Refactor OSX hashdump post module and add support for 10.8+ hashes #2735
* Adds support for MATCHUSER regex option
* Adds support for OSX 10.8 and 10.9 hashes (PBKDF2)
* DRYs up a bunch of older code, adds lots of helper fns
* Ends up shaving off ~20 lines

* Also add spacing and indentation for better readability.
* Refactors grab_shadow_blob method.
Tested successfully on mavericks:
@jvennix-r7 were you able to test on 10.6 / 10.7? I don't have 10.6/10.7 available to test. So if you did and could provide output, that will be enough for me to land :)
||
# Check if NT HASH is present | ||
if hash_decoded =~ /4F1010/ | ||
report_nt_hash(hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)[0][0]) |
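Review bot: In the `report_nt_hash(...)` line, `hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)[0][0]` raises NoMethodError on nil whenever the scan finds nothing, and the guard above it does not rule that out: `hash_decoded =~ /4F1010/` only checks that the first marker occurs somewhere, while the scan also needs the `4F1044` marker after it and only word characters before it on the line. Consider matching once with the full pattern, for example `if hash_decoded =~ /^\w*4F1010(\w*)4F1044/`, and passing `$1` in place of the indexed scan result, so the check and the extraction cannot disagree.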
I miss a second argument for report_nt_hash
@jvazquez-r7 sure I'll test on those later today
@kgray-r7 is going to verify 10.6 and 10.8, I'll re-verify 10.7 later
Found a bug in 10.5/6, fixed and verified working:
Working well in 10.7:
Thanks @jvennix-r7 and @kgray-r7, proceeding with landing!
Note that the `enum_osx` post module duplicates the functionality for hashdump. I am purposefully not updating the duplicate, as this is a bad pattern, and I am in the middle of refactoring enum_osx anyways (branch name `refactor_osx_enum`).

Verification steps:

* `MATCHUSERS` datastore option works as expected

In each instance, verify that the dumped hash is identical to what Dave Grohl outputs with this command: