metasploit-framework/modules/auxiliary/analyze/jtr_crack_fast.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'
require 'msf/core/auxiliary/jtr'

class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::JohnTheRipper

  def initialize
    super(
      'Name'        => 'John the Ripper Password Cracker (Fast Mode)',
      'Description' => %Q{
          This module uses John the Ripper to identify weak passwords that have been
        acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal
        of this module is to find trivial passwords in a short amount of time. To
        crack complex passwords or use large wordlists, John the Ripper should be
        used outside of Metasploit. This initial version just handles LM/NTLM credentials
        from hashdump and uses the standard wordlist and rules.
      },
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
    )
  end

  def run
    cracker = new_john_cracker

    # generate our wordlist and close the file handle
    wordlist = wordlist_file
    wordlist.close
    print_status "Wordlist file written out to #{wordlist.path}"
    cracker.wordlist = wordlist.path
    cracker.hash_path = hash_file

    ['lm','nt'].each do |format|
      # dupe our original cracker so we can safely change options between each run
      cracker_instance = cracker.dup
      cracker_instance.format = format
      print_status "Cracking #{format} hashes in normal wordlist mode..."
      # Turn on KoreLogic rules if the user asked for it
      if datastore['KoreLogic']
        cracker_instance.rules = 'KoreLogicRules'
        print_status "Applying KoreLogic ruleset..."
      end
      cracker_instance.crack do |line|
        print_status line.chomp
      end

      print_status "Cracking #{format} hashes in single mode..."
      cracker_instance.rules = 'single'
      cracker_instance.crack do |line|
        print_status line.chomp
      end

      if format == 'lm'
        print_status "Cracking #{format} hashes in incremental mode (All4)..."
        cracker_instance.rules = nil
        cracker_instance.wordlist = nil
        cracker_instance.incremental = 'All4'
        cracker_instance.crack do |line|
          print_status line.chomp
        end
      end

      print_status "Cracking #{format} hashes in incremental mode (Digits)..."
      cracker_instance.rules = nil
      cracker_instance.wordlist = nil
      cracker_instance.incremental = 'Digits'
      cracker_instance.crack do |line|
        print_status line.chomp
      end

      print_status "Cracked Passwords this run:"
      cracker_instance.each_cracked_password do |password_line|
        password_line.chomp!
        next if password_line.blank?

        fields = password_line.split(":")
        # If we don't have an expected minimum number of fields, this is probably not a hash line
        next unless fields.count >=7
        username = fields.shift
        core_id = fields.pop

        # pop off dead space here
        2.times{ fields.pop }

        # get the NT and LM hashes
        nt_hash = fields.pop
        lm_hash = fields.pop
        password = fields.join(':')

        if format == 'lm'
          if password.blank?
            if nt_hash == Metasploit::Credential::NTLMHash::BLANK_NT_HASH
              password = ''
            else
              next
            end
          end
          password = john_lm_upper_to_ntlm(password, nt_hash)
          # password can be nil if the hash is broken (i.e., the NT and
          # LM sides don't actually match) or if john was only able to
          # crack one half of the LM hash. In the latter case, we'll
          # have a line like:
          #  username:???????WORD:...:...:::
          next if password.nil?
        end

        print_good "#{username}:#{password}:#{core_id}"
        create_cracked_credential( username: username, password: password, core_id: core_id)
      end
    end
  end

  def hash_file
    hashlist = Rex::Quickfile.new("hashes_tmp")
    Metasploit::Credential::NTLMHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id } ).each do |hash|
      hash.cores.each do |core|
        user = core.public.username
        hash_string = "#{hash.data}"
        id = core.id
        hashlist.puts "#{user}:#{id}:#{hash_string}:::#{id}"
      end
    end
    hashlist.close
    print_status "Hashes Written out to #{hashlist.path}"
    hashlist.path
  end
end
This commit adds a basic "analyzer" module for creds git-svn-id: file:///home/svn/framework3/trunk@13136 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-09 02:14:24 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
This commit adds a basic "analyzer" module for creds git-svn-id: file:///home/svn/framework3/trunk@13136 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-09 02:14:24 +00:00			`##`


			`require 'msf/core'`
missing require 2014-06-25 15:13:41 +00:00			`require 'msf/core/auxiliary/jtr'`
This commit adds a basic "analyzer" module for creds git-svn-id: file:///home/svn/framework3/trunk@13136 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-09 02:14:24 +00:00
use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
This commit adds a basic "analyzer" module for creds git-svn-id: file:///home/svn/framework3/trunk@13136 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-09 02:14:24 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Auxiliary::JohnTheRipper`

			`def initialize`
			`super(`
Don't ignore the Wordlist option 2013-10-15 20:31:03 +00:00			`'Name' => 'John the Ripper Password Cracker (Fast Mode)',`
			`'Description' => %Q{`
Retab modules 2013-08-30 21:28:54 +00:00			`This module uses John the Ripper to identify weak passwords that have been`
			`acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal`
			`of this module is to find trivial passwords in a short amount of time. To`
			`crack complex passwords or use large wordlists, John the Ripper should be`
			`used outside of Metasploit. This initial version just handles LM/NTLM credentials`
			`from hashdump and uses the standard wordlist and rules.`
			`},`
Don't ignore the Wordlist option 2013-10-15 20:31:03 +00:00			`'Author' => 'hdm',`
			`'License' => MSF_LICENSE # JtR itself is GPLv2, but this wrapper is MSF (BSD)`
Retab modules 2013-08-30 21:28:54 +00:00			`)`
			`end`

			`def run`
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`cracker = new_john_cracker`

