rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Meterpreter hashdump extracts hashes from LSASS, and not from the SAM database #19162

Closed stavsher closed 1 month ago

stavsher commented 1 month ago

Steps to reproduce

  1. Run the hashdump command in a meterpreter session where the target is a domain controller
  2. Get domain account hashes (which do not exist in the SAM)

In my case I was using version 6.3.4-dev of the framework and console, and running against Windows Server 2012R2.

Were you following a specific guide/tutorial or reading documentation?

No.

Expected behavior

According to the command description, hashdump "Dumps the contents of the SAM database", which should not include domain accounts.

Current behavior

Domain account credentials are dumped.

Metasploit version

Console and framework version 6.3.4-dev

Additional Information

Unfortunately I cannot copy and paste debug information, as my environment is disconnected from the internet. From my limited understanding after skimming through the source code, the command injects a DLL into lsass, and extracts the data from there rather than from the SAM.

I think the command description should be updated to match the actual behavior, rather than the other way around.

smcintyre-r7 commented 1 month ago

It sounds like you're saying this should be clarified:

https://github.com/rapid7/metasploit-framework/blob/0b9d4654a46b5fe40250384b36b1881a1209a946/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb#L25

We could change it to "Dumps the contents of the SAM database by injecting into LSASS". It's technically accurate, as it does what it says it does; it just doesn't call out how it does it, e.g. LSASS injection vs. registry access (as auxiliary/gather/windows_secrets_dump uses).

stavsher commented 1 month ago

It's not only about the method, but about the contents, too. The SAM database (registry) contains local credentials only, and does not contain domain credentials. These are stored in the NTDS.dit file.
This is not to say that the method is unimportant, as the current description implies registry access, whereas the actual method is injection into LSASS, which may be more "dangerous".

smcintyre-r7 commented 1 month ago

Well we're using the Security Account Manager interface defined in MS-SAMR to dump the data. The functions can be seen here in dump_sam.c. This Microsoft article calls out the methods we're using and states the following:

The tool uses the following APIs from "samsrv.dll" to dump password hashes from the Security Account Manager (SAM) database:

  • SamIConnect
  • SamrOpenDomain
  • SamrOpenUser
  • SamrQueryInformationUser
  • SamrEnumerateUsersInDomain

The history around the hashdump command is that it's a port of the old pwdump tool IIRC, so that's probably why that description so accurately describes what we're doing.

We can change the description though to be more intuitive. What would you prefer it to be?
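As an added example, not code from metasploit-framework or from anyone in this thread: a small Ruby parser for the pwdump-style lines hashdump prints, with the checks a practitioner would run on a dump taken from a domain controller. It assumes the `user:rid:lmhash:nthash:::` line format and uses two well-known constants (the LM hash of a blank/disabled LM password and the NT hash of the empty password). The sample dumps, account names and hash values below are constructed for illustration. The point it demonstrates is the one settled above: the SAMR "domain" on a DC is the Active Directory domain, so a krbtgt account (RID 502) and computer accounts (names ending in `$`) show up, which never exist in a workstation's local SAM.

```ruby
# Added example (not Metasploit's own code): parse pwdump-style hashdump
# output and flag entries that show the data came from a domain controller.

# Well-known hash values (properties of the LM/NT algorithms, not session data).
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee' # LM hash of a blank/disabled LM password
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e00c089c' # NT hash of the empty password

# Well-known RIDs. 502 (krbtgt) exists only in an Active Directory domain, so
# seeing it proves the dump is directory data, not a workstation's local SAM.
WELL_KNOWN_RIDS = { 500 => 'Administrator', 501 => 'Guest', 502 => 'krbtgt' }.freeze

HashEntry = Struct.new(:user, :rid, :lm, :nt, keyword_init: true) do
  def machine_account?; user.end_with?('$'); end  # computer accounts only live in AD
  def krbtgt?;          rid == 502;            end
  def blank_password?;  nt == EMPTY_NT;        end
  def lm_present?;      lm != EMPTY_LM;        end # a real LM hash means a crackable legacy hash
end

# Assumed output format: user:rid:lmhash:nthash:::
LINE_RE = /\A(?<user>[^:]+):(?<rid>\d+):(?<lm>\h{32}):(?<nt>\h{32}):::\z/

# Parse raw hashdump text, skipping blank lines and "[*] ..." status lines.
# Raises on anything that is not a well-formed pwdump line.
def parse_hashdump(text)
  text.each_line.filter_map do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('[')
    m = LINE_RE.match(line)
    raise ArgumentError, "malformed hashdump line: #{line.inspect}" unless m
    HashEntry.new(user: m[:user], rid: m[:rid].to_i, lm: m[:lm].downcase, nt: m[:nt].downcase)
  end
end

# True when the dump contains accounts that can only come from an AD domain.
def domain_dump?(entries)
  entries.any?(&:krbtgt?) || entries.any?(&:machine_account?)
end

def summarize(entries)
  {
    total:            entries.size,
    domain_source:    domain_dump?(entries),
    machine_accounts: entries.select(&:machine_account?).map(&:user),
    blank_passwords:  entries.select(&:blank_password?).map(&:user),
    lm_hashes:        entries.select(&:lm_present?).map(&:user),
    well_known:       entries.filter_map { |e| WELL_KNOWN_RIDS[e.rid] && "#{e.user} (RID #{e.rid})" },
  }
end

# Constructed sample: what a dump from a domain controller looks like.
SAMPLE_DC_DUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e00c089c:::
  krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
  jdoe:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
  WS01$:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
DUMP

# Constructed sample: the same command on a domain-joined workstation only
# returns the machine's local SAM accounts.
SAMPLE_WS_DUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e00c089c:::
  localuser:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DUMP

if $PROGRAM_NAME == __FILE__
  { 'domain controller' => SAMPLE_DC_DUMP, 'workstation' => SAMPLE_WS_DUMP }.each do |label, dump|
    puts "#{label}: #{summarize(parse_hashdump(dump)).inspect}"
  end
end
```

Run it as a script to see both summaries; the DC sample reports `domain_source: true` with `WS01$` as a machine account and `krbtgt` among the well-known RIDs, while the workstation sample reports `domain_source: false`. The `blank_passwords` and `lm_hashes` checks are the usual triage on any dump: a Guest account with the empty-password NT hash is expected, but an enabled account with that hash, or any account with a non-empty LM hash, is worth attention.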

stavsher commented 1 month ago

I appreciate the clarification provided, and the swift response. After reading the referenced documentation and article, it appears I had a misunderstanding regarding the definition of the SAM database and its contents. I think this issue can be closed, the description is fitting.