jtr modernizations

GSoC/Meterpreter_Web_Console
h00die 2019-01-25 14:07:24 -05:00
parent f04c2537f6
commit 9930edf704
42 changed files with 16164 additions and 2107 deletions

File diff suppressed because it is too large Load Diff

BIN
data/jtr/alnum.chr Normal file

Binary file not shown.

BIN
data/jtr/alnumspace.chr Normal file

Binary file not shown.

BIN
data/jtr/alpha.chr Normal file

Binary file not shown.

BIN
data/jtr/ascii.chr Normal file

Binary file not shown.

BIN
data/jtr/digits.chr Normal file

Binary file not shown.

1395
data/jtr/dumb16.conf Normal file

File diff suppressed because it is too large Load Diff

2368
data/jtr/dumb32.conf Normal file

File diff suppressed because it is too large Load Diff

1300
data/jtr/dynamic.conf Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,525 @@
# the set of dynamics was not disabled due to not working, but due to simply
# being academic formats, and test cases, and not ITW formats
dynamic_51 = Y
dynamic_52 = Y
dynamic_53 = Y
dynamic_54 = Y
dynamic_55 = Y
dynamic_56 = Y
dynamic_57 = Y
dynamic_58 = Y
# dyna-61 used by formspring and should not be disabled.
dynamic_61 = N
dynamic_62 = Y
dynamic_63 = Y
dynamic_64 = Y
dynamic_65 = Y
dynamic_66 = Y
dynamic_67 = Y
dynamic_68 = Y
dynamic_71 = Y
dynamic_72 = Y
dynamic_73 = Y
dynamic_74 = Y
dynamic_75 = Y
dynamic_76 = Y
dynamic_77 = Y
dynamic_78 = Y
dynamic_81 = Y
dynamic_82 = Y
dynamic_83 = Y
dynamic_84 = Y
dynamic_85 = Y
dynamic_86 = Y
dynamic_87 = Y
dynamic_88 = Y
dynamic_91 = Y
dynamic_92 = Y
dynamic_93 = Y
dynamic_94 = Y
dynamic_95 = Y
dynamic_96 = Y
dynamic_97 = Y
dynamic_98 = Y
dynamic_101 = Y
dynamic_102 = Y
dynamic_103 = Y
dynamic_104 = Y
dynamic_105 = Y
dynamic_106 = Y
dynamic_107 = Y
dynamic_108 = Y
dynamic_111 = Y
dynamic_112 = Y
dynamic_113 = Y
dynamic_114 = Y
dynamic_115 = Y
dynamic_116 = Y
dynamic_117 = Y
dynamic_118 = Y
dynamic_121 = Y
dynamic_122 = Y
dynamic_123 = Y
dynamic_124 = Y
dynamic_125 = Y
dynamic_126 = Y
dynamic_127 = Y
dynamic_128 = Y
dynamic_131 = Y
dynamic_132 = Y
dynamic_133 = Y
dynamic_134 = Y
dynamic_135 = Y
dynamic_136 = Y
dynamic_137 = Y
dynamic_138 = Y
dynamic_141 = Y
dynamic_142 = Y
dynamic_143 = Y
dynamic_144 = Y
dynamic_145 = Y
dynamic_146 = Y
dynamic_147 = Y
dynamic_148 = Y
dynamic_151 = Y
dynamic_152 = Y
dynamic_153 = Y
dynamic_154 = Y
dynamic_155 = Y
dynamic_156 = Y
dynamic_157 = Y
dynamic_158 = Y
dynamic_161 = Y
dynamic_162 = Y
dynamic_163 = Y
dynamic_164 = Y
dynamic_165 = Y
dynamic_166 = Y
dynamic_167 = Y
dynamic_168 = Y
dynamic_171 = Y
dynamic_172 = Y
dynamic_173 = Y
dynamic_174 = Y
dynamic_175 = Y
dynamic_176 = Y
dynamic_177 = Y
dynamic_178 = Y
dynamic_181 = Y
dynamic_182 = Y
dynamic_183 = Y
dynamic_184 = Y
dynamic_185 = Y
dynamic_186 = Y
dynamic_187 = Y
dynamic_188 = Y
dynamic_191 = Y
dynamic_192 = Y
dynamic_193 = Y
dynamic_194 = Y
dynamic_195 = Y
dynamic_196 = Y
dynamic_197 = Y
dynamic_198 = Y
dynamic_201 = Y
dynamic_202 = Y
dynamic_203 = Y
dynamic_204 = Y
dynamic_205 = Y
dynamic_206 = Y
dynamic_207 = Y
dynamic_208 = Y
dynamic_211 = Y
dynamic_212 = Y
dynamic_213 = Y
dynamic_214 = Y
dynamic_215 = Y
dynamic_216 = Y
dynamic_217 = Y
dynamic_218 = Y
dynamic_221 = Y
dynamic_222 = Y
dynamic_223 = Y
dynamic_224 = Y
dynamic_225 = Y
dynamic_226 = Y
dynamic_227 = Y
dynamic_228 = Y
dynamic_231 = Y
dynamic_232 = Y
dynamic_233 = Y
dynamic_234 = Y
dynamic_235 = Y
dynamic_236 = Y
dynamic_237 = Y
dynamic_238 = Y
dynamic_241 = Y
dynamic_242 = Y
dynamic_243 = Y
dynamic_244 = Y
dynamic_245 = Y
dynamic_246 = Y
dynamic_247 = Y
dynamic_248 = Y
dynamic_251 = Y
dynamic_252 = Y
dynamic_253 = Y
dynamic_254 = Y
dynamic_255 = Y
dynamic_256 = Y
dynamic_257 = Y
dynamic_258 = Y
dynamic_261 = Y
dynamic_262 = Y
dynamic_263 = Y
dynamic_264 = Y
dynamic_265 = Y
dynamic_266 = Y
dynamic_267 = Y
dynamic_268 = Y
dynamic_271 = Y
dynamic_272 = Y
dynamic_273 = Y
dynamic_274 = Y
dynamic_275 = Y
dynamic_276 = Y
dynamic_277 = Y
dynamic_278 = Y
dynamic_281 = Y
dynamic_282 = Y
dynamic_283 = Y
dynamic_284 = Y
dynamic_285 = Y
dynamic_286 = Y
dynamic_287 = Y
dynamic_288 = Y
dynamic_291 = Y
dynamic_292 = Y
dynamic_293 = Y
dynamic_294 = Y
dynamic_295 = Y
dynamic_296 = Y
dynamic_297 = Y
dynamic_298 = Y
dynamic_301 = Y
dynamic_302 = Y
dynamic_303 = Y
dynamic_304 = Y
dynamic_305 = Y
dynamic_306 = Y
dynamic_307 = Y
dynamic_308 = Y
dynamic_311 = Y
dynamic_312 = Y
dynamic_313 = Y
dynamic_314 = Y
dynamic_315 = Y
dynamic_316 = Y
dynamic_317 = Y
dynamic_318 = Y
dynamic_321 = Y
dynamic_322 = Y
dynamic_323 = Y
dynamic_324 = Y
dynamic_325 = Y
dynamic_326 = Y
dynamic_327 = Y
dynamic_328 = Y
dynamic_331 = Y
dynamic_332 = Y
dynamic_333 = Y
dynamic_334 = Y
dynamic_335 = Y
dynamic_336 = Y
dynamic_337 = Y
dynamic_338 = Y
dynamic_341 = Y
dynamic_342 = Y
dynamic_343 = Y
dynamic_344 = Y
dynamic_345 = Y
dynamic_346 = Y
dynamic_347 = Y
dynamic_348 = Y
dynamic_351 = Y
dynamic_352 = Y
dynamic_353 = Y
dynamic_354 = Y
dynamic_355 = Y
dynamic_356 = Y
dynamic_357 = Y
dynamic_358 = Y
dynamic_361 = Y
dynamic_362 = Y
dynamic_363 = Y
dynamic_364 = Y
dynamic_365 = Y
dynamic_366 = Y
dynamic_367 = Y
dynamic_368 = Y
dynamic_371 = Y
dynamic_372 = Y
dynamic_373 = Y
dynamic_374 = Y
dynamic_375 = Y
dynamic_376 = Y
dynamic_377 = Y
dynamic_378 = Y
dynamic_381 = Y
dynamic_382 = Y
dynamic_383 = Y
dynamic_384 = Y
dynamic_385 = Y
dynamic_386 = Y
dynamic_387 = Y
dynamic_388 = Y
dynamic_391 = Y
dynamic_392 = Y
dynamic_393 = Y
dynamic_394 = Y
dynamic_395 = Y
dynamic_396 = Y
dynamic_397 = Y
dynamic_398 = Y
dynamic_401 = Y
dynamic_402 = Y
dynamic_403 = Y
dynamic_404 = Y
dynamic_405 = Y
dynamic_406 = Y
dynamic_407 = Y
dynamic_408 = Y
dynamic_411 = Y
dynamic_412 = Y
dynamic_413 = Y
dynamic_414 = Y
dynamic_415 = Y
dynamic_416 = Y
dynamic_417 = Y
dynamic_418 = Y
dynamic_421 = Y
dynamic_422 = Y
dynamic_423 = Y
dynamic_424 = Y
dynamic_425 = Y
dynamic_426 = Y
dynamic_427 = Y
dynamic_428 = Y
dynamic_431 = Y
dynamic_432 = Y
dynamic_433 = Y
dynamic_434 = Y
dynamic_435 = Y
dynamic_436 = Y
dynamic_437 = Y
dynamic_438 = Y
dynamic_441 = Y
dynamic_442 = Y
dynamic_443 = Y
dynamic_444 = Y
dynamic_445 = Y
dynamic_446 = Y
dynamic_447 = Y
dynamic_448 = Y
dynamic_451 = Y
dynamic_452 = Y
dynamic_453 = Y
dynamic_454 = Y
dynamic_455 = Y
dynamic_456 = Y
dynamic_457 = Y
dynamic_458 = Y
dynamic_461 = Y
dynamic_462 = Y
dynamic_463 = Y
dynamic_464 = Y
dynamic_465 = Y
dynamic_466 = Y
dynamic_467 = Y
dynamic_468 = Y
dynamic_471 = Y
dynamic_472 = Y
dynamic_473 = Y
dynamic_474 = Y
dynamic_475 = Y
dynamic_476 = Y
dynamic_477 = Y
dynamic_478 = Y
dynamic_481 = Y
dynamic_482 = Y
dynamic_483 = Y
dynamic_484 = Y
dynamic_485 = Y
dynamic_486 = Y
dynamic_487 = Y
dynamic_488 = Y
dynamic_491 = Y
dynamic_492 = Y
dynamic_493 = Y
dynamic_494 = Y
dynamic_495 = Y
dynamic_496 = Y
dynamic_497 = Y
dynamic_498 = Y
dynamic_501 = Y
dynamic_502 = Y
dynamic_503 = Y
dynamic_504 = Y
dynamic_505 = Y
dynamic_506 = Y
dynamic_507 = Y
dynamic_508 = Y
dynamic_511 = Y
dynamic_512 = Y
dynamic_513 = Y
dynamic_514 = Y
dynamic_515 = Y
dynamic_516 = Y
dynamic_517 = Y
dynamic_518 = Y
dynamic_521 = Y
dynamic_522 = Y
dynamic_523 = Y
dynamic_524 = Y
dynamic_525 = Y
dynamic_526 = Y
dynamic_527 = Y
dynamic_528 = Y
dynamic_531 = Y
dynamic_532 = Y
dynamic_533 = Y
dynamic_534 = Y
dynamic_535 = Y
dynamic_536 = Y
dynamic_537 = Y
dynamic_538 = Y
dynamic_541 = Y
dynamic_542 = Y
dynamic_543 = Y
dynamic_544 = Y
dynamic_545 = Y
dynamic_546 = Y
dynamic_547 = Y
dynamic_548 = Y
dynamic_551 = Y
dynamic_552 = Y
dynamic_553 = Y
dynamic_554 = Y
dynamic_555 = Y
dynamic_556 = Y
dynamic_557 = Y
dynamic_558 = Y
dynamic_561 = Y
dynamic_562 = Y
dynamic_563 = Y
dynamic_564 = Y
dynamic_565 = Y
dynamic_566 = Y
dynamic_567 = Y
dynamic_568 = Y
dynamic_571 = Y
dynamic_572 = Y
dynamic_573 = Y
dynamic_574 = Y
dynamic_575 = Y
dynamic_576 = Y
dynamic_577 = Y
dynamic_578 = Y
dynamic_581 = Y
dynamic_582 = Y
dynamic_583 = Y
dynamic_584 = Y
dynamic_585 = Y
dynamic_586 = Y
dynamic_587 = Y
dynamic_588 = Y
dynamic_591 = Y
dynamic_592 = Y
dynamic_593 = Y
dynamic_594 = Y
dynamic_595 = Y
dynamic_596 = Y
dynamic_597 = Y
dynamic_598 = Y
dynamic_601 = Y
dynamic_602 = Y
dynamic_603 = Y
dynamic_604 = Y
dynamic_605 = Y
dynamic_606 = Y
dynamic_607 = Y
dynamic_608 = Y
dynamic_611 = Y
dynamic_612 = Y
dynamic_613 = Y
dynamic_614 = Y
dynamic_615 = Y
dynamic_616 = Y
dynamic_617 = Y
dynamic_618 = Y
dynamic_621 = Y
dynamic_622 = Y
dynamic_623 = Y
dynamic_624 = Y
dynamic_625 = Y
dynamic_626 = Y
dynamic_627 = Y
dynamic_628 = Y
dynamic_631 = Y
dynamic_632 = Y
dynamic_633 = Y
dynamic_634 = Y
dynamic_635 = Y
dynamic_636 = Y
dynamic_637 = Y
dynamic_638 = Y
dynamic_641 = Y
dynamic_642 = Y
dynamic_643 = Y
dynamic_644 = Y
dynamic_645 = Y
dynamic_646 = Y
dynamic_647 = Y
dynamic_648 = Y
dynamic_651 = Y
dynamic_652 = Y
dynamic_653 = Y
dynamic_654 = Y
dynamic_655 = Y
dynamic_656 = Y
dynamic_657 = Y
dynamic_658 = Y
dynamic_661 = Y
dynamic_662 = Y
dynamic_663 = Y
dynamic_664 = Y
dynamic_665 = Y
dynamic_666 = Y
dynamic_667 = Y
dynamic_668 = Y
dynamic_671 = Y
dynamic_672 = Y
dynamic_673 = Y
dynamic_674 = Y
dynamic_675 = Y
dynamic_676 = Y
dynamic_677 = Y
dynamic_678 = Y
dynamic_681 = Y
dynamic_682 = Y
dynamic_683 = Y
dynamic_684 = Y
dynamic_685 = Y
dynamic_686 = Y
dynamic_687 = Y
dynamic_688 = Y
dynamic_691 = Y
dynamic_692 = Y
dynamic_693 = Y
dynamic_694 = Y
dynamic_695 = Y
dynamic_696 = Y
dynamic_697 = Y
dynamic_698 = Y
dynamic_1033 = Y

View File

@ -0,0 +1,212 @@
# NOTE, same format as dynamic_0 It is slower (50% slower, or more). But it is not limited to 55 byte passwords.
# This should work for passwords up to 110 bytes long (max length dynamic will currently allow). It should not be
# used for shorter passwords (under 55 bytes). Use dyna_0 for those.
[List.Generic:dynamic_2000]
Expression=md5($p) (PW > 55 bytes)
Flag=MGF_FLAT_BUFFERS
Flag=MGF_KEYS_INPUT
Flag=MGF_SOURCE
Flag=MGF_POOR_OMP
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
Test=$dynamic_2000$5a105e8b9d40e1329780d62ea2265d8a:test1
Test=$dynamic_2000$378e2c4a07968da2eca692320136433d:thatsworking
Test=$dynamic_2000$8ad8757baa8564dc136c1e07507f4a98:test3
TestD=$dynamic_2000$a4b3933521a38111eb597dd8dbc47614:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2001]
Expression=md5($p.$s) (joomla) (PW > 23 bytes)
Flag=MGF_FLAT_BUFFERS
Flag=MGF_SALTED
SaltLen=-64
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__append_keys
Func=DynamicFunc__append_salt
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
Test=$dynamic_2001$ed52af63d8ecf0c682442dfef5f36391$1aDNNojYGSc7pSzcdxKxhbqvLtEe4deG:test1
Test=$dynamic_2001$4fa1e9d54d89bfbe48b4c0f0ca0a3756$laxcaXPjgcdKdKEbkX1SIjHKm0gfYt1c:thatsworking
Test=$dynamic_2001$82568eeaa1fcf299662ccd59d8a12f54$BdWwFsbGtXPGc0H1TBxCrn0GasyAlJBJ:test3
TestD=$dynamic_2001$a4d4ce08d9dec5336d2a137cdab28624$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2002]
Expression=md5(md5($p)) (e107) (PW > 55 bytes)
Flag=MGF_KEYS_INPUT
Flag=MGF_FLAT_BUFFERS
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__MD5_crypt_input1_overwrite_input2
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
Test=$dynamic_2002$418d89a45edadb8ce4da17e07f72536c:test1
Test=$dynamic_2002$ccd3c4231a072b5e13856a2059d04fad:thatsworking
Test=$dynamic_2002$9992295627e7e7162bdf77f14734acf8:test3
TestD=$dynamic_2002$827b31e7fae2cdb3af70be9560162500:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2003]
Expression=md5(md5(md5($p))) (PW > 55 bytes)
Flag=MGF_KEYS_INPUT
Flag=MGF_FLAT_BUFFERS
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__MD5_crypt_input1_overwrite_input2
Func=DynamicFunc__MD5_crypt_input2_overwrite_input2
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
Test=$dynamic_2003$964c02612b2a1013ed26d46ba9a73e74:test1
Test=$dynamic_2003$5d7e6330f69548797c07d97c915690fe:thatsworking
Test=$dynamic_2003$2e54db8c72b312007f3f228d9d4dd34d:test3
TestD=$dynamic_2003$35297f9d34baa8e3ca3e5b23155be26f:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2004]
Expression=md5($s.$p) (OSC) (PW > 31 bytes)
Flag=MGF_SALTED
Flag=MGF_FLAT_BUFFERS
SaltLen=-64
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__append_salt
Func=DynamicFunc__append_keys
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
Test=$dynamic_2004$c02e8eef3eaa1a813c2ff87c1780f9ed$123456:test1
Test=$dynamic_2004$4a2a1b013da3cda7f7e0625cf3dc3f4c$1234:thatsworking
Test=$dynamic_2004$3a032e36a9609df6411b8004070431d3$aaaaa:test3
TestD=$dynamic_2004$d75040e824c1f9e4efd67c19961ddf4d$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2005]
Expression=md5($s.$p.$s) (PW > 31 bytes)
Flag=MGF_SALTED
Flag=MGF_FLAT_BUFFERS
SaltLen=-40
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__append_salt
Func=DynamicFunc__append_keys
Func=DynamicFunc__append_salt
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
Test=$dynamic_2005$c1003cd39cb5523dd0923a94ab15a3c7$123456:test1
Test=$dynamic_2005$c1c8618abfc7bdbc4a3c49c2c2c48f82$1234:thatsworking
Test=$dynamic_2005$e7222e806a8ce5efa6d48acb3aa56dc2$aaaaa:test3
TestD=$dynamic_2005$ba5528ac65c20213e105bb02e6aaf6a2$1234567890123456789012345678901234567890:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2006]
Expression=md5(md5($p).$s) (PW > 55 bytes)
Flag=MGF_SALTED
Flag=MGF_KEYS_BASE16_IN1
Flag=MGF_FLAT_BUFFERS
SaltLen=-64
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__set_input_len_32
Func=DynamicFunc__append_salt
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
Test=$dynamic_2006$3a9ae23758f05da1fe539e55a096b03b$S111XB:test1
Test=$dynamic_2006$9694d706d1992abf04344c1e7da1c5d3$T &222:thatsworking
Test=$dynamic_2006$b7a7f0c374d73fac422bb01f07f5a9d4$lxxxl:test3
Test=$dynamic_2006$9164fe53be481f811f15efd769aaf0f7$aReallyLongSaltHere:test3
TestD=$dynamic_2006$7308f7ca156d77564a5dab25d4be0f34$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2008]
Expression=md5(md5($s).$p) (PW > 23 bytes)
Flag=MGF_SALTED
Flag=MGF_SALT_AS_HEX
Flag=MGF_FLAT_BUFFERS
SaltLen=-64
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__append_salt
Func=DynamicFunc__append_keys
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
Test=$dynamic_2008$534c2fb38e757d9448315abb9822db00$aaaSXB:test1
Test=$dynamic_2008$02547864bed278658e8f54dd6dfd69b7$123456:thatsworking
Test=$dynamic_2008$2f6f3881972653ebcf86e5ad3071a4ca$5555hh:test3
TestD=$dynamic_2008$a96d6ab818950bafc6baeaa80df5ec5c$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2009]
Expression=md5($s.md5($p)) (salt > 23 bytes)
Flag=MGF_SALTED
Flag=MGF_KEYS_BASE16_IN1
Flag=MGF_FLAT_BUFFERS
SaltLen=-200
MaxInputLenX86=40
MaxInputLen=40
Func=DynamicFunc__clean_input2_kwik
Func=DynamicFunc__append_salt2
Func=DynamicFunc__append_input2_from_input
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
Test=$dynamic_2009$b38c18b5e5b676e211442bd41000b2ec$aaaSXB:test1
Test=$dynamic_2009$4dde7cd4cbf0dc4c59b255ae77352914$123456:thatsworking
Test=$dynamic_2009$899af20e3ebdd77aaecb0d9bc5fbbb66$5555hh:test3
[List.Generic:dynamic_2010]
Expression=md5($s.md5($s.$p)) (PW > 32 or salt > 23 bytes)
Flag=MGF_SALTED
#Flag=MGF_KEYS_BASE16_IN1
Flag=MGF_FLAT_BUFFERS
SaltLen=-64
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__clean_input2_kwik
Func=DynamicFunc__append_salt2
Func=DynamicFunc__append_salt
Func=DynamicFunc__append_keys
Func=DynamicFunc__MD5_crypt_input1_append_input2
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
Test=$dynamic_2010$781f83a676f45169dcfc7f36dfcdc3d5$aaaSXB:test1
Test=$dynamic_2010$f385748e67a2dc1f6379b9124fabc0df$123456:thatsworking
Test=$dynamic_2010$9e3702bb13386270cd4b0bd4dbdd489e$5555hh:test3
TestD=$dynamic_2010$74fe90a89e9e6ee5ea28d4a92640eda5$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
[List.Generic:dynamic_2011]
Expression=md5($s.md5($p.$s)) (PW > 32 or salt > 23 bytes)
Flag=MGF_SALTED
#Flag=MGF_KEYS_BASE16_IN1
Flag=MGF_FLAT_BUFFERS
SaltLen=-64
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__append_keys
Func=DynamicFunc__clean_input2_kwik
Func=DynamicFunc__append_salt2
Func=DynamicFunc__append_salt
Func=DynamicFunc__MD5_crypt_input1_append_input2
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
Test=$dynamic_2011$f809a64cbd0d23e099cd5b544c8501ac$aaaSXB:test1
Test=$dynamic_2011$979e6671535cda6db95357d8a0afd9ac$123456:thatsworking
Test=$dynamic_2011$78a61ea73806ebf27bef2ab6a9bf5412$5555hh:test3
TestD=$dynamic_2011$d5acc2492e19cbf252d54942b4c7620b$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
#[List.Generic:dynamic_2012]
#dynamic_12 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2012
#[List.Generic:dynamic_2013]
#dynamic_13 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2013
[List.Generic:dynamic_2014]
Expression=md5($s.md5($p).$s) (PW > 55 or salt > 11 bytes)
Flag=MGF_SALTED
Flag=MGF_KEYS_BASE16_IN1
Flag=MGF_FLAT_BUFFERS
SaltLen=-40
MaxInputLenX86=110
MaxInputLen=110
Func=DynamicFunc__clean_input2_kwik
Func=DynamicFunc__append_salt2
Func=DynamicFunc__append_input2_from_input
Func=DynamicFunc__append_salt2
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
Test=$dynamic_2014$778e40e10d82a08f5377992330008cbe$aaaSXB:test1
Test=$dynamic_2014$d6321956964b2d27768df71d139eabd2$123456:thatsworking
Test=$dynamic_2014$1b3c72e16427a2f4f0819243877f7967$5555hh:test3
TestD=$dynamic_2014$6f20299d2e889eea146d141e92e91da1$1234567890123456789012345678901234567890:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
#[List.Generic:dynamic_2015]
#dynamic_15 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2015
#[List.Generic:dynamic_2016]
#dynamic_16 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2016

344
data/jtr/hybrid.conf Normal file
View File

@ -0,0 +1,344 @@
[List.HybridLeet:new]
int i, j;
int c, p;
int totrots;
int length;
/* Get the word length */
length = 0; while (word[length++]) ; --length;
/* Skip if this word length is out of bounds
This should not be necessary, but we'll leave it here to be defensive */
if (req_minlen > length || (req_maxlen && req_maxlen < length ))
{
hybrid_total = 0;
return;
}
/* Calculate word rotations */
word_rot_count=0; /* Number of letter positions we are rotating for this word */
totrots = 1; /* Number of total rotation iterations */
i=0;
while (i < length)
{
/* is this letter one of our rotators? a,A, b,B etc*/
c = word[i];
j = 0;
while (j < rot_poslen)
{
p = rot_pos[j];
if (c == rot_chars[p] || c == rot_chars[p+1]) /* Is 'a' or 'A' for example */
{
word_rot_idx[word_rot_count] = i; /* Save off which letter position in the word we are rotating */
word_rot_pos[word_rot_count] = j; /* Save off the rotation position for this slot */
word_rotchars_pos[word_rot_count] = p; /* Save off the first letter position in the rotation */
word_rot_count++;
/* Also, set the word to the first letter in the rotation so we ensure to go through all of them */
word[i] = rot_chars[p];
/* And multiple number of total rotations by the number of rotations for this position */
totrots = totrots * rot_len[j];
break;
}
j++;
}
i++;
}
hybrid_total = totrots;
/* Reset or counter for THIS word. */
word_rot_current = 0;
[List.External:HybridLeet]
/*
Static context
String lengths here are arbitrary, increase them if you increase the
size of the stuff in the init() procedure
*/
int rot_chars[256]; /* All characters to rotate */
int rot_charslen; /* The length of the rot_chars buffer */
int rot_len[26]; /* The number of characters to rotate through per letter */
int rot_pos[26]; /* The starting position of each letter group in the rot_chars string */
int rot_poslen; /* Length of rot_pos and rot_len arrays (both same size) */
int word_rot_idx[128]; /* The positions in the current word that require rotations (index into word)*/
int word_rot_pos[128]; /* The rot_pos index for each letter position in the current word that we are rotating (index into rot_pos)*/
int word_rotchars_pos[128]; /* The current rot_chars index for each letter position in the current word that we are rotating (state of rotation, index into rot_chars)*/
int word_rot_count; /* The number of letters that we are rotating in the current word (size of word_rot_idx, word_rot_pos, and word_rotchars_pos) */
int word_rot_current; /* The rotation number of the current word */
void init()
{
int rci;
int ri;
rot_charslen=0;
rci=0;
ri=0;
/* a */
rot_pos[ri] = rci;
rot_chars[rci++] = 'a'; /* The first two chars are always the lower */
rot_chars[rci++] = 'A'; /* and upper case letters to rotate on */
rot_chars[rci++] = '4';
rot_chars[rci++] = '@';
rot_chars[rci++] = '8';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* b */
rot_pos[ri] = rci;
rot_chars[rci++] = 'b';
rot_chars[rci++] = 'B';
rot_chars[rci++] = '8';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'c';
rot_chars[rci++] = 'C';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'd';
rot_chars[rci++] = 'D';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* e */
rot_pos[ri] = rci;
rot_chars[rci++] = 'e';
rot_chars[rci++] = 'E';
rot_chars[rci++] = '3';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'f';
rot_chars[rci++] = 'F';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'g';
rot_chars[rci++] = 'G';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* h */
rot_pos[ri] = rci;
rot_chars[rci++] = 'h';
rot_chars[rci++] = 'H';
rot_chars[rci++] = '#';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* i */
rot_pos[ri] = rci;
rot_chars[rci++] = 'i';
rot_chars[rci++] = 'I';
rot_chars[rci++] = '1';
rot_chars[rci++] = '!';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'j';
rot_chars[rci++] = 'J';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'k';
rot_chars[rci++] = 'K';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* l */
rot_pos[ri] = rci;
rot_chars[rci++] = 'l';
rot_chars[rci++] = 'L';
rot_chars[rci++] = '1';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'm';
rot_chars[rci++] = 'M';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'n';
rot_chars[rci++] = 'N';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* o */
rot_pos[ri] = rci;
rot_chars[rci++] = 'o';
rot_chars[rci++] = 'O';
rot_chars[rci++] = '0';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'p';
rot_chars[rci++] = 'P';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'q';
rot_chars[rci++] = 'Q';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'r';
rot_chars[rci++] = 'R';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* s */
rot_pos[ri] = rci;
rot_chars[rci++] = 's';
rot_chars[rci++] = 'S';
rot_chars[rci++] = '$';
rot_chars[rci++] = '5';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
/* t */
rot_pos[ri] = rci;
rot_chars[rci++] = 't';
rot_chars[rci++] = 'T';
rot_chars[rci++] = '+';
rot_chars[rci++] = '7';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'u';
rot_chars[rci++] = 'U';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'v';
rot_chars[rci++] = 'V';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'w';
rot_chars[rci++] = 'W';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'x';
rot_chars[rci++] = 'X';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'y';
rot_chars[rci++] = 'Y';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_pos[ri] = rci;
rot_chars[rci++] = 'z';
rot_chars[rci++] = 'Z';
rot_len[ri] = (rci - rot_pos[ri]);
ri++;
rot_charslen = rci;
rot_poslen = ri;
}
/* new word */
void new()
{
.include [List.HybridLeet:new]
}
void next()
{
int i, j;
/* If we have reached the maximum number of rotations, we're done */
if (word_rot_current == hybrid_total)
{
word[0] = 0;
return;
}
/* set word[] to the next candidate */
i=0;
while (i < word_rot_count)
{
/* Replace letter in word with appropriate rotated letter fom rot_chars */
word[word_rot_idx[i]] = rot_chars[word_rotchars_pos[i]];
i++;
}
/* Rotate the word_rotchars_pos */
i=0;
while (i < word_rot_count)
{
word_rotchars_pos[i]++;
j = word_rot_pos[i];
if (word_rotchars_pos[i] != (rot_pos[j] + rot_len[j]))
{
/* No carry */
break;
}
/* Rotation overflow, carry to next rotation */
word_rotchars_pos[i] = rot_pos[j];
i++;
}
word_rot_current++;
}
/* Called when restoring an interrupted session */
void restore()
{
int wrc;
.include [List.HybridLeet:new]
/* Pick up the current iteration */
word_rot_current = hybrid_resume;
/* Zoom the word_rotchars_pos to the hybrid_resume iteration */
i=0;
wrc = word_rot_current;
while (i < word_rot_count)
{
j = word_rot_pos[i];
/* Rotate this position */
word_rotchars_pos[i] = rot_pos[j] + (wrc % rot_len[j]);
wrc = wrc / rot_len[j];
i++;
}
}