Use All4 instead of LanMan ... Which was the original behavior. A full incremental LanMan can take many hours instead of the few seconds this module was intended to run. 2014-07-21 23:24:35 +00:00			`# generate our wordlist and close the file handle`
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`wordlist = wordlist_file`
			`wordlist.close`
			`print_status "Wordlist file written out to #{wordlist.path}"`
			`cracker.wordlist = wordlist.path`
			`cracker.hash_path = hash_file`

			`['lm','nt'].each do \|format\|`
			`# dupe our original cracker so we can safely change options between each run`
			`cracker_instance = cracker.dup`
			`cracker_instance.format = format`
			`print_status "Cracking #{format} hashes in normal wordlist mode..."`
give user option to turn on KoreLogic rules the cracker modules in framework now have a datastore option to allow the user to select the KoreLogicRules 2015-01-07 18:32:26 +00:00			`# Turn on KoreLogic rules if the user asked for it`
			`if datastore['KoreLogic']`
			`cracker_instance.rules = 'KoreLogicRules'`
tell suer KoreLogic rules have been applied make sure to rpovide console feedback that we are actually applying the KoreLogic rules to wordlist mode 2015-01-07 18:36:07 +00:00			`print_status "Applying KoreLogic ruleset..."`
give user option to turn on KoreLogic rules the cracker modules in framework now have a datastore option to allow the user to select the KoreLogicRules 2015-01-07 18:32:26 +00:00			`end`
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`cracker_instance.crack do \|line\|`
			`print_status line.chomp`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`print_status "Cracking #{format} hashes in single mode..."`
			`cracker_instance.rules = 'single'`
			`cracker_instance.crack do \|line\|`
			`print_status line.chomp`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

fixed up casing 2014-06-23 20:26:12 +00:00			`if format == 'lm'`
Use All4 instead of LanMan ... Which was the original behavior. A full incremental LanMan can take many hours instead of the few seconds this module was intended to run. 2014-07-21 23:24:35 +00:00			`print_status "Cracking #{format} hashes in incremental mode (All4)..."`
fixed up casing 2014-06-23 20:26:12 +00:00			`cracker_instance.rules = nil`
			`cracker_instance.wordlist = nil`
Use All4 instead of LanMan ... Which was the original behavior. A full incremental LanMan can take many hours instead of the few seconds this module was intended to run. 2014-07-21 23:24:35 +00:00			`cracker_instance.incremental = 'All4'`
fixed up casing 2014-06-23 20:26:12 +00:00			`cracker_instance.crack do \|line\|`
			`print_status line.chomp`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

fixed up casing 2014-06-23 20:26:12 +00:00			`print_status "Cracking #{format} hashes in incremental mode (Digits)..."`
			`cracker_instance.rules = nil`
			`cracker_instance.wordlist = nil`
			`cracker_instance.incremental = 'Digits'`
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`cracker_instance.crack do \|line\|`
			`print_status line.chomp`
Retab modules 2013-08-30 21:28:54 +00:00			`end`

successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`print_status "Cracked Passwords this run:"`
			`cracker_instance.each_cracked_password do \|password_line\|`
			`password_line.chomp!`
			`next if password_line.blank?`

			`fields = password_line.split(":")`
			`# If we don't have an expected minimum number of fields, this is probably not a hash line`
			`next unless fields.count >=7`
			`username = fields.shift`
			`core_id = fields.pop`
fixed up casing 2014-06-23 20:26:12 +00:00
			`# pop off dead space here`
			`2.times{ fields.pop }`

			`# get the NT and LM hashes`
			`nt_hash = fields.pop`
			`lm_hash = fields.pop`
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`password = fields.join(':')`

fixed up casing 2014-06-23 20:26:12 +00:00			`if format == 'lm'`
deal with blank password in ntlm 2014-06-23 20:32:50 +00:00			`if password.blank?`
			`if nt_hash == Metasploit::Credential::NTLMHash::BLANK_NT_HASH`
			`password = ''`
			`else`
			`next`
			`end`
			`end`
fixed up casing 2014-06-23 20:26:12 +00:00			`password = john_lm_upper_to_ntlm(password, nt_hash)`
Fix the case when john cracks only half of LM 2014-07-23 20:25:32 +00:00			`# password can be nil if the hash is broken (i.e., the NT and`
			`# LM sides don't actually match) or if john was only able to`
			`# crack one half of the LM hash. In the latter case, we'll`
			`# have a line like:`
			`# username:???????WORD:...:...:::`
			`next if password.nil?`
fixed up casing 2014-06-23 20:26:12 +00:00			`end`

successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`print_good "#{username}:#{password}:#{core_id}"`
deal with blank password in ntlm 2014-06-23 20:32:50 +00:00			`create_cracked_credential( username: username, password: password, core_id: core_id)`
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`end`
			`end`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`def hash_file`
			`hashlist = Rex::Quickfile.new("hashes_tmp")`
			`Metasploit::Credential::NTLMHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id } ).each do \|hash\|`
			`hash.cores.each do \|core\|`
			`user = core.public.username`
			`hash_string = "#{hash.data}"`
			`id = core.id`
			`hashlist.puts "#{user}:#{id}:#{hash_string}:::#{id}"`
			`end`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
successfully cracking ntlm hashes still need to handle casing for lm 2014-06-23 19:40:32 +00:00			`hashlist.close`
			`print_status "Hashes Written out to #{hashlist.path}"`
			`hashlist.path`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
This commit adds a basic "analyzer" module for creds git-svn-id: file:///home/svn/framework3/trunk@13136 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-09 02:14:24 +00:00			`end`