Matching a password by its hash rests on the assumption that no two pieces of data will ever generate the same hash value. If two pieces of data do generate the same hash value, called a collision, elements of information security start to be exposed to compromise. The problem of collisions is analyzed through a mathematical/statistical problem called the Birthday Paradox.
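The Birthday Paradox can be worked through numerically rather than argued in words. The following Python is an added example, not code from the book or from Metasploit: it computes the probability that any two of k random values drawn from a space of n possible hash outputs collide (the exact product for small k, the standard exp(-k(k-1)/2n) approximation for large k) and, going the other way, how many samples are needed before a collision becomes likely. For 23 people and 365 birthdays the probability is just over 50%; for a 128-bit hash such as MD4 or MD5 the same 50% point is reached after roughly 2^64 samples, which is why a hash's collision resistance is about half its output length.

```python
import math

def birthday_collision_probability(k: int, n: int) -> float:
    """Probability that at least two of k uniformly random values drawn from
    n possible outputs coincide. Uses the exact product for modest k and the
    usual exp(-k(k-1)/(2n)) approximation beyond that."""
    if k < 2:
        return 0.0
    if k > n:
        return 1.0  # pigeonhole: more samples than outputs forces a collision
    if k <= 100_000:
        # P(no collision) = prod_{i=0}^{k-1} (n - i)/n, accumulated in log space
        log_no_collision = sum(math.log1p(-i / n) for i in range(k))
        return 1.0 - math.exp(log_no_collision)
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))

def samples_for_collision_probability(p: float, n: int) -> float:
    """Samples needed to reach collision probability p in a space of n outputs,
    from inverting the approximation: k ~ sqrt(2 n ln(1/(1-p)))."""
    return math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p)))

def collision_work_bits(output_bits: int) -> float:
    """log2 of the samples needed for a 50% collision against an ideal
    output_bits-bit hash, i.e. its effective collision resistance in bits."""
    return math.log2(samples_for_collision_probability(0.5, 2 ** output_bits))

if __name__ == "__main__":
    print(f"23 people, 365 birthdays: {birthday_collision_probability(23, 365):.4f}")
    for bits in (16, 32, 64, 128, 256):
        print(f"{bits:3d}-bit hash: ~2^{collision_work_bits(bits):.1f} samples for a 50% collision")
```

The product is accumulated with `log1p` so the exact branch stays accurate even when n is astronomically large; past 100,000 samples the approximation is already indistinguishable from the product at double precision and far cheaper.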
One function of Meterpreter is hashdump. This function provides a list of the users and password hashes from the system. In the case of Linux, these details are stored in the /etc/shadow file. In the case of Windows, the details are stored in the Security Account Manager (SAM), an element of the Windows Registry. In either operating system, you will get the username, user ID, and the password hash just for a start. Example 6-9 shows running hashdump against the Metasploitable 3 system after it had been compromised with the EternalBlue exploit. You will see the username in the first field, followed by the user ID, and then the password hash.

To get the password back from the hash, you need to run a password cracker. Hashes are one-way functions, meaning the hash can't be reversed to regenerate the data that created the hash. Instead, you can generate hashes from potential passwords and compare the resulting hash with what you know. When you get a match, you will have the password, or at least a password that will work to get you access as that user.
Example 6-9. Grabbing password hashes

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
anakin_skywalker:1011:aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa:::
artoo_detoo:1007:aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4:::
ben_kenobi:1009:aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859:::
boba_fett:1014:aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9:::
chewbacca:1017:aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8:::
c_three_pio:1008:aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee:::
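The lines in Example 6-9 are in the pwdump format: username, relative ID (RID), LM hash, NT hash, then three empty fields. The following Python is an added example, not code from the book or from Metasploit. It parses that format and runs the checks a defender would want over a dump recovered during an assessment or an incident: whether any account still has a real LM hash (LM storage should be disabled), whether any account has an empty password, whether several accounts share one NT hash (the same password reused), and which line is the built-in Administrator (RID 500). The sample dump is constructed; the two hash constants are well-known public values: aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string, which is why it appears on every line of Example 6-9, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash (MD4 of the UTF-16LE empty string) of a blank password.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Well-known public constants, not values specific to any host.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", shown when LM storage is disabled
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "", i.e. a blank password
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

@dataclass(frozen=True)
class HashRecord:
    username: str
    rid: int
    lm_hash: str
    nt_hash: str

def parse_hashdump_line(line: str) -> HashRecord:
    """Parse one pwdump-style line: username:RID:LM-hash:NT-hash:::"""
    parts = line.strip().split(":")
    if len(parts) != 7 or parts[4:] != ["", "", ""]:
        raise ValueError(f"not a pwdump line: {line!r}")
    username, rid, lm_hash, nt_hash = parts[:4]
    if not username or not rid.isdigit():
        raise ValueError(f"bad username or RID: {line!r}")
    if not (HEX32.match(lm_hash) and HEX32.match(nt_hash)):
        raise ValueError(f"hash fields must be 32 hex digits: {line!r}")
    return HashRecord(username, int(rid), lm_hash.lower(), nt_hash.lower())

def audit_hashdump(dump: str) -> Dict[str, List[str]]:
    """Map each username to the findings its line raises (empty list = nothing flagged)."""
    records = [parse_hashdump_line(l) for l in dump.splitlines() if l.strip()]
    nt_usage = Counter(r.nt_hash for r in records)
    findings: Dict[str, List[str]] = {}
    for r in records:
        flags = []
        if r.lm_hash != EMPTY_LM_HASH:
            flags.append("lm-hash-present")        # LM storage still enabled; the LM scheme is weak
        if r.nt_hash == EMPTY_NT_HASH:
            flags.append("empty-password")
        if nt_usage[r.nt_hash] > 1:
            flags.append("password-shared")        # identical NT hash means identical password
        if r.rid == 500:
            flags.append("builtin-administrator")  # RID 500 is always the built-in Administrator
        findings[r.username] = flags
    return findings

# Constructed sample dump (the NT values below are made up, not real hashes).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy_app:1006:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
temp_user:1007:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, flags in audit_hashdump(SAMPLE_DUMP).items():
        print(f"{user:16s} {', '.join(flags) or 'ok'}")
```

Every line of Example 6-9 carries the empty LM value, so on that host LM storage was already off; the audit would flag only the shared and empty passwords if any existed. A malformed line raises rather than being silently skipped, which matters when a dump has been wrapped or truncated in a report, as two of the lines on this page were.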
Getting password hashes is not the only thing we can do with Meterpreter when it comes to users. You may need to figure out who you are after you have compromised a system. Knowing who you are will tell you what permissions you have. It will also tell you whether you need to escalate your privileges to get administrative rights to be able to do more interesting things, which may include maintaining access to the system post-exploitation. To get the ID of the user you are, you use getuid. This tells you the user that Meterpreter is running as on your target host.
Another technique that can be used to gather credentials is the post-exploitation module check_credentials. This not only acquires password hashes but also acquires tokens on the system. A token on a Windows system is an object that contains infor‐