3899
data/jtr/john.conf Executable file

File diff suppressed because it is too large Load Diff

522
data/jtr/korelogic.conf Normal file
View File

@ -0,0 +1,522 @@
####################################################################
# KoreLogic Custom John the Ripper Rules:
####################################################################
# Use this rule with 2EVERYTHING.dic or 3EVERYTHING.dic
[List.Rules:PrependSeason]
a6 A0"[Ss$][uU][mM][mM][eE3][rR]"
a6 A0"[Ww][iI|][nN][tT+][eE3][rR]"
a4 A0"[Ff][aA][lL][lL]"
a6 A0"[Ss][pP][rR][iI][nN][gG]"
a6 A0"[Aa][uU][tT][uU][mM][nN]"
# Use this rule with 2EVERYTHING.dic or 3EVERYTHING.dic
[List.Rules:AppendSeason]
a6 Az"[Ss$][uU][mM][mM][eE3][rR]"
a6 Az"[Ww][iI|][nN][tT+][eE3][rR]"
a6 Az"[Ff][aA][lL][lL]"
a6 Az"[Ss][pP][rR][iI][nN][gG]"
a6 Az"[Aa][uU][tT][uU][mM][nN]"
[List.Rules:PrependHello]
a5 A0"[hH][eE][lL][lL][oO0]"
[List.Rules:PrependYears]
a4 A0"20[0-1][0-9]"
a4 A0"19[3-9][0-9]"
# Notice: Your wordlist should likely be all lowercase - or you are wasting work
[List.Rules:AppendYears]
-[c:] a4 \p[c:] Az"19[0-9][0-9]"
-[c:] a4 \p[c:] Az"20[01][0-9]"
# Notice how we
# 1) do caps first b/c they are more common in 'complex' environments
# 2) Do !$@#%. first b/c they are the most common special chars
[List.Rules:AppendCurrentYearSpecial]
-[c:] a5 \p[c:] Az"201[0-9][!$@#%.]"
-[c:] a5 \p[c:] Azq201[0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:Append4Num]
-[c:] a4 \p[c:] Az"[0-9][0-9][0-9][0-9]"
[List.Rules:Append5Num]
-[c:] a5 \p[c:] Az"[0-9][0-9][0-9][0-9][0-9]"
[List.Rules:Append6Num]
-[c:] a6 \p[c:] Az"[0-9][0-9][0-9][0-9][0-9][0-9]"
[List.Rules:AppendSpecial3num]
-[c:] a4 \p[c:] Az"[!$@#%.][0-9][0-9][0-9]"
-[c:] a4 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9]q
[List.Rules:AppendSpecial4num]
-[c:] a5 \p[c:] Az"[!$@#%.][0-9][0-9][0-9][0-9]"
-[c:] a5 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9][0-9]q
[List.Rules:PrependCAPCAPAppendSpecial]
a3 A0"[A-Z][A-Z]" $[!$@#%.]
a3 A0"[A-Z][A-Z]" $[^&()_+\-={}|[\]\\;'":,/<>?`~*]
[List.Rules:PrependNumNumAppendSpecial]
-[c:] a3 \p[c:] A0"[0-9][0-9]" $[!$@#%.]
-[c:] a3 \p[c:] A0"[0-9][0-9]" $[^&()_+\-={}|[\]\\;'":,/<>?`~*]
[List.Rules:PrependNumNum]
-[c:] a2 \p[c:] A0"[0-9][0-9]"
[List.Rules:PrependNumNumNum]
-[c:] a3 \p[c:] A0"[0-9][0-9][0-9]"
[List.Rules:PrependNumNumNumNum]
-[c:] a4 \p[c:] A0"[0-9][0-9][0-9][0-9]"
[List.Rules:PrependNumNumSpecial]
-[c:] a3 \p[c:] A0"[0-9][0-9][!$@#%.]"
-[c:] a3 \p[c:] A0q[0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:Prepend2NumbersAppend2Numbers]
-[c:] a4 \p[c:] A0"[0-9][0-9]" Az"[0-9][0-9]"
[List.Rules:PrependSpecialSpecial]
-[c:] a2 \p[c:] A0q[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:AppendSpecialNumberNumber]
-[c:] a3 \p[c:] Az"[!$@#%.][0-9][0-9]"
-[c:] a3 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q
[List.Rules:AppendSpecialNumberNumberNumber]
-[c:] a4 \p[c:] Az"[!$@#%.][0-9][0-9][0-9]"
-[c:] a4 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9]q
[List.Rules:PrependSpecialSpecialAppendNumber]
-[c:] a3 \p[c:] A0"[!$@#%.][!$@#%.]" $[0-9]
-[c:] a3 \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q $[0-9]
[List.Rules:PrependSpecialSpecialAppendNumbersNumber]
-[c:] a4 \p[c:] A0"[!$@#%.][!$@#%.]" Az"[0-9][0-9]"
-[c:] a4 \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q Az"[0-9][0-9]"
[List.Rules:PrependSpecialSpecialAppendNumbersNumberNumber]
-[c:] a5 \p[c:] A0"[!$@#%.][!$@#%.]" Az"[0-9][0-9][0-9]"
-[c:] a5 \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q Az"[0-9][0-9][0-9]"
[List.Rules:Append2Letters]
a2 Az"[a-z][a-z]"
-c a2 Az"[A-Z][A-Z]"
-c a2 Az"[a-z][A-Z]"
-c a2 Az"[A-Z][a-z]"
[List.Rules:Prepend4NumAppendSpecial]
-[c:] a5 \p[c:] A0"[0-9][0-9][0-9][0-9]" $[!$@#%.]
-[c:] a5 \p[c:] A0"[0-9][0-9][0-9][0-9]" Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:Append4NumSpecial]
-[c:] a5 \p[c:] Az"[0-9][0-9][0-9][0-9][!$@#%.]"
-[c:] a5 \p[c:] Azq[0-9][0-9][0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:Append3NumSpecial]
-[c:] a4 \p[c:] Az"[0-9][0-9][0-9][!$@#%.]"
-[c:] a4 \p[c:] Azq[0-9][0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:Append2NumSpecial]
-[c:] a3 \p[c:] Az"[0-9][0-9][!$@#%.]"
-[c:] a3 \p[c:] Azq[0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
# Append numbers - but limit the total length.
[List.Rules:AddJustNumbers]
-[c:] <* >1 \p[c:] $[0-9]
-[c:] <* >1 \p[c:] ^[0-9]
-[c:] <- >1 \p[c:] Az"[0-9][0-9]"
-[c:] <- >1 \p[c:] A0"[0-9][0-9]"
-[c:] a3 >1 \p[c:] Az"[0-9][0-9][0-9]"
-[c:] a4 >1 \p[c:] Az"[0-9][0-9][0-9][0-9]"
[List.Rules:DevProdTestUAT]
-\r[::cc] a3 A\p\r[0l0l]"dev" \p\r[::TT]\p\r[::0l]
-\r[::cc] a3 A\p\r[0l0l]"uat" \p\r[::TT]\p\r[::0l]
-\r[::cc] a4 A\p\r[0l0l]"prod" \p\r[::TT]\p\r[::0l]
-\r[::cc] a4 A\p\r[0l0l]"test" \p\r[::TT]\p\r[::0l]
[List.Rules:PrependAndAppendSpecial]
-[c:] a2 \p[c:] ^[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
[List.Rules:AppendJustNumbers]
-[c:] <* \p[c:] $[0-9]
-[c:] <- \p[c:] Az"[0-9][0-9]"
-[c:] a3 \p[c:] Az"[0-9][0-9][0-9]"
-[c:] a4 \p[c:] Az"[0-9][0-9][0-9][0-9]"
[List.Rules:AppendNumbers_and_Specials_Simple]
# cap first letter then add a 0 2 6 9 ! * to the end
-[c:] a1 \p[c:] $[0-9]
-[c:] a1 \p[c:] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
# cap first letter then add a special char - THEN a number !0 %9 !9 etc
-[c:] a2 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q
# Cap the first letter - then add 0? 0! 5_ .. 9!
## add NUMBER then SPECIAL 1! .. 9?
-[c:] a2 \p[c:] Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
## Add Number Number Special
-[c:] a3 \p[c:] Azq[0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
## Add Special Number Number
-[c:] a3 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q
# Add 100! ... 999! to the end
-[c:] a4 \p[c:] Azq[0-9][0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:AppendJustSpecials]
-[c:] a1 \p[c:] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
-[c:] a2 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:MonthsFullPreface]
-[:c] a7 A0"\p[jJ]anuary"
-[:c] a8 A0"\p[fF]ebruary"
-[:c] a5 A0"\p[mM]arch"
-[:c] a5 A0"\p[aA]pril"
-[:c] a3 A0"\p[mM]ay"
-[:c] a4 A0"\p[jJ]une"
-[:c] a4 A0"\p[jJ]uly"
-[:c] a6 A0"\p[aA]ugust"
-[:c] a9 A0"\p[sS]eptember"
-[:c] a7 A0"\p[oO]ctober"
-[:c] a8 A0"\p[nN]ovember"
-[:c] a8 A0"\p[dD]ecember"
[List.Rules:AddShortMonthsEverywhere]
a3 >\r[00123456789] A\p[z0-9]"[jJ][aA][nN]"
a3 >\r[00123456789] A\p[z0-9]"[fF][eE][bB]"
a3 >\r[00123456789] A\p[z0-9]"[mM][aA][rRyY]"
a3 >\r[00123456789] A\p[z0-9]"[aA][pP][rR]"
a3 >\r[00123456789] A\p[z0-9]"[jJ][uU][nNlL]"
a3 >\r[00123456789] A\p[z0-9]"[aA][uU][gG]"
a3 >\r[00123456789] A\p[z0-9]"[sS][eE][pP]"
a3 >\r[00123456789] A\p[z0-9]"[oO][cC][tT]"
a3 >\r[00123456789] A\p[z0-9]"[nN][oO][vV]"
a3 >\r[00123456789] A\p[z0-9]"[dD][eE][cC]"
[List.Rules:Prepend4LetterMonths]
## Preface each dictionary with Janu janu Febr febr
-[:c] a4 A0"\p[jJ]anu"
-[:c] a4 A0"\p[fF]ebr"
-[:c] a4 A0"\p[mM]arc"
-[:c] a3 A0"\p[aA]pr"
-[:c] a3 A0"\p[mM]ay"
-[:c] a4 A0"\p[jJ]une"
-[:c] a4 A0"\p[jJ]uly"
-[:c] a4 A0"\p[Aa]ugu"
-[:c] a4 A0"\p[sS]ept"
-[:c] a4 A0"\p[oO]cto"
-[:c] a4 A0"\p[nN]ove"
-[:c] a4 A0"\p[Dd]ece"
# this will add the string '2010' at all places in the word:
# USE this with a 4 or 5 char dictionary file with ALL characters
# soo abcde will become
# 2010abcde a2010bcde ab2010cde acd2010de abcd2010e abcde2010
[List.Rules:Add2010Everywhere]
a4 >\r[00123456789] A\p[z0-9]"201[0-9]"
[List.Rules:PrependDaysWeek]
a6 A0"[Mm][oO0][nN][dD][aA4@][yY]"
a7 A0"[Tt][uU][eE3][sS$][dD][aA4@][yY]"
a9 A0"[Ww][eE3][dD][nN][eE3][sS$][dD][aA4@][yY]"
a8 A0"[Tt][hH][uU][rR][sS$][dD][aA4@][yY]"
a6 A0"[Ff][rR][iI1!][dD][aA4@][yY]"
a8 A0"[Ss][aA4@][tT+][uU][rR][dD][aA4@][yY]"
a6 A0"[Ss][uU][nN][dD][aA4@][yY]"
[List.Rules:Add1234_Everywhere]
a4 >\r[00123456789] A\p[z0-9]"1234"
[List.Rules:AppendMonthDay]
-[:c] <* Az"\p[jJ]anuary"
-[:c] a8 Az"\p[jJ]anuary[0-9]"
-[:c] a9 Az"\p[jJ]anuary[0-9][0-9]"
-[:c] <* Az"\p[fF]ebruary"
-[:c] a9 Az"\p[fF]ebruary[0-9]"
-[:c] aA Az"\p[fF]ebruary[0-9][0-9]"
-[:c] <* Az"\p[mM]arch"
-[:c] a6 Az"\p[mM]arch[0-9]"
-[:c] a7 Az"\p[mM]arch[0-9][0-9]"
-[:c] <* Az"\p[aA]pril"
-[:c] a6 Az"\p[aA]pril[0-9]"
-[:c] a7 Az"\p[aA]pril[0-9][0-9]"
-[:c] <* Az"\p[mM]ay"
-[:c] a4 Az"\p[mM]ay[0-9]"
-[:c] a5 Az"\p[mM]ay[0-9][0-9]"
-[:c] <* Az"\p[jJ]une"
-[:c] a5 Az"\p[jJ]une[0-9]"
# There was a typo in Kore's original revision of this rule
-[:c] a6 Az"\p[jJ]une[0-9][0-9]"
-[:c] <* Az"\p[jJ]uly"
-[:c] a5 Az"\p[jJ]uly[0-9]"
-[:c] a6 Az"\p[jJ]uly[0-9][0-9]"
-[:c] <* Az"\p[aA]ugust"
-[:c] Az"\p[aA]ugust[0-9]"
-[:c] Az"\p[aA]ugust[0-9][0-9]"
-[:c] <* Az"\p[sS]eptember"
-[:c] aA Az"\p[sS]eptember[0-9]"
# There was a typo in Kore's original revision of this rule
-[:c] aB Az"\p[sS]eptember[0-9][0-9]"
-[:c] <* Az"\p[oO]ctober"
-[:c] a8 Az"\p[oO]ctober[0-9]"
-[:c] a9 Az"\p[oO]ctober[0-9][0-9]"
-[:c] <* Az"\p[nN]ovember"
-[:c] a9 Az"\p[nN]ovember[0-9]"
-[:c] aA Az"\p[nN]ovember[0-9][0-9]"
-[:c] <* Az"\p[dD]ecember"
-[:c] a9 Az"\p[dD]ecember[0-9]"
-[:c] aA Az"\p[dD]ecember[0-9][0-9]"
[List.Rules:AppendMonthCurrentYear]
-[:c] a7 Az"\p[jJ]an201[0-9]"
-[:c] a7 Az"\p[fF]eb201[0-9]"
-[:c] a7 Az"\p[mM]ar201[0-9]"
-[:c] a7 Az"\p[aA]pr201[0-9]"
-[:c] a7 Az"\p[mM]ay201[0-9]"
-[:c] a7 Az"\p[jJ]un201[0-9]"
-[:c] a7 Az"\p[jJ]ul201[0-9]"
-[:c] a7 Az"\p[Aa]ug201[0-9]"
-[:c] a7 Az"\p[sS]ep201[0-9]"
-[:c] a7 Az"\p[oO]ct201[0-9]"
-[:c] a7 Az"\p[nN]ov201[0-9]"
-[:c] a7 Az"\p[Dd]ec201[0-9]"
[List.Rules:ReplaceNumbers2Special]
a0 /[1-90] s\0\p[!@#$%^&*()]
a0 /1 /[2-90] s1! s\0\p[@#$%^&*()]
a0 /2 /[3-90] s2@ s\0\p[#$%^&*()]
a0 /3 /[4-90] s3# s\0\p[$%^&*()]
a0 /4 /[5-90] s4$ s\0\p[%^&*()]
a0 /5 /[6-90] s5% s\0\p[^&*()]
a0 /6 /[7-90] s6^ s\0\p[&*()]
a0 /7 /[890] s7& s\0\p[*()]
a0 /8 /[90] s8* s\0\p[()]
a0 /9 /0 s9( s0)
[List.Rules:ReplaceNumbers]
a0 /0 s0[1-9]
a0 /1 s1[02-9]
a0 /2 s2[013-9]
a0 /3 s3[0-24-9]
a0 /4 s4[0-35-9]
a0 /5 s5[0-46-9]
a0 /6 s6[0-57-9]
a0 /7 s7[0-68-9]
a0 /8 s8[0-79]
a0 /9 s9[0-8]
# 10 lines above can be replaced with just one:
# /[0-9] s\0[0-9] Q
# but it's slower (generates, then rejects some duplicates).
# This is a lamer/faster version of --rules:nt
[List.Rules:ReplaceLettersCaps]
-c a0 /[a-z] s\0\p[A-Z]
[List.Rules:AddDotCom]
-[c:] a4 \p[c:] Az".com"
-[c:] a4 \p[c:] Az".net"
-[c:] a4 \p[c:] Az".org"
[List.Rules:AppendCap-Num_or_Special-Twice]
-[c:] a3 \p[c:] Az"[A-Z][0-9][0-9]"
-[c:] a3 \p[c:] Azq[A-Z][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q
-[c:] a3 \p[c:] Azq[A-Z][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-[c:] a3 \p[c:] Azq[A-Z][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:AppendSpecialLowerLower]
-[c:] a3 \p[c:] AzQ[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][a-z][a-z]Q
[List.Rules:AppendJustSpecials3Times]
-[c:] a3 \p[c:] Az"[!$@#%.][!$@#%.][!$@#%.]"
-[c:] a3 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:PrependJustSpecials]
-[c:] a1 \p[c:] ^[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
-[c:] a2 \p[c:] A0q[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:Append1_AddSpecialEverywhere]
-[c:] >4 a2 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $1
-[c:] >[5-8] a2 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $1
[List.Rules:PrependNumNum_AppendNumSpecial]
-[c:] a4 \p[c:] A0"[0-9][0-9]" Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
[List.Rules:AppendNum_AddSpecialEverywhere]
# This should probably use $[02-9] since we try $1 in
# Append1_AddSpecialEverywhere
-[c:] >4 a2 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[02-9]
-[c:] >[5-8] a2 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[02-9]
[List.Rules:AppendNumNum_AddSpecialEverywhere]
-[c:] >4 a3 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9]"
-[c:] >[5-8] a3 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9]"
[List.Rules:AppendNumNumNum_AddSpecialEverywhere]
-[c:] >4 a4 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9][0-9]"
-[c:] >[5-8] a4 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9][0-9]"
[List.Rules:AppendYears_AddSpecialEverywhere]
-[c:] >4 a5 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"19[4-9][0-9]"
-[c:] >4 a5 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"20[0-1][0-9]"
-[c:] >[5-8] a5 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"19[4-9][0-9]"
-[c:] >[5-8] a5 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"20[0-1][0-9]"
# This rule needs work actually --- you have to 'sort -u' its output rick
# /a = reject if it doesnt have an 'a'
# the [:c] does waste some effort - and generate dupes. This is wasteful,
# but I want to keep it in b/c the original crack/JtR rules use it.
[List.Rules:L33t]
-[:c] a0 /\r[aaAAbBeEiiiIIIllll] s\0\r\p[@44@88331!|1!|17|!] \p1[:M] \p1[:c] \p1[:Q]
# The following line differs from Kore's erroneous 4 lines:
-[:c] a0 /\r[LLLL] s\0\r\p[17|!] \p1[:M] \p1[:c] \p1[:Q]
#/Lsl1[:c]
#/Lsl7[:c]
#/Lsl|[:c]
#/Lsl![:c]
-[:c] a0 /\r[oOssSStT1111003344557788] s\0\r\p[00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
# Full set (same as above, but on one line):
#-[:c] /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT1111003344557788] s\0\r\p[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
# Double substitutions start here.
# Compared to Kore's, we check for both chars first, then replace both.
# This produces different results from Kore's, which would replace all
# instances of the first char before checking for the second.
# Kore's behavior may be restored by moving "sa[@4]" to be right after "/a"
# on the line below, and ditto for further lines.
-[:c] a0 /a /\r[AAbBeEiiiIIIllllLLLLoOssSStT111100334@557788] sa[@4] s\2\r\p2[4@88331!|1!|17|!17|!00$5$5++!iI|oOeE@4sSlLbB] \p1[:M] \p1[:c] \p1[:Q]
# Kore had these (probably unintentionally, so we don't duplicate them):
#/asa4/4s4a[:c]
#/asa4/4s4A[:c]
-[:c] a0 /A /\r[aabBeEiiiIIIllllLLLLoOssSStT1111003344557788] sA4 s\0\r\p[@488331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
# Kore also had these, but (intentionally?) missed sb8 on this set (after sA4)
#/AsA4/4s4a[:c]
#/AsA4/4s4A[:c]
-[:c] a0 /b /\r[aaAABeEiiiIIIllllLLLLoOssSStT1111003344557788] sb8 s\0\r\p[@44@8331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /B /\r[aaAAbeEiiiIIIllllLLLLoOssSStT1111003344557788] sB8 s\0\r\p[@44@8331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /e /\r[aaAAbBEiiiIIIllllLLLLoOssSStT1111003344557788] se3 s\0\r\p[@44@8831!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /E /\r[aaAAbBeiiiIIIllllLLLLoOssSStT1111003344557788] sE3 s\0\r\p[@44@8831!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /i /\r[aaAAbBeEIIIllllLLLLoOssSStT1111003344557788] si[1!|] s\2\r\p2[@44@88331!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /I /\r[aaAAbBeEiiillllLLLLoOssSStT1111003344557788] sI[1!|] s\2\r\p2[@44@88331!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
# Kore's rules only included sl[17|], but not sl!
-[:c] a0 /l /\r[aaAAbBeEiiiIIILLLLoOssSStT1111003344557788] sl[17|!] s\2\r\p2[@44@88331|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
# All "/L" rules (171 lines) were buggy
-[:c] a0 /L /\r[aaAAbBeEiiiIIIlllloOssSStT1111003344557788] sl[17|!] s\2\r\p2[@44@88331|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /o /\r[aaAAbBeEiiiIIIllllLLLLOssSStT1111003344557788] so0 s\0\r\p[@44@88331!|1!|17|!17|!0$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /O /\r[aaAAbBeEiiiIIIllllLLLLossSStT1111003344557788] sO0 s\0\r\p[@44@88331!|1!|17|!17|!0$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /s /\r[aaAAbBeEiiiIIIllllLLLLoOSStT1111003344557788] ss[$5] s\2\r\p2[@44@88331!|1!|17|!17|!00$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /S /\r[aaAAbBeEiiiIIIllllLLLLoOsstT1111003344557788] sS[$5] s\2\r\p2[@44@88331!|1!|17|!17|!00$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /t /\r[aaAAbBeEiiiIIIllllLLLLoOssSST1111003344557788] st+ s\0\r\p[@44@88331!|1!|17|!17|!00$5$5+!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /T /\r[aaAAbBeEiiiIIIllllLLLLoOssSSt1111003344557788] sT+ s\0\r\p[@44@88331!|1!|17|!17|!00$5$5+!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
# are these 100% redundant from above rules? !!!!
-[:c] a0 /1 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT003344557788] s1[!iI|] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /0 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11113344557788] s0[oO] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|eEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /3 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110044557788] s3[eE] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
#-[:c] /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT1111003344557788] s\0\r\p[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /4 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033557788] s4[aA] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /5 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033447788] s5[sS] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /7 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033445588] s7[lL] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /8 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033445577] s8[bB] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlL] \p1[:M] \p1[:c] \p1[:Q]
# These are some popular triple/quad l33t rules
-[:c] a0 /a /e /[los] sa4 se3 s\0\p[10$] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /[ae] /l /[os] s\2\p2[43] sl1 s\3\p3[0$] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /[ae] /o /s s\2\p2[43] so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /l /o /s sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /a /e /l /[os] sa4 se3 sl1 s\0\p[0$] \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /a /[el] /o /s sa4 s\0\p[31] so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /e /l /o /s se3 sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] a0 /a /e /l /o /s sa4 se3 sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
[List.Rules:ReplaceSpecial2Special]
# Kore's rules were missing "*"
# Kore's rules were missing ?[]{}`~
# Now converted into just a SINGLE rule (well 2 since ? must use class syntax)
# The rules do add a Q to avoid no-op, but it is now 2 'working' rules
# NOTE, there were numerous rules which also had problems, which were fixed
# (in commented out rules), and are 'right' in the 2 new replacement rules.
# Now thru some pre-processor jiu jitsu, this was reduced to a single rule line
a0 /[!@#$%^&*()\-=_+\\|;:'",./><\[\]{}`~?]\p\r[:::::::::::::::::::::::::::::::?] \p\r[:::::::::::::::::::::::::::::::s]\p\r[sssssssssssssssssssssssssssssss?]\1[!@#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~] Q
#these 2 are replaced by the equivalent above 1 rule.
# /[!@#$%^&*()\-=_+\\|;:'",./><\[\]{}`~] s\0[!@#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~] Q
# /?? s??[!@#$%^&*()\-=_+\\|;:'",./><\[\]{}`~]
#these are replaced by the equivalent above 2 rule lines.
# /! s![@#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~]
# /@ s@[!#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~]
#others replacing #$%^&*()-=_+\|;:'",./?><[]{}`~ cut out, and not shown.
[List.Rules:ReplaceLetters]
a0 /[a-z] s\0[a-z] Q
-c a0 /[a-z] s\0[A-Z]
####################################################################
# This ruleset contains ALL of the above, for a total
# of 7,074,074 rules after dupe removal
[List.Rules:KoreLogic]
.include [List.Rules:PrependNumNum]
.include [List.Rules:PrependYears]
.include [List.Rules:AppendYears]
.include [List.Rules:PrependNumNumNum]
.include [List.Rules:MonthsFullPreface]
.include [List.Rules:Prepend4LetterMonths]
.include [List.Rules:PrependSeason]
.include [List.Rules:AppendSeason]
.include [List.Rules:PrependHello]
.include [List.Rules:AppendCurrentYearSpecial]
.include [List.Rules:PrependSpecialSpecial]
.include [List.Rules:Append2Letters]
.include [List.Rules:AddJustNumbers]
.include [List.Rules:DevProdTestUAT]
.include [List.Rules:PrependAndAppendSpecial]
.include [List.Rules:AppendJustNumbers]
# This is split for better order:
# First part of AppendNumbers_and_Specials_Simple
-[c:] a1 \p[c:] $[0-9]
-[c:] a1 \p[c:] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
-[c:] a2 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q
-[c:] a2 \p[c:] Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
.include [List.Rules:AppendJustSpecials]
.include [List.Rules:AddShortMonthsEverywhere]
.include [List.Rules:Add2010Everywhere]
.include [List.Rules:Add1234_Everywhere]
.include [List.Rules:AppendMonthDay]
.include [List.Rules:AppendMonthCurrentYear]
.include [List.Rules:ReplaceNumbers2Special]
.include [List.Rules:ReplaceNumbers]
.include [List.Rules:ReplaceLettersCaps]
.include [List.Rules:AddDotCom]
.include [List.Rules:PrependJustSpecials]
.include [List.Rules:Append1_AddSpecialEverywhere]
.include [List.Rules:AppendNum_AddSpecialEverywhere]
.include [List.Rules:AppendNumNum_AddSpecialEverywhere]
.include [List.Rules:AppendNumNumNum_AddSpecialEverywhere]
.include [List.Rules:AppendYears_AddSpecialEverywhere]
.include [List.Rules:L33t]
.include [List.Rules:ReplaceSpecial2Special]
.include [List.Rules:ReplaceLetters]
.include [List.Rules:AppendSpecialNumberNumber]
.include [List.Rules:PrependNumNumAppendSpecial]
.include [List.Rules:PrependNumNumSpecial]
.include [List.Rules:Append2NumSpecial]
.include [List.Rules:PrependDaysWeek]
# Second part of AppendNumbers_and_Specials_Simple
-[c:] a3 \p[c:] Azq[0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-[c:] a3 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q
.include [List.Rules:PrependSpecialSpecialAppendNumber]
.include [List.Rules:Append4Num]
.include [List.Rules:PrependNumNumNumNum]
.include [List.Rules:Prepend2NumbersAppend2Numbers]
.include [List.Rules:PrependCAPCAPAppendSpecial]
.include [List.Rules:AppendSpecialLowerLower]
# Last part of AppendNumbers_and_Specials_Simple
-[c:] a4 \p[c:] Azq[0-9][0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
.include [List.Rules:AppendSpecial3num]
.include [List.Rules:AppendSpecialNumberNumberNumber]
.include [List.Rules:Append3NumSpecial]
.include [List.Rules:PrependNumNum_AppendNumSpecial]
.include [List.Rules:AppendJustSpecials3Times]
.include [List.Rules:AppendCap-Num_or_Special-Twice]
.include [List.Rules:PrependSpecialSpecialAppendNumbersNumber]
.include [List.Rules:Append5Num]
.include [List.Rules:AppendSpecial4num]
.include [List.Rules:Prepend4NumAppendSpecial]
.include [List.Rules:Append4NumSpecial]
.include [List.Rules:PrependSpecialSpecialAppendNumbersNumberNumber]
.include [List.Rules:Append6Num]

