A report on Twitter indicates that lsadump on Metasploit is broken. Initial tests revealed a bug. No idea if it's the same issue @craigsblackie ?
Junk bytes are appended to recovered passwords. Observe the output below. The passwords are password and redacted, whereas the module returns password |\~ and redactedC[+ QE
Test system is Windows 7 SP1 x64; with session upgraded via exploit/windows/local/bypassuac and getsystem. Metasploit is latest version from git, running on Ruby 2.3.0.
msf5 exploit(windows/local/bypassuac) > use post/windows/gather/lsa_secrets
msf5 post(windows/gather/lsa_secrets) > set session 2
session => 2
msf5 post(windows/gather/lsa_secrets) > run
[*] Executing module against WIN-SGBSD5TQUTQ
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[-] Could not retrieve LSA key. Are you SYSTEM?
[*] Post module execution completed
msf5 post(windows/gather/lsa_secrets) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
Background session 2? [y/N]
msf5 post(windows/gather/lsa_secrets) > run
[*] Executing module against WIN-SGBSD5TQUTQ
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[+] Key: DefaultPassword
Decrypted Value: password |\~
[+] Key: DPAPI_SYSTEM
Decrypted Value: ,?<lJ.f$*qghGuf2H
[+] Key: _SC_MSSQL$SQLEXPRESS
Username: NT Service\MSSQL$SQLEXPRESS
Decrypted Value: M"Y=aD
[+] Key: _SC_MSSQLSERVER
Username: NT Service\MSSQLSERVER
Decrypted Value: _;N5kN.
[+] Key: _SC_redacted
Username: .\redacted
Decrypted Value: redactedC[+ QE
[*] Writing to loot...
[*] Data saved in: /root/.msf4/loot/20180728232749_default_172.16.191.153_registry.lsa.sec_660233.txt
[*] Post module execution completed
Compared to kiwi lsa_dump_secrets which returns the correct value.
meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : WIN-SGBSD5TQUTQ
SysKey : 9f288f41951f8dedc8c2011fcef7627f
Local name : WIN-SGBSD5TQUTQ ( S-1-5-21-3721788700-3134539918-2111365127 )
Domain name : WORKGROUP
Policy subsystem is : 1.11
LSA Key(s) : 1, default {b76bab56-d62d-7863-136e-0a0c1ca4bb73}
[00] {b76bab56-d62d-7863-136e-0a0c1ca4bb73} 6afee2d5c13d317fe515c521f7c165180feba991f27dd8212d6ce93c68383da0
Secret : DefaultPassword
cur/text: password
old/text: ROOT#123
Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 1d 01 9d 3f 3c 80 6c dc 4a 2e d6 66 24 a0 04 af c2 07 2a d8 71 67 13 99 68 ed 47 75 66 32 b9 12 7f 48 c4 f9 a0 be 04 02
full: 1d019d3f3c806cdc4a2ed66624a004afc2072ad87167139968ed47756632b9127f48c4f9a0be0402
m/u : 1d019d3f3c806cdc4a2ed66624a004afc2072ad8 / 7167139968ed47756632b9127f48c4f9a0be0402
old/hex : 01 00 00 00 c9 22 d6 0b 83 9e dd 98 a7 ad 7a 5a c5 ff 4e bb 8a d2 6f 01 61 be bf d4 bc 70 54 70 fd df 46 12 a8 c5 e5 2d 98 6c 79 71
full: c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f0161bebfd4bc705470fddf4612a8c5e52d986c7971
m/u : c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f01 / 61bebfd4bc705470fddf4612a8c5e52d986c7971
Secret : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : NT Service\MSSQL$SQLEXPRESS
Secret : _SC_MSSQLSERVER / service 'MSSQLSERVER' with username : NT Service\MSSQLSERVER
Secret : _SC_redacted / service 'redacted' with username : .\redacted
cur/text: redacted
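The symptom in this report, the real value followed by trailing junk, is what a decoder produces when it hands back the whole decrypted buffer instead of honouring the length field at the front of a decrypted LSA secret blob; whether that is the cause of this particular module bug is an assumption. The following is an added example, not code from the issue or from Metasploit, that parses that plaintext blob layout (4-byte little-endian length, 12 reserved bytes, secret, padding) on a constructed blob and shows the naive and the correct decode side by side.

```python
import struct

# Layout of a decrypted LSA secret blob on Vista and later, as implemented by
# public parsers (e.g. impacket's LSA_SECRET_BLOB): 4-byte little-endian
# length, 12 reserved bytes, `length` bytes of secret, then cipher padding.
HEADER_LEN = 16


def parse_lsa_secret_blob(blob: bytes) -> bytes:
    """Return exactly the bytes the header declares; drop trailing padding."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 16-byte header")
    (length,) = struct.unpack_from("<I", blob, 0)
    if HEADER_LEN + length > len(blob):
        raise ValueError("declared length exceeds blob size")
    return blob[HEADER_LEN:HEADER_LEN + length]


def naive_strip_header(blob: bytes) -> bytes:
    """What a decoder that ignores the length field effectively returns:
    everything after the header, cipher padding included (the 'junk')."""
    return blob[HEADER_LEN:]


def as_text(secret: bytes) -> str:
    """Text secrets such as DefaultPassword are stored as UTF-16LE."""
    return secret.decode("utf-16-le", errors="replace")


def build_blob(secret: bytes, block: int = 16) -> bytes:
    """Constructed test blob (not captured data): header + secret, padded to
    a multiple of the cipher block size with visible filler bytes."""
    body = struct.pack("<I", len(secret)) + b"\x00" * 12 + secret
    pad = (-len(body)) % block
    return body + bytes(0x41 + i for i in range(pad))


if __name__ == "__main__":
    # "hunter2" is 14 bytes in UTF-16LE, so the 30-byte body is padded to 32.
    blob = build_blob("hunter2".encode("utf-16-le"))
    print("naive  :", repr(as_text(naive_strip_header(blob))))
    print("correct:", repr(as_text(parse_lsa_secret_blob(blob))))
```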
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
bcoles added the not-stale label (stops an issue from being auto-closed) and removed the Stale label (marks an issue as stale, to be closed if no action is taken) on Dec 2, 2020.