CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/analyze/crack_osx.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Auxiliary::PasswordCracker78def initialize9super(10'Name' => 'Password Cracker: OSX',11'Description' => %(12This module uses John the Ripper or Hashcat to identify weak passwords that have been13acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha51214from 10.7, and PBKDF2 from OSX 10.8+.15XSHA is 122 in hashcat.16XSHA512 is 1722 in hashcat.17PBKDF2 (PBKDF2-HMAC-SHA512) is 7100 in hashcat.18),19'Author' => [20'h00die' # hashcat integration21],22'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)23'Actions' => [24['john', { 'Description' => 'Use John the Ripper' }],25['hashcat', { 'Description' => 'Use Hashcat' }],26],27'DefaultAction' => 'john',28)2930register_options(31[32OptBool.new('XSHA', [false, 'Include XSHA hashes from 10.4-10.6', true]),33OptBool.new('XSHA512', [false, 'Include XSHA512 hashes from 10.7', true]),34OptBool.new('PBKDF2', [false, 'Include PBKDF2-HMAC-SHA512 hashes from 10.8+', true]),35OptBool.new('INCREMENTAL', [false, 'Run in incremental mode', true]),36OptBool.new('WORDLIST', [false, 'Run in wordlist mode', true])37]38)39end4041def show_command(cracker_instance)42return unless datastore['ShowCommand']4344if action.name == 'john'45cmd = cracker_instance.john_crack_command46elsif action.name == 'hashcat'47cmd = cracker_instance.hashcat_crack_command48end49print_status(" Cracking Command: #{cmd.join(' ')}")50end5152def run53def check_results(passwords, results, hash_type, method)54passwords.each do |password_line|55password_line.chomp!56next if password_line.blank?5758fields = password_line.split(':')59cred = { 'hash_type' => hash_type, 'method' => method }60# If we don't have an expected minimum number of fields, this is probably not a hash line61if action.name == 'john'62next unless fields.count >= 36364cred['username'] = fields.shift65cred['core_id'] = fields.pop66unless hash_type == 'PBKDF2-HMAC-SHA512'674.times { fields.pop } # Get rid of extra :68end69cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it70elsif action.name == 'hashcat'71next unless fields.count >= 37273cred['core_id'] = fields.shift74cred['hash'] = fields.shift75cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it76next if cred['core_id'].include?("Hashfile '") && cred['core_id'].include?("' on line ") # skip error lines7778# we don't have the username since we overloaded it with the core_id (since its a better fit for us)79# so we can now just go grab the username from the DB80cred['username'] = framework.db.creds(workspace: myworkspace, id: cred['core_id'])[0].public.username81end82results = process_cracker_results(results, cred)83end84results85end8687tbl = tbl = cracker_results_table8889# array of hashes in jtr_format in the db, converted to an OR combined regex90hash_types_to_crack = []91hash_types_to_crack << 'xsha' if datastore['XSHA']92hash_types_to_crack << 'xsha512' if datastore['XSHA512']93hash_types_to_crack << 'PBKDF2-HMAC-SHA512' if datastore['PBKDF2']94jobs_to_do = []9596# build our job list97hash_types_to_crack.each do |hash_type|98job = hash_job(hash_type, action.name)99if job.nil?100print_status("No #{hash_type} found to crack")101else102jobs_to_do << job103end104end105106# bail early of no jobs to do107if jobs_to_do.empty?108print_good("No uncracked password hashes found for: #{hash_types_to_crack.join(', ')}")109return110end111112# array of arrays for cracked passwords.113# Inner array format: db_id, hash_type, username, password, method_of_crack114results = []115116cracker = new_password_cracker(action.name)117118# generate our wordlist and close the file handle.119wordlist = wordlist_file120unless wordlist121print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')122return123end124125wordlist.close126print_status "Wordlist file written out to #{wordlist.path}"127128cleanup_files = [wordlist.path]129130jobs_to_do.each do |job|131format = job['type']132hash_file = Rex::Quickfile.new("hashes_#{job['type']}_")133hash_file.puts job['formatted_hashlist']134hash_file.close135cracker.hash_path = hash_file.path136cleanup_files << hash_file.path137# dupe our original cracker so we can safely change options between each run138cracker_instance = cracker.dup139cracker_instance.format = format140if action.name == 'john'141cracker_instance.fork = datastore['FORK']142end143144# first check if anything has already been cracked so we don't report it incorrectly145print_status "Checking #{format} hashes already cracked..."146results = check_results(cracker_instance.each_cracked_password, results, format, 'Already Cracked/POT')147vprint_good(append_results(tbl, results)) unless results.empty?148149if action.name == 'john'150print_status "Cracking #{format} hashes in single mode..."151cracker_instance.mode_single(wordlist.path)152show_command cracker_instance153cracker_instance.crack do |line|154vprint_status line.chomp155end156results = check_results(cracker_instance.each_cracked_password, results, format, 'Single')157vprint_good(append_results(tbl, results)) unless results.empty?158job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list159next if job['cred_ids_left_to_crack'].empty?160161print_status "Cracking #{format} hashes in normal mode..."162cracker_instance.mode_normal163show_command cracker_instance164cracker_instance.crack do |line|165vprint_status line.chomp166end167results = check_results(cracker_instance.each_cracked_password, results, format, 'Normal')168vprint_good(append_results(tbl, results)) unless results.empty?169job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list170next if job['cred_ids_left_to_crack'].empty?171end172173if datastore['INCREMENTAL']174print_status "Cracking #{format} hashes in incremental mode..."175cracker_instance.mode_incremental176show_command cracker_instance177cracker_instance.crack do |line|178vprint_status line.chomp179end180results = check_results(cracker_instance.each_cracked_password, results, format, 'Incremental')181vprint_good(append_results(tbl, results)) unless results.empty?182job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list183next if job['cred_ids_left_to_crack'].empty?184end185186if datastore['WORDLIST']187print_status "Cracking #{format} hashes in wordlist mode..."188cracker_instance.mode_wordlist(wordlist.path)189# Turn on KoreLogic rules if the user asked for it190if action.name == 'john' && datastore['KORELOGIC']191cracker_instance.rules = 'KoreLogicRules'192print_status 'Applying KoreLogic ruleset...'193end194show_command cracker_instance195cracker_instance.crack do |line|196vprint_status line.chomp197end198199results = check_results(cracker_instance.each_cracked_password, results, format, 'Wordlist')200vprint_good(append_results(tbl, results)) unless results.empty?201job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list202next if job['cred_ids_left_to_crack'].empty?203end204205# give a final print of results206print_good(append_results(tbl, results))207end208if datastore['DeleteTempFiles']209cleanup_files.each do |f|210File.delete(f)211end212end213end214end215216217