CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/analyze/crack_linux.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Auxiliary::PasswordCracker7include Msf::Exploit::Deprecated8moved_from 'auxiliary/analyze/jtr_linux'910def initialize11super(12'Name' => 'Password Cracker: Linux',13'Description' => %{14This module uses John the Ripper or Hashcat to identify weak passwords that have been15acquired from unshadowed passwd files from Unix/Linux systems. The module will only crack16MD5, BSDi and DES implementations by default. However, it can also crack17Blowfish and SHA(256/512), but it is much slower.18MD5 is format 500 in hashcat.19DES is format 1500 in hashcat.20BSDI is format 12400 in hashcat.21BLOWFISH is format 3200 in hashcat.22SHA256 is format 7400 in hashcat.23SHA512 is format 1800 in hashcat.24},25'Author' => [26'theLightCosine',27'hdm',28'h00die' # hashcat integration29],30'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)31'Actions' => [32['john', { 'Description' => 'Use John the Ripper' }],33['hashcat', { 'Description' => 'Use Hashcat' }],34],35'DefaultAction' => 'john',36)3738register_options(39[40OptBool.new('MD5', [false, 'Include MD5 hashes', true]),41OptBool.new('DES', [false, 'Indlude DES hashes', true]),42OptBool.new('BSDI', [false, 'Include BSDI hashes', true]),43OptBool.new('BLOWFISH', [false, 'Include BLOWFISH hashes (Very Slow)', false]),44OptBool.new('SHA256', [false, 'Include SHA256 hashes (Very Slow)', false]),45OptBool.new('SHA512', [false, 'Include SHA512 hashes (Very Slow)', false]),46OptBool.new('INCREMENTAL', [false, 'Run in incremental mode', true]),47OptBool.new('WORDLIST', [false, 'Run in wordlist mode', true])48]49)50end5152def show_command(cracker_instance)53return unless datastore['ShowCommand']5455if action.name == 'john'56cmd = cracker_instance.john_crack_command57elsif action.name == 'hashcat'58cmd = cracker_instance.hashcat_crack_command59end60print_status(" Cracking Command: #{cmd.join(' ')}")61end6263def run64def check_results(passwords, results, hash_type, method)65passwords.each do |password_line|66password_line.chomp!67next if password_line.blank?6869fields = password_line.split(':')70cred = { 'hash_type' => hash_type, 'method' => method }7172if action.name == 'john'73next unless fields.count >= 3 # If we don't have an expected minimum number of fields, this is probably not a hash line7475cred['username'] = fields.shift76cred['core_id'] = fields.pop774.times { fields.pop } # Get rid of extra :78cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it79elsif action.name == 'hashcat'80next unless fields.count >= 2 # If we don't have an expected minimum number of fields, this is probably not a hash line8182cred['core_id'] = fields.shift83cred['hash'] = fields.shift84cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it85next if cred['core_id'].include?("Hashfile '") && cred['core_id'].include?("' on line ") # skip error lines8687# we don't have the username since we overloaded it with the core_id (since its a better fit for us)88# so we can now just go grab the username from the DB89cred['username'] = framework.db.creds(workspace: myworkspace, id: cred['core_id'])[0].public.username90end91results = process_cracker_results(results, cred)92end93results94end9596tbl = tbl = cracker_results_table9798# array of hashes in jtr_format in the db, converted to an OR combined regex99hash_types_to_crack = []100hash_types_to_crack << 'md5crypt' if datastore['MD5']101hash_types_to_crack << 'descrypt' if datastore['DES']102hash_types_to_crack << 'bsdicrypt' if datastore['BSDI']103hash_types_to_crack << 'bcrypt' if datastore['BLOWFISH']104hash_types_to_crack << 'sha256crypt' if datastore['SHA256']105hash_types_to_crack << 'sha512crypt' if datastore['SHA512']106107jobs_to_do = []108109# build our job list110hash_types_to_crack.each do |hash_type|111job = hash_job(hash_type, action.name)112if job.nil?113print_status("No #{hash_type} found to crack")114else115jobs_to_do << job116end117end118119# bail early of no jobs to do120if jobs_to_do.empty?121print_good("No uncracked password hashes found for: #{hash_types_to_crack.join(', ')}")122return123end124125# array of arrays for cracked passwords.126# Inner array format: db_id, hash_type, username, password, method_of_crack127results = []128129cracker = new_password_cracker(action.name)130131# generate our wordlist and close the file handle.132wordlist = wordlist_file133unless wordlist134print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')135return136end137138wordlist.close139print_status "Wordlist file written out to #{wordlist.path}"140141cleanup_files = [wordlist.path]142jobs_to_do.each do |job|143format = job['type']144hash_file = Rex::Quickfile.new("hashes_#{job['type']}_")145hash_file.puts job['formatted_hashlist']146hash_file.close147cracker.hash_path = hash_file.path148cleanup_files << hash_file.path149150# dupe our original cracker so we can safely change options between each run151cracker_instance = cracker.dup152cracker_instance.format = format153154if action.name == 'john'155cracker_instance.fork = datastore['FORK']156end157158# first check if anything has already been cracked so we don't report it incorrectly159print_status "Checking #{format} hashes already cracked..."160results = check_results(cracker_instance.each_cracked_password, results, format, 'Already Cracked/POT')161vprint_good(append_results(tbl, results)) unless results.empty?162job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list163next if job['cred_ids_left_to_crack'].empty?164165if action.name == 'john'166print_status "Cracking #{format} hashes in single mode..."167cracker_instance.mode_single(wordlist.path)168show_command cracker_instance169cracker_instance.crack do |line|170vprint_status line.chomp171end172results = check_results(cracker_instance.each_cracked_password, results, format, 'Single')173vprint_good(append_results(tbl, results)) unless results.empty?174job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list175next if job['cred_ids_left_to_crack'].empty?176177print_status "Cracking #{format} hashes in normal mode..."178cracker_instance.mode_normal179show_command cracker_instance180cracker_instance.crack do |line|181vprint_status line.chomp182end183results = check_results(cracker_instance.each_cracked_password, results, format, 'Normal')184vprint_good(append_results(tbl, results)) unless results.empty?185job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list186next if job['cred_ids_left_to_crack'].empty?187end188189if datastore['INCREMENTAL']190print_status "Cracking #{format} hashes in incremental mode..."191cracker_instance.mode_incremental192show_command cracker_instance193cracker_instance.crack do |line|194vprint_status line.chomp195end196results = check_results(cracker_instance.each_cracked_password, results, format, 'Incremental')197vprint_good(append_results(tbl, results)) unless results.empty?198job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list199next if job['cred_ids_left_to_crack'].empty?200end201202next unless datastore['WORDLIST']203204print_status "Cracking #{format} hashes in wordlist mode..."205cracker_instance.mode_wordlist(wordlist.path)206# Turn on KoreLogic rules if the user asked for it207if action.name == 'john' && datastore['KORELOGIC']208cracker_instance.rules = 'KoreLogicRules'209print_status 'Applying KoreLogic ruleset...'210end211show_command cracker_instance212cracker_instance.crack do |line|213vprint_status line.chomp214end215216results = check_results(cracker_instance.each_cracked_password, results, format, 'Wordlist')217vprint_good(append_results(tbl, results)) unless results.empty?218job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list219next if job['cred_ids_left_to_crack'].empty?220end221222# give a final print of results223print_good(append_results(tbl, results))224225if datastore['DeleteTempFiles']226cleanup_files.each do |f|227File.delete(f)228end229end230end231end232233234