metasploit-framework/documentation/modules/auxiliary/analyze/apply_pot.md

## Vulnerable Application

This module applies a John the Ripper (or hashcat) style `.pot` file to the hashes stored in the database. A pot file records hashes that have already been cracked, so every supported hash type that appears in it is recovered very quickly, without running the cracker against those hashes again.

## Verification Steps

1. Have at least one set of hashes in the database
2. Start msfconsole
3. Do: `use auxiliary/analyze/apply_pot`
4. Do: `run`
5. You should hopefully crack a password.

## Actions

### john

Use John the Ripper (default).

### hashcat

Use hashcat.

## Options

### CONFIG

The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`.

### JOHN_PATH

The absolute path to the John the Ripper executable. By default the module searches the PATH for `john` and `john.exe`.

### POT

The path to a John POT file (JtR option: `--pot`) to use instead of the default. The pot file is the data file in which John records cracked password hashes. Kali Linux's default location is `/root/.john/john.pot`. Default is `~/.msf4/john.pot`.

### DeleteTempFiles

When set to false (the default), the temporary wordlist and the file containing the hashes are kept rather than deleted. This may be useful for running the hashes through John if they weren't cracked, or for debugging. Default is false.

## Scenarios

In this scenario, we load a number of different hash types into the creds database. You'll need a `.pot` file containing the cracked hashes; the following can be used:

```
rEK1ecacw.7.c:password
_J9..K0AyUubDrfOgO4s:password
$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe:password
yhMEAyLkfWqeQ:se
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:password
$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5:password
$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1:password
0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8:foo
0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:toto
0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:FOO
0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16:Password1!
445ff82636a7ba59:probe
*5AD8F88516BD021DD43F171E2C785C69F8E54ADB:tere
O$SIMON#4f8bc1809cb2af77:A
O$SYSTEM#9eedfa0ad26c6d52:THALES
8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A:epsilon
$oracle12c$e3243b98974159cc24fd2c9a8b30ba62e0e83b6ca2fc7c55177c3a7f82602e3bdd17ceb9b9091cf9dad672b8be961a9eac4d344bdba878edc5dcb5899f689ebd8dd1be3f67bff9813a464382381ab36b:epsilon
$dynamic_1034$be86a79bf2043622d58d5453c47d4860$HEX$24556578616d706c65:password
$LM$ac404c4ba2c66533:ASE
$LM$4a3b108f3fa6cb6d:D
$LM$e52cac67419a9a22:PASSWOR
$NT$8846f7eaee8fb117ad06bdd830b7586c:password
```
```
resource (hashes_pot.rb)> creds -d
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

resource (hashes_pot.rb)> creds add user:des_password hash:rEK1ecacw.7.c jtr:des
resource (hashes_pot.rb)> creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
resource (hashes_pot.rb)> creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
resource (hashes_pot.rb)> creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
resource (hashes_pot.rb)> creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
resource (hashes_pot.rb)> creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
resource (hashes_pot.rb)> creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
resource (hashes_pot.rb)> creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
resource (hashes_pot.rb)> creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
resource (hashes_pot.rb)> creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
resource (hashes_pot.rb)> creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
resource (hashes_pot.rb)> creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
resource (hashes_pot.rb)> creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
resource (hashes_pot.rb)> creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
resource (hashes_pot.rb)> creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
resource (hashes_pot.rb)> creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
resource (hashes_pot.rb)> creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
resource (hashes_pot.rb)> creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
resource (hashes_pot.rb)> creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
resource (hashes_pot.rb)> use auxiliary/analyze/apply_pot
resource (hashes_pot.rb)> run
[*] Hashes Written out to /tmp/hashes_tmp20190203-16380-1974mdz
[*] Checking bcrypt hashes against pot file
[+] blowfish_password:password
[*] Checking bsdicrypt hashes against pot file
[+] bsdi_password:password
[*] Checking crypt hashes against pot file
Warning: hash encoding string length 46, type id $d
appears to be unsupported on this system; will not load such hashes.
[+] des_password:password
[+] md5_password:password
[+] sha256_password:password
[+] sha512_password:password
[*] Checking descrypt hashes against pot file
[+] des_password:password
[*] Checking lm hashes against pot file
[+] lm_password:password
[*] Checking nt hashes against pot file
[+] lm_password:password
[+] nt_password:password
[*] Checking md5crypt hashes against pot file
[+] md5_password:password
[*] Checking mysql hashes against pot file
[+] mysql_probe:probe
[*] Checking mysql-sha1 hashes against pot file
[+] mysql-sha1_tere:tere
[*] Checking mssql hashes against pot file
[+] mssql_foo:FOO
[*] Checking mssql05 hashes against pot file
[+] mssql05_toto:toto
[+] mssql_foo:foo
[*] Checking mssql12 hashes against pot file
[+] mssql12_Password1!:Password1!
[*] Checking oracle hashes against pot file
[+] simon:A
[+] SYSTEM:THALES
[*] Checking oracle11 hashes against pot file
[+] DEMO:epsilon
[+] oracle11_epsilon:epsilon
[*] Checking oracle12c hashes against pot file
[+] oracle12c_epsilon:epsilon
[*] Checking dynamic_1506 hashes against pot file
[*] Checking dynamic_1034 hashes against pot file
[+] example:password
[*] Auxiliary module execution completed
resource (hashes_pot.rb)> creds
Credentials
===========

host  origin  service  public              private                                                             realm  private_type        JtR Format
----  ------  -------  ------              -------                                                             -----  ------------        ----------
                       des_password        password                                                                   Password
                       des_password        rEK1ecacw.7.c                                                              Nonreplayable hash  des
                       md5_password        password                                                                   Password
                       md5_password        $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                         Nonreplayable hash  md5
                       bsdi_password       password                                                                   Password
                       bsdi_password       _J9..K0AyUubDrfOgO4s                                                       Nonreplayable hash  bsdi
                       sha256_password     password                                                                   Password
                       sha256_password     $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                    Nonreplayable hash  sha256,crypt
                       sha512_password     password                                                                   Password
                       sha512_password     $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
                       blowfish_password   password                                                                   Password
                       blowfish_password   $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe               Nonreplayable hash  bf
                       lm_password         password                                                                   Password
                       lm_password         e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c          NTLM hash           nt,lm
                       nt_password         password                                                                   Password
                       nt_password         aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c          NTLM hash           nt,lm
                       mssql05_toto        toto                                                                       Password
                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                     Nonreplayable hash  mssql05
                       mssql_foo           foo                                                                        Password
                       mssql_foo           FOO                                                                        Password
                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254         Nonreplayable hash  mssql
                       mssql12_Password1!  Password1!                                                                 Password
                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
                       mysql_probe         probe                                                                      Password
                       mysql_probe         445ff82636a7ba59                                                           Nonreplayable hash  mysql
                       mysql-sha1_tere     tere                                                                       Password
                       mysql-sha1_tere     *5AD8F88516BD021DD43F171E2C785C69F8E54ADB                                  Nonreplayable hash  mysql-sha1
                       simon               A                                                                          Password
                       simon               4F8BC1809CB2AF77                                                           Nonreplayable hash  des,oracle
                       SYSTEM              THALES                                                                     Password
                       SYSTEM              9EEDFA0AD26C6D52                                                           Nonreplayable hash  des,oracle
                       DEMO                epsilon                                                                    Password
                       DEMO                S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
                       oracle11_epsilon    epsilon                                                                    Password
                       oracle11_epsilon    S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
                       oracle12c_epsilon   epsilon                                                                    Password
                       oracle12c_epsilon   H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B         Nonreplayable hash  pbkdf2,oracle12c
                       example             password                                                                   Password
                       example             md5be86a79bf2043622d58d5453c47d4860                                        Postgres md5        raw-md5,postgres
```
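Two details of the run above are worth understanding. LM hashes are cracked as two independent 7-character halves, which is why the pot file holds `$LM$e52cac67419a9a22:PASSWOR` and `$LM$4a3b108f3fa6cb6d:D` as separate lines. And an MSSQL 2000 hash (`0x0100` + salt + SHA-1 of the case-sensitive password + SHA-1 of the uppercased password) begins with what is, byte for byte, a complete mssql05 hash (`0x0100` + salt + SHA-1 of the case-sensitive password), which is why the mssql05 pass reports `mssql_foo:foo` in addition to the mssql pass's `mssql_foo:FOO`. The following Ruby script is an added example, not the module's own code: it implements a minimal pot-file applier over a constructed subset of the hashes on this page. The function names `parse_pot`, `lookup`, `candidates` and `apply_pot`, the cred layout, the made-up NT hash in the last cred, and the assumption that a pot line splits on its first colon are all choices made for this example.

```ruby
# Added example, not the module's own code: a minimal pot-file applier that
# mirrors what auxiliary/analyze/apply_pot does, run over a constructed subset
# of the hashes shown on this page. Function names and the cred layout are
# assumptions made for this example.

# Constructed sample pot file (a subset of the page's .pot lines). The
# single-quoted heredoc keeps the $ characters literal.
SAMPLE_POT = <<~'POT'
  rEK1ecacw.7.c:password
  $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:password
  0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8:foo
  0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:toto
  0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:FOO
  $LM$e52cac67419a9a22:PASSWOR
  $LM$4a3b108f3fa6cb6d:D
  $NT$8846f7eaee8fb117ad06bdd830b7586c:password
POT

# Constructed creds, laid out like the `creds add` lines above. The last one
# uses a made-up NT hash that is deliberately absent from the pot file.
SAMPLE_CREDS = [
  { user: 'des_password', jtr: 'des', hash: 'rEK1ecacw.7.c' },
  { user: 'md5_password', jtr: 'md5', hash: '$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/' },
  { user: 'lm_password', jtr: 'lm', ntlm: 'E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C' },
  { user: 'mssql05_toto', jtr: 'mssql05', hash: '0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908' },
  { user: 'mssql_foo', jtr: 'mssql', hash: '0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254' },
  { user: 'uncracked', jtr: 'nt', ntlm: 'AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF' }
]

# Parse "hash:plaintext" lines into two lookup tables: one keyed verbatim (crypt
# style hashes are case-sensitive) and one keyed on the downcased hash so that
# hex hashes match whatever case the database stored them in. Assumption: the
# separator is the first colon, which holds for every hash type in the sample.
def parse_pot(text)
  pot = { exact: {}, folded: {} }
  text.each_line do |line|
    hash, plain = line.chomp.split(':', 2)
    next if hash.nil? || hash.empty? || plain.nil?
    pot[:exact][hash] = plain
    pot[:folded][hash.downcase] = plain
  end
  pot
end

def lookup(pot, hash)
  pot[:exact][hash] || pot[:folded][hash.downcase]
end

# Expand one cred into the john-style ciphertexts that may appear in a pot
# file, as [label, ciphertext] pairs.
def candidates(cred)
  if cred[:ntlm]
    # NTLM creds carry LM:NT. LM is two independent DES halves, so each half is
    # looked up on its own; NT is a single ciphertext.
    lm, nt = cred[:ntlm].downcase.split(':', 2)
    [['lm1', '$LM$' + lm[0, 16]], ['lm2', '$LM$' + lm[16, 16]], ['nt', '$NT$' + nt]]
  elsif cred[:jtr] == 'mssql' && cred[:hash].length == 94
    # MSSQL 2000: 0x0100 + salt + SHA1(case-sensitive) + SHA1(uppercased). The
    # first 54 hex characters are a complete mssql05 hash, which is why the
    # module's mssql05 pass also reports mssql_foo:foo in the run above.
    [['mssql', cred[:hash]], ['mssql05', cred[:hash][0, 54]]]
  else
    [[cred[:jtr], cred[:hash]]]
  end
end

# Apply the pot table to every cred; returns one entry per recovered password.
# Both LM halves must be present to rebuild the LM password (a lone half is
# dropped here for simplicity; john itself would still show it).
def apply_pot(pot, creds)
  results = []
  creds.each do |cred|
    found = {}
    candidates(cred).each do |label, ciphertext|
      plain = lookup(pot, ciphertext)
      found[label] = plain if plain
    end
    if found['lm1'] && found['lm2']
      results << { user: cred[:user], format: 'lm', password: found['lm1'] + found['lm2'] }
    end
    found.each do |label, plain|
      next if label.start_with?('lm')
      results << { user: cred[:user], format: label, password: plain }
    end
  end
  results
end

if $PROGRAM_NAME == __FILE__
  apply_pot(parse_pot(SAMPLE_POT), SAMPLE_CREDS).each do |r|
    puts "[+] #{r[:user]}:#{r[:password]} (#{r[:format]})"
  end
end
```

Running the script prints the same style of `[+] user:password` lines as the module, including both `mssql_foo:FOO` (mssql) and `mssql_foo:foo` (mssql05) and the reassembled LM password `PASSWORD`; the constructed `uncracked` cred produces nothing because neither its LM halves nor its NT hash are in the pot table.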