Metasploit Pro PWDump Report
I have been testing Rapid7's new Metasploit Pro product. While I am finishing up the review, you can check here for the HackMiami review of Metasploit Express.
Added to the features are VPN pivoting and 2 new attack vectors of Web Attacks and Social Engineering.
On Nov 2nd, HD had a webcast to showcase the new features of Pro. One of the questions received was about taking the hashes collected and converting them into plain text passwords. HD said that in the next update, one could export data that had been looted to a PWDump format.
While at a client site last week, I got an opportunity to use this feature. It is quite simple.
Step 1:
Under the Reports tab, Go down to Generated Reports and select Generate a Report.
Under the Report Format Select PWDump.
The output looks like this.
Running this through your favorite program (I like ophcrack) results in the plain-text passwords.
This is often helpful when explaining the risks to the non-technical company management. Hashes may not mean anything to them. It is often very effective when you ask if "Fluffy2010" is also their VPN, Facebook, and personal email password.
Spoiler Alert: It was!