
I've been trying to get credential hashes on a Windows Meterpreter session, but each time I run "run post/windows/gather/hashdump" I get the following error:

Post failed: NoMethodError undefined method `unpack' for nil:NilClass Call stack: /usr/share/metasploit-framework/modules/post/windows/gather/hashdump.rb:42:in `run'

The unpack() method is used throughout the hashdump.rb script, but as the Meterpreter session tells it, it's not defined.

I've never used Ruby before, so I don't know whether it's a predefined method or whether I should define it, nor how to do it.

Any help is appreciated. Thanks.

oguz ismail
Shedreth
  • first of all if you want to use `metasploit` I highly recommend learning ruby first. (script kiddies are generally frowned upon) :). Secondly `capture_boot_key` (line 39 same file) is returning `nil` where a `String` is expected. [`#unpack`](https://ruby-doc.org/core-2.3.0/String.html#method-i-unpack) is a `String` method and in this case it is trying to take the captured "boot key" and unpack it as hexadecimal (high nibble first). If none of this makes sense again I would recommend learning what you are doing first – engineersmnky Aug 09 '17 at 14:03
  • Thank you for your reply. I tried to look for the function to try and change its return type, but couldn't find it in the script; I only found capture_hboot_key(). Isn't there a built-in method like ToString() for C#? – Shedreth Aug 09 '17 at 14:38
  • [`Msf::Post::Windows::Priv#capture_boot_key`](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/windows/priv.rb#L231). Additionally yes `ruby` does have a `to_s` but `ruby` does not generally rely on return types but rather uses duck typing to allow for a more dynamic implementation. – engineersmnky Aug 09 '17 at 14:54
  • Your issue here is not that it does not return a `String` per se but rather that `capture_boot_key` cannot find (and/or access *privileges*) the appropriate registry key in one of the following locations "System\\CurrentControlSet\\Control\\Lsa\\JD", "System\\CurrentControlSet\\Control\\Lsa\\Skew1", "System\\CurrentControlSet\\Control\\Lsa\\GBG","System\\CurrentControlSet\\Control\\Lsa\\Data" – engineersmnky Aug 09 '17 at 14:54
  • So based on your words, there's nothing I can do? – Shedreth Aug 09 '17 at 15:00
  • Not my words. Chances are that @eiko is correct and that you do not have the appropriate privileges to access the registry as it seems highly unlikely that those keys would be missing since they are reasonably imperative. To access the registry you would need system level privileges first thus the answer posted. Now actually my words *"Please understand what you are doing. Especially when using what could be considered **malicious** software in the opinion of many."* My comments are for code edification only and I cannot condone what you are doing since you don't even know what you are doing. – engineersmnky Aug 09 '17 at 15:06
  • Please don't get me wrong; when I said "nothing I can do" I was referring to code modification in order to get it to work. As for your words, I do know what I'm doing since I'm testing on my VM (I'm an intern at an infosec company) for educational purposes, and I may not know all that there is to know, but not knowing comes before knowing. – Shedreth Aug 09 '17 at 15:16
  • I meant nothing insulting by my comments. One who thinks they know everything knows nothing at all. While you are correct in saying *"not knowing comes before knowing"* not understanding (conceptually speaking) is different than not knowing and makes the tools become far more dangerous. You cannot learn without first understanding. I may not know how to use a handgun but I can understand the process. (If I cannot then the gun is exponentially more dangerous than I). Understand and learn `ruby`. Understand and learn exploitation be the dangerous one and not the one in danger. Good Luck – engineersmnky Aug 09 '17 at 17:26

1 Answer

It looks like hashdump is failing to retrieve the boot key from the system registry. My best guess is that you're trying to run hashdump without system privileges.

With insufficient access, the script returns nil instead of the boot key, then tries to unpack nil which causes a fairly unhelpful NoMethodError.

Try running getsystem before you run hashdump.

eiko
    I have already tried all the privilege escalation methods; none work – Shedreth Aug 09 '17 at 15:07
  • @Shedreth ah, then that's a different problem entirely! stackoverflow isn't really the place for it though. you might want to head over to [the security stackexchange](https://security.stackexchange.com/questions) to ask about privilege escalation. but keep in mind that some attacks simply fail because some machines simply aren't vulnerable. – eiko Aug 09 '17 at 15:21
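The failure chain described in the answer, as an added example that is not Metasploit's own code: a plain Hash stands in for `session.sys.registry`, the four LSA subkeys are looked up by their class names, and `capture_boot_key` returns `nil` when any of them cannot be read (the real module hits this when the session lacks SYSTEM). `hboot_status_unguarded` reproduces the module's `unpack` on a `nil` boot key; `hboot_status` is the guarded form. The byte permutation is the standard SYSKEY descrambling order; the registry contents and the status strings are constructed for this example.

```ruby
# Added example (not Metasploit's code): models how a post module derives the
# SYSKEY boot key from the registry and why a nil return ends in
# "undefined method `unpack' for nil:NilClass".

LSA_BASE = 'System\CurrentControlSet\Control\Lsa'
BOOTKEY_PARTS = %w[JD Skew1 GBG Data].freeze

# Standard SYSKEY byte permutation applied to the concatenated class names.
DESCRAMBLER = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
               0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7].freeze

# Constructed stand-in for HKLM: key path => class name (8 hex chars each).
SAMPLE_REGISTRY = {
  "#{LSA_BASE}\\JD"    => '0123abcd',
  "#{LSA_BASE}\\Skew1" => '4567ef01',
  "#{LSA_BASE}\\GBG"   => '89ab2345',
  "#{LSA_BASE}\\Data"  => 'cdef6789',
}.freeze

# Returns the 16-byte boot key, or nil when any of the four keys is missing or
# unreadable -- the condition the asker hit (no SYSTEM privileges).
def capture_boot_key(registry)
  scrambled = String.new
  BOOTKEY_PARTS.each do |part|
    class_name = registry["#{LSA_BASE}\\#{part}"]
    return nil unless class_name.is_a?(String) && class_name.match?(/\A\h{8}\z/)
    scrambled << [class_name].pack('H*')   # 8 hex chars -> 4 raw bytes
  end
  bytes = scrambled.unpack('C*')
  DESCRAMBLER.map { |i| bytes[i] }.pack('C*')
end

# Modelled on the failing pattern: unpack the boot key without checking it.
# With an empty or unreadable registry this raises NoMethodError on nil.
def hboot_status_unguarded(registry)
  boot_key = capture_boot_key(registry)
  "Calculating the hboot key using SYSKEY #{boot_key.unpack('H*')[0]}..."
end

# Guarded form: report the real cause instead of an unhelpful NoMethodError.
def hboot_status(registry)
  boot_key = capture_boot_key(registry)
  if boot_key.nil?
    return "Could not read the SYSKEY boot key under HKLM\\#{LSA_BASE}; " \
           'this needs SYSTEM privileges (try getsystem first)'
  end
  "Calculating the hboot key using SYSKEY #{boot_key.unpack('H*')[0]}..."
end

if $PROGRAM_NAME == __FILE__
  puts hboot_status(SAMPLE_REGISTRY)
  puts hboot_status({})
  begin
    hboot_status_unguarded({})
  rescue NoMethodError => e
    puts "unguarded version failed as the module does: #{e.message}"
  end
end
```

The guard is the practical fix if you want a useful diagnostic, but it does not make the dump work: a `nil` boot key means the registry class names were never read, and only escalating to SYSTEM changes that.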