startring refactor on jtr_mssql

started work on the mssql hash cracker fixed some minor bugs with the underlying mixin crackers now runs. still have to have the cred objects created
2014-06-18 14:50:08 -05:00 · 2014-06-18 14:50:08 -05:00 · 62f4054858
parent 641559ec12
commit 62f4054858
3 changed files with 35 additions and 57 deletions
--- a/lib/metasploit/framework/jtr/cracker.rb
+++ b/lib/metasploit/framework/jtr/cracker.rb
@ -78,7 +78,7 @@ module Metasploit
        # @return [String] the path to the selected JtR binary
        def binary_path
          # Always prefer a manually entered path
-          if john_path && ::File.file? john_path
+          if john_path && ::File.file?(john_path)
            bin_path = john_path
          else
            # Look in the Environment PATH for the john binary
--- a/lib/msf/core/auxiliary/jtr.rb
+++ b/lib/msf/core/auxiliary/jtr.rb
@ -34,7 +34,7 @@ module Auxiliary::JohnTheRipper
        OptBool.new('USE_CREDS',            [false, 'Use existing credential data saved in the database', true]),
        OptBool.new('USE_DB_INFO',          [false, 'Use looted database schema info to seed the wordlist', true]),
        OptBool.new('USE_DEFAULT_WORDLIST', [false, 'Use the default metasploit wordlist', true]),
-        OptBool.new['USE_HOSTNAMES',        [false, 'Seed the wordlist with hostnames from the workspace', true]],
+        OptBool.new('USE_HOSTNAMES',        [false, 'Seed the wordlist with hostnames from the workspace', true]),
        OptBool.new('USE_ROOT_WORDS',       [false, 'Use the Common Root Words Wordlist', true])
      ], Msf::Auxiliary::JohnTheRipper
    )
@ -59,7 +59,7 @@ module Auxiliary::JohnTheRipper
  # @return [nilClass] if there is no active framework db connection
  # @return [Metasploit::Framework::JtR::Cracker] if it successfully creates a JtR Cracker object
  def new_john_cracker
-    return nil unless framework.db.active?
+    return nil unless framework.db.active
    Metasploit::Framework::JtR::Cracker.new(
        config: datastore['CONFIG'],
        john_path: datastore['JOHN_PATH'],
@ -75,11 +75,10 @@ module Auxiliary::JohnTheRipper
  # @return [nilClass] if there is no active framework db connection
  # @return [Rex::Quickfile] if it successfully wrote the wordlist to a file
  def wordlist_file
-    return nil unless framework.db.active?
+    return nil unless framework.db.active
    wordlist = Metasploit::Framework::JtR::Wordlist.new(
        custom_wordlist: datastore['CUSTOM_WORDLIST'],
        mutate: datastore['MUTATE'],
-        pot: datastore['POT'],
        use_creds: datastore['USE_CREDS'],
        use_db_info: datastore['USE_DB_INFO'],
        use_default_wordlist: datastore['USE_DEFAULT_WORDLIST'],
--- a/modules/auxiliary/analyze/jtr_mssql_fast.rb
+++ b/modules/auxiliary/analyze/jtr_mssql_fast.rb
@ -5,6 +5,7 @@


 require 'msf/core'
+require 'msf/core/auxiliary/jtr'

 class Metasploit3 < Msf::Auxiliary

@ -28,62 +29,40 @@ class Metasploit3 < Msf::Auxiliary
  end

  def run
-    @wordlist = Rex::Quickfile.new("jtrtmp")
+    @formats = Set.new
+    cracker = new_john_cracker

-    @wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
-    @wordlist.close
-    print_status("Cracking MSSQL Hashes")
-    crack("mssql")
-    print_status("Cracking MSSQL05 Hashes")
-    crack("mssql05")
+    #generate our wordlist and close the file handle
+    wordlist = wordlist_file
+    wordlist.close
+    cracker.wordlist = wordlist.path
+    cracker.hash_path = hash_file

-  end
-
-
-
-
-  def crack(format)
-
-    hashlist = Rex::Quickfile.new("jtrtmp")
-    ltype= "#{format}.hashes"
-    myloots = myworkspace.loots.where('ltype=?', ltype)
-    unless myloots.nil? or myloots.empty?
-      myloots.each do |myloot|
-        begin
-          mssql_array = CSV.read(myloot.path).drop(1)
-        rescue Exception => e
-          print_error("Unable to read #{myloot.path} \n #{e}")
-        end
-        mssql_array.each do |row|
-          hashlist.write("#{row[0]}:0x#{row[1]}:#{myloot.host.address}:#{myloot.service.port}\n")
-        end
-      end
-      hashlist.close
-
-      print_status("HashList: #{hashlist.path}")
-      print_status("Trying Wordlist: #{@wordlist.path}")
-      john_crack(hashlist.path, :wordlist => @wordlist.path, :rules => 'single', :format => format)
-
-      print_status("Trying Rule: All4...")
-      john_crack(hashlist.path, :incremental => "All4", :format => format)
-
-      print_status("Trying Rule: Digits5...")
-      john_crack(hashlist.path, :incremental => "Digits5", :format => format)
-
-      cracked = john_show_passwords(hashlist.path, format)
-
-      print_status("#{cracked[:cracked]} hashes were cracked!")
-      cracked[:users].each_pair do |k,v|
-        print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
-        report_auth_info(
-          :host  => v[1],
-          :port => v[2],
-          :sname => 'mssql',
-          :user => k,
-          :pass => v[0]
-        )
+    @formats.each do |format|
+      cracker.format = format
+      cracker.crack do |line|
+        print_status line
      end
    end
+
  end

+  def hash_file
+    hashlist = Rex::Quickfile.new("hashes_tmp")
+    Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: ['mssql', 'mssql05']).each do |hash|
+      # Track the formats that we've seen so we do not attempt a format that isn't relevant
+      @formats << hash.jtr_format
+      hash.cores.each do |core|
+        user = core.public.username
+        hash_string = "0x#{hash.data}"
+        id = core.id
+        hashlist.puts "#{user}:#{hash_string}:#{id}:"
+      end
+    end
+    hashlist.close
+    print_status "Hashes Written out to #{hashlist.path}"
+    hashlist.path
+  end
+
+
 end