,110 --> 00:03:47,940
So now you can crack them with the built-in John the Ripper module.

49
00:03:49,260 --> 00:03:50,930
But don't let me get ahead of myself.

50
00:03:51,270 --> 00:03:53,850
I want to mention the other hash dumping module.

51
00:03:54,950 --> 00:03:56,570
First, interact with the session.

52
00:03:58,340 --> 00:04:04,340
info post/windows/gather/smart_hashdump

53
00:04:06,870 --> 00:04:13,440
Well, this one has another name at least. So when you look at the options of this module, there is

54
00:04:13,440 --> 00:04:15,900
a variable here named GETSYSTEM.

55
00:04:16,980 --> 00:04:24,600
So this module can try to get SYSTEM level access to extract the hashes if you directly set this

56
00:04:24,600 --> 00:04:25,080
variable.

57
00:04:26,040 --> 00:04:31,710
Or it will assume that it has the access already. So let's run it without any option.

58
00:04:38,100 --> 00:04:40,550
It takes a little more time when you compare it to the others.

59
00:04:44,290 --> 00:04:46,480
But OK, great, the hashes do come.

60
00:04:47,660 --> 00:04:52,700
Now you can try to crack these hashes. Send it to the background.

61
00:04:54,600 --> 00:04:55,520
creds again.

62
00:04:57,140 --> 00:04:58,850
And here are the credentials that you gathered.