BIN
data/jtr/lanman.chr Normal file

Binary file not shown.

BIN
data/jtr/latin1.chr Normal file

Binary file not shown.

BIN
data/jtr/lm_ascii.chr Normal file

Binary file not shown.

BIN
data/jtr/lower.chr Normal file

Binary file not shown.

BIN
data/jtr/lowernum.chr Normal file

Binary file not shown.

BIN
data/jtr/lowerspace.chr Normal file

Binary file not shown.

View File

@ -0,0 +1,375 @@
# regex_alphabets.conf
#
# This is the multiple alphabest usable by rexgen function.
# this is the 'default'
[List.Rexgen.Alpha]
# can also use -i mode rexgen (TBD)
[List.Rexgen.Alpha:cased]
a=[aA]
b=[bB]
c=[cC]
d=[dD]
e=[eE]
f=[fF]
g=[gG]
h=[hH]
i=[iI]
j=[jJ]
k=[kK]
l=[lL]
m=[mM]
n=[nN]
o=[oO]
p=[pP]
q=[qQ]
r=[rR]
s=[sS]
t=[tT]
u=[uU]
v=[vV]
w=[wW]
x=[xX]
y=[yY]
z=[zZ]
A=[aA]
B=[bB]
C=[cC]
D=[dD]
E=[eE]
F=[fF]
G=[gG]
H=[hH]
I=[iI]
J=[jJ]
K=[kK]
L=[lL]
M=[mM]
N=[nN]
O=[oO]
P=[pP]
Q=[qQ]
R=[rR]
S=[sS]
T=[tT]
U=[uU]
V=[vV]
W=[wW]
X=[xX]
Y=[yY]
Z=[zZ]
# simple 1337 mode. ONLY leet's lower case letters, and smallish alphabet. But VERY fast.
[List.Rexgen.Alpha:leet]
a=[a4@]
b=[b8]
e=[e3]
g=[g9]
i=[i!]
l=[l17]
o=[o0]
s=[s$5]
t=[t+7]
# simple 1337 mode with mixed case
[List.Rexgen.Alpha:leet+c]
a=[aA4@]
b=[bB8]
c=[cC]
d=[dD]
e=[eE3]
f=[fF]
g=[gG9]
h=[hH]
i=[iI!]
j=[jJ]
k=[kK]
l=[lL1]
m=[mM]
n=[nN]
o=[oO0]
p=[pP]
q=[qQ]
r=[rR]
s=[sS$5]
t=[tT+7]
u=[uU]
v=[vV]
w=[wW]
x=[xX]
y=[yY]
z=[zZ]
A=[aA]
B=[bB]
C=[cC]
D=[dD]
E=[eE]
F=[fF]
G=[gG]
H=[hH]
I=[iI]
J=[jJ]
K=[kK]
L=[lL]
M=[mM]
N=[nN]
O=[oO]
P=[pP]
Q=[qQ]
R=[rR]
S=[sS]
T=[tT]
U=[uU]
V=[vV]
W=[wW]
X=[xX]
Y=[yY]
Z=[zZ]
# much stronger 1337 mode. Does much larger alphabet. Includes a couple multiple
# character replacement values: f -> ph and f -> |= Also does upper case
# note contains ALL values from Rexgen.Alpha:leet
[List.Rexgen.Alpha:leet2]
a=[a4@]
b=[b8]
c=[c\(<k]
e=[e3]
f=(f|ph|\|=)
g=[g9]
i=[i1!\|]
l=[l1]
o=[o0]
s=[s$5]
t=[t+7]
A=[A4@]
B=[B8]
C=[C\(<k]
E=[E3]
F=(F|Ph|PH|\|=)
G=[G9]
I=[I1!\|]
L=[L1]
O=[O0]
S=[S$5]
T=[T+7]
# stronger elete, with mixed case.
[List.Rexgen.Alpha:leet2_case]
a=[aA4@]
b=[bB8]
c=[cC\(]
d=[dD]
e=[eE3]
f=(f|F|ph|Ph|PH|\|=)
g=[gG9]
h=[hH]
i=[iI1!\|]
j=[jJ]
k=[kK]
l=[lL1]
m=[mM]
n=[nN]
o=[oO0]
p=[pP]
q=[qQ]
r=[rR]
s=[sS$5]
t=[tT+7]
u=[uU]
v=[vV]
w=[wW]
x=[xX]
y=[yY]
z=[zZ]
A=[aA4@]
B=[bB8]
C=[cC\(]
D=[dD]
E=[eE3]
F=(f|F|Ph|ph|PH|\|=)
G=[gG9]
H=[hH]
I=[iI1!\|]
J=[jJ]
K=[kK]
L=[lL1]
M=[mM]
N=[nN]
O=[oO0]
P=[pP]
Q=[qQ]
R=[rR]
S=[sS$5]
T=[tT+7]
U=[uU]
V=[vV]
W=[wW]
X=[xX]
Y=[yY]
Z=[zZ]
# Very strong elete. MANY multi char eletes, AND some other more obsure ones.
# a LOT of stuff here, BUT runs much much slower, since there are many more optional
# values to try.
# note contains ALL values from Rexgen.Alpha:leet2
[List.Rexgen.Alpha:leet3]
a=(a|/-\\|4|@)
b=(b|\|3|\|o|8)
c=[c\(<KS]
d=(d|\|\)|o\||\|>|<\|)
e=[e3]
f=(f|ph|\|=)
g=[g\(69]
h=(h|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
i=(i|1|!|\||\]\[)
j=(j|_\|)
k=(k|\|<|/<|\\<|\|\{)
l=(l|1|\||\|_)
m=(m|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
n=(n|\|\\\||/\\/|\|\\\\\||/\|/)
o=(o|0|\(\)|\[\]|\{\})
p=(p|\|2|\|D)
q=(q|\(,\)|kw)
r=(r|\|2|\|Z|\|?)
s=[s$5]
t=(t|+|'\]\['|7)
u=(u|\|_\|)
v=(v|\|/|\\\||\\/|/)
w=(w|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
x=(x|><|\}\{)
y=(y|'/|`/|j)
z=(z|2|\(\\\))
A=(A|/-\\|4|@)
B=(B|\|3|\|o|8)
C=[C\(<KS]
D=(D|\|\)|o\||\|>|<\|)
E=[E3]
F=(F|Ph|PH|\|=)
G=[G\(69]
H=(H|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
I=(I|1|!|\||\]\[)
J=(J|_\|)
K=(K|\|<|/<|\\<|\|\{)
L=(L|1|\||\|_)
M=(M|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
N=(N|\|\\\||/\\/|\|\\\\\||/\|/)
O=(O|0|\(\)|\[\]|\{\})
P=(P|\|2|\|D)
Q=(Q|\(,\)|kw)
R=(R|\|2|\|Z|\|?)
S=[S$5]
T=(T|+|'\]\['|7)
U=(U|\|_\|)
v=(V|\|/|\\\||\\/|/)
W=(W|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
X=(X|><|\}\{)
Y=(Y|'/|`/|j)
Z=(Z|2|\(\\\))
[List.Rexgen.Alpha:leet3_case]
a=(a|A|/-\\|4|@)
b=(b|B|\|3|\|o|8)
c=[cC\(<KS]
d=(d|D|\|\)|o\||\|>|<\|)
e=[eE3]
f=(f|F|ph|Ph|PH|\|=)
g=[gG\(69]
h=(h|H|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
i=(i|I|1|!|\||\]\[)
j=(j|J|_\|)
k=(k|K|\|<|/<|\\<|\|\{)
l=(l|L|1|\||\|_)
m=(m|M|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
n=(n|N|\|\\\||/\\/|\|\\\\\||/\|/)
o=(o|O|0|\(\)|\[\]|\{\})
p=(p|P|\|2|\|D)
q=(q|Q|\(,\)|kw)
r=(r|R|\|2|\|Z|\|?)
s=[sS$5]
t=(t|T|+|'\]\['|7)
u=(u|U|\|_\|)
v=(v|V|\|/|\\\||\\/|/)
w=(w|W|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
x=(x|X|><|\}\{)
y=(y|Y|'/|`/|j)
z=(z|Z|2|\(\\\))
A=(a|A|/-\\|4|@)
B=(b|B|\|3|\|o|8)
C=[cC\(<KS]
D=(d|D|\|\)|o\||\|>|<\|)
E=[eE3]
F=(f|F|PH|Ph|ph|\|=)
G=[gG\(69]
H=(h|H|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
I=(i|I|1|!|\||\]\[)
J=(j|J|_\|)
K=(k|K|\|<|/<|\\<|\|\{)
L=(l|L|1|\||\|_)
M=(m|M|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
N=(n|N|\|\\\||/\\/|\|\\\\\||/\|/)
O=(o|O|0|\(\)|\[\]|\{\})
P=(p|P|\|2|\|D)
Q=(q|Q|\(,\)|kw)
R=(r|R|\|2|\|Z|\|?)
S=[sS$5]
T=(t|T|+|'\]\['|7)
U=(u|U|\|_\|)
v=(v|V|\|/|\\\||\\/|/)
W=(w|W|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
X=(x|X|><|\}\{)
Y=(y|Y|'/|`/|j)
Z=(z|Z|2|\(\\\))
[List.Rexgen.Alpha:ascii2nonascii]
A=[ÀÁÂÃÄÅÆĀĂĄǍǞǠǺȀȂȦȺA]
B=[ƁƂɃʙB]
C=[ÇĆĈĊČƇȻC]
D=[ÐĎĐƉƊƋDZDzD]
E=[ÈÉÊËĒĔĖĘĚƎƏƐȄȆȨɆE]
F=[ƑF]
G=[ĜĞĠĢƓǤǦǴɢG]
H=[ĤĦǶȞʜH]
I=[ÌÍÎÏĨĪĬĮİƗǏȈȊɪI]
J=[ĴƖɈJ]
K=[ĶĸƘǨK]
L=[£ĹĻĽĿŁȽʟL]
M=[ƜM]
N=[ÑŃŅŇŊƝǸȠɴN]
O=[ÒÓÔÕÖØŌŎŐŒƆƟƠǑǪǬǾȌȎȪȬȮȰƢO]
P=[ƤP]
Q=[ɊQ]
R=[®ŔŖŘƦȐȒɌʀʁʶR]
S=[ŚŜŞŠƧȘS]
T=[ŢŤƬƮȚȾT]
U=[ÙÚÛÜŨŪŬŮŰŲƯǓǕǗǙǛȔȖɄU]
V=[ɅV]
W=[ŴW]
Y=[¥ÝŶŸƳȲɎʏY]
Z=[ŹŻŽƵȤZ]
a=[àáâãäåæāăąǎǟǡǻȁȃȧɐɑɒa]
b=[ƀƃɓb]
c=[¢©çćĉċčƈȼɕc]
d=[ðďđƌƍȡɖɗdzd]
e=[èéêëēĕėęěǝȅȇȩɇɘəɚɛɜɝɞe]
f=[ƒf]
g=[ĝğġģǥǧǵɠɡg]
h=[ħȟɥɦʮʯʰʱĥh]
i=[ìíîïĩīĭįıǐȉȋɨi]
j=[ĵǰȷɉɟʄʝʲj]
k=[ķƙǩʞ]
l=[ĺļľŀłƚƛȴɫɬɭl]
m=[µɯɰɱm]
n=[ñńņňʼnŋƞǹȵɲɳn]
o=[òóôõöøōŏőœơǒǫǭǿȍȏȫȭȯȱɵƣȣo]
p=[ƥp]
q=[ɋʠq]
r=[ŕŗřȑȓɍɹɺɻɼɽɾɿʳʴʵr]
s=[śŝşšſƨșȿʂs]
t=[ţťŦŧƫƭțȶʇʈt]
u=[ùúûüũūŭůűųưǔǖǘǚǜȕȗʉu]
v=[ʌv]
w=[ŵʍʷw]
x=[×x]
y=[ýÿŷƴȳɏʎʸy]
z=[źżžƶȥɀʐʑz]

