CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/auxiliary/analyze/apply_pot.md
Views: 11784

Vulnerable Application

This module applies a john the ripper (or hashcat) style .pot file to hashes in the database. This will allow very fast cracking of all supported hash types which have already been cracked.

Verification Steps

  1. Have at least one set of hashes in the database

  2. Start msfconsole

  3. Do: use auxiliary/analyze/apply_pot

  4. Do: run

  5. You should hopefully crack a password.

Actions

john

Use john the ripper (default).

hashcat

Use hashcat.

Options

CONFIG

The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf

JOHN_PATH

The absolute path to the John the Ripper executable. Default behavior is to search path for john and john.exe.

POT

The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which records cracked password hashes. Kali linux's default location is /root/.john/john.pot. Default is ~/.msf4/john.pot.

DeleteTempFiles

This option will prevent deletion of the wordlist and file containing hashes. This may be useful for running the hashes through john if it wasn't cracked, or for debugging. Default is false.

Scenarios

In this scenario, we fill a bunch of different hash types into the creds db. You'll need a .pot file with the cracked hashes, the following can be used:

rEK1ecacw.7.c:password _J9..K0AyUubDrfOgO4s:password $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe:password yhMEAyLkfWqeQ:se $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:password $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5:password $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1:password 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8:foo 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:toto 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:FOO 0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16:Password1! 445ff82636a7ba59:probe *5AD8F88516BD021DD43F171E2C785C69F8E54ADB:tere O$SIMON#4f8bc1809cb2af77:A O$SYSTEM#9eedfa0ad26c6d52:THALES 8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A:epsilon $oracle12c$e3243b98974159cc24fd2c9a8b30ba62e0e83b6ca2fc7c55177c3a7f82602e3bdd17ceb9b9091cf9dad672b8be961a9eac4d344bdba878edc5dcb5899f689ebd8dd1be3f67bff9813a464382381ab36b:epsilon $dynamic_1034$be86a79bf2043622d58d5453c47d4860$HEX$24556578616d706c65:password $LM$ac404c4ba2c66533:ASE $LM$4a3b108f3fa6cb6d:D $LM$e52cac67419a9a22:PASSWOR $NT$8846f7eaee8fb117ad06bdd830b7586c:password
resource (hashes_pot.rb)> creds -d Credentials =========== host origin service public private realm private_type JtR Format ---- ------ ------- ------ ------- ----- ------------ ---------- resource (hashes_pot.rb)> creds add user:des_password hash:rEK1ecacw.7.c jtr:des resource (hashes_pot.rb)> creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5 resource (hashes_pot.rb)> creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi resource (hashes_pot.rb)> creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt resource (hashes_pot.rb)> creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt resource (hashes_pot.rb)> creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf resource (hashes_pot.rb)> creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm resource (hashes_pot.rb)> creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt resource (hashes_pot.rb)> creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05 resource (hashes_pot.rb)> creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql resource (hashes_pot.rb)> creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 resource (hashes_pot.rb)> creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql resource (hashes_pot.rb)> creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1 resource (hashes_pot.rb)> creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle resource (hashes_pot.rb)> creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle resource (hashes_pot.rb)> creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle resource (hashes_pot.rb)> creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle resource (hashes_pot.rb)> creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c resource (hashes_pot.rb)> creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860 resource (hashes_pot.rb)> use auxiliary/analyze/apply_pot resource (hashes_pot.rb)> run [*] Hashes Written out to /tmp/hashes_tmp20190203-16380-1974mdz [*] Checking bcrypt hashes against pot file [+] blowfish_password:password [*] Checking bsdicrypt hashes against pot file [+] bsdi_password:password [*] Checking crypt hashes against pot file Warning: hash encoding string length 46, type id $d appears to be unsupported on this system; will not load such hashes. [+] des_password:password [+] md5_password:password [+] sha256_password:password [+] sha512_password:password [*] Checking descrypt hashes against pot file [+] des_password:password [*] Checking lm hashes against pot file [+] lm_password:password [*] Checking nt hashes against pot file [+] lm_password:password [+] nt_password:password [*] Checking md5crypt hashes against pot file [+] md5_password:password [*] Checking mysql hashes against pot file [+] mysql_probe:probe [*] Checking mysql-sha1 hashes against pot file [+] mysql-sha1_tere:tere [*] Checking mssql hashes against pot file [+] mssql_foo:FOO [*] Checking mssql05 hashes against pot file [+] mssql05_toto:toto [+] mssql_foo:foo [*] Checking mssql12 hashes against pot file [+] mssql12_Password1!:Password1! [*] Checking oracle hashes against pot file [+] simon:A [+] SYSTEM:THALES [*] Checking oracle11 hashes against pot file [+] DEMO:epsilon [+] oracle11_epsilon:epsilon [*] Checking oracle12c hashes against pot file [+] oracle12c_epsilon:epsilon [*] Checking dynamic_1506 hashes against pot file [*] Checking dynamic_1034 hashes against pot file [+] example:password [*] Auxiliary module execution completed resource (hashes_pot.rb)> creds Credentials =========== host origin service public private realm private_type JtR Format ---- ------ ------- ------ ------- ----- ------------ ---------- des_password password Password des_password rEK1ecacw.7.c Nonreplayable hash des md5_password password Password md5_password $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ Nonreplayable hash md5 bsdi_password password Password bsdi_password _J9..K0AyUubDrfOgO4s Nonreplayable hash bsdi sha256_password password Password sha256_password $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 Nonreplayable hash sha256,crypt sha512_password password Password sha512_password $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 Nonreplayable hash sha512,crypt blowfish_password password Password blowfish_password $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe Nonreplayable hash bf lm_password password Password lm_password e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c NTLM hash nt,lm nt_password password Password nt_password aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c NTLM hash nt,lm mssql05_toto toto Password mssql05_toto 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 Nonreplayable hash mssql05 mssql_foo foo Password mssql_foo FOO Password mssql_foo 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 Nonreplayable hash mssql mssql12_Password1! Password1! Password mssql12_Password1! 0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 Nonreplayable hash mssql12 mysql_probe probe Password mysql_probe 445ff82636a7ba59 Nonreplayable hash mysql mysql-sha1_tere tere Password mysql-sha1_tere *5AD8F88516BD021DD43F171E2C785C69F8E54ADB Nonreplayable hash mysql-sha1 simon A Password simon 4F8BC1809CB2AF77 Nonreplayable hash des,oracle SYSTEM THALES Password SYSTEM 9EEDFA0AD26C6D52 Nonreplayable hash des,oracle DEMO epsilon Password DEMO S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash raw-sha1,oracle oracle11_epsilon epsilon Password oracle11_epsilon S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash raw-sha1,oracle oracle12c_epsilon epsilon Password oracle12c_epsilon H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B Nonreplayable hash pbkdf2,oracle12c example password Password example md5be86a79bf2043622d58d5453c47d4860 Postgres md5 raw-md5,postgres