Updated output formats, top 1000 passwords

data/wordlists/ipmi_passwords.txt

@@ -14,6 +14,7 @@ xupamisto
 Letmein2
 1q2w3e4r
 111111
+
 zero2hero
 admin123
 Flamenco
@@ -68,6 +69,7 @@ sun12345
 siemens123
 hpinvent
 goethe
+compaq
 cisco
 butt
 brian0711
@@ -89,7 +91,6 @@ redhat
 netnet
 letmein
 kalimera
-compaq
 carpediem
 blabla12
 blabla
@@ -315,10 +316,12 @@ stanley
 sofuck
 snickers
 skywalker
+simonb
 shin
 semmi
 sasman
 samsun
+salope
 salamander
 rutabaga
 rosedale
@@ -465,11 +468,9 @@ system32
 strasburg
 start123
 sofresh
-simonb
 setmefree
 seekanddestroy
 secure6
-salope
 root4
 roman123
 riobravo
@@ -518,6 +519,7 @@ number66
 nottelling
 nike2008
 n0d0ubt1
+mwmwmw
 mvemjsunp
 mustang70
 munchkin10
@@ -568,6 +570,7 @@ goldstar
 godblessyou
 getoutofhere
 genius123
+gbpltw
 freetown1
 freedom35
 fotos1
@@ -600,6 +603,7 @@ ciscocisco
 chile62
 check123
 ch4ng3m3
+cdvcdv
 catinthehat
 carla123
 calvin99
@@ -735,6 +739,7 @@ zero0zero
 zaq1xsw2cde3
 yyl
 yes90125
+xyuxyu
 xunlei
 xiazhi
 woelco
@@ -803,6 +808,7 @@ petert999
 pepson
 patrickb123
 password1`
+oqksad
 omfglol1
 ocnc123
 nttocn
@@ -816,7 +822,6 @@ netadmin
 net101
 nemtom1
 n0ttelling
-mwmwmw
 mupali
 mumuland
 mexx6399
@@ -859,7 +864,6 @@ gmmkh
 gigi99
 ghbdtnbr
 gfhjkmrf
-gbpltw
 g8keeper
 fuckbitchesgetmoney
 formeforme
@@ -877,6 +881,7 @@ ddemde
 darwin99
 daemon09
 d0m1n0
+cyphte
 cukorborso
 ctrls
 cti4ever
@@ -887,6 +892,7 @@ cmlslc
 changeme20
 cdwv
 cdn123
+ccaere
 cbtp
 cairell
 cabajka

modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb

@@ -1,4 +1,4 @@
-##
+#
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # web site for more information on licensing and terms of use.
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 
 	def initialize
 		super(
-			'Name'        => 'IPMI 2.0 RAKP Remote Password Hash Retreival',
+			'Name'        => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival',
 			'Description' => %q|
 				This module identifies IPMI 2.0 compatible systems and attempts to retrieve the 
 				HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a 
@@ -41,7 +41,8 @@ class Metasploit3 < Msf::Auxiliary
 			OptPath.new('PASS_FILE', [ true, "File containing common passwords for offline cracking, one per line",
 				File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')
 			]),			
-			OptString.new('OUTPUT_FILE', [false, "File to save captured password hashes into"]),
+			OptString.new('OUTPUT_HASHCAT_FILE', [false, "Save captured password hashes in hashcat format"]),
+			OptString.new('OUTPUT_JOHN_FILE', [false, "Save captured password hashes in john the ripper format"]),
 			OptBool.new('CRACK_COMMON', [true, "Automatically crack common passwords as they are obtained", true])
 		], self.class)
 
@@ -95,14 +96,14 @@ class Metasploit3 < Msf::Auxiliary
 				end
 
 				unless r
-					vprint_status("#{rhost} No response to IPMI open session request, stopping test")
+					vprint_status("#{rhost} No response to IPMI open session request")
 					rakp = nil 
 					break
 				end
 				
 				sess = process_opensession_reply(*r)
 				unless sess
-					vprint_status("#{rhost} Could not understand the response to the open session request, stopping test")
+					vprint_status("#{rhost} Could not understand the response to the open session request")
 					rakp = nil 
 					break
 				end
@@ -164,12 +165,18 @@ class Metasploit3 < Msf::Auxiliary
 				username
 			)
 
-			found = "#{rhost} #{username}:#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}"
+			sha1_salt = hmac_buffer.unpack("H*")[0]
+			sha1_hash = rakp.hmac_sha1.unpack("H*")[0]
+
+			found = "#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}"
 			print_good(found)
 
-			# Write the rakp hash to the output file 
+			# Write the rakp hash to the output files
-			if @output
+			if @output_cat
-				@output.write(found + "\n")
+				@output_cat.write("#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}\n")
+			end
+			if @output_jtr
+				@output_jtr.write("#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}\n")
 			end
 
 			# Write the rakp hash to the database
@@ -179,7 +186,7 @@ class Metasploit3 < Msf::Auxiliary
 				:proto  => 'udp',
 				:sname	=> 'ipmi',
 				:user 	=> username,
-				:pass   => "#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}",
+				:pass   => "#{sha1_salt}:#{sha1_hash}",
 				:source_type => "captured",
 				:active => true,
 				:type   => 'rakp_hmac_sha1_hash'
@@ -261,16 +268,22 @@ class Metasploit3 < Msf::Auxiliary
 
 	def setup
 		super
-		@output = nil
+		@output_cat = nil
-		if datastore['OUTPUT_FILE']
+		@output_jtr = nil
-			@output = ::File.open(datastore['OUTPUT_FILE'], "ab")
+		if datastore['OUTPUT_HASHCAT_FILE']
+			@output_cat = ::File.open(datastore['OUTPUT_HASHCAT_FILE'], "ab")
+		end
+		if datastore['OUTPUT_JOHN_FILE']
+			@output_jtr = ::File.open(datastore['OUTPUT_JOHN_FILE'], "ab")
 		end
 	end
 
 	def cleanup
 		super
-		@output.close if @output
+		@output_cat.close if @output_cat
-		@output = nil
+		@output_cat = nil
+		@output_jtr.close if @output_jtr
+		@output_jtr = nil
 	end
 
 	#

tools/hmac_sha1_crack.rb

@@ -4,7 +4,10 @@
 #
 # This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools 
 # have issues with binary salt values and extremely large salt values. The primary
-# goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes
+# goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes.
+#
+# Support for this format is being added to both hashcat and jtr, hopefully
+# making this code obsolete.
 #
 
 msfbase = __FILE__
@@ -63,11 +66,12 @@ count = 0
 cracked = 0
 
 word_fd.each_line do |line|
-	line = line.unpack("C*").pack("C*").strip
+	line = line.unpack("C*").pack("C*").sub(/\r?\n?$/, '')
+
 	next unless line.length > 0
 	hashes.each do |hinfo|
 		if OpenSSL::HMAC.digest('sha1', line, hinfo[1]) == hinfo[2]
-			$stdout.puts "[+] CRACKED " + hinfo[0]+":"+line
+			$stdout.puts [ hinfo[0], hinfo[1].unpack("H*").first, hinfo[2].unpack("H*").first, line ].join(":")
 			$stdout.flush
 			hinfo[3] = true
 			cracked += 1