1401
data/jtr/repeats16.conf Normal file

File diff suppressed because it is too large Load Diff

2378
data/jtr/repeats32.conf Normal file

File diff suppressed because it is too large Load Diff

BIN
data/jtr/upper.chr Normal file

Binary file not shown.

BIN
data/jtr/uppernum.chr Normal file

Binary file not shown.

BIN
data/jtr/utf8.chr Normal file

Binary file not shown.

View File

@ -0,0 +1,163 @@
## Vulnerable Application
This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX
based password hashes, such as:
* `DES` based passwords
The following can be used to add credentials to the database for cracking:
* https://github.com/rapid7/metasploit-framework/pull/11264#issuecomment-455762574
[source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
## Verification Steps
1. Have at least one user with a `des` password in the database
2. Start msfconsole
3. Do: ```use auxiliary/analyze/jtr_aix```
4. Do: ```run```
5. You should hopefully crack a password.
## Options
**CONFIG**
The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`
**CUSTOM_WORDLIST**
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
**ITERATION_TIMOUT**
The max-run-time for each iteration of cracking
**JOHN_PATH**
The absolute path to the John the Ripper executable. Default behavior is to search `path` for
`john` and `john.exe`.
**KORELOGIC**
Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
Default is `false`.
**MUTATE**
Apply common mutations to the Wordlist (SLOW). Mutations are:
* `'@' => 'a'`
* `'0' => 'o'`
* `'3' => 'e'`
* `'$' => 's'`
* `'7' => 't'`
* `'1' => 'l'`
* `'5' => 's'`
Default is `false`.
**POT**
The path to a John POT file (JtR option: `--pot`) to use instead. The `pot` file is the data file which
records cracked password hashes. Kali linux's default location is `/root/.john/john.pot`.
Default is `metasploit-framework/data/john.pot`.
**USE_CREDS**
Use existing credential data saved in the database. Default is `true`.
**USE_DB_INFO**
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is `true`.
**USE_DEFAULT_WORDLIST**
Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`. Default is
`true`.
**USE_HOSTNAMES**
Seed the wordlist with hostnames from the workspace. Default is `true`.
**USE_ROOT_WORDS**
Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`. Default
is true.
## Scenarios
Utilizing the `make_hashes` file listed in the Vulnerable Application section:
```
[*] Deleted 3 creds
resource (hashes.rb)> use auxiliary/scanner/ssh/ssh_login
resource (hashes.rb)> set username ubuntu
username => ubuntu
resource (hashes.rb)> set password ubuntu
password => ubuntu
resource (hashes.rb)> set rhosts 111.111.1.111
rhosts => 111.111.1.111
resource (hashes.rb)> run
[+] 111.111.1.111:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (2.2.2.2:40085 -> 111.111.1.111:22) at 2019-01-19 04:00:54 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (hashes.rb)> use post/test/make_hashes
resource (hashes.rb)> set session 1
session => 1
resource (hashes.rb)> run
[+] Adding des_passphrase:qiyh4XPJGsOZ2MEAyLkfWqeQ:des
[+] Adding des_password:rEK1ecacw.7.c:des
[*] Post module execution completed
[*] Starting persistent handler(s)...
```
```
msf5 post(test/make_hashes) > use auxiliary/analyze/jtr_aix
msf5 auxiliary(analyze/jtr_aix) > run
[*] Hashes Written out to /tmp/hashes_tmp20190119-17882-1wvuebb
[*] Wordlist file written out to /tmp/jtrtmp20190119-17882-u2m52i
[*] Cracking descrypt hashes in normal wordlist mode...
[*] Loaded 3 password hashes with 3 different salts (descrypt, traditional crypt(3) [DES 256/256 AVX2-16])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[*] password (des_password)
[*] se (des_passphrase:2)
2g 0:00:00:00 DONE (Sat 19 Jan 2019 04:01:15 AM EST) 50.00g/s 2111Kp/s 5041Kc/s 5041KC/s sanserif..vagrant
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking descrypt hashes in single mode...
[*] Loaded 3 password hashes with 3 different salts (descrypt, traditional crypt(3) [DES 256/256 AVX2-16])
Will run 8 OpenMP threads
[*] Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 DONE (Sat 19 Jan 2019 04:01:22 AM EST) 0g/s 4867Kp/s 4867Kc/s 4867KC/s hms1902..tude1900
Session completed
[*] Cracking descrypt hashes in incremental mode (Digits)...
[*] Loaded 3 password hashes with 3 different salts (descrypt, traditional crypt(3) [DES 256/256 AVX2-16])
Will run 8 OpenMP threads
[*] Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:05 DONE (Sat 19 Jan 2019 04:01:28 AM EST) 0g/s 18864Kp/s 18864Kc/s 18864KC/s 73602400..73673952
Session completed
[*] Cracked Passwords this run:
[+] des_passphrase:????????se:3213:
[+] des_password:password:3214:
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_aix) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
111.111.1.111 des_passphrase qiyh4XPJGsOZ2MEAyLkfWqeQ Nonreplayable hash
111.111.1.111 des_password rEK1ecacw.7.c Nonreplayable hash
des_passphrase ????????se Password
des_password password Password
111.111.1.111 111.111.1.111 22/tcp (ssh) ubuntu ubuntu Password
```

View File

@ -0,0 +1,203 @@
## Vulnerable Application
This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
based password hashes, such as:
* `DES` based passwords
* `MD5` based passwords
* `BSDi` based passwords
* With `crypt` set to `true`:
* `bf`, `bcrypt`, or `blowfish` based passwords
* `SHA256` based passwords
* `SHA512` based passwords
The following can be used to add credentials to the database for cracking:
* https://github.com/rapid7/metasploit-framework/pull/11264#issuecomment-455762574
The definition of `crypt` according to JTR and waht algorithms it decodes can be found
[here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
## Verification Steps
1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
2. Start msfconsole
3. Do: ```use auxiliary/analyze/jtr_linux```
4. Do: ```run```
5. You should hopefully crack a password.
## Options
**CONFIG**
The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`
**CRYPT**
Include `blowfish` and `SHA`(256/512) passwords.
**CUSTOM_WORDLIST**
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
**ITERATION_TIMOUT**
The max-run-time for each iteration of cracking
**JOHN_PATH**
The absolute path to the John the Ripper executable. Default behavior is to search `path` for
`john` and `john.exe`.
**KORELOGIC**
Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
Default is `false`.
**MUTATE**
Apply common mutations to the Wordlist (SLOW). Mutations are:
* `'@' => 'a'`
* `'0' => 'o'`
* `'3' => 'e'`
* `'$' => 's'`
* `'7' => 't'`
* `'1' => 'l'`
* `'5' => 's'`
Default is `false`.
**POT**
The path to a John POT file (JtR option: `--pot`) to use instead. The `pot` file is the data file which
records cracked password hashes. Kali linux's default location is `/root/.john/john.pot`.
Default is `metasploit-framework/data/john.pot`.
**USE_CREDS**
Use existing credential data saved in the database. Default is `true`.
**USE_DB_INFO**
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is `true`.
**USE_DEFAULT_WORDLIST**
Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`. Default is
`true`.
**USE_HOSTNAMES**
Seed the wordlist with hostnames from the workspace. Default is `true`.
**USE_ROOT_WORDS**
Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`. Default
is true.
## Scenarios
Utilizing the `make_hashes` file listed in the Vulnerable Application section:
```
resource (hashes.rb)> use auxiliary/scanner/ssh/ssh_login
resource (hashes.rb)> set username ubuntu
username => ubuntu
resource (hashes.rb)> set password ubuntu
password => ubuntu
resource (hashes.rb)> set rhosts 111.111.1.111
rhosts => 111.111.1.111
resource (hashes.rb)> run
[+] 111.111.1.111:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (2.2.2.2:34849 -> 111.111.1.111:22) at 2019-01-19 11:52:44 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (hashes.rb)> use post/test/make_hashes
resource (hashes.rb)> set session 1
session => 1
resource (hashes.rb)> run
[+] Adding des_passphrase:qiyh4XPJGsOZ2MEAyLkfWqeQ:des
[+] Adding des_password:rEK1ecacw.7.c:des
[+] Adding md5_password:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:md5,des,bsdi,crypt
[+] Adding bsdi_password:_J9..K0AyUubDrfOgO4s:md5,des,bsdi,crypt
[+] Adding crypt_password:SDbsugeBiC58A:md5,des,bsdi,crypt
[+] Adding sha256_password:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5:md5,des,bsdi,crypt
[+] Adding sha512_password:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1:md5,des,bsdi,crypt
[+] Adding crypt16_password:qi8H8R7OM4xMUNMPuRAZxlY.:md5,des,bsdi,crypt
[+] Adding blowfish_password:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe:bcrypt
[*] Post module execution completed
[*] Starting persistent handler(s)...
```
```
msf5 post(test/make_hashes) > use auxiliary/analyze/jtr_linux
msf5 auxiliary(analyze/jtr_linux) > set crypt true
crypt => true
msf5 auxiliary(analyze/jtr_linux) > run
[*] Hashes Written out to /tmp/hashes_tmp20190119-25843-1igh5zx
[*] Wordlist file written out to /tmp/jtrtmp20190119-25843-1fmcnd
[*] Cracking md5crypt hashes in normal wordlist mode...
[*] Cracked Passwords this run:
[+] md5_password:password
[*] Cracking descrypt hashes in normal wordlist mode...
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (Sat 19 Jan 2019 11:53:04 AM EST) 0g/s 2102Kp/s 6308Kc/s 8411KC/s scapula..vagrant
Session completed
[*] Cracked Passwords this run:
[+] des_passphrase:????????se
[+] des_password:password
[*] Cracking bsdicrypt hashes in normal wordlist mode...
[*] Cracked Passwords this run:
[+] bsdi_password:password
[*] Cracking crypt hashes in normal wordlist mode...
Warning: hash encoding string length 24, type id #3
appears to be unsupported on this system; will not load such hashes.
Warning: hash encoding string length 20, type id #4
appears to be unsupported on this system; will not load such hashes.
Warning: hash encoding string length 60, type id $2
appears to be unsupported on this system; will not load such hashes.
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 59 candidates left, minimum 96 needed for performance.
0g 0:00:00:00 DONE (Sat 19 Jan 2019 11:53:05 AM EST) 0g/s 540061p/s 540061c/s 540061C/s zubeneschamali..vagrant
Session completed
[*] Cracked Passwords this run:
Warning: hash encoding string length 24, type id #3
appears to be unsupported on this system; will not load such hashes.
[+] des_password:password
[+] md5_password:password
[+] sha256_password:password
[+] sha512_password:password
[*] Cracking bcrypt hashes in normal wordlist mode...
[*] Cracked Passwords this run:
[+] blowfish_password:password
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_linux) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
des_passphrase ????????se Password
111.111.1.111 des_passphrase qiyh4XPJGsOZ2MEAyLkfWqeQ Nonreplayable hash
des_password password Password
111.111.1.111 des_password rEK1ecacw.7.c Nonreplayable hash
md5_password password Password
111.111.1.111 md5_password $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ Nonreplayable hash
bsdi_password password Password
111.111.1.111 bsdi_password _J9..K0AyUubDrfOgO4s Nonreplayable hash
111.111.1.111 crypt_password SDbsugeBiC58A Nonreplayable hash
sha256_password password Password
111.111.1.111 sha256_password $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 Nonreplayable hash
sha512_password password Password
111.111.1.111 sha512_password $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 Nonreplayable hash
111.111.1.111 crypt16_password qi8H8R7OM4xMUNMPuRAZxlY. Nonreplayable hash
blowfish_password password Password
111.111.1.111 blowfish_password $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe Nonreplayable hash
111.111.1.111 111.111.1.111 22/tcp (ssh) ubuntu ubuntu Password
```

View File

@ -0,0 +1,160 @@
## Vulnerable Application
This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
SQL based password hashes, such as:
* `mssql` based passwords
* `mssql05` based passwords
* `mssql12` based passwords
The following can be used to add credentials to the database for cracking:
* https://github.com/rapid7/metasploit-framework/pull/11264#issuecomment-455762574
## Verification Steps
1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
2. Start msfconsole
3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
4. Do: ```run```
5. You should hopefully crack a password.
## Options
**CONFIG**
The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`
**CUSTOM_WORDLIST**
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
**ITERATION_TIMOUT**
The max-run-time for each iteration of cracking
**JOHN_PATH**
The absolute path to the John the Ripper executable. Default behavior is to search `path` for
`john` and `john.exe`.
**KORELOGIC**
Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
Default is `false`.
**MUTATE**
Apply common mutations to the Wordlist (SLOW). Mutations are:
* `'@' => 'a'`
* `'0' => 'o'`
* `'3' => 'e'`
* `'$' => 's'`
* `'7' => 't'`
* `'1' => 'l'`
* `'5' => 's'`
Default is `false`.
**POT**
The path to a John POT file (JtR option: `--pot`) to use instead. The `pot` file is the data file which
records cracked password hashes. Kali linux's default location is `/root/.john/john.pot`.
Default is `metasploit-framework/data/john.pot`.
**USE_CREDS**
Use existing credential data saved in the database. Default is `true`.
**USE_DB_INFO**
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is `true`.
**USE_DEFAULT_WORDLIST**
Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`. Default is
`true`.
**USE_HOSTNAMES**
Seed the wordlist with hostnames from the workspace. Default is `true`.
**USE_ROOT_WORDS**
Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`. Default
is true.
## Scenarios
Utilizing the `make_hashes` file listed in the Vulnerable Application section:
```
resource (hashes.rb)> use auxiliary/scanner/ssh/ssh_login
resource (hashes.rb)> set username ubuntu
username => ubuntu
resource (hashes.rb)> set password ubuntu
password => ubuntu
resource (hashes.rb)> set rhosts 111.111.1.111
rhosts => 111.111.1.111
resource (hashes.rb)> run
[+] 111.111.1.111:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (2.2.2.2:40997 -> 111.111.1.111:22) at 2019-01-19 16:56:46 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (hashes.rb)> use post/test/make_hashes
resource (hashes.rb)> set session 1
session => 1
resource (hashes.rb)> run
[+] Adding mssql05_toto:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:mssql05
[+] Adding mssql_foo:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:mssql
[+] Adding mssql12_Password1!:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16:mssql12
[*] Post module execution completed
[*] Starting persistent handler(s)...
```
```
msf5 post(test/make_hashes) > use auxiliary/analyze/jtr_mssql_fast
msf5 auxiliary(analyze/jtr_mssql_fast) > run
[*] Hashes Written out to /tmp/hashes_tmp20190119-30098-16dm2ip
[*] Wordlist file written out to /tmp/jtrtmp20190119-30098-t4zx7s
[*] Cracking mssql05 hashes in normal wordlist mode...
[*] Cracking mssql05 hashes in single mode...
[*] Cracking mssql05 hashes in incremental mode (Digits)...
[*] Cracked Passwords this run:
[+] mssql05_toto:toto
[+] mssql_foo:foo
[+] mssql05_toto:toto
[+] mssql_foo:foo
[*] Cracking mssql hashes in normal wordlist mode...
[*] Cracking mssql hashes in single mode...
[*] Cracking mssql hashes in incremental mode (Digits)...
[*] Cracked Passwords this run:
[+] mssql_foo:FOO
[+] mssql_foo:FOO
[*] Cracking mssql12 hashes in normal wordlist mode...
[*] Cracking mssql12 hashes in single mode...
[*] Cracking mssql12 hashes in incremental mode (Digits)...
[*] Cracked Passwords this run:
[+] mssql12_Password1!:Password1!
[+] mssql12_Password1!:Password1!
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_mssql_fast) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
mssql05_toto toto Password
111.111.1.111 mssql05_toto 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 Nonreplayable hash
mssql_foo FOO Password
mssql_foo foo Password
111.111.1.111 mssql_foo 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 Nonreplayable hash
mssql12_Password1! Password1! Password
111.111.1.111 mssql12_Password1! 0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 Nonreplayable hash
111.111.1.111 111.111.1.111 22/tcp (ssh) ubuntu ubuntu Password
```

