Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/analyze/crack_osx.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::PasswordCracker

8


9
  def initialize

10
    super(

11
      'Name' => 'Password Cracker: OSX',

12
      'Description' => %(

13
          This module uses John the Ripper or Hashcat to identify weak passwords that have been

14
        acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha512

15
        from 10.7, and PBKDF2 from OSX 10.8+.

16
        XSHA is 122 in hashcat.

17
        XSHA512 is 1722 in hashcat.

18
        PBKDF2 (PBKDF2-HMAC-SHA512) is 7100 in hashcat.

19
      ),

20
      'Author' => [

21
        'h00die' # hashcat integration

22
      ],

23
      'License' => MSF_LICENSE, # JtR itself is GPLv2, but this wrapper is MSF (BSD)

24
      'Actions' => [

25
        ['john', { 'Description' => 'Use John the Ripper' }],

26
        ['hashcat', { 'Description' => 'Use Hashcat' }],

27
      ],

28
      'DefaultAction' => 'john',

29
      'Notes' => {

30
        'Stability' => [CRASH_SAFE],

31
        'SideEffects' => [],

32
        'Reliability' => []

33
      }

34
    )

35


36
    register_options(

37
      [

38
        OptBool.new('XSHA', [false, 'Include XSHA hashes from 10.4-10.6', true]),

39
        OptBool.new('XSHA512', [false, 'Include XSHA512 hashes from 10.7', true]),

40
        OptBool.new('PBKDF2', [false, 'Include PBKDF2-HMAC-SHA512 hashes from 10.8+', true]),

41
        OptBool.new('INCREMENTAL', [false, 'Run in incremental mode', true]),

42
        OptBool.new('WORDLIST', [false, 'Run in wordlist mode', true])

43
      ]

44
    )

45
  end

46


47
  def show_command(cracker_instance)

48
    return unless datastore['ShowCommand']

49


50
    if action.name == 'john'

51
      cmd = cracker_instance.john_crack_command

52
    elsif action.name == 'hashcat'

53
      cmd = cracker_instance.hashcat_crack_command

54
    end

55
    print_status("   Cracking Command: #{cmd.join(' ')}")

56
  end

57


58
  def check_results(passwords, results, hash_type, method)

59
    passwords.each do |password_line|

60
      password_line.chomp!

61
      next if password_line.blank?

62


63
      fields = password_line.split(':')

64
      cred = { 'hash_type' => hash_type, 'method' => method }

65
      # If we don't have an expected minimum number of fields, this is probably not a hash line

66
      if action.name == 'john'

67
        next unless fields.count >= 3

68


69
        cred['username'] = fields.shift

70
        cred['core_id'] = fields.pop

71
        unless hash_type == 'PBKDF2-HMAC-SHA512'

72
          4.times { fields.pop } # Get rid of extra :

73
        end

74
        cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it

75
      elsif action.name == 'hashcat'

76
        next unless fields.count >= 3

77


78
        cred['core_id'] = fields.shift

79
        cred['hash'] = fields.shift

80
        cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it

81
        next if cred['core_id'].include?("Hashfile '") && cred['core_id'].include?("' on line ") # skip error lines

82


83
        # we don't have the username since we overloaded it with the core_id (since its a better fit for us)

84
        # so we can now just go grab the username from the DB

85
        cred['username'] = framework.db.creds(workspace: myworkspace, id: cred['core_id'])[0].public.username

86
      end

87
      results = process_cracker_results(results, cred)

88
    end

89


90
    results

91
  end

92


93
  def run

94
    tbl = tbl = cracker_results_table

95


96
    # array of hashes in jtr_format in the db, converted to an OR combined regex

97
    hash_types_to_crack = []

98
    hash_types_to_crack << 'xsha' if datastore['XSHA']

99
    hash_types_to_crack << 'xsha512' if datastore['XSHA512']

100
    hash_types_to_crack << 'PBKDF2-HMAC-SHA512' if datastore['PBKDF2']

101
    jobs_to_do = []

102


103
    # build our job list

104
    hash_types_to_crack.each do |hash_type|

105
      job = hash_job(hash_type, action.name)

106
      if job.nil?

