GitHub Repository: rapid7/metasploit-framework
Path: blob/master/tools/password/vxdigger.rb
#!/usr/bin/env ruby

#
# This script scans a memory dump or firmware image for any password hashes that
# happen to match the "master password" list generated by vxmaster. This is a
# simple way to determine whether a device has a hardcoded password.
#
# (C) 2010 Rapid7
#

# The dump file is required; the master password list is optional.
def usage
  $stderr.puts "usage: #{$0} <dump-file> [master password list]"
  exit
end

# Force binary encoding for Ruby versions that support it
if(Object.const_defined?('Encoding') and ::Encoding.respond_to?('default_external='))
  ::Encoding.default_external = ::Encoding.default_internal = "binary"
end

dump = ARGV.shift || usage()
list = ARGV.shift || File.join(File.dirname(__FILE__), "..", "data", "wordlists", "vxworks_collide_20.txt")

$stderr.puts "[*] Loading master password list..."
ohashes = []
# Each list line is split on "|" into three fields: id, hash string, raw password
File.read(list).split("\n").each do |x|
  xid,enc,raw = x.split("|", 3)
  xid = xid.to_i
  # Skip malformed lines and entries marked invalid
  next if enc.nil? or enc.empty? or raw.nil? or raw =~ /invalid/
  # Keep only the part of the raw password before the first NUL byte
  raw,tmp = raw.split("\x00")
  next if raw.nil?
  ohashes << [xid, enc, raw]
end

$stderr.puts "[*] Loading memory dump..."
# Read in binary mode so the image bytes are not altered on any platform
data = File.open(dump, "rb") { |f| f.read }

$stderr.puts "[*] Digging through memory dump..."

hashes = ohashes

tot = hashes.length
cur = 0
hashes.each do |r|
  x,k,h = r

  cur += 1
  pct = cur/tot.to_f
  pct = (pct * 100).to_i
  $stdout.write(" \r[*] Progress: #{pct}% (#{cur}/#{tot})")
  $stdout.flush

  # Report only the hash strings that occur somewhere in the dump
  next if not data.index(k)
  $stdout.write("\n")
  $stdout.flush
  puts "[+]"
  # Print the password as \xNN escapes (joined into one string) and as raw text
  puts "[+] Password hash '#{k}' (##{x}) can be accessed with #{h.unpack("C*").map{|i| "\\x%.2x" % i}.join} [ '#{h}' ]"
  puts "[+]"
end