View File

@ -0,0 +1,144 @@
## Vulnerable Application
This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
based password hashes, such as:
* `mysql` (pre 4.1) based passwords
* `mysql-sha1` based passwords
The following can be used to add credentials to the database for cracking:
* https://github.com/rapid7/metasploit-framework/pull/11264#issuecomment-455762574
## Verification Steps
1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
2. Start msfconsole
3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
4. Do: ```run```
5. You should hopefully crack a password.
## Options
**CONFIG**
The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`
**CUSTOM_WORDLIST**
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
**ITERATION_TIMOUT**
The max-run-time for each iteration of cracking
**JOHN_PATH**
The absolute path to the John the Ripper executable. Default behavior is to search `path` for
`john` and `john.exe`.
**KORELOGIC**
Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
Default is `false`.
**MUTATE**
Apply common mutations to the Wordlist (SLOW). Mutations are:
* `'@' => 'a'`
* `'0' => 'o'`
* `'3' => 'e'`
* `'$' => 's'`
* `'7' => 't'`
* `'1' => 'l'`
* `'5' => 's'`
Default is `false`.
**POT**
The path to a John POT file (JtR option: `--pot`) to use instead. The `pot` file is the data file which
records cracked password hashes. Kali linux's default location is `/root/.john/john.pot`.
Default is `metasploit-framework/data/john.pot`.
**USE_CREDS**
Use existing credential data saved in the database. Default is `true`.
**USE_DB_INFO**
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is `true`.
**USE_DEFAULT_WORDLIST**
Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`. Default is
`true`.
**USE_HOSTNAMES**
Seed the wordlist with hostnames from the workspace. Default is `true`.
**USE_ROOT_WORDS**
Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`. Default
is true.
## Scenarios
Utilizing the `make_hashes` file listed in the Vulnerable Application section:
```
resource (hashes.rb)> use auxiliary/scanner/ssh/ssh_login
resource (hashes.rb)> set username ubuntu
username => ubuntu
resource (hashes.rb)> set password ubuntu
password => ubuntu
resource (hashes.rb)> set rhosts 111.111.1.111
rhosts => 111.111.1.111
resource (hashes.rb)> run
[+] 111.111.1.111:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (2.2.2.2:46211 -> 111.111.1.111:22) at 2019-01-19 17:24:54 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (hashes.rb)> use post/test/make_hashes
resource (hashes.rb)> set session 1
session => 1
resource (hashes.rb)> run
[+] Adding mysql_probe:445ff82636a7ba59:mysql
[+] Adding mssql-sha1_tere:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB:mysql-sha1
[*] Post module execution completed
[*] Starting persistent handler(s)...
```
```
msf5 post(test/make_hashes) > use auxiliary/analyze/jtr_mysql_fast
msf5 auxiliary(analyze/jtr_mysql_fast) > run
[*] Hashes Written out to /tmp/hashes_tmp20190119-30962-19gqf2v
[*] Wordlist file written out to /tmp/jtrtmp20190119-30962-qrof08
[*] Cracking mysql hashes in normal wordlist mode...
[*] Cracking mysql hashes in single mode...
[*] Cracking mysql hashes in incremental mode (Digits)...
[*] Cracked Passwords this run:
[+] mysql_probe:probe
[*] Cracking mysql-sha1 hashes in normal wordlist mode...
[*] Cracking mysql-sha1 hashes in single mode...
[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
[*] Cracked Passwords this run:
[+] mssql-sha1_tere:tere
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_mysql_fast) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
mysql_probe probe Password
111.111.1.111 mysql_probe 445ff82636a7ba59 Nonreplayable hash
mssql-sha1_tere tere Password
111.111.1.111 mssql-sha1_tere *5AD8F88516BD021DD43F171E2C785C69F8E54ADB Nonreplayable hash
111.111.1.111 111.111.1.111 22/tcp (ssh) ubuntu ubuntu Password
```

View File

@ -0,0 +1,188 @@
## Vulnerable Application
This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
based password hashes, such as:
* `oracle` (<=10) aka `des` based passwords
* `oracle11` based passwords
* Oracle 11 and 12c backwards compatibility `H` field (MD5)
* `oracle12c` based passwords
The following can be used to add credentials to the database for cracking:
* https://github.com/rapid7/metasploit-framework/pull/11264#issuecomment-455762574
For a detailed explanation of Oracle 11/12c formats, see
[www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
[here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
## Verification Steps
1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
2. Start msfconsole
3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
4. Do: ```run```
5. You should hopefully crack a password.
## Options
**CONFIG**
The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`
**CUSTOM_WORDLIST**
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
**ITERATION_TIMOUT**
The max-run-time for each iteration of cracking
**JOHN_PATH**
The absolute path to the John the Ripper executable. Default behavior is to search `path` for
`john` and `john.exe`.
**KORELOGIC**
Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
Default is `false`.
**MUTATE**
Apply common mutations to the Wordlist (SLOW). Mutations are:
* `'@' => 'a'`
* `'0' => 'o'`
* `'3' => 'e'`
* `'$' => 's'`
* `'7' => 't'`
* `'1' => 'l'`
* `'5' => 's'`
Default is `false`.
**POT**
The path to a John POT file (JtR option: `--pot`) to use instead. The `pot` file is the data file which
records cracked password hashes. Kali linux's default location is `/root/.john/john.pot`.
Default is `metasploit-framework/data/john.pot`.
**USE_CREDS**
Use existing credential data saved in the database. Default is `true`.
**USE_DB_INFO**
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is `true`.
**USE_DEFAULT_WORDLIST**
Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`. Default is
`true`.
**USE_HOSTNAMES**
Seed the wordlist with hostnames from the workspace. Default is `true`.
**USE_ROOT_WORDS**
Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`. Default
is true.
## Scenarios
Utilizing the `make_hashes` file listed in the Vulnerable Application section:
```
resource (hashes.rb)> use auxiliary/scanner/ssh/ssh_login
resource (hashes.rb)> set username ubuntu
username => ubuntu
resource (hashes.rb)> set password ubuntu
password => ubuntu
resource (hashes.rb)> set rhosts 111.111.1.111
rhosts => 111.111.1.111
resource (hashes.rb)> run
[+] 111.111.1.111:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (2.2.2.2:45369 -> 111.111.1.111:22) at 2019-01-21 15:35:19 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (hashes.rb)> use post/test/make_hashes
resource (hashes.rb)> set session 1
session => 1
resource (hashes.rb)> run
[+] Adding simon:4F8BC1809CB2AF77:des,oracle
[+] Adding SYSTEM:9EEDFA0AD26C6D52:des,oracle
[+] Adding DEMO:S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C:raw-sha1,oracle
[+] Adding oracle11_epsilon:S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C:raw-sha1,oracle
[+] Adding oracle12c_epsilon:H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B:pbkdf2,oracle12c
[*] Post module execution completed
[*] Starting persistent handler(s)...
```
```
msf5 post(test/make_hashes) > use auxiliary/analyze/jtr_oracle_fast
msf5 auxiliary(analyze/jtr_oracle_fast) > run
[*] Wordlist file written out to /tmp/jtrtmp20190121-21358-1qgil9r
[*] Hashes Written out to /tmp/hashes_tmp20190121-21358-1mz3zna
[*] Cracking oracle hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] simon:A
[+] SYSTEM:THALES
[*] Hashes Written out to /tmp/hashes_tmp20190121-21358-1hm4xok
[*] Cracking dynamic_1506 hashes in normal wordlist mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-01-21 15:35) 0g/s 4861Kp/s 9722Kc/s 9722KC/s waneta..vagrant
Session completed
[*] Cracking dynamic_1506 hashes in single mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:14 DONE (2019-01-21 15:36) 0g/s 5680Kp/s 11361Kc/s 11361KC/s ximenes1900..vagrant1900
Session completed
[*] Cracked passwords this run:
[+] DEMO:epsilon
[*] Hashes Written out to /tmp/hashes_tmp20190121-21358-h0fjvl
[*] Cracking oracle11 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle11 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] DEMO:epsilon
[+] oracle11_epsilon:epsilon
[*] Hashes Written out to /tmp/hashes_tmp20190121-21358-5hgfu5
[*] Cracking oracle12c hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking oracle12c hashes in single mode...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] oracle12c_epsilon:epsilon
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_oracle_fast) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
simon A Password
111.111.1.111 simon 4F8BC1809CB2AF77 Nonreplayable hash
SYSTEM THALES Password
111.111.1.111 SYSTEM 9EEDFA0AD26C6D52 Nonreplayable hash
DEMO epsilon Password
111.111.1.111 DEMO S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash
oracle11_epsilon epsilon Password
111.111.1.111 oracle11_epsilon S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash
oracle12c_epsilon epsilon Password
111.111.1.111 oracle12c_epsilon H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B Nonreplayable hash
111.111.1.111 111.111.1.111 22/tcp (ssh) ubuntu ubuntu Password
```

View File

@ -0,0 +1,142 @@
## Vulnerable Application
This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
based password hashes, such as:
* `postgres` based passwords
* `raw-md5` based passwords
The following can be used to add credentials to the database for cracking:
* https://github.com/rapid7/metasploit-framework/pull/11264#issuecomment-455762574
PostgreSQL is a `raw-md5` format with the username appended to the password. This format was
added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
## Verification Steps
1. Have at least one user with an `postgres`, or `raw-md5` password in the database
2. Start msfconsole
3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
4. Do: ```run```
5. You should hopefully crack a password.
## Options
**CONFIG**
The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`
**CUSTOM_WORDLIST**
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
**ITERATION_TIMOUT**
The max-run-time for each iteration of cracking
**JOHN_PATH**
The absolute path to the John the Ripper executable. Default behavior is to search `path` for
`john` and `john.exe`.
**KORELOGIC**
Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
Default is `false`.
**MUTATE**
Apply common mutations to the Wordlist (SLOW). Mutations are:
* `'@' => 'a'`
* `'0' => 'o'`
* `'3' => 'e'`
* `'$' => 's'`
* `'7' => 't'`
* `'1' => 'l'`
* `'5' => 's'`
Default is `false`.
**POT**
The path to a John POT file (JtR option: `--pot`) to use instead. The `pot` file is the data file which
records cracked password hashes. Kali linux's default location is `/root/.john/john.pot`.
Default is `metasploit-framework/data/john.pot`.
**USE_CREDS**
Use existing credential data saved in the database. Default is `true`.
**USE_DB_INFO**
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is `true`.
**USE_DEFAULT_WORDLIST**
Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`. Default is
`true`.
**USE_HOSTNAMES**
Seed the wordlist with hostnames from the workspace. Default is `true`.
**USE_ROOT_WORDS**
Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`. Default
is true.
## Scenarios
Utilizing the `make_hashes` file listed in the Vulnerable Application section:
```
resource (hashes.rb)> use auxiliary/scanner/ssh/ssh_login
resource (hashes.rb)> set username ubuntu
username => ubuntu
resource (hashes.rb)> set password ubuntu
password => ubuntu
resource (hashes.rb)> set rhosts 111.111.1.111
rhosts => 111.111.1.111
resource (hashes.rb)> run
[+] 111.111.1.111:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (2.2.2.2:36917 -> 111.111.1.111:22) at 2019-01-20 21:07:44 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (hashes.rb)> use post/test/make_hashes
resource (hashes.rb)> set session 1
session => 1
resource (hashes.rb)> run
[+] Adding example:md5be86a79bf2043622d58d5453c47d4860:postgres
[*] Post module execution completed
[*] Starting persistent handler(s)...
```
```
msf5 post(test/make_hashes) > use auxiliary/analyze/jtr_postgres_fast
msf5 auxiliary(analyze/jtr_postgres_fast) > run
[*] Hashes written out to /tmp/hashes_tmp20190120-11480-173dub0
[*] Wordlist file written out to /tmp/jtrtmp20190120-11480-1hbm42j
[*] Cracking dynamic_1034 hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracking dynamic_1034 hashes in single mode...
Using default input encoding: UTF-8
[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
Using default input encoding: UTF-8
[*] Cracked passwords this run:
[+] example:password
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_postgres_fast) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
example password Password
111.111.1.111 example md5be86a79bf2043622d58d5453c47d4860 Postgres md5
111.111.1.111 111.111.1.111 22/tcp (ssh) ubuntu ubuntu Password
```

View File

@ -0,0 +1,189 @@
## Vulnerable Application
This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
based password hashes, such as:
* `LM`, or `LANMAN` based passwords
* `NT`, `NTLM`, or `NTLANMAN` based passwords
The following can be used to add credentials to the database for cracking:
* https://github.com/rapid7/metasploit-framework/pull/11264#issuecomment-455762574
## Verification Steps
1. Have at least one user with an `nt` or `lm` password in the database
2. Start msfconsole
3. Do: ```use auxiliary/analyze/jtr_windows_fast```
4. Do: ```run```
5. You should hopefully crack a password.
## Options
**CONFIG**
The path to a John config file (JtR option: `--config`). Default is `metasploit-framework/data/john.conf`
**CUSTOM_WORDLIST**
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
`USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
**ITERATION_TIMOUT**
The max-run-time for each iteration of cracking
**JOHN_PATH**
The absolute path to the John the Ripper executable. Default behavior is to search `path` for
`john` and `john.exe`.
**KORELOGIC**
Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
Default is `false`.
**MUTATE**
Apply common mutations to the Wordlist (SLOW). Mutations are:
* `'@' => 'a'`
* `'0' => 'o'`
* `'3' => 'e'`
* `'$' => 's'`
* `'7' => 't'`
* `'1' => 'l'`
* `'5' => 's'`
Default is `false`.
**POT**
The path to a John POT file (JtR option: `--pot`) to use instead. The `pot` file is the data file which
records cracked password hashes. Kali linux's default location is `/root/.john/john.pot`.
Default is `metasploit-framework/data/john.pot`.
**USE_CREDS**
Use existing credential data saved in the database. Default is `true`.
**USE_DB_INFO**
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is `true`.
**USE_DEFAULT_WORDLIST**
Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`. Default is
`true`.
**USE_HOSTNAMES**
Seed the wordlist with hostnames from the workspace. Default is `true`.
**USE_ROOT_WORDS**
Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`. Default
is true.
## Scenarios
Utilizing the `make_hashes` file listed in the Vulnerable Application section:
```
resource (hashes.rb)> use auxiliary/scanner/ssh/ssh_login
resource (hashes.rb)> set username ubuntu
username => ubuntu
resource (hashes.rb)> set password ubuntu
password => ubuntu
resource (hashes.rb)> set rhosts 111.111.1.111
rhosts => 111.111.1.111
resource (hashes.rb)> run
[+] 111.111.1.111:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare) Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux '
[*] Command shell session 1 opened (2.2.2.2:38243 -> 111.111.1.111:22) at 2019-01-19 05:28:14 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
resource (hashes.rb)> use post/test/make_hashes
resource (hashes.rb)> set session 1
session => 1
resource (hashes.rb)> run
[+] Adding lm_password:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:lm
[+] Adding lm_passphrase:855C3697D9979E78AC404C4BA2C66533:7F8FE03093CC84B267B109625F6BBF4B:lm
[+] Adding nt_password:00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C:nt
[+] Adding nt_passphrase:00000000000000000000000000000000:7F8FE03093CC84B267B109625F6BBF4B:nt
[*] Post module execution completed
[*] Starting persistent handler(s)...
```
```
msf5 post(test/make_hashes) > use auxiliary/analyze/jtr_windows_fast
msf5 auxiliary(analyze/jtr_windows_fast) > run
[*] Hashes Written out to /tmp/hashes_tmp20190123-2730-1wr8x6o
[*] Wordlist file written out to /tmp/jtrtmp20190123-2730-lx6cxy
[*] Cracking lm hashes in normal wordlist mode...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-01-23 16:00) 0g/s 2573Kp/s 2573Kc/s 2573KC/s STEEPER..VAGRANT
Session completed
[*] Cracking lm hashes in single mode...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 DONE (2019-01-23 16:01) 0g/s 5927Kp/s 5927Kc/s 5927KC/s HAS1907..E1900
Session completed
[*] Cracking lm hashes in incremental mode (Digits)...
Using default input encoding: UTF-8
Using default target encoding: CP850
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Warning: MaxLen = 20 is too large for the current hash type, reduced to 7
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-01-23 16:01) 0g/s 39682Kp/s 39682Kc/s 39682KC/s 0766269..0769743
Session completed
[*] Cracked Passwords this run:
[+] lm_password:password
[+] lm_passphrase:passphrase
[*] Cracking nt hashes in normal wordlist mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-01-23 16:01) 0g/s 3836Kp/s 3836Kc/s 3836KC/s yardarm..yipped
Session completed
[*] Cracking nt hashes in single mode...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 DONE (2019-01-23 16:01) 0g/s 15131Kp/s 15131Kc/s 15131KC/s yankee1900..yipped1900
Session completed
[*] Cracking nt hashes in incremental mode (Digits)...
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 DONE (2019-01-23 16:01) 0g/s 40700Kp/s 40700Kc/s 40700KC/s 73673897..73673952
Session completed
[*] Cracked Passwords this run:
[+] lm_password:password
[+] nt_password:password
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_windows_fast) > creds
Credentials
===========
host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
lm_password password Password
111.111.1.111 lm_password e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c NTLM hash
lm_passphrase passphrase Password
111.111.1.111 lm_passphrase 855c3697d9979e78ac404c4ba2c66533:7f8fe03093cc84b267b109625f6bbf4b NTLM hash
nt_password password Password
111.111.1.111 nt_password 00000000000000000000000000000000:8846f7eaee8fb117ad06bdd830b7586c NTLM hash
111.111.1.111 nt_passphrase 00000000000000000000000000000000:7f8fe03093cc84b267b109625f6bbf4b NTLM hash
111.111.1.111 111.111.1.111 22/tcp (ssh) ubuntu ubuntu Password
```

