startring refactor on jtr_mssql
Started work on the MSSQL hash cracker; fixed some minor bugs with the underlying mixin, and the cracker now runs. Still have to have the cred objects created.
This commit is contained in:
parent
641559ec12
commit
62f4054858
@ -78,7 +78,7 @@ module Metasploit
# @return [String] the path to the selected JtR binary
def binary_path
# Always prefer a manually entered path
if john_path && ::File.file? john_path
if john_path && ::File.file?(john_path)
bin_path = john_path
else
# Look in the Environment PATH for the john binary
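Review bot: `::File.file?(john_path)` accepts any regular file, so a JOHN_PATH that points at a readable but non-executable file is still selected as the binary and the failure only surfaces later when the cracker is spawned; `if john_path && ::File.executable?(john_path)` would reject it here with a clearer error. The `+`/`-` markers are not preserved in this rendering, so which of the two `if` lines is the new side is inferred from print order. The body of `binary_path` continues past the end of the hunk.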
@ -34,7 +34,7 @@ module Auxiliary::JohnTheRipper
OptBool.new('USE_CREDS', [false, 'Use existing credential data saved in the database', true]),
OptBool.new('USE_DB_INFO', [false, 'Use looted database schema info to seed the wordlist', true]),
OptBool.new('USE_DEFAULT_WORDLIST', [false, 'Use the default metasploit wordlist', true]),
OptBool.new['USE_HOSTNAMES', [false, 'Seed the wordlist with hostnames from the workspace', true]],
OptBool.new('USE_HOSTNAMES', [false, 'Seed the wordlist with hostnames from the workspace', true]),
OptBool.new('USE_ROOT_WORDS', [false, 'Use the Common Root Words Wordlist', true])
], Msf::Auxiliary::JohnTheRipper
)
@ -59,7 +59,7 @@ module Auxiliary::JohnTheRipper
# @return [nilClass] if there is no active framework db connection
# @return [Metasploit::Framework::JtR::Cracker] if it successfully creates a JtR Cracker object
def new_john_cracker
return nil unless framework.db.active?
return nil unless framework.db.active
Metasploit::Framework::JtR::Cracker.new(
config: datastore['CONFIG'],
john_path: datastore['JOHN_PATH'],
@ -75,11 +75,10 @@ module Auxiliary::JohnTheRipper
# @return [nilClass] if there is no active framework db connection
# @return [Rex::Quickfile] if it successfully wrote the wordlist to a file
def wordlist_file
return nil unless framework.db.active?
return nil unless framework.db.active
wordlist = Metasploit::Framework::JtR::Wordlist.new(
custom_wordlist: datastore['CUSTOM_WORDLIST'],
mutate: datastore['MUTATE'],
pot: datastore['POT'],
use_creds: datastore['USE_CREDS'],
use_db_info: datastore['USE_DB_INFO'],
use_default_wordlist: datastore['USE_DEFAULT_WORDLIST'],
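Review bot: The YARD return type on the `new_john_cracker` and `wordlist_file` doc comments is spelled `[nilClass]`; the class is `NilClass`, so the tag should read `# @return [NilClass] if there is no active framework db connection` for YARD to resolve it. Both methods return nil silently when the database is inactive, which leaves every caller to nil-check before touching `cracker.wordlist =` or `wordlist.close`; a sentence in each docstring stating that callers must handle the nil return, or raising a descriptive error instead, would make that contract explicit. The switch between `framework.db.active?` and `framework.db.active` appears in both of these hunks, but the rendering drops the `+`/`-` markers, so the intended direction is inferred from the commit message rather than visible here.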
@ -5,6 +5,7 @@
require 'msf/core'
require 'msf/core/auxiliary/jtr'
class Metasploit3 < Msf::Auxiliary
@ -28,62 +29,40 @@ class Metasploit3 < Msf::Auxiliary
end
def run
@wordlist = Rex::Quickfile.new("jtrtmp")
@formats = Set.new
cracker = new_john_cracker
@wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
@wordlist.close
print_status("Cracking MSSQL Hashes")
crack("mssql")
print_status("Cracking MSSQL05 Hashes")
crack("mssql05")
#generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
cracker.wordlist = wordlist.path
cracker.hash_path = hash_file
end
def crack(format)
hashlist = Rex::Quickfile.new("jtrtmp")
ltype= "#{format}.hashes"
myloots = myworkspace.loots.where('ltype=?', ltype)
unless myloots.nil? or myloots.empty?
myloots.each do |myloot|
begin
mssql_array = CSV.read(myloot.path).drop(1)
rescue Exception => e
print_error("Unable to read #{myloot.path} \n #{e}")
end
mssql_array.each do |row|
hashlist.write("#{row[0]}:0x#{row[1]}:#{myloot.host.address}:#{myloot.service.port}\n")
end
end
hashlist.close
print_status("HashList: #{hashlist.path}")
print_status("Trying Wordlist: #{@wordlist.path}")
john_crack(hashlist.path, :wordlist => @wordlist.path, :rules => 'single', :format => format)
print_status("Trying Rule: All4...")
john_crack(hashlist.path, :incremental => "All4", :format => format)
print_status("Trying Rule: Digits5...")
john_crack(hashlist.path, :incremental => "Digits5", :format => format)
cracked = john_show_passwords(hashlist.path, format)
print_status("#{cracked[:cracked]} hashes were cracked!")
cracked[:users].each_pair do |k,v|
print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
report_auth_info(
:host => v[1],
:port => v[2],
:sname => 'mssql',
:user => k,
:pass => v[0]
)
@formats.each do |format|
cracker.format = format
cracker.crack do |line|
print_status line
end
end
end
def hash_file
hashlist = Rex::Quickfile.new("hashes_tmp")
Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: ['mssql', 'mssql05']).each do |hash|
# Track the formats that we've seen so we do not attempt a format that isn't relevant
@formats << hash.jtr_format
hash.cores.each do |core|
user = core.public.username
hash_string = "0x#{hash.data}"
id = core.id
hashlist.puts "#{user}:#{hash_string}:#{id}:"
end
end
hashlist.close
print_status "Hashes Written out to #{hashlist.path}"
hashlist.path
end
end
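Review bot: `hash_file` writes `"#{user}:#{hash_string}:#{id}:"` with `user` taken from `core.public.username` and `hash.data` interpolated unchecked; both values originate from credentials harvested off target systems, so a username containing `:` or a line break shifts or injects fields in john's colon-delimited input, and non-hex hash data goes straight into the file. Skipping such records before the `hashlist.puts` (see the fence) keeps one bad row from corrupting the whole hash file, and the same field check should be applied to the `hash.jtr_format` value before it is collected into `@formats`. Separately, `run` assigns `cracker = new_john_cracker` and `wordlist = wordlist_file` and then calls `wordlist.close` and `cracker.wordlist =` unconditionally, but the mixin hunks above show both helpers return nil when the database is inactive, which would surface here as a NoMethodError rather than a readable error. The `+`/`-` markers are not preserved in this rendering, so which of the two `run` bodies is the new side is inferred from the commit message.
```ruby
def run
  cracker = new_john_cracker
  if cracker.nil?
    print_error("No active database connection; cannot build the JtR cracker")
    return
  end
  # … unchanged: wordlist_file, hash_file, @formats loop …

# … unchanged: hash_file header and the NonreplayableHash query …
hash.cores.each do |core|
  user = core.public.username.to_s
  # skip records that would corrupt john's colon-delimited input
  next if user.empty? || user =~ /[:\r\n]/
  next unless hash.data.to_s =~ /\A\h+\z/
  hashlist.puts "#{user}:0x#{hash.data}:#{core.id}:"
end
```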