It first checks the Privilege Level and OS.
It will check if the target is a Domain Controller.
Based on this information it will prefer the reading of the registry to get the hashes if possible, if not possible it will inject in to the lsass process if possible. For Domain Controllers it will use the injection to lsass.
If the target is a Windows 2008 server and the process is running with admin privileges it will attempt to get system privilege using getsystem, if it gets SYSTEM privilege do to the way the token privileges are set it can still not inject in to the lsass process so the code will migrate to a process already running as SYSTEM and then inject in to the lsass process.
If the code detects that it is running on a Windows 7/Vista box with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.
On Windows 2003/2000/XP it will use getsystem and if successful it will use the read registry method.
[cc lang=”bash”]meterpreter > run smart_hasdump -h
Meterpreter Script for automating the dumping of local accounts from
the SAM Database and if the targets host is a Domain Controller the
Domain Account Database using the proper technique depending on
privilage level, OS and Role of host.
-h Help menu.