View File

@ -36,6 +36,10 @@ module Metasploit
# @return [Integer] An optional maximum duration of the cracking attempt in seconds # @return [Integer] An optional maximum duration of the cracking attempt in seconds
attr_accessor :max_runtime attr_accessor :max_runtime
# @!attribute max_length
# @return [Integer] An optional maximum length of password to attempt cracking
attr_accessor :max_length
# @!attribute pot # @!attribute pot
# @return [String] The file path to an alternative John pot file to use # @return [String] The file path to an alternative John pot file to use
attr_accessor :pot attr_accessor :pot
@ -62,6 +66,12 @@ module Metasploit
greater_than_or_equal_to: 0 greater_than_or_equal_to: 0
}, if: 'max_runtime.present?' }, if: 'max_runtime.present?'
validates :max_length,
numericality: {
only_integer: true,
greater_than_or_equal_to: 0
}, if: 'max_length.present?'
validates :wordlist, :'Metasploit::Framework::File_path' => true, if: 'wordlist.present?' validates :wordlist, :'Metasploit::Framework::File_path' => true, if: 'wordlist.present?'
# @param attributes [Hash{Symbol => String,nil}] # @param attributes [Hash{Symbol => String,nil}]
@ -146,6 +156,10 @@ module Metasploit
cmd << ( "--max-run-time=" + max_runtime.to_s) cmd << ( "--max-run-time=" + max_runtime.to_s)
end end
if max_length.present?
cmd << ( "--max-len=" + max_length.to_s)
end
cmd << hash_path cmd << hash_path
end end
@ -165,7 +179,7 @@ module Metasploit
# #
# @return [String] the path to the default john.conf file # @return [String] the path to the default john.conf file
def john_config_file def john_config_file
::File.join( ::Msf::Config.data_directory, "john.conf" ) ::File.join( ::Msf::Config.data_directory, "jtr", "john.conf" )
end end
# This method returns the path to a default john.pot file. # This method returns the path to a default john.pot file.

View File

@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary
'Name' => 'John the Ripper AIX Password Cracker', 'Name' => 'John the Ripper AIX Password Cracker',
'Description' => %Q{ 'Description' => %Q{
This module uses John the Ripper to identify weak passwords that have been This module uses John the Ripper to identify weak passwords that have been
acquired from passwd files on AIX systems. acquired from passwd files on AIX systems. These utilize DES hashing.
}, },
'Author' => 'Author' =>
[ [
@ -28,8 +28,11 @@ class MetasploitModule < Msf::Auxiliary
def run def run
cracker = new_john_cracker cracker = new_john_cracker
# generate our wordlist and close the file handle # create the hash file first, so if there aren't any hashes we can quit early
wordlist = wordlist_file cracker.hash_path = hash_file
# generate our wordlist and close the file handle. max length of DES is 8
wordlist = wordlist_file(8)
unless wordlist unless wordlist
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return return
@ -38,26 +41,27 @@ class MetasploitModule < Msf::Auxiliary
wordlist.close wordlist.close
print_status "Wordlist file written out to #{wordlist.path}" print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path cracker.wordlist = wordlist.path
cracker.hash_path = hash_file
['des'].each do |format| cleanup_files = [cracker.hash_path, wordlist.path]
['descrypt'].each do |format|
# dupe our original cracker so we can safely change options between each run # dupe our original cracker so we can safely change options between each run
cracker_instance = cracker.dup cracker_instance = cracker.dup
cracker_instance.format = format cracker_instance.format = format
print_status "Cracking #{format} hashes in normal wordlist mode..." print_status "Cracking #{format} hashes in normal wordlist mode..."
# Turn on KoreLogic rules if the user asked for it # Turn on KoreLogic rules if the user asked for it
if datastore['KoreLogic'] if datastore['KORELOGIC']
cracker_instance.rules = 'KoreLogicRules' cracker_instance.rules = 'KoreLogicRules'
print_status "Applying KoreLogic ruleset..." print_status "Applying KoreLogic ruleset..."
end end
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in single mode..." print_status "Cracking #{format} hashes in single mode..."
cracker_instance.rules = 'single' cracker_instance.rules = 'single'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in incremental mode (Digits)..." print_status "Cracking #{format} hashes in incremental mode (Digits)..."
@ -65,7 +69,7 @@ class MetasploitModule < Msf::Auxiliary
cracker_instance.wordlist = nil cracker_instance.wordlist = nil
cracker_instance.incremental = 'Digits' cracker_instance.incremental = 'Digits'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracked Passwords this run:" print_status "Cracked Passwords this run:"
@ -78,13 +82,17 @@ class MetasploitModule < Msf::Auxiliary
username = fields.shift username = fields.shift
core_id = fields.pop core_id = fields.pop
password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
print_good password_line print_good "#{username}:#{password}"
create_cracked_credential( username: username, password: password, core_id: core_id) create_cracked_credential( username: username, password: password, core_id: core_id)
end end
end end
cleanup_files.each do |f|
File.delete(f)
end
end end
def hash_file def hash_file
wrote_hash = false
hashlist = Rex::Quickfile.new("hashes_tmp") hashlist = Rex::Quickfile.new("hashes_tmp")
framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core| framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|
if core.private.jtr_format =~ /des/ if core.private.jtr_format =~ /des/
@ -92,9 +100,14 @@ class MetasploitModule < Msf::Auxiliary
hash_string = core.private.data hash_string = core.private.data
id = core.id id = core.id
hashlist.puts "#{user}:#{hash_string}:#{id}:" hashlist.puts "#{user}:#{hash_string}:#{id}:"
wrote_hash = true
end end
end end
hashlist.close hashlist.close
unless wrote_hash # check if we wrote anything and bail early if we didn't
hashlist.delete
fail_with Failure::NotFound, 'No DES hashes in database to crack'
end
print_status "Hashes Written out to #{hashlist.path}" print_status "Hashes Written out to #{hashlist.path}"
hashlist.path hashlist.path
end end

View File

@ -14,8 +14,8 @@ class MetasploitModule < Msf::Auxiliary
'Description' => %Q{ 'Description' => %Q{
This module uses John the Ripper to identify weak passwords that have been This module uses John the Ripper to identify weak passwords that have been
acquired from unshadowed passwd files from Unix systems. The module will only crack acquired from unshadowed passwd files from Unix systems. The module will only crack
MD5 and DES implementations by default. Set Crypt to true to also try to crack MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack
Blowfish and SHA implementations. Warning: This is much slower. Blowfish and SHA(256/512). Warning: This is much slower.
}, },
'Author' => 'Author' =>
[ [
@ -38,10 +38,14 @@ class MetasploitModule < Msf::Auxiliary
formats = [ 'md5crypt', 'descrypt', 'bsdicrypt'] formats = [ 'md5crypt', 'descrypt', 'bsdicrypt']
if datastore['Crypt'] if datastore['Crypt']
formats << 'crypt' formats << 'crypt'
formats << 'bcrypt' #blowfish is not within the 'crypt' family
end end
cracker = new_john_cracker cracker = new_john_cracker
# create the hash file first, so if there aren't any hashes we can quit early
cracker.hash_path = hash_file
# generate our wordlist and close the file handle # generate our wordlist and close the file handle
wordlist = wordlist_file wordlist = wordlist_file
unless wordlist unless wordlist
@ -52,7 +56,8 @@ class MetasploitModule < Msf::Auxiliary
wordlist.close wordlist.close
print_status "Wordlist file written out to #{wordlist.path}" print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path cracker.wordlist = wordlist.path
cracker.hash_path = hash_file
cleanup_files = [cracker.hash_path, wordlist.path]
formats.each do |format| formats.each do |format|
# dupe our original cracker so we can safely change options between each run # dupe our original cracker so we can safely change options between each run
@ -65,7 +70,7 @@ class MetasploitModule < Msf::Auxiliary
print_status "Applying KoreLogic ruleset..." print_status "Applying KoreLogic ruleset..."
end end
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracked Passwords this run:" print_status "Cracked Passwords this run:"
@ -79,27 +84,34 @@ class MetasploitModule < Msf::Auxiliary
core_id = fields.pop core_id = fields.pop
4.times { fields.pop } 4.times { fields.pop }
password = fields.join('') # Anything left must be the password. This accounts for passwords with : in them password = fields.join('') # Anything left must be the password. This accounts for passwords with : in them
print_good password_line print_good "#{username}:#{password}"
create_cracked_credential( username: username, password: password, core_id: core_id) create_cracked_credential( username: username, password: password, core_id: core_id)
end end
end end
cleanup_files.each do |f|
File.delete(f)
end
end end
def hash_file def hash_file
wrote_hash = false
hashlist = Rex::Quickfile.new("hashes_tmp") hashlist = Rex::Quickfile.new("hashes_tmp")
framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core| framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|
if core.private.jtr_format =~ /md5|des|bsdi|crypt/ if core.private.jtr_format =~ /md5|des|bsdi|crypt|bf/
user = core.public.username user = core.public.username
hash_string = core.private.data hash_string = core.private.data
id = core.id id = core.id
hashlist.puts "#{user}:#{hash_string}:::::#{id}:" hashlist.puts "#{user}:#{hash_string}:::::#{id}:"
wrote_hash = true
end end
end end
hashlist.close hashlist.close
unless wrote_hash # check if we wrote anything and bail early if we didn't
hashlist.delete
fail_with Failure::NotFound, 'No applicable hashes in database to crack'
end
print_status "Hashes Written out to #{hashlist.path}" print_status "Hashes Written out to #{hashlist.path}"
hashlist.path hashlist.path
end end
end end

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary
'Description' => %Q{ 'Description' => %Q{
This module uses John the Ripper to identify weak passwords that have been This module uses John the Ripper to identify weak passwords that have been
acquired from the mssql_hashdump module. Passwords that have been successfully acquired from the mssql_hashdump module. Passwords that have been successfully
cracked are then saved as proper credentials cracked are then saved as proper credentials.
}, },
'Author' => 'Author' =>
[ [
@ -29,6 +29,9 @@ class MetasploitModule < Msf::Auxiliary
@formats = Set.new @formats = Set.new
cracker = new_john_cracker cracker = new_john_cracker
# create the hash file first, so if there aren't any hashes we can quit early
cracker.hash_path = hash_file
# generate our wordlist and close the file handle # generate our wordlist and close the file handle
wordlist = wordlist_file wordlist = wordlist_file
unless wordlist unless wordlist
@ -39,7 +42,8 @@ class MetasploitModule < Msf::Auxiliary
wordlist.close wordlist.close
print_status "Wordlist file written out to #{wordlist.path}" print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path cracker.wordlist = wordlist.path
cracker.hash_path = hash_file
cleanup_files = [cracker.hash_path, wordlist.path]
@formats.each do |format| @formats.each do |format|
# dupe our original cracker so we can safely change options between each run # dupe our original cracker so we can safely change options between each run
@ -52,19 +56,21 @@ class MetasploitModule < Msf::Auxiliary
print_status "Applying KoreLogic ruleset..." print_status "Applying KoreLogic ruleset..."
end end
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in single mode..." print_status "Cracking #{format} hashes in single mode..."
cracker_instance.rules = 'single' cracker_instance.rules = 'single'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in incremental mode (Digits)..." print_status "Cracking #{format} hashes in incremental mode (Digits)..."
cracker_instance.rules = nil
cracker_instance.wordlist = nil
cracker_instance.incremental = 'Digits' cracker_instance.incremental = 'Digits'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracked Passwords this run:" print_status "Cracked Passwords this run:"
@ -77,14 +83,17 @@ class MetasploitModule < Msf::Auxiliary
username = fields.shift username = fields.shift
core_id = fields.pop core_id = fields.pop
password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
print_good password_line print_good "#{username}:#{password}"
create_cracked_credential( username: username, password: password, core_id: core_id) create_cracked_credential( username: username, password: password, core_id: core_id)
end end
end end
cleanup_files.each do |f|
File.delete(f)
end
end end
def hash_file def hash_file
wrote_hash = false
hashlist = Rex::Quickfile.new("hashes_tmp") hashlist = Rex::Quickfile.new("hashes_tmp")
Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: ['mssql', 'mssql05', 'mssql12']).each do |hash| Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: ['mssql', 'mssql05', 'mssql12']).each do |hash|
# Track the formats that we've seen so we do not attempt a format that isn't relevant # Track the formats that we've seen so we do not attempt a format that isn't relevant
@ -103,12 +112,16 @@ class MetasploitModule < Msf::Auxiliary
hash_string = core.private.data hash_string = core.private.data
id = core.id id = core.id
hashlist.puts "#{user}:#{hash_string}:#{id}:" hashlist.puts "#{user}:#{hash_string}:#{id}:"
wrote_hash = true
end end
end end
hashlist.close hashlist.close
unless wrote_hash # check if we wrote anything and bail early if we didn't
hashlist.delete
fail_with Failure::NotFound, 'No applicable hashes in database to crack'
end
print_status "Hashes Written out to #{hashlist.path}" print_status "Hashes Written out to #{hashlist.path}"
hashlist.path hashlist.path
end end
end end

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary
'Description' => %Q{ 'Description' => %Q{
This module uses John the Ripper to identify weak passwords that have been This module uses John the Ripper to identify weak passwords that have been
acquired from the mysql_hashdump module. Passwords that have been successfully acquired from the mysql_hashdump module. Passwords that have been successfully
cracked are then saved as proper credentials cracked are then saved as proper credentials.
}, },
'Author' => 'Author' =>
[ [
@ -28,6 +28,9 @@ class MetasploitModule < Msf::Auxiliary
def run def run
cracker = new_john_cracker cracker = new_john_cracker
# create the hash file first, so if there aren't any hashes we can quit early
cracker.hash_path = hash_file
# generate our wordlist and close the file handle # generate our wordlist and close the file handle
wordlist = wordlist_file wordlist = wordlist_file
unless wordlist unless wordlist
@ -38,7 +41,8 @@ class MetasploitModule < Msf::Auxiliary
wordlist.close wordlist.close
print_status "Wordlist file written out to #{wordlist.path}" print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path cracker.wordlist = wordlist.path
cracker.hash_path = hash_file
cleanup_files = [cracker.hash_path, wordlist.path]
['mysql','mysql-sha1'].each do |format| ['mysql','mysql-sha1'].each do |format|
cracker_instance = cracker.dup cracker_instance = cracker.dup
@ -50,19 +54,21 @@ class MetasploitModule < Msf::Auxiliary
print_status "Applying KoreLogic ruleset..." print_status "Applying KoreLogic ruleset..."
end end
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in single mode..." print_status "Cracking #{format} hashes in single mode..."
cracker_instance.rules = 'single' cracker_instance.rules = 'single'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in incremental mode (Digits)..." print_status "Cracking #{format} hashes in incremental mode (Digits)..."
cracker_instance.rules = nil
cracker_instance.wordlist = nil
cracker_instance.incremental = 'Digits' cracker_instance.incremental = 'Digits'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracked Passwords this run:" print_status "Cracked Passwords this run:"
@ -75,13 +81,17 @@ class MetasploitModule < Msf::Auxiliary
username = fields.shift username = fields.shift
core_id = fields.pop core_id = fields.pop
password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
print_good password_line print_good "#{username}:#{password}"
create_cracked_credential( username: username, password: password, core_id: core_id) create_cracked_credential( username: username, password: password, core_id: core_id)
end end
end end
cleanup_files.each do |f|
File.delete(f)
end
end end
def hash_file def hash_file
wrote_hash = false
hashlist = Rex::Quickfile.new("hashes_tmp") hashlist = Rex::Quickfile.new("hashes_tmp")
framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core| framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|
if core.private.jtr_format =~ /mysql|mysql-sha1/ if core.private.jtr_format =~ /mysql|mysql-sha1/
@ -89,12 +99,16 @@ class MetasploitModule < Msf::Auxiliary
hash_string = core.private.data hash_string = core.private.data
id = core.id id = core.id
hashlist.puts "#{user}:#{hash_string}:#{id}:" hashlist.puts "#{user}:#{hash_string}:#{id}:"
wrote_hash = true
end end
end end
hashlist.close hashlist.close
unless wrote_hash # check if we wrote anything and bail early if we didn't
hashlist.delete
fail_with Failure::NotFound, 'No applicable hashes in database to crack'
end
print_status "Hashes Written out to #{hashlist.path}" print_status "Hashes Written out to #{hashlist.path}"
hashlist.path hashlist.path
end end
end end

