Closed stavsher closed 1 month ago
It sounds like you're saying this should be clarified:
We could change it to "Dumps the contents of the SAM database by injecting into LSASS". It's technically accurate, as it does what it says it does; it just doesn't call out how it does it, e.g. LSASS injection vs. registry access (as auxiliary/gather/windows_secrets_dump uses).
It's not only about the method, but about the contents, too. The SAM database (registry) contains local credentials only, and does not contain domain credentials. These are stored in the NTDS.dit file.
This is not to say that the method is unimportant, as the current description implies registry access, whereas the actual method is injection into LSASS, which may be more "dangerous".
Well, we're using the Security Account Manager interface defined in MS-SAMR to dump the data. The functions can be seen here in dump_sam.c. This Microsoft article calls out the methods we're using and states the following:
The tool uses the following APIs from "samsrv.dll" to dump password hashes from the Security Account Manager (SAM) database:
- SamIConnect
- SamrOpenDomain
- SamrOpenUser
- SamrQueryInformationUser
- SamrEnumerateUsersInDomain
The history around the hashdump command is that it's a port of the old pwdump tool IIRC, so that's probably why that description so accurately describes what we're doing.
We can change the description though to be more intuitive. What would you prefer it to be?
I appreciate the clarification provided, and the swift response. After reading the referenced documentation and article, it appears I had a misunderstanding regarding the definition of the SAM database and its contents. I think this issue can be closed, the description is fitting.
Steps to reproduce
In my case I was using version 6.3.4-dev of the framework and console, and running against Windows Server 2012 R2.
Were you following a specific guide/tutorial or reading documentation?
No.
Expected behavior
According to the command description, hashdump "Dumps the contents of the SAM database", which should not include domain accounts.
Current behavior
Domain account credentials are dumped.
Metasploit version
Console and framework version 6.3.4-dev
Additional Information
Unfortunately I cannot copy and paste debug information, as my environment is disconnected from the internet. From my limited understanding after skimming through the source code, the command injects a DLL into lsass, and extracts the data from there rather than from the SAM.
I think the command description should be updated to match the actual behavior, rather than the other way around.