
Feature/msp 12244/postgres pass the hash #4871

Merged

Conversation

thelightcosine

This PR adds Pass-the-Hash functionality for Postgres.

  • The auxiliary/scanner/postgres/postgres_login module now can reuse postgresmd5 hashes from the database or recognize a postgres md5 hash when given in the format 'md5' as a password.

  • The postgres_hashdump module also now stores postgres hashes into this model

  • The postgres JtR hash cracker also uses the PostgresMD5 model now for finding the right hashes to crack

VERIFICATION STEPS

  • Land PR Feature/msp 12244/postgres pass the hash metasploit-credential#98
  • bundle install to get the latest version of the gem
  • commit the gemfile.lock change
  • OR ping me and I'll do the above two lines and push it.
  • start msfconsole
  • use auxiliary/scanner/postgres/postgres_login
  • target a metasploitable2 instance
  • set username to postgres
  • set password to md53175bce1d3201d16594cebf9d7eb3f9d
  • run
  • VERIFY that it logged in with the hash
  • creds
  • VERIFY you see the cred listed
  • VERIFY the cred has a private type of Postgres Md5
  • use auxiliary/analyze/jtr_postgres_fast
  • run
  • VERIFY it cracks the hash successfully
  • clear your workspace
  • use auxiliary/scanner/postgres/postgres_hashdump
  • target the metasploitable box again
  • set username to postgres
  • set password to postgres
  • run
  • VERIFY you see the hash get snarfed
  • creds
  • VERIFY you see both the password and hash saved in the creds table
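The property this PR relies on, as an added example that is not code from metasploit-framework or the metasploit-credential gem: PostgreSQL stores an md5-auth verifier as `md5` + md5(password + username), and the wire challenge is answered with `md5` + md5(inner_hex + salt), so the cleartext password is never needed once the stored hash is known. The snippet below reproduces that computation, shows the server's own check is the same computation, and classifies a submitted secret as a postgres md5 hash or a plain password the way the credential collection does. The function names, the salt and the `postgres`/`postgres` credential are constructed for the example; the hash string is the one from the verification steps above.

```ruby
require 'digest/md5'

# Added example (not metasploit-framework or metasploit-credential code).
# Shows why a stored PostgreSQL md5 verifier is directly replayable and how a
# credential store can tell such a hash apart from a cleartext password.

# Stored form in pg_authid.rolpassword for md5 auth: "md5" + 32 lowercase hex chars.
# A "md5:<hex>" spelling (as suggested in the thread) is deliberately rejected,
# because that is not what the database holds.
POSTGRES_MD5_RE = /\Amd5[0-9a-f]{32}\z/

# True when a "password" value is really a stored postgres md5 hash.
def postgres_md5_hash?(value)
  POSTGRES_MD5_RE.match?(value)
end

# What PostgreSQL stores for a role using md5 authentication:
# "md5" + md5(password || username). The username acts as the salt.
def stored_postgres_md5(password, username)
  'md5' + Digest::MD5.hexdigest(password + username)
end

# Client side of AuthenticationMD5Password: the server sends a 4-byte salt and
# expects "md5" + md5(inner_hex || salt), where inner_hex is the stored hash
# without its "md5" tag. The cleartext password never enters this step, so
# holding the stored hash is enough to answer the challenge.
def md5_auth_response_from_hash(stored_hash, salt)
  raise ArgumentError, 'not a postgres md5 hash' unless postgres_md5_hash?(stored_hash)
  'md5' + Digest::MD5.hexdigest(stored_hash[3..-1].b + salt.b)
end

# Same response, computed the normal way from a cleartext password.
def md5_auth_response_from_password(password, username, salt)
  md5_auth_response_from_hash(stored_postgres_md5(password, username), salt)
end

# Server side: the server only has the stored hash, so its check is the same
# computation. Anything that leaks pg_authid therefore leaks a working credential.
def server_accepts?(stored_hash, salt, response)
  md5_auth_response_from_hash(stored_hash, salt) == response
end

# Classify submitted secrets the way a credential collection might:
# returns [[value, :postgres_md5 or :password], ...]
def classify_privates(values)
  values.map { |v| [v, postgres_md5_hash?(v) ? :postgres_md5 : :password] }
end

if __FILE__ == $PROGRAM_NAME
  salt = "\x8a\x1f\x33\xc0".b                          # constructed; servers pick 4 random bytes
  stored = stored_postgres_md5('postgres', 'postgres') # constructed credential
  puts "stored verifier:         #{stored}"
  puts "response from password:  #{md5_auth_response_from_password('postgres', 'postgres', salt)}"
  puts "response from hash only: #{md5_auth_response_from_hash(stored, salt)}"
  p classify_privates(['postgres', 'md53175bce1d3201d16594cebf9d7eb3f9d'])
end
```

Run it with `ruby` and the two response lines are identical, which is the whole pass-the-hash point: a dumped `md5...` verifier is as good as the password for md5-auth roles, so a hashdump should be treated as a credential leak rather than as material that still needs cracking. SCRAM-SHA-256 (PostgreSQL 10 and later) does not have this property, because the stored verifier cannot be turned into a client proof on its own.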

David Maloney added 6 commits March 3, 2015 13:16
allow the raw md5 password hash to be passed in instead of
a password for md5 authentication in postgres. Adds an extra exception
class for when an md5 hash is given but the server expects
a different form of authentication.

MSP-12244
add postgres_md5 to the type validation on
Metasploit::Framework::Credential to account
for the new Private type

MSP-12244
the cred collection can now identify a postgres_md5 hash string
and set the type on the Metasploit::Framework::Credential object
appropriately

MSP-12244
instead of nonreplayable hashes the postgres_hashdump
aux module now saves them appropriately as PostgresMD5s
with the md5 tag intact at the front

MSP-12244
update version of metasploit-credential in order
to get the PostgresMD5 hash subtype

MSP-12244
the JtR hash cracker for postgres hashes now uses
the new PostgresMD5 class for finding its hashes

MSP-12244
@thelightcosine thelightcosine added the jira Old label, generally associated with PRs that had pro support and a jira link label Mar 4, 2015
@hdm
Contributor

hdm commented Mar 4, 2015

Minor nitpick on the PTH format, any chance it could be changed to md5:<password hash> (versus without a colon). It makes it a little easier to figure out what is going on by looking at it.

@thelightcosine
Author

@hmoore-r7 that format is exactly how it is stored in the postgres database. That's why it's that way.

@thelightcosine
Author

oops, bad Dave screwing up a regex

@wvu wvu self-assigned this Mar 4, 2015
@todb-r7

todb-r7 commented Mar 4, 2015

Note, the Travis tests will fail out of the gate until the gem is actually updated. This is expected.

update gemfile lock for new credential version

MSP-12244
@wvu wvu added newbie friendly module library hotness Something we're really excited about feature labels Mar 4, 2015
@thelightcosine
Author

arg travis, wtf

screwed it up somehow the first time
@wvu
Contributor

wvu commented Mar 4, 2015

lol travis

pulled re-released metasploit-credential to fix
bug by a hidden change to factories

MSP-1244
@wvu wvu merged commit 8d6ba0e into rapid7:master Mar 4, 2015
wvu added a commit that referenced this pull request Mar 4, 2015
todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Mar 5, 2015
Dave and William did most of the work already over on PR rapid7#4871, this
just points it out in the module.
@todb-r7 todb-r7 mentioned this pull request Mar 5, 2015