107
        print_status("No #{hash_type} found to crack")

108
      else

109
        jobs_to_do << job

110
      end

111
    end

112


113
    # bail early of no jobs to do

114
    if jobs_to_do.empty?

115
      print_good("No uncracked password hashes found for: #{hash_types_to_crack.join(', ')}")

116
      return

117
    end

118


119
    # array of arrays for cracked passwords.

120
    # Inner array format: db_id, hash_type, username, password, method_of_crack

121
    results = []

122


123
    cracker = new_password_cracker(action.name)

124


125
    # generate our wordlist and close the file handle.

126
    wordlist = wordlist_file

127
    unless wordlist

128
      print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')

129
      return

130
    end

131


132
    wordlist.close

133
    print_status "Wordlist file written out to #{wordlist.path}"

134


135
    cleanup_files = [wordlist.path]

136


137
    jobs_to_do.each do |job|

138
      format = job['type']

139
      hash_file = Rex::Quickfile.new("hashes_#{job['type']}_")

140
      hash_file.puts job['formatted_hashlist']

141
      hash_file.close

142
      cracker.hash_path = hash_file.path

143
      cleanup_files << hash_file.path

144
      # dupe our original cracker so we can safely change options between each run

145
      cracker_instance = cracker.dup

146
      cracker_instance.format = format

147
      if action.name == 'john'

148
        cracker_instance.fork = datastore['FORK']

149
      end

150


151
      # first check if anything has already been cracked so we don't report it incorrectly

152
      print_status "Checking #{format} hashes already cracked..."

153
      results = check_results(cracker_instance.each_cracked_password, results, format, 'Already Cracked/POT')

154
      vprint_good(append_results(tbl, results)) unless results.empty?

155


156
      if action.name == 'john'

157
        print_status "Cracking #{format} hashes in single mode..."

158
        cracker_instance.mode_single(wordlist.path)

159
        show_command cracker_instance

160
        cracker_instance.crack do |line|

161
          vprint_status line.chomp

162
        end

163
        results = check_results(cracker_instance.each_cracked_password, results, format, 'Single')

164
        vprint_good(append_results(tbl, results)) unless results.empty?

165
        job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list

166
        next if job['cred_ids_left_to_crack'].empty?

167


168
        print_status "Cracking #{format} hashes in normal mode..."

169
        cracker_instance.mode_normal

170
        show_command cracker_instance

171
        cracker_instance.crack do |line|

172
          vprint_status line.chomp

173
        end

174
        results = check_results(cracker_instance.each_cracked_password, results, format, 'Normal')

175
        vprint_good(append_results(tbl, results)) unless results.empty?

176
        job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list

177
        next if job['cred_ids_left_to_crack'].empty?

178
      end

179


180
      if datastore['INCREMENTAL']

181
        print_status "Cracking #{format} hashes in incremental mode..."

182
        cracker_instance.mode_incremental

183
        show_command cracker_instance

184
        cracker_instance.crack do |line|

185
          vprint_status line.chomp

186
        end

187
        results = check_results(cracker_instance.each_cracked_password, results, format, 'Incremental')

188
        vprint_good(append_results(tbl, results)) unless results.empty?

189
        job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list

190
        next if job['cred_ids_left_to_crack'].empty?

191
      end

192


193
      if datastore['WORDLIST']

194
        print_status "Cracking #{format} hashes in wordlist mode..."

195
        cracker_instance.mode_wordlist(wordlist.path)

196
        # Turn on KoreLogic rules if the user asked for it

197
        if action.name == 'john' && datastore['KORELOGIC']

198
          cracker_instance.rules = 'KoreLogicRules'

199
          print_status 'Applying KoreLogic ruleset...'

200
        end

201
        show_command cracker_instance

202
        cracker_instance.crack do |line|

203
          vprint_status line.chomp

204
        end

205


206
        results = check_results(cracker_instance.each_cracked_password, results, format, 'Wordlist')

207
        vprint_good(append_results(tbl, results)) unless results.empty?

208
        job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list

209
        next if job['cred_ids_left_to_crack'].empty?

210
      end

211


212
      # give a final print of results

213
      print_good(append_results(tbl, results))

214
    end

215
    if datastore['DeleteTempFiles']

216
      cleanup_files.each do |f|

217
        File.delete(f)

218
      end

219
    end

220
  end

221
end

222


223