View File

@ -14,7 +14,7 @@ class MetasploitModule < Msf::Auxiliary
'Description' => %Q{ 'Description' => %Q{
This module uses John the Ripper to identify weak passwords that have been This module uses John the Ripper to identify weak passwords that have been
acquired from the oracle_hashdump module. Passwords that have been successfully acquired from the oracle_hashdump module. Passwords that have been successfully
cracked are then saved as proper credentials cracked are then saved as proper credentials.
}, },
'Author' => 'Author' =>
[ [
@ -33,17 +33,27 @@ class MetasploitModule < Msf::Auxiliary
wordlist.close wordlist.close
print_status "Wordlist file written out to #{wordlist.path}" print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path cracker.wordlist = wordlist.path
#cracker.hash_path = hash_file("des")
['oracle', 'oracle11'].each do |format| cleanup_files = [wordlist.path]
# dynamic_1506 is oracle 11/12's H field, MD5.
['oracle', 'dynamic_1506', 'oracle11', 'oracle12c'].each do |format|
cracker_instance = cracker.dup cracker_instance = cracker.dup
cracker_instance.format = format cracker_instance.format = format
case format case format
when 'oracle' when 'oracle'
cracker_instance.hash_path = hash_file('des') cracker_instance.hash_path = hash_file('des|oracle')
cleanup_files << cracker_instance.hash_path
when 'dynamic_1506'
cracker_instance.hash_path = hash_file('raw-sha1|oracle11|oracle12c|dynamic_1506')
cleanup_files << cracker_instance.hash_path
when 'oracle11' when 'oracle11'
cracker_instance.hash_path = hash_file('raw-sha1') cracker_instance.hash_path = hash_file('raw-sha1|oracle11')
cleanup_files << cracker_instance.hash_path
when 'oracle12c'
cracker_instance.hash_path = hash_file('oracle12c')
cleanup_files << cracker_instance.hash_path
end end
print_status "Cracking #{format} hashes in normal wordlist mode..." print_status "Cracking #{format} hashes in normal wordlist mode..."
@ -52,15 +62,14 @@ class MetasploitModule < Msf::Auxiliary
cracker_instance.rules = 'KoreLogicRules' cracker_instance.rules = 'KoreLogicRules'
print_status "Applying KoreLogic ruleset..." print_status "Applying KoreLogic ruleset..."
end end
print_status "Crack command #{cracker_instance.crack_command.join(' ')}"
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in single mode..." print_status "Cracking #{format} hashes in single mode..."
cracker_instance.rules = 'single' cracker_instance.rules = 'single'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracked passwords this run:" print_status "Cracked passwords this run:"
@ -76,11 +85,13 @@ class MetasploitModule < Msf::Auxiliary
# Postgres hashes always prepend the username to the password before hashing. So we strip the username back off here. # Postgres hashes always prepend the username to the password before hashing. So we strip the username back off here.
password.gsub!(/^#{username}/,'') password.gsub!(/^#{username}/,'')
print_good "#{username}:#{password}:#{core_id}" print_good "#{username}:#{password}"
create_cracked_credential( username: username, password: password, core_id: core_id) create_cracked_credential( username: username, password: password, core_id: core_id)
end end
end end
cleanup_files.each do |f|
File.delete(f)
end
end end
@ -89,9 +100,39 @@ class MetasploitModule < Msf::Auxiliary
framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core| framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NonreplayableHash').each do |core|
if core.private.jtr_format =~ /#{format}/ if core.private.jtr_format =~ /#{format}/
user = core.public.username user = core.public.username
hash_string = core.private.data.split(':')[1] case format
when 'des|oracle' #oracle
if core.private.jtr_format.start_with?('des') #aka not oracle11/12c
hash_string = "O$#{user.upcase}##{core.private.data}"
end
when 'raw-sha1|oracle11|oracle12c|dynamic_1506'
if core.private.data =~ /H:([\dA-F]{32})/
user = user.upcase
hash_string = "$dynamic_1506$#{$1}"
end
when 'raw-sha1|oracle11'
# this password is stored as a long ascii string with several sections
# https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
# example: S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C
# S: = 60 characters -> sha1(password + salt (10 bytes))
# 40 char sha1, 20 char salt
# hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C
# salt is 6271691FC55C1F56554A
# H: = 32 characters
# legacy MD5
# T: = 160 characters
# PBKDF2-based SHA512 hash specific to 12C
if core.private.data =~ /S:([\dA-F]{60})/
hash_string = $1
end
when 'oracle12c'
# see H and T sections above
if core.private.data =~ /T:([\dA-F]{160})/
hash_string = "$oracle12c$#{$1.downcase}"
end
end
id = core.id id = core.id
hashlist.puts "#{user}:#{hash_string}:#{id}:" hashlist.puts "#{user}:#{hash_string}:#{id}:" unless hash_string.nil? || hash_string.empty?
end end
end end
hashlist.close hashlist.close

View File

@ -30,7 +30,11 @@ class MetasploitModule < Msf::Auxiliary
cracker = new_john_cracker cracker = new_john_cracker
hash_list = hash_file # since a dynamic list doesn't include an ID, we keep a local list to include it
# for lookup at a later time
reconstruct_list = []
# create the hash file first, so if there aren't any hashes we can quit early
cracker.hash_path, reconstruct_list = hash_file(reconstruct_list)
# generate our wordlist and close the file handle # generate our wordlist and close the file handle
wordlist = wordlist_file wordlist = wordlist_file
@ -38,16 +42,19 @@ class MetasploitModule < Msf::Auxiliary
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
return return
end end
wordlist.close wordlist.close
print_status "Wordlist file written out to #{wordlist.path}" print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path cracker.wordlist = wordlist.path
cracker.hash_path = hash_list
['raw-md5'].each do |format| cleanup_files = [cracker.hash_path, wordlist.path]
['dynamic_1034'].each do |format|
cracker_instance = cracker.dup cracker_instance = cracker.dup
# the following line is left for historical purposes, however
# while psql uses MD5, instead of using a format flag to john
# we actually just set the 'dynamic_1034' type in the hashes
# file directly
cracker_instance.format = format cracker_instance.format = format
print_status "Cracking #{format} hashes in normal wordlist mode..." print_status "Cracking #{format} hashes in normal wordlist mode..."
# Turn on KoreLogic rules if the user asked for it # Turn on KoreLogic rules if the user asked for it
@ -56,19 +63,21 @@ class MetasploitModule < Msf::Auxiliary
print_status "Applying KoreLogic ruleset..." print_status "Applying KoreLogic ruleset..."
end end
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in single mode..." print_status "Cracking #{format} hashes in single mode..."
cracker_instance.rules = 'single' cracker_instance.rules = 'single'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in incremental mode (Digits)..." print_status "Cracking #{format} hashes in incremental mode (Digits)..."
cracker_instance.rules = nil
cracker_instance.wordlist = nil
cracker_instance.incremental = 'Digits' cracker_instance.incremental = 'Digits'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracked passwords this run:" print_status "Cracked passwords this run:"
@ -77,18 +86,47 @@ class MetasploitModule < Msf::Auxiliary
next if password_line.blank? next if password_line.blank?
fields = password_line.split(":") fields = password_line.split(":")
# If we don't have an expected minimum number of fields, this is probably not a hash line # If we don't have an expected minimum number of fields, this is probably not a hash line
next unless fields.count >=3 next unless fields.count >=2
username = fields.shift username = fields.shift
core_id = fields.pop #core_id = fields.pop #not passed in on dynamic formats
password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
# Postgres hashes always prepend the username to the password before hashing. So we strip the username back off here. # this is ugly, we need to get the id, however it isnt in the john files
password.gsub!(/^#{username}/,'') # we generated. So we have to open the john.pot file to get the hash
print_good "#{username}:#{password}:#{core_id}" # to password matching, so the end product looks like this:
create_cracked_credential( username: username, password: password, core_id: core_id) # (reconstruct_list) (john.pot) (cracked)
# un /----> hash un
# hash ----/ password -------> password
# id
# example .pot dynamic_1034 line: $dynamic_1034$be86a79bf2043622d58d5453c47d4860$HEX$24556578616d706c65:password
# also note how the $HEX$ till : part is added by jtr
pot = File.open(cracker.john_pot_file, 'rb')
pots = pot.read
pot.close
# here we combine un:hash and hash:password to make un:hash:password
combined = []
pots.each_line do |p|
reconstruct_list.each do |r|
hash = r.split(":")[1]
next unless p.starts_with?("#{hash}$HEX$")
combined << "#{r}:#{p.split(':')[1]}"
end
end
combined.each do |cred|
c = cred.split(":")
c_u = c[0].strip
c_h = c[1].strip
c_i = c[2].strip
c_p = c[3].strip
next unless c_u==username && c_p==password
print_good "#{username}:#{password}"
create_cracked_credential( username: username, password: password, core_id: c_i)
end
end end
end end
cleanup_files.each do |f|
File.delete(f)
end
end end
# Override the mixin method to add prependers # Override the mixin method to add prependers
@ -108,20 +146,29 @@ class MetasploitModule < Msf::Auxiliary
wordlist.to_file wordlist.to_file
end end
def hash_file def hash_file(reconstruct_list)
wrote_hash = false
hashlist = Rex::Quickfile.new("hashes_tmp") hashlist = Rex::Quickfile.new("hashes_tmp")
framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::PostgresMD5').each do |core| framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::PostgresMD5').each do |core|
if core.private.jtr_format =~ /des/ if core.private.jtr_format =~ /postgres|raw-md5/
user = core.public.username user = core.public.username
@username_set << user @username_set << user
hash_string = core.private.data hash_string = core.private.data
hash_string.gsub!(/^md5/, '') hash_string.gsub!(/^md5/, '')
id = core.id id = core.id
hashlist.puts "#{user}:#{hash_string}:#{id}:" # john --list=subformats | grep 'PostgreSQL MD5'
#UserFormat = dynamic_1034 type = dynamic_1034: md5($p.$u) (PostgreSQL MD5)
hashlist.puts "#{user}:$dynamic_1034$#{hash_string}"
reconstruct_list << "#{user}:$dynamic_1034$#{hash_string}:#{id}"
wrote_hash = true
end end
end end
hashlist.close hashlist.close
unless wrote_hash # check if we wrote anything and bail early if we didn't
hashlist.delete
fail_with Failure::NotFound, 'No Postgres hashes in database to crack'
end
print_status "Hashes written out to #{hashlist.path}" print_status "Hashes written out to #{hashlist.path}"
hashlist.path return hashlist.path, reconstruct_list
end end
end end

View File

@ -10,7 +10,7 @@ class MetasploitModule < Msf::Auxiliary
def initialize def initialize
super( super(
'Name' => 'John the Ripper Password Cracker (Fast Mode)', 'Name' => 'John the Ripper Windows Password Cracker (Fast Mode)',
'Description' => %Q{ 'Description' => %Q{
This module uses John the Ripper to identify weak passwords that have been This module uses John the Ripper to identify weak passwords that have been
acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal
@ -27,6 +27,9 @@ class MetasploitModule < Msf::Auxiliary
def run def run
cracker = new_john_cracker cracker = new_john_cracker
# create the hash file first, so if there aren't any hashes we can quit early
cracker.hash_path = hash_file
# generate our wordlist and close the file handle # generate our wordlist and close the file handle
wordlist = wordlist_file wordlist = wordlist_file
unless wordlist unless wordlist
@ -37,12 +40,23 @@ class MetasploitModule < Msf::Auxiliary
wordlist.close wordlist.close
print_status "Wordlist file written out to #{wordlist.path}" print_status "Wordlist file written out to #{wordlist.path}"
cracker.wordlist = wordlist.path cracker.wordlist = wordlist.path
cracker.hash_path = hash_file
cleanup_files = [cracker.hash_path, wordlist.path]
['lm','nt'].each do |format| ['lm','nt'].each do |format|
# dupe our original cracker so we can safely change options between each run # dupe our original cracker so we can safely change options between each run
cracker_instance = cracker.dup cracker_instance = cracker.dup
cracker_instance.format = format cracker_instance.format = format
# lanman has a max length of 7, so we create a new wordlist optimized for it
if format == 'lm'
wordlist = wordlist_file(maxlen=7)
cracker.wordlist = wordlist.path
# JtR would handle this itself, but throws a warning. This prevents that additional dialog
cracker_instance.max_length = 7
cleanup_files.append(wordlist.path)
end
print_status "Cracking #{format} hashes in normal wordlist mode..." print_status "Cracking #{format} hashes in normal wordlist mode..."
# Turn on KoreLogic rules if the user asked for it # Turn on KoreLogic rules if the user asked for it
if datastore['KORELOGIC'] if datastore['KORELOGIC']
@ -50,31 +64,26 @@ class MetasploitModule < Msf::Auxiliary
print_status "Applying KoreLogic ruleset..." print_status "Applying KoreLogic ruleset..."
end end
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracking #{format} hashes in single mode..." print_status "Cracking #{format} hashes in single mode..."
cracker_instance.rules = 'single' cracker_instance.rules = 'single'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end
if format == 'lm'
print_status "Cracking #{format} hashes in incremental mode (All4)..."
cracker_instance.rules = nil
cracker_instance.wordlist = nil
cracker_instance.incremental = 'All4'
cracker_instance.crack do |line|
print_status line.chomp
end
end end
print_status "Cracking #{format} hashes in incremental mode (Digits)..." print_status "Cracking #{format} hashes in incremental mode (Digits)..."
if format == 'nt'
# https://github.com/magnumripper/JohnTheRipper/commit/f4467dd3c58d5223fc804741bc1bcce77d3d898f#diff-c499d11af6e80a995563b547db7ce022R341
# we do this for speed
cracker_instance.max_length = 8
end
cracker_instance.rules = nil cracker_instance.rules = nil
cracker_instance.wordlist = nil cracker_instance.wordlist = nil
cracker_instance.incremental = 'Digits' cracker_instance.incremental = 'Digits'
cracker_instance.crack do |line| cracker_instance.crack do |line|
print_status line.chomp vprint_status line.chomp
end end
print_status "Cracked Passwords this run:" print_status "Cracked Passwords this run:"
@ -94,6 +103,7 @@ class MetasploitModule < Msf::Auxiliary
# get the NT and LM hashes # get the NT and LM hashes
nt_hash = fields.pop nt_hash = fields.pop
lm_hash = fields.pop lm_hash = fields.pop
id = fields.pop
password = fields.join(':') password = fields.join(':')
if format == 'lm' if format == 'lm'
@ -113,21 +123,30 @@ class MetasploitModule < Msf::Auxiliary
next if password.nil? next if password.nil?
end end
print_good "#{username}:#{password}:#{core_id}" print_good "#{username}:#{password}"
create_cracked_credential( username: username, password: password, core_id: core_id) create_cracked_credential( username: username, password: password, core_id: core_id)
end end
end end
cleanup_files.each do |f|
File.delete(f)
end
end end
def hash_file def hash_file
wrote_hash = false
hashlist = Rex::Quickfile.new("hashes_tmp") hashlist = Rex::Quickfile.new("hashes_tmp")
framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NTLMHash').each do |core| framework.db.creds(workspace: myworkspace, type: 'Metasploit::Credential::NTLMHash').each do |core|
user = core.public.username user = core.public.username
hash_string = core.private.data hash_string = core.private.data
id = core.id id = core.id
hashlist.puts "#{user}:#{id}:#{hash_string}:::#{id}" hashlist.puts "#{user}:#{id}:#{hash_string}:::#{id}"
wrote_hash = true
end end
hashlist.close hashlist.close
unless wrote_hash # check if we wrote anything and bail early if we didn't
hashlist.delete
fail_with Failure::NotFound, 'No LM/NT hashes in database to crack'
end
print_status "Hashes Written out to #{hashlist.path}" print_status "Hashes Written out to #{hashlist.path}"
hashlist.path hashlist.path
end end

View File

@ -50,8 +50,6 @@ class MetasploitModule < Msf::Auxiliary
:proto => 'tcp' :proto => 'tcp'
) )
tbl = Rex::Text::Table.new( tbl = Rex::Text::Table.new(
'Header' => 'Oracle Server Hashes', 'Header' => 'Oracle Server Hashes',
'Indent' => 1, 'Indent' => 1,
@ -97,9 +95,9 @@ class MetasploitModule < Msf::Auxiliary
# Reports the hashes slightly differently depending on the version # Reports the hashes slightly differently depending on the version
# This is so that we know which are which when we go to crack them # This is so that we know which are which when we go to crack them
if is_11g==false if is_11g==false
jtr_format = "des" jtr_format = "des,oracle"
else else
jtr_format = "raw-sha1" jtr_format = "raw-sha1,oracle11"
end end
service_data = { service_data = {
address: Rex::Socket.getaddress(ip), address: Rex::Socket.getaddress(ip),