
implement vnc hash types #16341

Merged
merged 2 commits into from
Mar 22, 2022

Conversation

h00die
Contributor

@h00die h00die commented Mar 13, 2022

fixes #16296

@smashery I know you had claimed the issue, but figured I could help with the hash stuff since I wrote it. Hopefully these changes are easy to merge into the changes you've been working on.

  1. removes the module writing to a john file since this is duplicate functionality already standardized and implemented in the creds command
  2. changed the vnc module to not tack on $vnc$ because that is most likely JTR specific, we'll do that when we export to jtr.
  3. creates a vnc catcher for hash_identify so we can properly detect them, along with a lib
  4. creates a jtr export for vnc hashes
  5. hashcat doesn't have an easy cracker for vnc type, so I linked the latest I could find and just left it at that
  6. rubocop formatting on anything I touched because it's automatic
  7. fixed a bug where we assumed a non-identified hash had a public (username) and, when trying to export it, we crashed hard and fast. This can be tested with:

Verification

  • Follow the steps in VNC Capture server module's JtR output isn't parsed by JtR #16296 to start the server, send a client request. (may want an easy password like password)
  • creds -o /tmp/vnc.jtr
  • john /tmp/vnc.jtr
  • Verify you crack the hash
  • creds add hash:*00112233445566778899aabbccddeeff*6feb3cb1f07b66151656b5832341f223
  • creds -o /tmp/hashes.jtr
  • Verify we no longer crash
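As an added example (not Metasploit's own code), the two export behaviours this PR describes in one place: a hash_identify-style recogniser for the stored `*challenge*response` form, and a JtR export that adds the `$vnc$` marker only at export time and writes an empty username field instead of crashing when a credential has no public. Function names and the sample credential list are constructed for illustration.

```ruby
# Added example, not Metasploit's own code.  Recognise VNC challenge/response
# hashes as the creds table stores them and build John the Ripper input lines.
# Function names and SAMPLE_CREDS are constructed for this illustration.

# Stored form: "*<16-byte challenge hex>*<16-byte response hex>".  An optional
# "$vnc$" marker is tolerated on input so older records are not double-prefixed.
VNC_HASH_RE = /\A(?:\$vnc\$)?\*(?<challenge>\h{32})\*(?<response>\h{32})\z/

# Return 'vnc' for a recognised VNC hash, nil otherwise (the catcher role).
def identify_hash(private_data)
  return nil unless private_data.is_a?(String)
  VNC_HASH_RE.match(private_data) ? 'vnc' : nil
end

# Normalise to the marker-less stored form with lowercase hex.
def normalize_vnc_hash(private_data)
  m = VNC_HASH_RE.match(private_data.to_s) or return nil
  "*#{m[:challenge].downcase}*#{m[:response].downcase}"
end

# One JtR line: "<username>:$vnc$*<challenge>*<response>".  The marker is
# added here, at export time.  A nil public becomes an empty username field
# rather than raising (the crash this PR fixes).
def vnc_to_jtr(public, private_data)
  stored = normalize_vnc_hash(private_data) or return nil
  "#{public.to_s}:$vnc$#{stored}"
end

# Export every VNC credential from a list of {public:, private:} records,
# skipping private values that are not VNC hashes.
def export_vnc_jtr(creds)
  creds.filter_map { |c| vnc_to_jtr(c[:public], c[:private]) }
end

# Constructed sample: the captured pair from this PR, the username-less
# record that used to crash the export, and an unrelated value to be skipped.
SAMPLE_CREDS = [
  { public: nil, private: '*00112233445566778899aabbccddeeff*b7b9c87777661a7a2299733209bfdfce' },
  { public: nil, private: '*00112233445566778899aabbccddeeff*6feb3cb1f07b66151656b5832341f223' },
  { public: 'admin', private: 'not-a-vnc-hash' },
].freeze

puts export_vnc_jtr(SAMPLE_CREDS) if $PROGRAM_NAME == __FILE__
```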

@h00die
Contributor Author

h00die commented Mar 13, 2022

msf6 auxiliary(server/capture/vnc) > run
[*] Auxiliary module running as background job 1.
msf6 auxiliary(server/capture/vnc) > 
[*] Started service listener on 0.0.0.0:5900 
[*] Server started.
previous
msf6 auxiliary(scanner/vnc/vnc_login) > run

[*] 127.0.0.1:5900        - 127.0.0.1:5900 - Starting VNC login sweep
[+] 127.0.0.1:37767 - Challenge: 00112233445566778899aabbccddeeff; Response: b7b9c87777661a7a2299733209bfdfce
[-] 127.0.0.1:5900        - 127.0.0.1:5900 - LOGIN FAILED: :password (Incorrect: Authentication failed)
[+] 127.0.0.1:40427 - Challenge: 00112233445566778899aabbccddeeff; Response: b7b9c87777661a7a2299733209bfdfce
[-] 127.0.0.1:5900        - 127.0.0.1:5900 - LOGIN FAILED: :password (Incorrect: Authentication failed)
[*] 127.0.0.1:5900        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/vnc/vnc_login) > creds
Credentials
===========

host       origin     service                public  private                                                             realm  private_type        JtR Format
----       ------     -------                ------  -------                                                             -----  ------------        ----------
127.0.0.1  127.0.0.1  5900/tcp (vnc_client)          *00112233445566778899aabbccddeeff*b7b9c87777661a7a2299733209bfdfce         Nonreplayable hash  vnc

msf6 auxiliary(scanner/vnc/vnc_login) > creds -o /tmp/vnc.jtr
[*] Wrote creds to /tmp/vnc.jtr
msf6 auxiliary(scanner/vnc/vnc_login) > john /tmp/vnc.jtr
[*] exec: john /tmp/vnc.jtr

Using default input encoding: UTF-8
Loaded 1 password hash (VNC [DES 32/64])
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press Ctrl-C to abort, or send SIGUSR1 to john process for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
password         (?)     
1g 0:00:00:00 DONE 2/3 (2022-03-13 13:27) 16.66g/s 1092Kp/s 1092Kc/s 1092KC/s 123456..Dneirfts
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

@adfoster-r7
Contributor

@msjenkins-r7 retest this please

@adfoster-r7
Contributor

adfoster-r7 commented Mar 22, 2022

@gwillcox-r7 I just assigned @sjanusz-r7 to this, but it looks like you're already testing this functionality in a separate PR? 👀 #16207

Is it worth assigning this to yourself too?

@gwillcox-r7
Contributor

@adfoster-r7 Happy to pick this up seeing as the two are related 👍 Otherwise no issues with @sjanusz-r7 picking this up if he is interested

@gwillcox-r7
Contributor

Verified can capture and crack the hash:

msf6 auxiliary(scanner/vnc/vnc_login) > creds
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

msf6 auxiliary(scanner/vnc/vnc_login) > run

[*] 127.0.0.1:5900        - 127.0.0.1:5900 - Starting VNC login sweep
[+] 127.0.0.1:38299 - Challenge: 00112233445566778899aabbccddeeff; Response: b7b9c87777661a7a2299733209bfdfce
[-] 127.0.0.1:5900        - 127.0.0.1:5900 - LOGIN FAILED: :password (Incorrect: Authentication failed)
[+] 127.0.0.1:43993 - Challenge: 00112233445566778899aabbccddeeff; Response: b7b9c87777661a7a2299733209bfdfce
[-] 127.0.0.1:5900        - 127.0.0.1:5900 - LOGIN FAILED: :password (Incorrect: Authentication failed)
[*] 127.0.0.1:5900        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/vnc/vnc_login) > show options

Module options (auxiliary/scanner/vnc/vnc_login):

   Name              Current Setting                     Required  Description
   ----              ---------------                     --------  -----------
   BLANK_PASSWORDS   false                               no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                   yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                               no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                               no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                               no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                no        Skip existing credentials stored in the current database (Acc
                                                                   epted: none, user, user&realm)
   PASSWORD          password                            no        The password to test
   PASS_FILE         /home/gwillcox/git/metasploit-fram  no        File containing passwords, one per line
                     ework/data/wordlists/vnc_passwords
                     .txt
   Proxies                                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            127.0.0.1                           yes       The target host(s), see https://github.com/rapid7/metasploit-
                                                                   framework/wiki/Using-Metasploit
   RPORT             5900                                yes       The target port (TCP)
   STOP_ON_SUCCESS   false                               yes       Stop guessing when a credential works for a host
   THREADS           1                                   yes       The number of concurrent threads (max one per host)
   USERNAME          user                                no        A specific username to authenticate as
   USERPASS_FILE                                         no        File containing users and passwords separated by space, one p
                                                                   air per line
   USER_AS_PASS      false                               no        Try the username as the password for all users
   USER_FILE                                             no        File containing usernames, one per line
   VERBOSE           true                                yes       Whether to print output for all attempts

msf6 auxiliary(scanner/vnc/vnc_login) > creds
Credentials
===========

host       origin     service                public  private                                                             realm  private_type        JtR Format
----       ------     -------                ------  -------                                                             -----  ------------        ----------
127.0.0.1  127.0.0.1  5900/tcp (vnc_client)          *00112233445566778899aabbccddeeff*b7b9c87777661a7a2299733209bfdfce         Nonreplayable hash  vnc

msf6 auxiliary(scanner/vnc/vnc_login) > creds -o /tmp/vnc.jtr
[*] Wrote creds to /tmp/vnc.jtr
msf6 auxiliary(scanner/vnc/vnc_login) >

And cracking it:

 ~/john-1.9.0-Jumbo-1/run  john /tmp/vnc.jtr                                                                      ✔ │ 3.0.2 Ruby 
Using default input encoding: UTF-8
Loaded 1 password hash (VNC [DES 32/64])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:password.lst, rules:Wordlist
password         (?)
1g 0:00:00:00 DONE 2/3 (2022-03-22 16:51) 20.00g/s 327680p/s 327680c/s 327680C/s 123456..betabeta
Use the "--show" option to display all of the cracked passwords reliably
Session completed
 ~/john-1.9.0-Jumbo-1/run           

@gwillcox-r7
Contributor

And looks like we no longer crash:

msf6 auxiliary(scanner/vnc/vnc_login) > creds add hash:*00112233445566778899aabbccddeeff*6feb3cb1f07b66151656b5832341f223
msf6 auxiliary(scanner/vnc/vnc_login) > creds -o /tmp/vnc.jtr
[*] Wrote creds to /tmp/vnc.jtr
msf6 auxiliary(scanner/vnc/vnc_login) > creds
Credentials
===========

host       origin     service                public  private                                                             realm  private_type        JtR Format
----       ------     -------                ------  -------                                                             -----  ------------        ----------
                                                     *00112233445566778899aabbccddeeff*6feb3cb1f07b66151656b5832341f223         Nonreplayable hash  
127.0.0.1  127.0.0.1  5900/tcp (vnc_client)          *00112233445566778899aabbccddeeff*b7b9c87777661a7a2299733209bfdfce         Nonreplayable hash  vnc

msf6 auxiliary(scanner/vnc/vnc_login) > 

@gwillcox-r7
Contributor

LGTM will land this now 👍

@gwillcox-r7 gwillcox-r7 merged commit 964f78f into rapid7:master Mar 22, 2022
@gwillcox-r7 gwillcox-r7 added the module, library, enhancement, rn-enhancement (release notes enhancement) and rn-fix (release notes fix) labels, and removed the rn-enhancement (release notes enhancement) label Mar 22, 2022
@gwillcox-r7
Contributor

Release Notes

Fixed a bug where the auxiliary/server/capture/vnc module would not output hashes in a format compatible with John The Ripper and also fixed a bug that was causing crashes due to assuming hashes always had an associated username. Support has also been added for exporting VNC hashes into a JTR compatible format for later cracking and the hash_identify function has been updated to properly identify VNC hashes allowing for better hash detection.

@gwillcox-r7
Contributor

Heads up for whoever is doing wrapup this week, this is technically both a bug fix and an enhancement merged into one PR hence the dual labels here.

@adfoster-r7
Contributor

adfoster-r7 commented Mar 22, 2022

@gwillcox-r7 I believe the wrapup generator will prefer placing this in the rn-fix section instead of the rn-enhancement section due to the ordering of the if statements that handle the release note sections; that's a somewhat arbitrary decision, but just a heads-up.

@h00die h00die deleted the vnc_hash branch March 25, 2022 09:28