From a9bcb8b3bd455c9f97dd984c94430e585f7b31e3 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Fri, 13 Jun 2014 11:10:12 -0500
Subject: [PATCH 01/32] add skeleton for JtR Cracker starting work on creating the JtR Cracker class
---
lib/metasploit/framework/jtr/cracker.rb | 210 ++++++++++++++++++
.../metasploit/framework/jtr/cracker_spec.rb | 31 +++
2 files changed, 241 insertions(+)
create mode 100644 lib/metasploit/framework/jtr/cracker.rb
create mode 100644 spec/lib/metasploit/framework/jtr/cracker_spec.rb
diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb
new file mode 100644
index 0000000000..2538a3bef8
--- /dev/null
+++ b/lib/metasploit/framework/jtr/cracker.rb
@@ -0,0 +1,210 @@ +module Metasploit + module Framework + module JtR + + class JohnNotFoundError < StandardError + end + + class Cracker + include ActiveModel::Validations + + # @!attribute config + # @return [String] The path to an optional config file for John to use + attr_accessor :config + + # @!attribute format + # @return [String] The hash format to try + attr_accessor :format + + # @!attribute hash_path + # @return [String] The path to the file containing the hashes + attr_accessor :hash_path + + # @!attribute incremental + # @return [String] The incremental mode to use + attr_accessor :incremental + + # @!attribute john_path + # @return [String] The file path to an alternative John binary to use + attr_accessor :john_path + + # @!attribute max_runtime + # @return [Fixnum] An optional maximum duration of the cracking attempt in seconds + attr_accessor :max_runtime + + # @!attribute pot + # @return [String] The file path to an alternative John pot file to use + attr_accessor :pot + + # @!attribute rules + # @return [String] The wordlist mangling rules to use inside John + attr_accessor :rules + + # @!attribute wordlist + # @return [String] The file path to the wordlist to use + attr_accessor :wordlist + + validates :max_runtime, + numericality: { + only_integer: true, + greater_than_or_equal_to: 0 + } + + # @param attributes [Hash{Symbol => String,nil}] + def initialize(attributes={}) + attributes.each do |attribute, value| + public_send("#{attribute}=", value) + end + end + + # This method follows a decision tree to determine the path + # to the John the Ripper binary we should use. + # + # @return [NilClass] if a binary path could not be found + # @return [String] the path to the selected JtR binary + def binary_path + # Always prefer a manually entered path + if john_path and ::File.file? 
john_path + bin_path = john_path + else + # Look in the Environment PATH for the john binary + path = Rex::FileUtils.find_full_path("john") || + Rex::FileUtils.find_full_path("john.exe") + + if ::File.file? path + bin_path = path + else + # If we can't find john anywhere else, look at our precompiled binaries + bin_path = select_shipped_binary + end + end + bin_path + end + + + def crack + ::IO.popen(crack_command, "rb") do |fd| + fd.each_line do |line| + yield line + end + end + end + + # This method builds an array for the command to actually run the cracker. + # It builds the command from all of the attributes on the class. + # + # @raise [JohnNotFoundError] if a suitable John binary was never found + # @return [Array] An array set up for {::IO.popen} to use + def crack_command + cmd_string = binary_path + raise JohnNotFoundError, 'No suitable John binary was found on the system' if cmd_string.blank? + + cmd = [ cmd_string, '--session=' + john_session_id, '--nolog' ] + + if config.present? + cmd << ( "--conf=" + config ) + end + + if pot.present? + cmd << ( "--pot=" + pot ) + else + cmd << ( "--pot" + john_pot_file) + end + + if format.present? + cmd << ( "--format=" + format ) + end + + if wordlist.present? + cmd << ( "--wordlist=" + wordlist ) + end + + if incremental.present? + cmd << ( "--incremental=" + incremental ) + end + + if rules.present? + cmd << ( "--rules=" + rules ) + end + + cmd << hash_path + end + + # This method returns the path to a default john.pot file. + # + # @return [String] the path to the default john.pot file + def john_pot_file + ::File.join( ::Msf::Config.config_directory, "john.pot" ) + end + + # This method is a getter for a random Session ID for John. + # It allows us to dinstiguish between cracking sessions. 
+ # + # @ return [String] the Session ID to use + def john_session_id + @session_id ||= ::Rex::Text.rand_text_alphanumeric(8) + end + + private + + # This method tries to identify the correct version of the pre-shipped + # JtR binaries to use based on the platform. + # + # @return [NilClass] if the correct bianry could not be determined + # @return [String] the path to the selected binary + def select_shipped_binary + cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo") + runpath = nil + if File.directory?(cpuinfo_base) + data = nil + + case ::RUBY_PLATFORM + when /mingw|cygwin|mswin/ + fname = "#{cpuinfo_base}/cpuinfo.exe" + if File.exists?(fname) and File.executable?(fname) + data = %x{"#{fname}"} rescue nil + end + case data + when /sse2/ + run_path ||= "run.win32.sse2/john.exe" + when /mmx/ + run_path ||= "run.win32.mmx/john.exe" + else + run_path ||= "run.win32.any/john.exe" + end + when /x86_64-linux/ + fname = "#{cpuinfo_base}/cpuinfo.ia64.bin" + if File.exists? fname + ::FileUtils.chmod(0755, fname) rescue nil + data = %x{"#{fname}"} rescue nil + end + case data + when /mmx/ + run_path ||= "run.linux.x64.mmx/john" + else + run_path ||= "run.linux.x86.any/john" + end + when /i[\d]86-linux/ + fname = "#{cpuinfo_base}/cpuinfo.ia32.bin" + if File.exists? fname + ::FileUtils.chmod(0755, fname) rescue nil + data = %x{"#{fname}"} rescue nil + end + case data + when /sse2/ + run_path ||= "run.linux.x86.sse2/john" + when /mmx/ + run_path ||= "run.linux.x86.mmx/john" + else + run_path ||= "run.linux.x86.any/john" + end + end + end + runpath + end + + end + + end + end +end diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb new file mode 100644 index 0000000000..68cff3900d --- /dev/null +++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb 
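Review bot: `select_shipped_binary` stores every candidate in `run_path` but initialises and returns `runpath`, so the shipped-binary fallback always yields nil and `crack_command` raises `JohnNotFoundError` whenever no `john` is found on PATH. Make the local consistent: `run_path = nil` at the top and `run_path` as the last expression. The candidates are also relative strings such as `"run.linux.x86.any/john"`, so the result presumably still has to be joined onto the directory holding the shipped binaries before it reaches `IO.popen`; confirm where those live. Because this method decides which executable the framework launches, it deserves a spec that runs the real method rather than a stub.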
@@ -0,0 +1,31 @@ +require 'spec_helper' +require 'metasploit/framework/jtr/cracker' + +describe Metasploit::Framework::JtR::Cracker do + + subject(:cracker) { described_class.new } + + describe '#binary_path' do + context 'when the user supplied a john_path' do + before(:each) do + cracker.john_path = '/path/to/john' + end + + it 'returns the manual path if it exists and is a regular file' do + expect(::File).to receive(:file?).with(cracker.john_path).at_least(:once).and_return true + expect(cracker.binary_path).to eq cracker.john_path + end + + it 'rejects the manual path if it does not exist or is not a regular file' do + expect(cracker.binary_path).to_not eq cracker.john_path + end + end + + context 'when the user did not supply a path' do + it 'searches the Environment PATH' do + expect(Rex::FileUtils).to receive(:find_full_path).and_return __FILE__ + expect(cracker.binary_path).to eq __FILE__ + end + end + end +end \ No newline at end of file From 7187138134621ea1799c2bcd709ad7401e714186 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 13 Jun 2014 14:53:56 -0500 Subject: [PATCH 02/32] start injecting sanity --- lib/metasploit/framework/jtr/cracker.rb | 7 +++-- .../metasploit/framework/jtr/cracker_spec.rb | 28 ++++++++++++++----- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 2538a3bef8..7d7f8d7cee 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -81,7 +81,10 @@ module Metasploit bin_path end - + # This method runs the command from {#crack_command} and yields each line of output. + # + # @yield [String] a line of output from the john command + # @return [void] def crack ::IO.popen(crack_command, "rb") do |fd| fd.each_line do |line| 
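Review bot: The new YARD block on `crack` leaves out the two ways the call can fail: `crack_command` raises `JohnNotFoundError`, and calling `crack` without a block reaches `yield line` with nothing to yield to (LocalJumpError). I would add `# @raise [JohnNotFoundError] if a suitable John binary was never found` above `@return [void]` and state in the description that a block is required. The visible lines never inspect the child's exit status, so a caller apparently cannot tell a failed john run from one that produced no output; this is hedged because the body of `crack` continues past the end of the hunk.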
@@ -108,7 +111,7 @@ module Metasploit if pot.present? cmd << ( "--pot=" + pot ) else - cmd << ( "--pot" + john_pot_file) + cmd << ( "--pot=" + john_pot_file) end if format.present? diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb index 68cff3900d..35246605a4 100644 --- a/spec/lib/metasploit/framework/jtr/cracker_spec.rb +++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb 
@@ -6,25 +6,39 @@ describe Metasploit::Framework::JtR::Cracker do subject(:cracker) { described_class.new } describe '#binary_path' do + let(:john_path) { '/path/to/john' } + let(:other_john_path) { '/path/to/other/john' } + context 'when the user supplied a john_path' do before(:each) do - cracker.john_path = '/path/to/john' + cracker.john_path = john_path end it 'returns the manual path if it exists and is a regular file' do - expect(::File).to receive(:file?).with(cracker.john_path).at_least(:once).and_return true - expect(cracker.binary_path).to eq cracker.john_path + expect(::File).to receive(:file?).with(john_path).once.and_return true + expect(cracker.binary_path).to eq john_path end it 'rejects the manual path if it does not exist or is not a regular file' do - expect(cracker.binary_path).to_not eq cracker.john_path + expect(::File).to receive(:file?).with(john_path).once.and_return false + expect(Rex::FileUtils).to receive(:find_full_path).with('john').and_return other_john_path + expect(::File).to receive(:file?).with(other_john_path).once.and_return true + expect(cracker.binary_path).to_not eq john_path end end context 'when the user did not supply a path' do - it 'searches the Environment PATH' do - expect(Rex::FileUtils).to receive(:find_full_path).and_return __FILE__ - expect(cracker.binary_path).to eq __FILE__ + it 'returns the john binary from the PATH if it exists' do + expect(Rex::FileUtils).to receive(:find_full_path).and_return john_path + expect(::File).to receive(:file?).with(john_path).once.and_return true + expect(cracker.binary_path).to eq john_path + end + + it 'returns the shipped john binary if it does not exist in the PATH' do + expect(Rex::FileUtils).to receive(:find_full_path).twice.and_return nil + expect(::File).to receive(:file?).with(nil).once.and_return false + expect(cracker).to receive(:select_shipped_binary).and_return other_john_path + expect(cracker.binary_path).to eq other_john_path end end end 
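Review bot: The example 'returns the shipped john binary if it does not exist in the PATH' stubs `::File.file?` to return false for nil, but the real `File.file?(nil)` raises TypeError, so the spec passes on a path that would crash outside the test. The fix belongs in `binary_path`, which should skip the check when both PATH lookups return nil: `if path && ::File.file?(path)`. The example can then replace the `.with(nil)` expectation with `expect(::File).not_to receive(:file?)`. As written the spec pins the mock's behaviour rather than Ruby's File API.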
From b784bea48ee5942197d7173e81c8b085d5f62786 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 13 Jun 2014 16:08:56 -0500 Subject: [PATCH 03/32] slow roll of specs for jtr cracker slowly adding spec coverage for the JtR cracker --- lib/metasploit/framework/jtr/cracker.rb | 2 +- .../metasploit/framework/jtr/cracker_spec.rb | 50 ++++++++++++++++++- 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 7d7f8d7cee..a5e3a331dc 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -105,7 +105,7 @@ module Metasploit cmd = [ cmd_string, '--session=' + john_session_id, '--nolog' ] if config.present? - cmd << ( "--conf=" + config ) + cmd << ( "--config=" + config ) end if pot.present? diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb index 35246605a4..59d96807d2 100644 --- a/spec/lib/metasploit/framework/jtr/cracker_spec.rb +++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb @@ -4,10 +4,17 @@ require 'metasploit/framework/jtr/cracker' describe Metasploit::Framework::JtR::Cracker do subject(:cracker) { described_class.new } + let(:john_path) { '/path/to/john' } + let(:other_john_path) { '/path/to/other/john' } + let(:session_id) { 'Session1' } + let(:config) { '/path/to/config.conf' } + let(:pot) { '/path/to/john.pot' } + let(:other_pot) { '/path/to/other/pot' } + let(:wordlist) { '/path/to/wordlist' } + let(:hash_path) { '/path/to/hashes' } describe '#binary_path' do - let(:john_path) { '/path/to/john' } - let(:other_john_path) { '/path/to/other/john' } + context 'when the user supplied a john_path' do before(:each) do 
@@ -42,4 +49,43 @@ describe Metasploit::Framework::JtR::Cracker do end end end + + describe '#crack_command' do + before(:each) do + expect(cracker).to receive(:binary_path).and_return john_path + expect(cracker).to receive(:john_session_id).and_return session_id + end + + it 'starts with the john binary path' do + expect(cracker.crack_command[0]).to eq john_path + end + + it 'sets a session id' do + expect(cracker.crack_command).to include "--session=#{session_id}" + end + + it 'sets the nolog flag' do + expect(cracker.crack_command).to include '--nolog' + end + + it 'adds a config directive if the user supplied one' do + cracker.config = config + expect(cracker.crack_command).to include "--config=#{config}" + end + + it 'does not use a config directive if not supplied one' do + expect(cracker.crack_command).to_not include "--config=#{config}" + end + + it 'uses the user supplied john.pot if there is one' do + cracker.pot = pot + expect(cracker.crack_command).to include "--pot=#{pot}" + end + + it 'uses default john.pot if the user didnot supply one' do + expect(cracker).to receive(:john_pot_file).and_return other_pot + expect(cracker.crack_command).to include "--pot=#{other_pot}" + end + + end end \ No newline at end of file From 300baa577c75916241c7bfac09d3a4e9b8989b3a Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 13 Jun 2014 17:34:16 -0500 Subject: [PATCH 04/32] moar specs! --- .../metasploit/framework/jtr/cracker_spec.rb | 30 ++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb index 59d96807d2..57b2f6dae6 100644 --- a/spec/lib/metasploit/framework/jtr/cracker_spec.rb +++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb 
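Review bot: None of the `#crack_command` examples covers the failure path or an unset `hash_path`. With the defaults used here the returned array ends in nil (`cmd << hash_path`), which `IO.popen` would reject with a TypeError, and the `JohnNotFoundError` branch for a blank `binary_path` is never exercised. I would add a separate context that stubs `binary_path` to return nil and asserts `expect { cracker.crack_command }.to raise_error(Metasploit::Framework::JtR::JohnNotFoundError)`, plus an example that pins the intended behaviour when `hash_path` is nil. On style, the `before(:each)` stubs are set-up rather than assertions, so `allow(cracker).to receive(:binary_path).and_return john_path` reads better than `expect`.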
@@ -12,6 +12,9 @@ describe Metasploit::Framework::JtR::Cracker do let(:other_pot) { '/path/to/other/pot' } let(:wordlist) { '/path/to/wordlist' } let(:hash_path) { '/path/to/hashes' } + let(:nt_format) { 'nt' } + let(:incremental) { 'Digits5' } + let(:rules) { 'Rule34'} describe '#binary_path' do @@ -82,10 +85,35 @@ describe Metasploit::Framework::JtR::Cracker do expect(cracker.crack_command).to include "--pot=#{pot}" end - it 'uses default john.pot if the user didnot supply one' do + it 'uses default john.pot if the user did not supply one' do expect(cracker).to receive(:john_pot_file).and_return other_pot expect(cracker.crack_command).to include "--pot=#{other_pot}" end + it 'uses the user supplied format directive' do + cracker.format = nt_format + expect(cracker.crack_command).to include "--format=#{nt_format}" + end + + it 'uses the user supplied wordlist directive' do + cracker.wordlist = wordlist + expect(cracker.crack_command).to include "--wordlist=#{wordlist}" + end + + it 'uses the user supplied incremental directive' do + cracker.incremental = incremental + expect(cracker.crack_command).to include "--incremental=#{incremental}" + end + + it 'uses the user supplied rules directive' do + cracker.rules = rules + expect(cracker.crack_command).to include "--rules=#{rules}" + end + + it 'puts the path to the has file at the end' do + cracker.hash_path = hash_path + expect(cracker.crack_command.last).to eq hash_path + end + end end \ No newline at end of file From 873d6e5b99a405d1b7ae569f4bdc09f1f98ed0b8 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 12:28:17 -0500 Subject: [PATCH 05/32] add all the specs --- lib/metasploit/framework/jtr/cracker.rb | 32 ++++++++++++++++- .../metasploit/framework/jtr/cracker_spec.rb | 34 +++++++++++++++++++ 2 files changed, 65 insertions(+), 1 deletion(-) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index a5e3a331dc..69ae6808a6 100644 
--- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -102,7 +102,7 @@ module Metasploit cmd_string = binary_path raise JohnNotFoundError, 'No suitable John binary was found on the system' if cmd_string.blank? - cmd = [ cmd_string, '--session=' + john_session_id, '--nolog' ] + cmd = [ cmd_string, '--session=' + john_session_id, '--nolog', '--dupe-suppression' ] if config.present? cmd << ( "--config=" + config ) @@ -148,6 +148,36 @@ module Metasploit @session_id ||= ::Rex::Text.rand_text_alphanumeric(8) end + # This method builds the command to show the cracked passwords. + # + # @raise [JohnNotFoundError] if a suitable John binary was never found + # @return [Array] An array set up for {::IO.popen} to use + def show_command + cmd_string = binary_path + raise JohnNotFoundError, 'No suitable John binary was found on the system' if cmd_string.blank? + + pot_file = pot || john_pot_file + cmd = [cmd_string, "--show", "--pot=#{pot_file}", "--format=#{format}" ] + + if config + cmd << "--config=#{config}" + end + + cmd << hash_path + end + + # This runs the show command in john to show cracked passwords. + # + # @yield [String] the output lines from the command + # @return [void] + def show_passwords + ::IO.popen(show_command, "rb") do |fd| + fd.each_line do |line| + yield line + end + end + end + private # This method tries to identify the correct version of the pre-shipped diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb index 57b2f6dae6..784ee44691 100644 --- a/spec/lib/metasploit/framework/jtr/cracker_spec.rb +++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb 
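Review bot: In the second hunk, `show_command` builds its options by different rules from `crack_command`, so the two invocations can disagree for the same Cracker. `"--format=#{format}"` is appended unconditionally, so an unset format produces a bare `--format=`, and `pot || john_pot_file` and `if config` treat an empty string as supplied where `crack_command` uses `.present?`. I would use `pot_file = pot.present? ? pot : john_pot_file`, `cmd << "--format=#{format}" if format.present?`, and `if config.present?`. `hash_path` is again appended without a presence check, so a nil value reaches `IO.popen`.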
@@ -116,4 +116,38 @@ describe Metasploit::Framework::JtR::Cracker do end end + + describe '#show_command' do + before(:each) do + expect(cracker).to receive(:binary_path).and_return john_path + end + + it 'starts with the john binary path' do + expect(cracker.show_command[0]).to eq john_path + end + + it 'has the --show flag' do + expect(cracker.show_command).to include '--show' + end + + it 'uses the user supplied john.pot if there is one' do + cracker.pot = pot + expect(cracker.show_command).to include "--pot=#{pot}" + end + + it 'uses default john.pot if the user did not supply one' do + expect(cracker).to receive(:john_pot_file).and_return other_pot + expect(cracker.show_command).to include "--pot=#{other_pot}" + end + + it 'uses the user supplied format directive' do + cracker.format = nt_format + expect(cracker.show_command).to include "--format=#{nt_format}" + end + + it 'puts the path to the has file at the end' do + cracker.hash_path = hash_path + expect(cracker.show_command.last).to eq hash_path + end + end end \ No newline at end of file From 41f7bc1372d2179e2e70d3b11842a8e2cabeefb1 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 14:13:59 -0500 Subject: [PATCH 06/32] add common root words wordlist this adds a new wordlist to the data directory. This wordlist is compiled from statistical analysis of common Numeric passwords and Common rootwords across 6 years of colleted password breach dumps. Every word in this list has been seen thousands of times in password breaches --- data/john/wordlists/common_roots.txt | 4724 ++++++++++++++++++++++ lib/metasploit/framework/jtr/wordlist.rb | 0 2 files changed, 4724 insertions(+) create mode 100644 data/john/wordlists/common_roots.txt create mode 100644 lib/metasploit/framework/jtr/wordlist.rb diff --git a/data/john/wordlists/common_roots.txt b/data/john/wordlists/common_roots.txt new file mode 100644 index 0000000000..a2f113b3b1 --- /dev/null +++ b/data/john/wordlists/common_roots.txt 
@@ -0,0 +1,4724 @@ + +!1qwerty +!@#QWE123qwe +!Q2w#E4r +!Q2w3e4r +!QAZ2wsx +!QAZ2wsx#EDC4rfv +!QAZ@WSX3edc4rfv +!admin +!ishtar +!manage +!qaz@wsx +!qazXsw2 +!qwe123 +!root +$SRV +$chwarzepumpe +$rfmngr$ +$secure$ +(random +(unknown) +* +*3noguru +*password +-------- +0 +00 +000 +0000 +00000 +000000 +0000000 +00000000 +0000000000 +007007 +00850085 +010101 +010203 +012012 +012345 +0123456 +0123456789 +012465 +0392a0 +04051995 +0407056 +06061977 +06071992 +080808 +082208 +09090 +098765 +0987654321 +0P3N +0RACLE +0RACLE38 +0RACLE39 +0RACLE8 +0RACLE8I +0RACLE9 +0okmnji9 +1 +10023 +101010 +10101010 +10111011 +10118 +10135 +10143 +10144 +102030 +1020304050 +1064 +11 +111 +1111 +11111 +111111 +1111111 +11111111 +1111111111 +11112222 +1111aa +111222 +112233 +11223344 +116572 +12 +1212 +121212 +12121212 +12201220 +123 +123.com +123123 +123123123 +123132123 +123258 +123321 +1234 +12341 +12341234 +123412345 +12345 +123454321 +123456 +1234567 +12345678 +123456789 +1234567890 +12345678900987654321 +1234567890987654321 +1234567890qwertyuiop +12345678910 +1234567898 +12345678987 +123456789876 +1234567898765 +12345678987654 +123456789876543 +1234567898765432 +12345678987654321 +1234567899 +12345678998 +123456789987 +1234567899876 +12345678998765 +123456789987654 +1234567899876543 +12345678998765432 +123456789987654321 +12345678abc +123456a +1234ABCD +1234Qwer +1234admin +1234qwer! 
+1234qwer` +123654 +123654789 +123789 +123abc +123cztery +123mudar +123qwe +123qwe!@# +123qweASD +123qweasdzxc +123qwerty +123zxc123 +124578 +125401 +12qw!@QW +12qw34er +12qwaszx +130590 +1313 +131313 +1322222 +1340hd +134679 +14111982 +141414 +142536 +143143 +14344 +1435254 +1456 +146688 +146890 +147147 +147258 +147258369 +147852 +147852369 +147896325 +1502 +151515 +1548644 +159357 +159357** +159753 +159753456 +161616 +1660359 +166816 +17161716 +171717 +17201720 +17841784 +18140815 +181818 +187cop +19491949 +19501950 +19511951 +1969 +19750407 +198624 +1986673 +1988 +19920706 +1997 +1a2s3d4f +1keeper +1lkjhgfdsa +1q2w3e +1q2w3e4R +1q2w3e4r +1q2w3e4r.. +1q2w3e4r5t +1q2w3e4r5t6y +1qa@WS3ed +1qaz!QAZ +1qaz"WSX +1qaz0okm +1qaz2wsx +1qaz2wsx3edc +1qaz@WSX +1qazcde3 +1qazxcvb +1qazxsw2 +1qsx2waz +1qsx2wdc +2 +2000 +2010 +201036 +20112011 +20132013 +202020 +20552055 +20562056 +20572057 +20682068 +2071184 +20742074 +21 +21101981 +2112 +21121477 +212121 +21241036 +22 +22071979 +222101 +2222 +22222 +222222 +22222222 +22242224 +225225 +23041979 +23051979 +232323 +23712371 +237723 +23skidoo +24041975 +240653C9467E45 +242424 +24343 +246810 +2468369 +24Banc81 +2501 +2505463 +252525 +256256 +2580 +2594561 +266344 +2718281828 +282828 +29082908 +2WSXcder +2bornot2b +2brnot2b +2cute4u +2keeper +2read +3 +3098z +311147 +31994 +321 +3333 +333333 +33333333 +3425235 +343guiltyspark +3477 +3800326 +38483848 +3Com +3ascotel +3ep5w2u +3l3ctr1c +3stones +3ware +4 +420420 +43046721 +4321 +4444 +44444 +444444 +44444444 +456 +456123 +456789 +4636421 +493749 +4Dgifts +4changes +4getme2 +4rfv$RFV +4rfv%TGB +4rfvbhu8 +4tas +4tugboat +5 +50cent +5150 +5201314 +54321 +545981 +5555 +55555 +555555 +55555555 +5583134 +56565656 +5678 +56789 +570912 +5777364 +57gbzb +5832277 +584620 +589589 +5897 +589721 +6 +60020 +6071992 +6213744 +643558 +654321 +657 +666001 +6666 +666666 +66666666 +6922374 +6969 +696969 +69696969 +7 +735841 +741852 +741852963 +749174 +753951 +7654321 +7772000 +7777 +777777 +7777777 
+77777777 +788111 +789456 +789456123 +8 +8111 +8253 +832531 +8429 +852456 +8675309 +874365 +87654321 +8888 +888888 +88888888 +8RttoTriz +9 +9225481 +951753 +963258 +9641 +987654 +987654321 +9876543210 +9999 +99999 +999999 +99999999 +999999999 +9ijn7ygv +?award +@WSX1qaz +A.M.I +ABCD +ACCESS +ACCORD +ADLDEMO +ADMIN +ADMIN welcome +ADMINISTRATOR +ADSUSER ch4ngeme +ADS_AGENT ch4ngeme +ADTRAN +AIROPLANE +ALLIN1 +ALLIN1MAIL +ALLINONE +AM +AMI +AMI!SW +AMI.KEY +AMI.KEZ +AMI?SW +AMIAMI +AMIDECOD +AMIPSWD +AMISETUP +AMI_SW +AMI~ +ANS#150 +ANYCOM +AP +APC +APPS +APPS_MRC +APPUSER +AQ +AQDEMO +AQJAVA +AQUSER +AR#Admin# +ARCHIVIST +AUDIOUSER +AWARD +AWARD?SW +AWARD_PW +AWARD_SW +Admin +Admin1 +Admin123 +Admin@123 +Administrative +Administrator +Advance +Airaya +AitbISP4eCiG +Aloysius +Any +Asante +Ascend +Asd123 +Asdfg123 +Aurora01 +Avalanche +Award +BACKUP +BASE +BATCH +BC4J +BIGO +BIOS +BIOSPASS +BRIDGE +BRIO_ADMIN +Babylon +Barricade +Berman +Biostar +Boromir1 +C0de +CALVIN +CAROLIAN +CATALOG +CCC +CDEMO82 +CDEMOCOR +CDEMORID +CDEMOUCB +CENTRA +CHANGE_ON_INSTALL +CHEY_ARCHSVR +CIDS +CIS +CISCO +CISINFO +CISSUS +CLERK +CLOTH +CMOSPWD +CMSBATCH +CNAS +COGNOS +COMPANY +COMPAQ +COMPIERE +CONCAT +CONV +CR52401 +CSMIG +CTB_ADMIN sap123 +CTXDEMO +CTXSYS +CTX_123 +Cable-docsis +Chester1 +Chocolate19 +Christmas +Cisco +Col2ogro2 +Compaq +Compleri +Congress +Craftr4 +Crocodile1 +Crystal +Crystal0! 
+D-Link +DBDCCIC +DBSNMP +DCL +DDIC 19920706 +DDIC Welcome01 +DECMAIL +DECNET +DEFAULT +DEMO +DEMO8 +DEMO9 +DES +DEV2000_DEMOS +DEVELOPER ch4ngeme +DIGITAL +DIP +DISC +DISCOVERER_ADMIN +DSGATEWAY +DSL +DSSYS +D_SYSPW +D_SYSTPW +Daewuu +Daytec +Dell +Dragonsoul +EARLYWATCH SUPPORT +EJSADMIN +EMP +ESSEX +ESTORE +EVENT +EXFSYS +Ektron +Everything +Exabyte +FAX +FAXUSER +FAXWORKS +FIELD +FIELD.SUPPORT +FINANCE +FND +FNDPUB +FOOBAR +FORCE +FORSE +Fireport +Flamenco +GATEWAY +GL +GPFD +GPLD +GUEST +GUESTGUE +GUESTGUEST +GWrv +Gateway +Geardog +George123 +GlobalAdmin +Guest +HARRIS +HCPARK +HELGA-S +HELP +HELPDESK +HEWITT +HLT +HLW +HOST +HP +HPDESK +HPLASER +HPOFFICE +HPONLY +HPP187 +HPP189 +HPP196 +HPWORD +HR +HTTP +Haemorrhage +Hamster +Helpdesk +IBM +ILMI +IMAGEUSER +IMEDIA +INFO +INGRES +INSTANCE +INTERNAT +INTX3 +INVALID +IP +IPMI +ISPMODE +IS_$hostname +ITF3000 +ImageFolio +Impatiens +Insecure +Intel +Intermec +Israel123 +J2EE_ADMIN ch4ngeme +JDE +JETSPEED +JMUSER +Joel1234 +KNIGHT +Kia123 +Kitz +L2LDEMO +LASER +LASERWRITER +LBACSYS +LINK +LOTUS +LR-ISDN +LRISDN +Lasvegas1 +LdapPassword_1 +Letmein1 +Letmein2 +Local +LonDon +Lund +M +M1cha3l +MAIL +MAILER +MAINT +MANAG3R +MANAGER +MANAGER.SYS +MASTER +MBIU0 +MBMANAGER +MBWATCH +MCUrv +MCUser1 +MDDEMO +MDSYS +MFG +MGR +MGR.SYS +MGWUSER +MIGRATE +MILLER +MKO)9ijn +MMO2 +MOREAU +MPE +MSHOME +MServer +MTRPW +MTSSYS +MTS_PASSWORD +MUMBLEFRATZ +MXAGENT +MagiMFP +Manager +Master +Mau'dib +Mau?dib +Mau’dib +MiniAP +Multi +NAMES +NAU +NETBASE +NETCON +NETFRAME +NETMGR +NETNONPRIV +NETPRIV +NETSERVER +NETWORK +NEWINGRES +NEWS +NF +NFI +NICONEX +NOC +NONPRIV +NTCIP +NULL +NeXT +Nemesis1 +NetCache +NetICs +NetSeq +NetSurvibox +NetVCR +Newpass1 +NoGaH$@! 
+OAS_PUBLIC +OCITEST +OCS +ODM +ODS +ODSCOMMON +OE +OEM +OEMADM +OEMREP +OEM_TEMP +OLAPDBA +OO +OOOOOOOO +OP.OPERATOR +OPENSPIRIT +OPER +OPERATIONS +OPERATNS +OPERATOR +OPERVAX +ORACL3 +ORACLE +ORACLE8 +ORACLE8I +ORACLE9 +ORAREGSYS +ORASSO +ORDPLUGINS +ORDSYS +OSP22 +OUTLN +OWA +OWA_PUBLIC +OWNER +OkiLAN +Oper +Operator +OrigEquipMfr +P4ssw0rd +P@$$W0RD +P@$$w0rD +P@$$w0rd +P@$$word +P@55w0rd +P@55w0rd! +P@ssw0rd +P@ssw0rd! +P@ssword +P@ssword123 +PANAMA +PAPER +PASS +PASSW0RD +PASSWORD +PATROL +PBX +PDP11 +PDP8 +PERFSTAT +PLEX +PM +PO +PO7 +PO8 +PORTAL30 +PORTAL30_DEMO +PORTAL30_PUBLIC +PORTAL30_SSO +PORTAL30_SSO_PS +PORTAL30_SSO_PUBLIC +PORTAL31 +POST +POSTMASTER +POWERCARTUSER +PRIMARY +PRINT +PRINTER +PRIV +PRIVATE +PRODCICS +PRODDTA +PROG +PUBLIC +PUBSUB +PUBSUB1 +Pa22w0rd +Parasol1 +Partner +Pass1234 +PassW0rd +Passw0rd1111 +Password +Password#1 +Password1 +Password123 +Password@1 +PlsChgMe +PlsChgMe! +Polar123 +Polrty +Posterie +Private +Protector +Public +Q!W@E#R$ +Q54arwms +QAWSEDRF +QDBA +QDI +QNX +QS +QSECOFR +QSRV +QSRVBAS +QS_ADM +QS_CB +QS_CBADM +QS_CS +QS_ES +QS_OS +QS_WS +QUSER +Qwe12345 +Qwer!234 +Qwerty1! 
+Qwerty123 +R1QTPS +R3volution +RE +REGO +REMOTE +REPADMIN +REPORT +REP_OWNER +RIP000 +RJE +RM +RMAIL +RMAN +ROBELLE +ROOT +ROOT500 +RSAAppliance +RSX +RUPRECHT +ReadOnly +ReadWrite +Reptile1 +Republic1 +Rodopi +Root123 +Runaway1 +Runner11 +SABRE +SAMPLE +SAP +SAP* 06071992 +SAP* PASS +SAPCPIC ADMIN +SAPJSF ch4ngeme +SAPR3 +SAPR3 SAP +SDOS_ICSAP +SECDEMO +SECONDARY +SECRET +SECRET123 +SECURITY +SENTINEL +SER +SERVICE +SERVICECONSUMER1 +SESAME +SH +SHELVES +SITEMINDER +SKY_FOX +SLIDEPW +SMDR +SNMP +SNMP_trap +SNOWMAN +SQL +SSA +STARTER +STEEL +STRAT_PASSWD +STUDENT +SUN +SUPER +SUPERSECRET +SUPERVISOR +SUPPORT +SWITCH +SWITCHES_SW +SWORDFISH +SWPRO +SWUSER +SW_AWARD +SYMPA +SYS +SYS1 +SYSA +SYSADM +SYSLIB +SYSMAINT +SYSMAN +SYSPASS +SYSTEM +SYSTEST +SYSTEST_CLIG +SZYX +Secret +Security +Serial +Sharp +Silicon1 +SnuFG5 +SpIp +Spacve +Suckit1 +Summer12 +SunnyJim7 +Super +Super123 +Switch +Sxyz +Symbol +Sysop +System +T4urus +TAHITI +TANDBERG +TCH +TDOS_ICSAP +TELEDEMO +TELESUP +TENmanUFactOryPOWER +TEST +TESTPILOT +TJM +TMSADM $1Pawd2& +TMSADM ADMIN +TMSADM PASSWORD +TOAD +TRACE +TRAVEL +TSDEV +TSEUG +TSUSER +TTPTHA +TURBINE +Tamara01 +Tasmannet +Telecom +Test1234 +TheLast1 +Tiger +Tiny +Tokyo1 +Toshiba +Trintech +TrustNo1 +TzqF +UETP +UI-PSWD-01 +UI-PSWD-02 +ULTIMATE +UNKNOWN +USER +USER0 +USER1 +USER2 +USER3 +USER4 +USER5 +USER6 +USER7 +USER8 +USER9 +USERP +USER_TEMPLATE +UTLESTAT +Un1verse +Und3rGr0und +User +VAX +VCSRV +VESOFT +VIDEO +VIF_DEV_PWD +VIRUSER +VMS +VRR1 +VTAM +Varadero +Vextrex +WANGTEK +WEBCAL01 +WEBDB +WEBREAD +WELCOME +WINDOWS_PASSTHRU +WINSABRE +WKSYS +WLAN_AP +WOOD +WORD +WWW +WWWUSER +WebBoard +Welcome0 +Welcome1 +Welcome123 +What3v3r +Windows1 +Winston1 +Wireless +X#1833 +XLSERVER +XMI_DEMO sap123 +XPRT +YES +ZAAADA +ZAQ!2wsx +Zaq1xsw2 +Zenith +Zxasqw12 +[^_^] +_Cisco +a11b12c13 +a123456 +a12345678 +a13a13 +a1b2c3d4e5 +a1b2c3d4e5f6 +a1rplan3 +aLLy +aPAf +aa +aaaa +aaaaa +aaaaaa +aaaaaaaa +aaliyah +aammii +aaron +abang78 +abc +abc#123 +abc123 
+abc123!! +abc123d4 +abcd +abcd-1234 +abcd1234 +abcde +abcdef +abcdef3 +abcdefg +abcdl2e +abcdpass +abd234 +abhaile1 +abigail +abra +abraham +abrakadabra +abusive +acc +access +accobra +accord +accounting +action +acuario +adam +adaptec +adfexc +adidas +adm +adm12345 +admin +admin000 +admin001 +admin01 +admin1121 +admin123 +admin1234 +admin222 +admin_1 +adminadmin +admini +administrator +adminpass +adminpasswd +adminpwd +admint +adminttd +admn +admpw +adoado +adobe +adobeadobe +adrian +adriana +adriano +adslolitec +adslroot +adtran +advcomm500349 +adworks +agent +agent_steal +aileen +aipai +airborne +airforce +airlines +airplane +ajlesd +akula123 +al2e4 +al2e4s +alabama +alarcon +alaska +albatros +albert +alberto +alejandra +alejandro +alex +alexa +alexande +alexander +alexandra +alexandru +alexia +alexis +alexl +alexo +alfarome +alfonso +alfred +alfredo +alice +alicia +alien +alisha +alison +all +all private +all public +allen +allison +allot +allstar +alog123 +alonso +alpargata +alpha +alpha1 +alpine +alvin +always +alyssa +amanda +amateur +amazing +amber +amelia +america +american +amigas +amigos +amigosw1 +amilopro +amistad +amorcito +amore +amores +amormio +an0th3r +anakonda +anakonda1 +anamaria +anderson +andre +andrea +andreea +andrei +andreita +andres +andrew +andrew1 +andrewl +angel +angel1 +angel2 +angel2000 +angel9 +angela +angelbaby +angeles +angelica +angelina +angelita +angelito +angell +angelo +angels +angie +angusyoung +anicust +animal +animals +anime +anita +annette +annie +anon +anthony +anthony1 +anthonyl +antibiotico +antonio +any@ +anyadhogyvan +anything +apa123 +apc +apollo +apollo11 +apple +applepie +apples +apricot +april +april2 +aprill +apstndp +aq12wsxz +aqq123 +aqua2000 +aquarius +archie +ardrossan +argentina +ariana +arianna +ariel +aries +aristoteles +arizona +arlene +armando +arnold +arsenal +arthur +articon +arturo +asante +ascend +asd +asd123 +asd123qwe +asdQWE123 +asdasd +asdewq +asdf +asdf1234 +asdfasdf +asdfg +asdfgh +asdfghj 
+asdfghjk +asdfghjkl +asdfhjkl +asdlkj +asdlkj12 +asdlkj123 +asecret +ashanti +ashlee +ashleigh +ashley +ashley1 +ashleyl +ashton +aspirine +asshole +assman +astime +at4400 +atacan +atc123 +athena +athlon64 +atlant1s +atlanta +atlantis +attack +aubrey +audrey +augmentin +august +august2 +augustl +aurora +austin +australia +author +autocad +autumn +avalon +aventura +avril +award.sw +award_? +award_ps +awesome +awkward +ax400 +axis2 +azerty +aztech +b4lls4ck +babbit +babes +babies +baby +baby2 +babyblue +babyboo +babyboy +babycakes +babydoll +babyface +babygirl +babygirl1 +babygirl2 +babygirll +babygirlo +babygurl +babygurll +babyko +babyl +babylove +babyo +babyphat +backdoor +backuponly1 +backuprestore1 +badass +badboy +badg3r5 +badger +badgirl +bagabu +bailey +baller +ballet +ballin +balls +bambam +bamsty +banana +bananas +banane1 +bandit +bang +baofeng +barbara +barbetta +barbie +barbusse +barcelona +barney +barricade +baseball +basisk +basket +basketball +bass +bastard +batista +batman +baxter +bball +bbbbbb +bbs +bciimpw +bcimpw +bcmspw +bcnaspw +beach +bear +beatles +beatriz +beautiful +beauty +beaver +beavis +bebita +becca +beckham +becky +beer +belinda +bell9 +bella +belle +benfica +benitocameloo +benjamin +benji +benny +berlin +bernard +bestfriend +bestfriends +bethany +betty +bettyboop +bewan +beyonce +bhaby +bhebhe +bianca +bier +bigboy +bigbuddy +bigcock +bigdaddy +bigdick +bigdog +bigmac +bigman +bigred +bigred23 +bigtits +bill +billabong +billie +billy +billybob +bin +bintec +biodata +bios +biosstar +biostar +birdie +birdshit +birthday +bishop +bismillah +bitch +bitch1 +bitches +bitchl +bitchy +biteme +bla123 +blabla +blabla12 +blablabla +black +black321 +blackie +blackonblack +blacky +blahblah +blake +blanca +blank +blazer +blender +blessed +blink182 +blinkl8 +blizzard +blonde +blondie +blood +bloods +blossom +blowjob +blowme +blubje +blue +blue2 +blueberry +blueeyes +bluel +bluepw +bluespot +bmw12345 +bobby +bobthebuilder +boca +bohemia +bollocks 
+bomba +bonbon +bond007 +bondage +bonita +bonnie +boobies +booboo +boobs +booger +boogie +boomer +booty +boricua +boss +boston +bowling +bowwow +bpel +bradley +brandi +brandon +brandon1 +brandonl +brandy +bratz +braves +brayden +brazil +breanna +brenda +brendan +brian +brian0711 +briana +brianna +brightmail +britney +britt +brittany +brittney +brocade1 +broken +bronco +broncos +brooke +brooklyn +brother +brown +brownie +browns +browsepw +bruno +brutus +bryan +bryant +bsxpass +bubba +bubba1 +bubble +bubblegum +bubbles +bubbles1 +bublik +bubububu +buddha +buddy +buddy1 +budlight +buffalo +buffy +bugsbunny +builtin +bulldog +bulldogs +bullet +bullshit +bunny +burek123 +burton +busted +buster +butt +butter +buttercup +butterfly +butterfly1 +butthead +buttons +bynthc +c +c@lvin +cabajka +cable-d +cacadmin +caesar +cairell +caitlin +calamar +caleb +california +callie +calliope +callofduty +callum +calv1n +calvin +calvin! +calvin1 +calvin22 +calvin99 +camaro +cameron +camila +camille +camilo +campanita +canada +cancer +candice +candy +cannon +canon_admin +cantik +capricorn +captain +caramel +caramelo +cardinal +carebear +carina +carla +carla123 +carlitos +carlo +carlos +carmen +carol +carolina +caroline +carpediem +carrie +carson +carter +cartman +cascade +casey +casper +cassandra +cassidy +cassie +castillo +catalina +catarina +catch22 +catdog +catfish +catherine +cathy +catinthehat +cbtp +cc +ccaere +cclfb +ccrusr +cdn123 +cdvcdv +cdwv +cecilia +celeste +cellit +cellphone +celtic +celticfc +central +cesar +cgadmin +ch4ng3m3 +chacha +champion +chance +chandler +chanel +change +change_on_install +changeit +changeme +changeme! 
+changeme1 +changeme123 +changeme2 +changeme20 +changemes +changethis +charlene +charles +charlie +charlie1 +charlotte +charmed +chase +cheche +check123 +checkfs +checkfsys +checksys +cheeky +cheer +cheerl +cheerleader +cheero +cheese +cheetah +chelle +chelsea +cheng1234 +cherokee +cherries +cherry +cheryl +chester +chevelle +chevy +cheyenne +chicago +chichi +chicken +chicks +chico +children +chile62 +china +chingy +chinita +chiquita +chivas +chloe +chocolate +chopper +chris +chris1 +chris2 +chrisb +chrisbrown +chrisl +chriso +chrissy +christ +christian +christin +christina +christine +christmas +christopher +christy +chronic +chubby +chucky +church +ciang +cinderella +cindy +cinnamon +cisco +cisco123 +ciscocisco +ciscofw +cisko +citel +claire +classic +classo +classofo +claudia +clayton +cleopatra +client +clifford +clinton +cloud +clover +cmaker +cmlslc +cms500 +cobra +cocacola +cock +coconut +coffee +colleen +college +collins123 +colombia +colorado +comcomcom +community +compaq +compaq2003 +computer +computer1 +condo +conexant +confused +connect +conner +connie +connor +console +consults +control +converse +cookie +cookie1 +cookies +cool +coolcat +cooldude +coolgirl +coolio +cooper +copper +corazon +core +corecess +corey +corona +correct +corvette +cosita +cougar +country +courtney +cowboy +cowboys +cowgirl +coyote +cpe1704tks +cracker +craft +craftpw +crash +crashbandicoot +crazy +cream +creative +credu +crew10 +crftpw +cricket +cristian +cristiano +cristina +cristo +crystal +csigabiga +cthdfr +cti4ever +ctrls +cuddles +cukorborso +cumming +cumshot +cunt +cupcake +curtis +custpw +cuteako +cutegirl +cuteko +cutel +cuteme +cutie +cutiel +cutiepie +cuties +cuttie +cy +cydvb +cynthia +cyphte +d.e.b.u.g +d00rmat +d0dger +d0m1n0 +d1ngd0ng +d3ft0n3s +daddy +daddy1 +daddysgirl +dadmin +dadmin01 +daemon +daemon09 +daisy +dakota +dalejr +dallas +dalton +damian +damien +damin +dance +dancer +dancerl +dancing +danger +danica +daniel +daniel1 +daniela +daniell +danielle 
+danilo +danny +darius +darkangel +darkness +darkside +darling +darren +darwin +darwin99 +dasusr1 +dave +david +david1 +davidl +davox +dayana +db2admin +db2fenc1 +db2inst1 +db2pass +db2password +db2pw +dbase +dbpass +dbps +ddemde +deanna +death +debbie +debug +debugs +december +december2 +decemberl +deedee +default +default.password +defero +delfin +delled0 +delta +demo +demos +deneme +denise +dennis +dennis96 +denver +derek +derrick +desiree +destiny +device +devil +devils +devin +dexter +dhs3mt +dhs3pms +diablo +diamond +diamonds +diana +dianita +dianne +dick +dickhead +diego +diesel +dietcoke +digger +digital +dikdik +dilbert +dillon +dimdim +dimple +dimples +dinamo +diosesamor +dipset +dirty +disney +distrib0 +disttech +divine +dixie +djonet +dmr99 +dn_04rjc +dni +dnnadmin +dnnhost +doctor +dodgers +doggie +doggy +dolphin +dolphins +dominic +dominique +domino +donald +donkey +donna +donnie +donovan +doodle +doraemon +doris321 +dorothy +doruk +dos +dottie +douglas +draadloos +dragon +dragonfly +dragons +dream +dream182 +dreamer +dreams +dreamweaver +driver +dropship +dropzone +drowssap +drpepper +drummer +dtvbhx +ducati +ducati900ss +dude +duffy123 +duke +dulce +duncan +dustin +dvnstw +dvr2580222 +dvst10n +dwayne +dweeble +dylan +e250changeme +e500changeme +eagle +eagle1 +eagles +eastside +easy123 +easyway +eatme +echo +eclipse +ecuador +eddie +edgar +eduardo +edward +edwin +eeyore +efmukl +einstein +ekdrms +elaine +electric +element +elena +elephant +elijah +elizabet +elizabeth +ellie +elvis +emanuel +emerald +emilio +emily +eminem +emmanuel +emotional +empire +enable +engineer +england +enhydra +enigma +enjoy +enquirypw +enrique +enter +enter123 +enter123321 +epicrouter +eragon1 +eric +erica +erick +erika +ernesto +erotic +esmeralda +esperanza +esteban +esther +estrella +estrellita +etas +eternity +ethan +eugene +eunice +evelyn +everton +evilpenguin +exinda +expert03 +exploit +explorer +extazy +extendnet +extreme +ezit +ezone +f00b4r +f00bar +f00sball 
+f18hornet +f4g5h6j7 +fabian +fabiola +fabulous +face2face +factory +faith +fal +falcon +falcons +falloutboy +fam +familia +family +familymacintosh +famous +fantasy +fashion +fastweb +faszom +fatboy +fatcat +father +fatima +fax +fdsa +february +felicia +felipe +felix +fender +fergie +fernanda +fernandes +fernando +ferrari +fibranne +ficken2000 +field +field-service +figarofigaro +fire +fire1818 +fireman +firstsite +fischer123 +fish +fisher +fishing +fivranne +flapjack +flaquito6 +flash +flat24 +flores +florida +florida69 +flower +flowers +fluffy +flyboy +flyers +flying +foo123 +foobar +foolproof +football +football1 +footballl +ford +forest +forever +forget +formeforme +fotos1 +france +frances +francis +francisco +frank +frankie +franklin +freak +freaky +freckles +fred +freddie +freddy +free +freedom +freedom35 +freedumb1 +freekevin +freepass +freetown1 +freeuser +fresher +fresita +friday +friend +friends +friendship +friendster +frogger +froggy +ftp +fubar +fuck +fuckbitchesgetmoney +fucked +fucker +fucking +fuckit +fucklove +fuckme +fuckoff +fucku +fuckyou +fuckyou1 +fuckyou2 +funkwerk +funny +funshion +futbol +fw +g6PJ +g8keeper +gabby +gabriel +gabriela +gabrielle +galore +games +ganda +gandako +gandalf +gandalf6 +gangsta +gangster +ganteng +garcia +garfield +garrett +gateway +gatita +gatito +gators +gbpltw +gemini +geminis +gen1 +gen2 +general +genesis +genius +genius123 +george +georgia +gerald +geraldine +gerard +gerardo +german +germany +gerrard +get2it +getmoney +getoutofhere +gfhjkm +gfhjkmrf +ggdaseuaimhrke +ghbdtnbr +ghetto +giants +gibson +giggles +gigi99 +gilbert +ginger +giovanni +girl +girls +gizmo +gladys +glftpd +glitter +gloria +gmmkh +goblue +godbless +godblessyou +goddess +godisgood +godislove +godzilla +goethe +golden +goldfish +goldie +goldstar +golf +golfer +gomachan +goneo +gonzalez +goober +good +goodgirl +google +gopher +gordon +gorefest +gorgeous +gothic +gowest! 
+grace +gracie +grandma +granny +grapenuts +gravis +gravity +great +green +greenday +greenl +gregory +groovy +grouper +guadalupe +guardone +guest +guest1 +guestgue +guillermo +guinness +guitar +gunner +gustavo +gwapako +gymnast +h179350 +h6BB +hagpolm1 +hahaha +hailey +haley +hallo +hallo12 +hallo123 +halt +hamilton +hammer +hamster +handsome +hannah +hannah1 +hannover96 +hanseatic +happiness +happy +happy1 +happyhippo +hard +hardcore +hardon +harley +harley1985 +harmony +harold +harris +harrison +harry +harrypotter +harvey +hasan12345 +hashimoto +haslo123 +hawaii +hawk201 +hawkeye +hayden +hayley +hazel +hdms +he +head +heart +hearts +heather +heaven +hector +heka6w2 +heleli +helena +hello +hello1 +hello123 +hellokitty +hellol +help +help1954 +helpme +helson +hendrix +henry +hentai +hercules +hermione +hermosa +hernandez +hero777 +hershey +hewlpack +heyhey +highspeed +hilary +hiphop +hitman +hobbes +hobbs +hockey +hogehoge +holas +holden +holiday +holla +hollie +hollister +holly +hollywood +homer +honda +honduras +honey +honey2 +honeyko +honeyl +hongkong +hooker +hooters +horney +horny +horse +horses +hotboy +hotchick +hotdog +hotgirl +hotmail +hotmama +hotpink +hotrod +hotstuff +hottie +hottie1 +hottiel +house +houston +howard +howard03 +hp.com +hp_admin +hpinvent +hpt +hqadmin +hs7mwxkk +hsadb +huawei +hummer +humppa +hunter +hunting +hyperdrive +i +iDirect +iamthebest +ibddls +ibm +ibmcel +icecream +iceman +iconto +ictel +idontknow +ihateu +ihateyou +ilmi +ilom-admin +ilom-operator +ilon +ilove +iloveboys +ilovechris +ilovegod +ilovehim +ilovejesus +ilovejosh +ilovematt +iloveme +ilovemike +ilovemom +ilovemyself +ilovetessa +iloveu +iloveu2 +iloveyou +iloveyou! 
+iloveyou1 +iloveyou2 +iloveyoul +iluvme +iluvu +iluvyou +images +imissyou +imperial +imsa7.0 +imss7.0 +inads +incubus +indian +indonesiaraya +indspw +infinity +informix +infrant1 +ingrid +init +initpw +inlove +insane +inside +install +installer +integra18 +integra99 +intel +intermec +internal +internet +inuvik49 +inuyasha +inverter +iolan +ip20 +ip21 +ip3000 +ip305Beheer +ip400 +ipax +ireland +irish +irock +ironman +ironport +isaac +isabel +isabella +isabelle +isaiah +iscopy +isdev +isee +isolation +isp +israel +italia +itsasecret +iubire +iverson +iwantu +iwill +j09F +j256 +j262 +j322 +j5Brn9 +j64 +jack +jack1998 +jackass +jackie +jackson +jackson88 +jacob +jaguar +jaime +jake +jamaica +james +james1 +james2 +jamesl +jamie +jander1 +janelle +janice +janine +janjan +jannie +january +japan +jared +jasmin +jasmine +jasmine1 +jason +jasper +jasperadmin +javier +jayden +jayjay +jayson +jazmin +jazmine +jazzy +jbvm +jeff +jefferson +jeffrey +jellybean +jenjen +jenna +jennie +jennifer +jenny +jeremiah +jeremy +jermaine +jerome +jerry +jersey +jesse +jessica +jessica1 +jessical +jessie +jester +jesucristo +jesus +jesus1 +jesuschrist +jesusl +ji394su3 +jiemou3i +jillian +jimmy +joana +joanna +joanne +jocelyn +joejonas +joeuser +joh316 +johanna +john +john2008 +johncena +johnel +johnl +johnny +johnny50 +johnson +joker +joljee +jonas +jonathan +jones +jonjon +jordan +jordan1 +jordan2 +jordan23 +jordanl +jordano +jorge +josel +joseluis +joseph +josephine +joshl +joshua +joshua1 +joshuao +joyce +joyjoy +jstwo +jtjd +juancarlos +juanita +juanito +judith +juice +juicy +juke2008 +julia +julian +juliana +julie +juliet +juliette +julio +julius +july2 +julyl +june2 +junel +juneo +junior +junjun +junker +jupiter +justice +justin +justin1 +justine +justinl +justino +justme +juventus +k123 +k1rs1kka +k4hvdq9tj9 +kailro +kaitlyn +kakala +kalap +kali2002 +kalimera +kalvin +kane +karate +karen +karina +karkulka +karla +karlita +karmal +katana +katelyn +katherine +kathleen +kathryn +kathy 
+katie +katrina +kawasaki +kaykay +kayla +kaylee +kayleigh +kcm +keepout123 +keisha +keith +kelly +kelsey +kelvin +kendall +kendra +kennedy +kenneth +kenny +kenzan +kenzie +kermit +kevin +keystone +kiara +kieran +killa +killer +kilo1987 +kimberly +king +kingkong +kingofthehill +kingswood +kirsten +kirsty +kisses +kisskiss +kissme +kissmyass +kitkat +kitten +kittens +kitty +kittycat +kittykat +klimis +klmnxx +km123456 +kn1TG7psLu +knight +kodiak +kolobezka +komprie +kosten +kpact +krakonos +kramer +krissy +kristen +kristin +kristina +kristine +kronites +krumholz +krystal +ksdjfg934t +kucing +kukareku +kuku +kusakusa +l0v3m3 +l1 +l2 +l2e4s6a +l2e4sa +l2eabc +l2eqwe +l3 +l8rsk8r +labas123 +lacoste +lacrosse +ladies +ladybug +laflaf +laguna +lakers +lalala +lampard +landon +langke +lantronix +larry +last +lasvegas +latina +laura +lauren +lavender +lawrence +lbyjpfdh +leanne +leather +leaves +leelee +legend +legolas +leigh +lemon123 +lenor +leoleo +leonard +leonardo +lesarotl +lesbian +leslie +lester +letacla +letmein +letmein1 +letmein2 +letmeout +letmesee +level10 +leviton +lewis +lheujq +liberty +libra +lickme +lifehack +lifeline +lifesucks +light +lights +liliana +lillian +lilly +lilmama +lilman +lilwayne +lincoln +linda +lindsay +lindsey +lineprin +linga +linkin +linkin123 +linkinpark +linux99 +lipgloss +liquidtension +lisa +little +liverpoo +liverpool +lizard +lizzie +lkilogmL +lkw +lkwpeter +llatsni +lll-222-l9eeemailaaddress.tst +localadmin +locatepw +lofasz +logan +logapp +logitech +lokita +lol +lolipop +lolipop2 +lolita +lollipop +lollol +lollypop +london +lonely +long +longhorns +looker +looking +lopata +lopez +loran123 +lord1234 +lorena +lorenzo +lorraine +loser +louie +louise +loulou +lourdes +love +love12 +love123 +love2 +love2oo +love4ever +love6 +love8 +love9 +loveable +lovebug +lovee +lovehurts +lovel +loveless +lovelife +lovelo +lovelove +lovely +lovely1 +loveme +loveme1 +loveo +lover +lover1 +loverboy +lovergirl +loverl +lovers +loves +lovesucks 
+loveu +loveya +loveyou +loving +lp +lpadm +lpadmin +lpassword +lq2wee +lq2wee4r +lqaz2wsx +lsxol +lucas +lucenttech1 +lucenttech2 +lucero +lucky +lucky1 +lucky7 +luckyl +lucy99 +ludacris +luisa +luke1993 +lunita +lupita +lynx +m0t0rhead +m1122 +m1link +m1r4nd4 +m45t3rm1nd +mMmM +machine +mackenzie +mackousko +macmac +macromedia +madalina +maddie +maddog +madeline +madison +madman18 +madmax +madonna +maganda +magex +maggie +magic +magnum +mahal +mahalkita +mahalko +mahalkoh +mail +maine207 +mainstreet +maint +maintain +maintpw +makayla +maldita +malibu +mama1234 +mamapapa +mamita +man +manage +manager +manchester +mandy +manman +manson +manuel +manuela +manunited +manutd +mar1jane +marcela +marcelo +march +march2 +marchl +marco +marcos +marcus +margaret +margarita +maria +maria1988 +mariah +marian +mariana +maribel +marie +marie1 +mariel +mariela +marilyn +marina +marine +marines +mario +marion +mariposa +marisa +marisol +marissa +marius +marjorie +mark +marlboro +marlene +marley +marlon +married +marshall +martha +martin +martina +martinez +marvin +maryjane +mason +master +masterkey +masterok +mathew +matrix +matt +matthew +matthew1 +mature +maureen +maurice +mauricio +maverick +maxima +maximus +maxine +maxwell +maymay +mayra +mazafaka +mc1029 +mckenzie +mcknight88 +me +mediator +medina +medion +megabit +megan +megatron +meghan +melanie +melinda +melisa +melissa +melody +melvin +member +mememe +mendoza +mercedes +mercury +merlin +mermaid +metallic +metallica +mexican +mexico +mexx6399 +mfd +mhine +mi +miamor +michael +michael1 +michaela +michaell +micheal +michel +michelangelo +michele +michelle +michelle1 +michigan +mickey +mickeymouse +microbusiness +microsoft +midnight +mierda +miguel +mihaela +mike +mikeiscool +mikel +mikey +milagros +milkshake +miller +millie +mine +minime +minnie +miracle +miranda +miriam +mirrormirror +mississippi +missy +mistress +misty +mitchell +mlusr +mmmmmm +mngt +moises +mollie +molly +momdad +mommy +mommy1 +momof +monday +money 
+money1 +monica +monika +monique +monitor +monkey +monkey1 +monkey2 +monkeybutt +monkeyl +monkeyo +monkeys +monster +montana +moocow +mookie +moomoo +moonlight +moose +morales +morena +moreno +morgan +morris +mother +motorola +mountain +mountfs +mountfsys +mountsys +mouse +movie +mozart +mp3mystic +mpegvideo +mtch +mtcl +mu +muffin +muffinman +mujama +mummy +mumuland +munchkin +munchkin10 +mupali +murphy +music +musica +mustang +mustang70 +muze +mvemjsunp +mwmwmw +my +my_DEMARC +myangel +mybaby +mykids +mylife +mylove +myname +mysecretpassword0* +myself +myspace +myspace1 +mysweex +n0d0ubt1 +n0ttelling +naadmin +nadine +naked +nancy +naruto +nas123 +nascar +natalia +natalie +natasha +nathan +nathaniel +naughty +naynay +ncadmin +ncc1701 +ncc1701d +ncrm +negrita +nelly +nelson +nemesis +nemtom1 +nenita +nerdnerd +net101 +netadmin +netbotz +netgear1 +netlink +netman +netnet +netopia +netscreen +network +nevaeh +new_password +newcastle +newlife +newport +news +newyork +nfmvta +nicecti +nicholas +nichole +nician +nickjonas +nicky +nicola +nicolas +nicole +nicole1 +nicole2 +nicolel +nicoleo +nigga +nigger +nightmare +nigugu +nike2008 +nikita +nikki +nimda +nimdaten +ninja +nintendo +nipple +nipples +nirvana +nissan +nitech +nitram +nm2user +nms +nmspw +no +nobchan +nobody +nokai +nokia +none +noodle +noodles +nopass +nopasswd +nopermission +norman +nortel +not4u2c +nothing +nottelling +nova21 +novell +november +november2 +novemberl +noway +npwfkl +nsa +nsi +nsroot +ntacdmax +ntpupdate +nttocn +number +number1 +number66 +nursing +nz0u4bbe +oceans11 +ocnc123 +october +october2 +octoberl +odiotodo +ods +offshore +oliver +olivia +omarion +omfglol1 +omgomg123 +omneon +onelove +online +ontology +op +opengate +openview +operator +oqksad +oracle +orange +orlando +orpheus +oscar +otbu+1 +ou812 +outlaw +overseer +p3t3rpan +p@ssw0rd +pa$$w0rd +pa$$word +pablo +packard +packers +paige +pakistan +paloma +pamela +pancho +panda +pandemonium +panget +pangit +pantera +pantera69 +panther 
+panthers +panties +paola +papito +par0t +paradise +paramore +paris +parker +parmesan +parola +parolamea +party +pasaway +pass +pass123 +passion +passion12 +passport +passw0rd +passw0rd1 +password +password1 +password1` +password2 +password201 +password209 +password55 +passwordl +passwordo +passwort +patches +pathology +patito +patricia +patrick +patrickb123 +patriots +patrol +paul +paula +paulina +pauline +paulo +pavilion +payton +pbxk1064 +peace +peaches +peanut +pearljam +pebbles +pedro +peekaboo +peewee +peluche +pelusa +pencil +penelope +penguin +penis +penny +pento +people +pepper +pepsi +pepsi2008 +pepson +perfect +peribit +permit +pervert +peter +peter123 +peterpan +petert999 +pfsense +phantom +philip +phillip +philly +phishfood +phoebe +phoenix +phoenix602 +photos +photoshop +phpbb +phplist +phpreactor +picard +pickle +pickles +picture +pictures +picus +pieceofshit +pierre +piggy +piglet +pikachu +pilou +pimp +pimpin +pimpl +pineapple +pink +pink2 +pinkie +pinkl +pinko +pinky +piolin +piranha +pirate +pirates +pisces +pitbull +pixadmin +pixmet2003 +pizza +pizza42 +platinum +playboy +player +playgirl +playstation +please +plokijuh +plopplop +pnadmin +poepchinees +pogiako +poi098 +pokemon +pokemon! 
+police +poll +pollito +poloppolop +pontiac +poohbear +poohl +pookie +poop +poopie +poopoo +poopy +popcorn +popeye +popidc +poppy +porn +porno +porsche +portakal1 +portugal +postgres +postmast +potter +powder1 +power +powerapp +powerdown +powermax +powerpower +ppmax2011 +pr1v4t3 +preciosa +precious +prelude +prepaid +preston +pretty +prettygirl +primat +prime +primenet +primeos +primos +prince +princes +princesa +princesita +princess +princess1 +princess2 +princessl +princesso +private +proba123 +progr3ss +promise +prost +protection +proxy +prtgadmin +pswrdpswrd +psycho +publ1c +public +pumpkin +punkin +punkrock +puppies +puppy +puppylove +purple +purple1 +purplel +pussies +pussy +pussy1 +pussycat +pw +pwp +pwpw +pwrchute +pyramid +q +q1q1q1 +q1q1q1q1 +q1q2q3q4 +q1w2e3r4 +q3kze7q +qaz123 +qaz74123 +qazw1234 +qazwsx +qazwsx!@# +qazwsx123 +qazwsx123456 +qazwsxedc +qazxsw2 +qazxswedc123 +qazzxc +qpgmr +qq123456 +qqqitx +qqqqqq +qscwdv +qsecofr +qserv +qsrv +qsrvbas +qsvr +qsysopr +queen +quepasa +questra +quser +qwas12 +qwe +qwe123 +qwe123!@# +qwe123. 
+qweQWE123 +qweasd123 +qweasd789 +qweasdzxc2 +qweewq123 +qweqweqwe +qwer +qwerqaz +qwert +qwert12345 +qwerty +qwerty09 +qwerty1 +qwerty12 +qwerty123 +qwerty1234567890 +qwerty7 +qwerty77 +qwertyl +qwertyui +qwertyuiop +qwertz123 +r@p8p0r+ +rabbit +rachael +rachel +rachelle +racing +radius +radware +rafael +ragnarok +rahasia +raider +raiders +raidzone +rainbow +rais +ramirez +ramona +random +randy +randy007 +ranger +rangers +raptor +raquel +raritan +rascal +raspberry +raven +raymond +rayong1234 +rayray +razor +rcustpw +rdc123 +read +read-only +read-write +readwrite +realmadrid +rebecca +rebel +rebelde +recover +recovery +red +red123 +reddog +redhat +redhead +redline +redneck +redorblue +redpoint +redrose +redrum +redskins +redsox +redwings +reformation +reggie +regina +regional +remember +renee +replicator +restoreonly1 +resumix +revision +rfnfyf +ricardo +richard +richard#1 +richie +ricky +rihanna +rikitiki +riley +ringer +riobravo +rivera +riverhead +rje +rmnetlm +rmon +rmon_admin +ro +robbie +robert +roberta +roberto +robin +robinson +rochelle +rock +rocker +rocket +rockme +rocknroll +rockon +rocks +rockstar +rocku +rocky +rockyou +rodney +rodopi +rodrigo +rodriguez +roland +role1 +rollerblade +rolltide +roman123 +romance +romania +romeo +ronald +ronaldinho +ronaldo +ronnie +ronson +rooney +rooster +root +root123 +root1234 +root4 +roota +rootadmin +rootme +rootpass +rootroot +rosario +rosebud +rosedale +roses +rosie +rosita +rotrot +round123 +router +roxana +roxanne +rsadmin +ruben +runder +runescape +runner +rush2112 +russell +russia +rusty +rutabaga +rw +rwa +rwmaint +ryan +ryanl +s!a@m#n$p%c +s3cret +s3cur3d +sabrina +sadie +sagitario +sailor +saints +sakura +salamander +sales +sallasana +sally +salope +salvador +samantha +sammie +sammy +samson +samsun +samsung +samsung34 +samuel +san-fran +sanayounes +sanchez +sandman +sandra +sandy +sanfran +santana +santiago +santos +sap123 +sapphire +sarah +sarita +sasha +sasman +sassy +sasuke +saturn +savage +savanna 
+savannah +sayang +saynomore +scarface +school +scifix +sclg +scmchangeme +scooby +scoobydoo +scooter +scorpio +scorpion +scotland +scott +scotty +scout +scrappy +scruffy +sebastian +secacm +secofr +secret +secure +secure123 +secure6 +security +seekanddestroy +selena +semmi +semperfi +senioro +september +serena +serenity +sergio +seri +serial# +sertafu +service +setmefree +setup +setup/nopasswd +seven +seventeen +sexsex +sexy +sexy2 +sexy6 +sexybabe +sexybaby +sexybitch +sexygirl +sexyl +sexylady +sexylove +sexymama +sexyme +sexyo +shadow +shadow1 +shadowl +shaggy +shakira +shakyamuni +shalom +shane +shannon +sharon +shasha +shaved +shawn +shawty +sheena +sheila +shelby +shelly +shin +shineonyou +shirley +shit +shithead +shiva +shooter +shopping +shorty +shortyl +shs +shuriken +shutdown +shutup +sidney +siemens123 +siempre! +sierra +signa +silver +silvia +simba +simon +simonb +simone +simple +simpleplan +simpson +simpsons +singer +single +sister +sisters +sitecom +skate +skater +skipper +skippy +skittles +skyler +skyline +skysky21 +skywalker +slayer +sldkj754 +slideshow +slipknot +slut +sluts +sma +smallbusiness +smallville +smcadmin +smelly +smile +smiles +smiley +smith +smokey +smooth +smudge +snake +snickers +sniper +snmp +snmp-Trap +snmpd +snmptrap +snoopy +snowball +snowflake +snowman +snuggles +soccer +soccer1 +soccer2 +soccerl +soccero +socent +sofia +sofresh +softball +softballl +software +sofuck +solaris +soledad +something +somtik +sonia +sophia +sophie +sosict +soulmate +southside +sp99dd +spacemonkeys +spanky +sparkle +sparky +special +specialist +speedxess +speedy +spencer +spider +spiderma +spiderman +spike +spike04 +spirit +spitfire +spoiled +sponge +spongebob +spooky +spooml +sporting +sports +spring +sprite +sq!us3r +squ1rrel +squirt +srinivas +ssladmin +ssp +stacey +stanley +star +starfish +stargate +stark123 +starl +starlight +stars +start123 +startrek +starwars +state119 +stay-off +steaua +steelers +stefan +stella +steph +stephanie +stephen 
+steve +steven +stevie +stewart +sticky +stingray +stinky +storageserver +store +stormy +strasburg +stratauser +stratfor +strawberry +strike +stuart +student +stupid +sublime +success +suck +sucker +suckit +suckme +sucks +sugar +summer +summero +sun +sun12345 +sunflower +sunny +sunset +sunsh1ne! +sunshine +sunshine1 +sunvision +super +supergeil +supergirl +superman +superpass +superstar +superstart +superuser +supervisor +support +supportpw +surecom +surfer +surt +susana +suzanne +suzuki +svcPASS83 +sweet +sweet16 +sweetheart +sweetie +sweetl +sweetness +sweetpea +sweets +sweety +swimmer +swimming +switch +swordfis +swordfish +sy123456 +sydney +symantec +symbol +sync +synnet +sys +sys/change_on_install +sysAdmin +sysadm +sysadmin +sysadmpw +sysbin +syslib +sysopr +syspw +system +system1 +system32 +system_admin +sysu +t00lk1t +t00tt00t +t0ch20x +t0ch88 +t0m&j3rry +t0talc0ntr0l4! +t1m3l0rd +taco66 +tagada +tagged +taki +talent +tamara +tanglefoot +tania +tanner +tarantula1 +tarheels +tasha +tasmannet +tatercounter2000 +tatiana +tattoo +taurus +taylor +taytay +tazmania +tdvcth +te +teX1 +teacher +teamo +teamomucho +tech +technolgi +teddy +teddybear +teen +teens +teiubesc +tekiero +telco +tele +telecom +telefone +tellabs#1 +telos +temp11 +temp1234 +temp12345 +temppass +tennis +tequiero +tequieromucho +tequila +teresa +term1nat0r +terrell +terry +test +test1 +test100 +test123 +test1234 +test2 +testbed +tester +testing +testpass +testtest +texas +thailand +the +thebest +thegame +theman +themaster01 +theone +theresa +therock +theused +thisisapassword1 +thomas +three4me +throwaway +thuglife +thumper +thunder +thx1138 +tiaranet +tickle +tiffany +tiger +tiger1 +tiger123 +tigers +tigger +tigger1 +tiggerl +time +time_out +timely +timmy +timothy +tini +tinker +tinkerbell +tintin +tiny +titanic +titkos +tits +tiv0li +tivoli +tivonpw +tj1234 +tlah +tmp123 +tokiohotel +tomcat +tommy +tony +toor +tootsie +topgun +toplayer +topsecret +toptop +tornado@ +torres +toshy99 +totototo 
+touchpwd= +tour +toyota +tr650 +tracey +trade +trancell +trap +travis +trendimsa1.0 +trevor +triangulation +trinidad +trinity +triptrap +trisha +tristan +trixie +trmcnfg +trooper +trouble +trucks +truelove +trustno +trustno1 +tslinux +tucker +tuff1234 +tunix +turkey +turnkey +turtle +tutor +tuxalize +tweety +tweetybird +tweetyl +twilight +twinkle +twins +tyler +tyrone +tyson +uClinux +uboot +ucsucs +umountfs +umountfsys +umountsys +undertaker +unicorn +unique +united +united123 +united99 +unix +uplink +urchin +user +user0000 +userNotU +usher +usulll +uucp +uucpadm +vagina +valentin +valentina +valentine +valentino +valeria +valerie +vampire +vanesa +vanessa +vanilla +vatefairefoutre +vatten +vegeta +venigo +ventilator +veronica +vertex25 +vfnmdfie +vgnadmin +vicky +victor +victoria +victory +video +vienna12 +vienna88 +viewmaster +viewuser1 +viking +vikings +vince123 +vincent +violet +violeta +viper +virgin +virginia +virginia11 +virgo +vishal123 +vision +vision2 +visor +visual +vitaly +vitesse +vivian +viviana +vivivi +vlis +voip123 +volcom +volition +volleyball +voodoo +voyager +vpasp +w00tw00t +w0rkplac3rul3s +w2402 +w8w00rd +wachtwoord +walker +wallace +walter +wampp +wanker +wanmei +warcraft +warpdrive +warren +warrior +warriors +water +waterfire12 +watermelon +wave123 +wayne +weasel +web +webadmin +webibm +weblink +weblogic +webmaster +weeslz +welcome +welcome1 +wendimia +wendy +wesley +west123 +westlife +westside +wg +whatever +white +whitebird +whitney +whore +whynot +wibbles +wicked +wildcat +wildcats +william +williams +willie +willow +wilson +windows +windows7 +winner +winnie +winston +winston1 +winter +winterm +wipro123 +wizard +wjltnt +wlcsystem +wlpisystem +wlsedb +wlsepassword +wodj +woelco +wolf +wolfgang +wolfpack +wolverin +wolves +wombat +women +woody +world +wrestling +wrgg15_di524 +write +wutang +www +wyse +x +x-admin +x40rocks +x6zynd56 +xampp +xavier +xbox +xbox360 +xboxe6 +xceladmin +xd +xdfk9874t3 +xdr56tfc +xerox +xiazhi +ximena +xinmen 
+xitgmLwmp +xljlbj +xmux +xo11nE +xpsm1210 +xunlei +xupamisto +xxxx +xxxxx +xxxxxx +xxxxxxxx +xxyyzz +xyuxyu +xyzall +xyzzy +yabadabadoo +yahoo +yakiniku +yamaha +yankee +yankees +yasmin +year2000 +yellow +yellow123 +yellow22 +yes90125 +yesenia +yolanda +yomama +young +yourmom +yourock +yousuck +yoyoyo +ytrewq +yugioh +yuiop +yvette +yvonne +yyl +z0x9c8v7 +zacefron +zachary +zaq1@WSX +zaq1xsw2 +zaq1xsw2cde3 +zaqwsxcde +zaxscdvf +zazazaza +zbaaaca +zebra +zeosx +zero0zero +zero2hero +zjaaadc +zmalqp10 +zodiac666 +zombie +zoomadsl +zse4rfv +zxcpoi123 +zxcvbn +zxcvbnm +zzzz +zzzzzz diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb new file mode 100644 index 0000000000..e69de29bb2 From 19231b7c8fc74664b8600d1f359f5308f720b6f6 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 15:48:25 -0500 Subject: [PATCH 07/32] starting skeleton on wordlist class start framing out JtR wordlist class that will generate Wordlists to be passed to our JtR cracker. --- lib/metasploit/framework/jtr/cracker.rb | 2 ++ lib/metasploit/framework/jtr/wordlist.rb | 23 +++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 69ae6808a6..7168cfb9f7 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -236,6 +236,8 @@ module Metasploit runpath end + + end end diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index e69de29bb2..9c0db0b588 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb 
@@ -0,0 +1,23 @@
+
+module Metasploit
+ module Framework
+ module JtR
+
+ class Wordlist
+ include ActiveModel::Validations
+
+ attr_accessor :appenders
+ attr_accessor :custom_wordlist
+ attr_accessor :mutate
+ attr_accessor :prependers
+ attr_accessor :use_common_root
+ attr_accessor :use_creds
+ attr_accessor :use_db_info
+ attr_accessor :use_default_wordlist
+ attr_accessor :use_hostnames
+
+ end
+
+ end
+ end
+end
\ No newline at end of file
From 466576d03f9f14219de267a8357aac402baec58d Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Sat, 14 Jun 2014 16:16:30 -0500
Subject: [PATCH 08/32] jtr wordlist validations started start adding validations and exceptions for the JtR Wordlist class.
---
 .../framework/jtr/invalid_wordlist.rb | 20 ++++++
 lib/metasploit/framework/jtr/wordlist.rb | 62 +++++++++++++++++++
 .../framework/jtr/invalid_wordlist_spec.rb | 38 ++++++++++++
 3 files changed, 120 insertions(+)
 create mode 100644 lib/metasploit/framework/jtr/invalid_wordlist.rb
 create mode 100644 spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb
diff --git a/lib/metasploit/framework/jtr/invalid_wordlist.rb b/lib/metasploit/framework/jtr/invalid_wordlist.rb
new file mode 100644
index 0000000000..edf91b9505
--- /dev/null
+++ b/lib/metasploit/framework/jtr/invalid_wordlist.rb
@@ -0,0 +1,20 @@
+module Metasploit
+ module Framework
+ module JtR
+
+ # This class is the generic Exception raised by a {Wordlist} when
+ # it fails validation. It rolls up all validation errors into a
+ # single exception so that all errors can be dealt with at once.
+ class InvalidWordlist < StandardError
+ attr_reader :model
+
+ def initialize(model)
+ @model = model
+
+ errors = @model.errors.full_messages.join(', ')
+ super(errors)
+ end
+ end
+ end
+ end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb
index 9c0db0b588..588366caf9 100644
--- a/lib/metasploit/framework/jtr/wordlist.rb
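Review bot: `InvalidWordlist` has a class comment but documents neither the `model` reader nor the constructor argument, so a caller rescuing the error cannot tell from the docs what `model` holds. Above `attr_reader :model` I would add `# @!attribute [r] model` followed by `#   @return [Wordlist] the model that failed validation`, and above `initialize` the line `# @param model [#errors] the object whose validation errors are joined into the message`. The message is built once in the constructor from `@model.errors.full_messages`, so it reflects the errors present at raise time only, which is worth stating in the class comment.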
+++ b/lib/metasploit/framework/jtr/wordlist.rb 
@@ -6,16 +6,78 @@ module Metasploit class Wordlist include ActiveModel::Validations + # @!attribute appenders + # @return [Array] an array of strings to append to each word attr_accessor :appenders + + # @!attribute custom_wordlist + # @return [String] the path to a custom wordlist file to include attr_accessor :custom_wordlist + + # @!attribute mutate + # @return [TrueClass] if you want each word mutated as it is added + # @return [FalseClass] if you do not want each word mutated attr_accessor :mutate + + # @!attribute prependers + # @return [Array] an array of strings to prepend to each word attr_accessor :prependers + + # @!attribute use_common_root + # @return [TrueClass] if you want to use the common root words wordlist + # @return [FalseClass] if you do not want to use the common root words wordlist attr_accessor :use_common_root + + # @!attribute use_creds + # @return [TrueClass] if you want to seed the wordlist with existing credential data from the database + # @return [FalseClass] if you do not want to seed the wordlist with existing credential data from the database attr_accessor :use_creds + + # @!attribute use_db_info + # @return [TrueClass] if you want to seed the wordlist with looted database names and schemas + # @return [FalseClass] if you do not want to seed the wordlist with looted database names and schemas attr_accessor :use_db_info + + # @!attribute use_default_wordlist + # @return [TrueClass] if you want to use the default wordlist + # @return [FalseClass] if you do not want to use the default wordlist attr_accessor :use_default_wordlist + + # @!attribute use_hostnames + # @return [TrueClass] if you want to seed the wordlist with existing hostnames from the database + # @return [FalseClass] if you do not want to seed the wordlist with existing hostnames from the database attr_accessor :use_hostnames + validates :mutate, + inclusion: { in: [true, false] } + + validates :use_common_root, + inclusion: { in: [true, false] } + + validates 
:use_creds, + inclusion: { in: [true, false] } + + validates :use_db_info, + inclusion: { in: [true, false] } + + validates :use_default_wordlist, + inclusion: { in: [true, false] } + + validates :use_hostnames, + inclusion: { in: [true, false] } + + + # Raise an exception if the attributes are not valid. + # + # @raise [Invalid] if the attributes are not valid on this scanner + # @return [void] + def valid! + unless valid? + raise Metasploit::Framework::JtR::InvalidWordlist.new(self) + end + nil + end + end end diff --git a/spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb new file mode 100644 index 0000000000..9061e2c78a --- /dev/null +++ b/spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb @@ -0,0 +1,38 @@ +require 'spec_helper' +require 'metasploit/framework/jtr/invalid_wordlist' + +describe Metasploit::Framework::JtR::InvalidWordlist do + + subject(:invalid) do + described_class.new(model) + end + + let(:model) do + model_class.new + end + + let(:model_class) do + Class.new do + include ActiveModel::Validations + end + end + + it { should be_a StandardError } + + it 'should use ActiveModel::Errors#full_messages' do + model.errors.should_receive(:full_messages).and_call_original + + described_class.new(model) + end + + context '#model' do + subject(:error_model) do + invalid.model + end + + it 'should be the passed in model' do + error_model.should == model + end + end + +end \ No newline at end of file From 1dd69a5228232913ad16c8fd2d8ea4f1123c6deb Mon Sep 17 00:00:00 2001 
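Review bot: The YARD block added above `valid!` in wordlist.rb documents the wrong exception and the wrong object: it reads `@raise [Invalid] if the attributes are not valid on this scanner`, while the method raises `Metasploit::Framework::JtR::InvalidWordlist` and the receiver is a wordlist. I would change the tag to `# @raise [InvalidWordlist] if the attributes are not valid on this wordlist` so callers know which class to rescue. The `Wordlist` class body starts above this hunk.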
From: David Maloney Date: Sat, 14 Jun 2014 17:49:47 -0500 Subject: [PATCH 09/32] wordlist validators added custom fielpath vaidator and added validations to the wordlist class --- app/validators/metasploit.rb | 1 + .../metasploit/framework/file_path_validator.rb | 16 ++++++++++++++++ lib/metasploit/framework/jtr/wordlist.rb | 3 +++ 3 files changed, 20 insertions(+) create mode 100644 app/validators/metasploit.rb create mode 100644 app/validators/metasploit/framework/file_path_validator.rb diff --git a/app/validators/metasploit.rb b/app/validators/metasploit.rb new file mode 100644 index 0000000000..9ad3c822cd --- /dev/null +++ b/app/validators/metasploit.rb @@ -0,0 +1 @@ +require 'metasploit/framework/file_path_validator' \ No newline at end of file diff --git a/app/validators/metasploit/framework/file_path_validator.rb b/app/validators/metasploit/framework/file_path_validator.rb new file mode 100644 index 0000000000..4b1f5381b1 --- /dev/null +++ b/app/validators/metasploit/framework/file_path_validator.rb @@ -0,0 +1,16 @@ +module Metasploit + module Framework + # This is a ActiveModel custom validator that assumes the attribute + # is supposed to be the path to a regular file. It checks whether the + # file exists and whether or not it is a regular file. + class FilePathValidator < ActiveModel::EachValidator + + def validate_each(record, attribute, value) + unless ::File.file? value + record.errors[attribute] << (options[:message] || "is not a valid path to a regular file") + end + end + end + end +end + diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index 588366caf9..517eb0953e 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb @@ -1,3 +1,4 @@ +require 'metasploit/framework/jtr/invalid_wordlist' module Metasploit module Framework 
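Review bot: `validate_each` in file_path_validator.rb hands `value` straight to `::File.file?`, which raises `TypeError` for `nil` rather than recording a validation error, so an unset attribute aborts `valid?` instead of failing it. That case is reachable from the unconditional `validates :custom_wordlist, :'Metasploit::Framework::File_path' => true` line this commit adds to wordlist.rb. A guard such as `unless value.is_a?(String) && ::File.file?(value)` keeps the validator safe on its own. The check is also only a point-in-time test of the path, so code that opens the file later should still handle the open failing.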
@@ -48,6 +49,8 @@ module Metasploit # @return [FalseClass] if you do not want to seed the wordlist with existing hostnames from the database attr_accessor :use_hostnames + validates :custom_wordlist, :'Metasploit::Framework::File_path' => true + validates :mutate, inclusion: { in: [true, false] } From 21f29c4da9ed0aba38ba9558144c26cc18c7786e Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 17:54:37 -0500 Subject: [PATCH 10/32] more filepath validators added filepath validations to cracker also made them all conditional validations --- lib/metasploit/framework/jtr/cracker.rb | 8 ++++++++ lib/metasploit/framework/jtr/wordlist.rb | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 7168cfb9f7..0b226a7ed3 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -44,12 +44,20 @@ module Metasploit # @return [String] The file path to the wordlist to use attr_accessor :wordlist + validates :config, :'Metasploit::Framework::File_path' => true, if: 'config.present?' + + validates :hash_path, :'Metasploit::Framework::File_path' => true, if: 'hash_path.present?' + + validates :pot, :'Metasploit::Framework::File_path' => true, if: 'pot.present?' + validates :max_runtime, numericality: { only_integer: true, greater_than_or_equal_to: 0 } + validates :wordlist, :'Metasploit::Framework::File_path' => true, if: 'wordlist.present?' + # @param attributes [Hash{Symbol => String,nil}] def initialize(attributes={}) attributes.each do |attribute, value| diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index 517eb0953e..50a8bedf14 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb 
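Review bot: The conditions on the new `validates` lines in cracker.rb are strings (`if: 'config.present?'`), which ActiveModel evaluates as Ruby source; newer Rails versions deprecated and then removed string conditions, and a lambda or option expresses the same rule without evaluating text. For example `validates :config, :'Metasploit::Framework::File_path' => true, if: -> { config.present? }`, or simply `allow_blank: true` in place of the condition. The same applies to the `custom_wordlist` line in the wordlist.rb hunk of this commit and to the `john_path` and `max_runtime` conditions added in the following commits.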
@@ -49,7 +49,7 @@ module Metasploit # @return [FalseClass] if you do not want to seed the wordlist with existing hostnames from the database attr_accessor :use_hostnames - validates :custom_wordlist, :'Metasploit::Framework::File_path' => true + validates :custom_wordlist, :'Metasploit::Framework::File_path' => true, if: 'custom_wordlist.present?' validates :mutate, inclusion: { in: [true, false] } From 10f3531bbbcc98aa50dad84a1bdd52a7f39709e3 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 18:01:24 -0500 Subject: [PATCH 11/32] add exectuable validator like the filepath validator but also checks to see if the file is exectuable by the current users. --- .../framework/executable_path_validator.rb | 16 ++++++++++++++++ lib/metasploit/framework/jtr/cracker.rb | 2 ++ 2 files changed, 18 insertions(+) create mode 100644 app/validators/metasploit/framework/executable_path_validator.rb diff --git a/app/validators/metasploit/framework/executable_path_validator.rb b/app/validators/metasploit/framework/executable_path_validator.rb new file mode 100644 index 0000000000..b2ca74b926 --- /dev/null +++ b/app/validators/metasploit/framework/executable_path_validator.rb @@ -0,0 +1,16 @@ +module Metasploit + module Framework + # This is a ActiveModel custom validator that assumes the attribute + # is supposed to be the path to a regular file. It checks whether the + # file exists and whether or not it is a regular file. + class ExecutablePathValidator < ActiveModel::EachValidator + + def validate_each(record, attribute, value) + unless ::File.executable? value + record.errors[attribute] << (options[:message] || "is not a valid path to an executable file") + end + end + end + end +end + diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 0b226a7ed3..f02d85db20 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb 
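Review bot: `ExecutablePathValidator#validate_each` only calls `::File.executable?`, which is also true for a directory the current user may traverse, so a directory path passes validation for `john_path`, the attribute that selects the binary to run. The class comment was copied from the file-path validator and still says it checks for a regular file, which this code does not do. I would tighten the test to `unless ::File.file?(value) && ::File.executable?(value)` and reword the comment to say the attribute must be a regular file that the current user can execute.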
@@ -48,6 +48,8 @@ module Metasploit validates :hash_path, :'Metasploit::Framework::File_path' => true, if: 'hash_path.present?' + validates :john_path, :'Metasploit::Framework::Executable_path' => true, if: 'john_path.present?' + validates :pot, :'Metasploit::Framework::File_path' => true, if: 'pot.present?' validates :max_runtime, From 529e5da00a2f7f231ef25d58d9ca74458dd8f6e9 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 18:02:51 -0500 Subject: [PATCH 12/32] make sure laoder finds new validator --- app/validators/metasploit.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/validators/metasploit.rb b/app/validators/metasploit.rb index 9ad3c822cd..4733b4b1ed 100644 --- a/app/validators/metasploit.rb +++ b/app/validators/metasploit.rb @@ -1 +1,2 @@ -require 'metasploit/framework/file_path_validator' \ No newline at end of file +require 'metasploit/framework/file_path_validator' +require 'metasploit/framework/executable_path_validator' \ No newline at end of file From 33519b1fcdd0cb1d66aa8c0b40543986a2b6b239 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 19:59:59 -0500 Subject: [PATCH 13/32] cracker validations and specs more validations and specs for the cracker class --- lib/metasploit/framework/jtr/cracker.rb | 2 +- .../metasploit/framework/jtr/cracker_spec.rb | 90 +++++++++++++++++++ 2 files changed, 91 insertions(+), 1 deletion(-) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index f02d85db20..0cad2320fb 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -56,7 +56,7 @@ module Metasploit numericality: { only_integer: true, greater_than_or_equal_to: 0 - } + }, if: 'max_runtime.present?' validates :wordlist, :'Metasploit::Framework::File_path' => true, if: 'wordlist.present?' 
diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb index 784ee44691..4991b1d8de 100644 --- a/spec/lib/metasploit/framework/jtr/cracker_spec.rb +++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb 
@@ -150,4 +150,94 @@ describe Metasploit::Framework::JtR::Cracker do expect(cracker.show_command.last).to eq hash_path end end + + describe 'validations' do + context 'failures' do + context 'file_path validators' do + before(:each) do + expect(File).to receive(:file?).and_return false + end + + it 'produces the correct error message for config' do + cracker.config = config + expect(cracker).to_not be_valid + expect(cracker.errors[:config]).to include "is not a valid path to a regular file" + end + + it 'produces the correct error message for hash_path' do + cracker.hash_path = hash_path + expect(cracker).to_not be_valid + expect(cracker.errors[:hash_path]).to include "is not a valid path to a regular file" + end + + it 'produces the correct error message for pot' do + cracker.pot = pot + expect(cracker).to_not be_valid + expect(cracker.errors[:pot]).to include "is not a valid path to a regular file" + end + + it 'produces the correct error message for wordlist' do + cracker.wordlist = wordlist + expect(cracker).to_not be_valid + expect(cracker.errors[:wordlist]).to include "is not a valid path to a regular file" + end + end + + context 'executable_path validators' do + before(:each) do + expect(File).to receive(:executable?).and_return false + end + + it 'produces the correct error message for john_path' do + cracker.john_path = john_path + expect(cracker).to_not be_valid + expect(cracker.errors[:john_path]).to include "is not a valid path to an executable file" + end + end + end + + context 'successes' do + context 'file_path validators' do + before(:each) do + expect(File).to receive(:file?).and_return true + end + + it 'produces no error message for config' do + cracker.config = config + expect(cracker).to be_valid + expect(cracker.errors[:config]).to_not include "is not a valid path to a regular file" + end + + it 'produces no error message for hash_path' do + cracker.hash_path = hash_path + expect(cracker).to be_valid + 
expect(cracker.errors[:hash_path]).to_not include "is not a valid path to a regular file" + end + + it 'produces no error message for pot' do + cracker.pot = pot + expect(cracker).to be_valid + expect(cracker.errors[:pot]).to_not include "is not a valid path to a regular file" + end + + it 'produces no error message for wordlist' do + cracker.wordlist = wordlist + expect(cracker).to be_valid + expect(cracker.errors[:wordlist]).to_not include "is not a valid path to a regular file" + end + end + + context 'executable_path validators' do + before(:each) do + expect(File).to receive(:executable?).and_return true + end + + it 'produces no error message for john_path' do + cracker.john_path = john_path + expect(cracker).to be_valid + expect(cracker.errors[:john_path]).to_not include "is not a valid path to an executable file" + end + end + end + end end \ No newline at end of file From a5fb8989042f2f28e238d9831c0b893807767528 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sat, 14 Jun 2014 20:03:56 -0500 Subject: [PATCH 14/32] actually set max run time make maxrutnime affect the crack command --- Gemfile | 2 +- Gemfile.lock | 8 ++++++++ lib/metasploit/framework/jtr/cracker.rb | 4 ++++ spec/lib/metasploit/framework/jtr/cracker_spec.rb | 6 ++++++ 4 files changed, 19 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 5986dc1d65..23ba3d2ef8 100755 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source 'https://rubygems.org' # Add default group gems to `metasploit-framework.gemspec`: # spec.add_runtime_dependency '', [] gemspec - +gem 'pry' group :db do # Needed for Msf::DbManager gem 'activerecord', '>= 3.0.0', '< 4.0.0' diff --git a/Gemfile.lock b/Gemfile.lock index 54d407fefe..98e4130b5c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -53,6 +53,7 @@ GEM arel (3.0.3) bcrypt (3.1.7) builder (3.0.4) + coderay (1.1.0) diff-lcs (1.2.5) erubis (2.7.0) factory_girl (4.4.0) 
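Review bot: The Gemfile hunk adds `gem 'pry'` at top level, outside any group, in a commit whose stated purpose is the max-run-time option; that makes an interactive debugger, plus the `coderay`, `method_source` and `slop` entries it pulls into Gemfile.lock, a dependency of every install. It looks like a leftover from a debugging session. If it is wanted at all, restrict it with `gem 'pry', group: :development`; otherwise drop the line and the matching Gemfile.lock entries from this commit.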
@@ -71,6 +72,7 @@ GEM activerecord (>= 3.2.13, < 4.0.0) activesupport pg + method_source (0.8.2) mini_portile (0.6.0) msgpack (0.5.8) multi_json (1.0.4) @@ -80,6 +82,10 @@ GEM packetfu (1.1.9) pcaprub (0.11.3) pg (0.17.1) + pry (0.9.12.6) + coderay (~> 1.0) + method_source (~> 0.8) + slop (~> 3.4) rack (1.4.5) rack-cache (1.2) rack (>= 0.4) @@ -124,6 +130,7 @@ GEM multi_json (~> 1.0.3) simplecov-html (~> 0.5.3) simplecov-html (0.5.3) + slop (3.5.0) sprockets (2.2.2) hike (~> 1.2) multi_json (~> 1.0) @@ -150,6 +157,7 @@ DEPENDENCIES network_interface (~> 0.0.1) pcaprub pg (>= 0.11) + pry rake (>= 10.0.0) redcarpet rspec (>= 2.12) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 0cad2320fb..8b639650f2 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -140,6 +140,10 @@ module Metasploit cmd << ( "--rules=" + rules ) end + if max_runtime.present? + cmd << ( "--max-run-time=" + max_runtime.to_s) + end + cmd << hash_path end diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb index 4991b1d8de..17fff9f4df 100644 --- a/spec/lib/metasploit/framework/jtr/cracker_spec.rb +++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb @@ -15,6 +15,7 @@ describe Metasploit::Framework::JtR::Cracker do let(:nt_format) { 'nt' } let(:incremental) { 'Digits5' } let(:rules) { 'Rule34'} + let(:max_runtime) { 5000 } describe '#binary_path' do @@ -110,6 +111,11 @@ describe Metasploit::Framework::JtR::Cracker do expect(cracker.crack_command).to include "--rules=#{rules}" end + it 'uses the user supplied max-run-time' do + cracker.max_runtime = max_runtime + expect(cracker.crack_command).to include "--max-run-time=#{max_runtime.to_s}" + end + it 'puts the path to the has file at the end' do cracker.hash_path = hash_path expect(cracker.crack_command.last).to eq hash_path 
From 41d6b326f2728e902df5fdd2b101e960dc595ee3 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 15 Jun 2014 11:14:11 -0500 Subject: [PATCH 15/32] specs for wordlist validations added specs to cover the validations on the JtR wordlist class. --- lib/metasploit/framework/jtr/wordlist.rb | 19 ++++-- .../metasploit/framework/jtr/wordlist_spec.rb | 63 +++++++++++++++++++ 2 files changed, 76 insertions(+), 6 deletions(-) create mode 100644 spec/lib/metasploit/framework/jtr/wordlist_spec.rb diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index 50a8bedf14..7083ea65c7 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb @@ -52,23 +52,30 @@ module Metasploit validates :custom_wordlist, :'Metasploit::Framework::File_path' => true, if: 'custom_wordlist.present?' validates :mutate, - inclusion: { in: [true, false] } + inclusion: { in: [true, false], message: "must be true or false" } + validates :use_common_root, - inclusion: { in: [true, false] } + inclusion: { in: [true, false], message: "must be true or false" } validates :use_creds, - inclusion: { in: [true, false] } + inclusion: { in: [true, false], message: "must be true or false" } validates :use_db_info, - inclusion: { in: [true, false] } + inclusion: { in: [true, false], message: "must be true or false" } validates :use_default_wordlist, - inclusion: { in: [true, false] } + inclusion: { in: [true, false], message: "must be true or false" } validates :use_hostnames, - inclusion: { in: [true, false] } + inclusion: { in: [true, false], message: "must be true or false" } + # @param attributes [Hash{Symbol => String,nil}] + def initialize(attributes={}) + attributes.each do |attribute, value| + public_send("#{attribute}=", value) + end + end # Raise an exception if the attributes are not valid. # 
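Review bot: The `initialize` added to wordlist.rb calls `public_send("#{attribute}=", value)` for every key it receives, so a hash assembled from option input can reach any public writer on the object, and an unknown key surfaces as `NoMethodError` rather than as a validation error. Checking each key against the known attribute names before sending would make the constructor's contract explicit. The `@param attributes [Hash{Symbol => String,nil}]` tag is also inaccurate for this class, since most of its attributes are booleans or arrays; `# @param attributes [Hash{Symbol => Object}] accessor names mapped to their initial values` would be closer.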
diff --git a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb new file mode 100644 index 0000000000..1b6b2fa32d --- /dev/null +++ b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb 
@@ -0,0 +1,63 @@ +require 'spec_helper' +require 'metasploit/framework/jtr/wordlist' + +describe Metasploit::Framework::JtR::Wordlist do + + subject(:wordlist) { described_class.new } + + let(:custom_wordlist) { '/path/to/custom_wordlist' } + + + it { should respond_to :appenders } + it { should respond_to :custom_wordlist } + it { should respond_to :mutate } + it { should respond_to :prependers } + it { should respond_to :use_common_root } + it { should respond_to :use_creds } + it { should respond_to :use_db_info } + it { should respond_to :use_default_wordlist } + it { should respond_to :use_hostnames } + + describe 'validations' do + + it 'raises an error if the custom_wordlist does not exist on the filesystem' do + expect(File).to receive(:file?).and_return false + wordlist.custom_wordlist = custom_wordlist + expect(wordlist).to_not be_valid + expect(wordlist.errors[:custom_wordlist]).to include "is not a valid path to a regular file" + end + + it 'raises an error if mutate is not set to true or false' do + expect(wordlist).to_not be_valid + expect(wordlist.errors[:mutate]).to include "must be true or false" + end + + it 'raises an error if use_common_root is not set to true or false' do + expect(wordlist).to_not be_valid + expect(wordlist.errors[:use_common_root]).to include "must be true or false" + end + + it 'raises an error if use_creds is not set to true or false' do + expect(wordlist).to_not be_valid + expect(wordlist.errors[:use_creds]).to include "must be true or false" + end + + it 'raises an error if use_db_info is not set to true or false' do + expect(wordlist).to_not be_valid + expect(wordlist.errors[:use_db_info]).to include "must be true or false" + end + + it 'raises an error if use_default_wordlist is not set to true or false' do + expect(wordlist).to_not be_valid + expect(wordlist.errors[:use_default_wordlist]).to include "must be true or false" + end + + it 'raises an error if use_hostnames is not set to true or false' do + 
expect(wordlist).to_not be_valid + expect(wordlist.errors[:use_hostnames]).to include "must be true or false" + end + end + + + +end \ No newline at end of file From 8ada0804bd79450c21d983ba13e667c5cb2fffe6 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 15 Jun 2014 11:22:43 -0500 Subject: [PATCH 16/32] add valid! spec --- spec/lib/metasploit/framework/jtr/wordlist_spec.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb index 1b6b2fa32d..7699806a5b 100644 --- a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb +++ b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb @@ -58,6 +58,10 @@ describe Metasploit::Framework::JtR::Wordlist do end end - + describe '#valid!' do + it 'raises an InvalidWordlist exception if not valid?' do + expect{ wordlist.valid! }.to raise_error Metasploit::Framework::JtR::InvalidWordlist + end + end end \ No newline at end of file From a00ff5aeefb267250f7284322a4d358c3582043a Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 15 Jun 2014 12:16:21 -0500 Subject: [PATCH 17/32] yield custom_wordlist words --- lib/metasploit/framework/jtr/wordlist.rb | 33 +++++++++++++++++++ .../metasploit/framework/jtr/wordlist_spec.rb | 23 +++++++++++-- 2 files changed, 54 insertions(+), 2 deletions(-) diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index 7083ea65c7..827deb7dc7 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb 
@@ -77,6 +77,39 @@ module Metasploit end end + def each_word + # Make sure are attributes are all valid first! + valid! + + # Yield the expanded form of each line of the custom wordlist if one was given + if custom_wordlist.present? + ::File.open(custom_wordlist, "rb") do |fd| + fd.each_line do |line| + expanded_words(line) do |word| + yield word + end + end + end + end + + + + + end + + # This method takes a string and splits it on non-word characters + # and the underscore. It does this to find likely distinct words + # in the string. It then yields each 'word' found this way. + # + # @param word [String] the string to split apart + # @yieldparam expanded [String] the expanded words + # @return [void] + def expanded_words(word='') + word.split(/[\W_]+/).each do |expanded| + yield expanded + end + end + # Raise an exception if the attributes are not valid. # # @raise [Invalid] if the attributes are not valid on this scanner diff --git a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb index 7699806a5b..740d4f4b26 100644 --- a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb +++ b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb @@ -5,8 +5,8 @@ describe Metasploit::Framework::JtR::Wordlist do subject(:wordlist) { described_class.new } - let(:custom_wordlist) { '/path/to/custom_wordlist' } - + let(:custom_wordlist) { File.expand_path('string_list.txt',FILE_FIXTURES_PATH) } + let(:expansion_word) { 'Foo bar_baz-bat.bam\\foo//bar' } it { should respond_to :appenders } it { should respond_to :custom_wordlist } 
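Review bot: `expanded_words` yields an empty string whenever its input begins with a non-word character, because `String#split` keeps a leading empty field (`'-foo'.split(/[\W_]+/)` returns `['', 'foo']`), so `each_word` can emit blank candidates. `word.split(/[\W_]+/).reject(&:empty?).each do |expanded|` avoids that. Two smaller points in the same hunk: the default `word=''` does not protect against an explicit `nil` argument, and `each_word` has no YARD block and raises `LocalJumpError` when called without a block.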
@@ -64,4 +64,23 @@ describe Metasploit::Framework::JtR::Wordlist do end end + describe '#expanded_words' do + it 'yields all the possible component words in the string' do + expect { |b| wordlist.expanded_words(expansion_word,&b) }.to yield_successive_args('Foo','bar','baz','bat','bam','foo','bar') + end + end + + describe '#each_word' do + before(:each) do + expect(wordlist).to receive(:valid!) + end + context 'when given a custom wordlist' do + it 'yields each word in that wordlist' do + wordlist.custom_wordlist = custom_wordlist + expect{ |b| wordlist.each_word(&b) }.to yield_successive_args('foo', 'bar','baz') + end + end + end + + end \ No newline at end of file From 897b0b1ee5cfad1c110facc548d8dcabf09ca5fc Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 15 Jun 2014 13:37:50 -0500 Subject: [PATCH 18/32] wordlist enumerators with some specs started the enumerators on the wordlist class and began adding the specs for them --- lib/metasploit/framework/jtr/wordlist.rb | 178 +++++++++++++++++- spec/file_fixtures/fake_common_roots.txt | 3 + spec/file_fixtures/fake_default_wordlist.txt | 3 + .../metasploit/framework/jtr/wordlist_spec.rb | 30 ++- 4 files changed, 198 insertions(+), 16 deletions(-) create mode 100644 spec/file_fixtures/fake_common_roots.txt create mode 100644 spec/file_fixtures/fake_default_wordlist.txt diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index 827deb7dc7..6f4c544b3c 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb 
@@ -77,23 +77,169 @@ module Metasploit end end - def each_word - # Make sure are attributes are all valid first! - valid! + # This method searches all saved Credentials in the database + # and yields all passwords, usernames, and realm names it finds. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_cred_word + Metasploit::Credential::Password.all.each do |password| + yield password.data + end - # Yield the expanded form of each line of the custom wordlist if one was given - if custom_wordlist.present? - ::File.open(custom_wordlist, "rb") do |fd| - fd.each_line do |line| - expanded_words(line) do |word| + Metasploit::Credential::Public.all.each do |public| + yield public.username + end + + Metasploit::Credential::Realm.all.each do |realm| + yield realm.value + end + end + + # This method reads the file provided as custom_wordlist and yields + # the expanded form of each word in the list. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_custom_word + ::File.open(custom_wordlist, "rb") do |fd| + fd.each_line do |line| + expanded_words(line) do |word| + yield word + end + end + end + end + + # This method searches the notes in the current workspace + # for DB instance names, database names, table names, and + # column names gathered from live database servers. It yields + # each one that it finds. 
+ # + # @yieldparam word [String] the expanded word + # @return [void] + def each_database_word + # Yield database, table and column names from any looted database schemas + myworkspace.notes.where('ntype like ?', '%.schema%').each do |note| + expanded_words(note.data['DBName']) do |word| + yield word + end + + note.data['Tables'].each do |table| + expanded_words(table['TableName']) do |word| + yield word + end + + table['Columns'].each do |column| + expanded_words(column['ColumnName']) do |word| yield word end end end end + # Yield any capture MSSQL Instance names + myworkspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename']).each do |note| + expanded_words(note.data['InstanceName']) do |word| + yield word + end + end + end + # This method yields expanded words taken from the default john + # wordlist that we ship in the data directory. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_default_word + ::File.open(default_wordlist_path, "rb") do |fd| + fd.each_line do |line| + expanded_words(line) do |word| + yield word + end + end + end + end + # This method yields the expanded words out of all the hostnames + # found in the current workspace. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_hostname_word + myworkspace.hosts.all.each do |host| + unless host.name.nil? + expanded_words(host.name) do |word| + yield nil + end + end + end + end + + # This method reads the common_roots.txt wordlist + # expands any words in the list and yields them. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_root_word + ::File.open(common_root_words_path, "rb") do |fd| + fd.each_line do |line| + expanded_words(line) do |word| + yield word + end + end + end + end + + # This method checks all the attributes set on the object and calls + # the appropriate enumerators for each option and yields the results back + # up the call-chain. 
+ # + # @yieldparam word [String] the expanded word + # @return [void] + def each_word + # Make sure are attributes are all valid first! + valid! + + # Yield the expanded form of each line of the custom wordlist if one was given + if custom_wordlist.present? + each_custom_word do |word| + yield word + end + end + + # Yield each word from the common root words list if it was selected + if use_common_root + each_root_word do |word| + yield word + end + end + + # If the user has selected use_creds we yield each password, username, and realm name + # that currently exists in the database. + if use_creds + each_cred_word do |word| + yield word + end + end + + if use_db_info + each_database_word do |word| + yield word + end + end + + if use_default_wordlist + each_default_word do |word| + yield word + end + end + + if use_hostnames + each_hostname_word do |word| + yield word + end + end end @@ -121,6 +267,22 @@ module Metasploit nil end + private + + # This method returns the path to the common_roots.txt wordlist + # + # @return [String] the file path to the common_roots.txt file + def common_root_words_path + ::File.join(Msf::Config.data_directory, 'john', 'wordlists', 'common_roots.txt') + end + + # This method returns the path to the passwords.lst wordlist + # + # @return [String] the file path to the passwords.lst file + def default_wordlist_path + ::File.join(Msf::Config.data_directory, 'john', 'wordlists', 'password.lst') + end + end end diff --git a/spec/file_fixtures/fake_common_roots.txt b/spec/file_fixtures/fake_common_roots.txt new file mode 100644 index 0000000000..9316db735d --- /dev/null +++ b/spec/file_fixtures/fake_common_roots.txt @@ -0,0 +1,3 @@ +password +root +toor \ No newline at end of file diff --git a/spec/file_fixtures/fake_default_wordlist.txt b/spec/file_fixtures/fake_default_wordlist.txt new file mode 100644 index 0000000000..0e27467f4b --- /dev/null +++ b/spec/file_fixtures/fake_default_wordlist.txt 
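Review bot: `each_hostname_word` expands each host name and then executes `yield nil`, so every hostname contributes only `nil` entries to the wordlist; the inner line should be `yield word`. In `each_database_word`, `note.data['DBName']`, `note.data['Tables']` and `table['Columns']` are used without a nil check, so a schema note missing any of them raises `NoMethodError` part-way through enumeration. The comment on `default_wordlist_path` says `passwords.lst` while the code joins `'password.lst'`; one of the two is wrong. The specs added in this commit cover only the three file-backed enumerators, which is probably why the `yield nil` went unnoticed.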
@@ -0,0 +1,3 @@ +changeme +summer123 +admin \ No newline at end of file diff --git a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb index 740d4f4b26..e1e8fd33bb 100644 --- a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb +++ b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb @@ -7,6 +7,8 @@ describe Metasploit::Framework::JtR::Wordlist do let(:custom_wordlist) { File.expand_path('string_list.txt',FILE_FIXTURES_PATH) } let(:expansion_word) { 'Foo bar_baz-bat.bam\\foo//bar' } + let(:common_root_path) { File.expand_path('fake_common_roots.txt',FILE_FIXTURES_PATH) } + let(:default_wordlist_path) { File.expand_path('fake_default_wordlist.txt',FILE_FIXTURES_PATH) } it { should respond_to :appenders } it { should respond_to :custom_wordlist } 
@@ -70,17 +72,29 @@ describe Metasploit::Framework::JtR::Wordlist do end end - describe '#each_word' do - before(:each) do - expect(wordlist).to receive(:valid!) + describe '#each_custom_word' do + + it 'yields each word in that wordlist' do + wordlist.custom_wordlist = custom_wordlist + expect{ |b| wordlist.each_custom_word(&b) }.to yield_successive_args('foo', 'bar','baz') end - context 'when given a custom wordlist' do - it 'yields each word in that wordlist' do - wordlist.custom_wordlist = custom_wordlist - expect{ |b| wordlist.each_word(&b) }.to yield_successive_args('foo', 'bar','baz') - end + end + + describe '#each_root_word' do + it 'yields each word in the common_roots.txt list' do + expect(wordlist).to receive(:common_root_words_path).and_return common_root_path + expect { |b| wordlist.each_root_word(&b) }.to yield_successive_args('password', 'root', 'toor') + end + end + + describe '#each_default_word' do + it 'yields each word in the passwords.lst list' do + expect(wordlist).to receive(:default_wordlist_path).and_return default_wordlist_path + expect { |b| wordlist.each_default_word(&b) }.to yield_successive_args('changeme', 'summer123', 'admin') + end end + end \ No newline at end of file From 9af811a2edf51c9c7e41d7e33048213bb121d8cf Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 15 Jun 2014 15:52:57 -0500 Subject: [PATCH 19/32] we need to pass in a workspace --- lib/metasploit/framework/jtr/wordlist.rb | 13 ++++++++++--- spec/lib/metasploit/framework/jtr/wordlist_spec.rb | 3 ++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index 6f4c544b3c..ff2ddb5836 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb 
@@ -49,6 +49,10 @@ module Metasploit # @return [FalseClass] if you do not want to seed the wordlist with existing hostnames from the database attr_accessor :use_hostnames + # @!attribute workspace + # @return [Mdm::Workspace] the workspace this cracker is for. + attr_accessor :workspace + validates :custom_wordlist, :'Metasploit::Framework::File_path' => true, if: 'custom_wordlist.present?' validates :mutate, @@ -70,6 +74,9 @@ module Metasploit validates :use_hostnames, inclusion: { in: [true, false], message: "must be true or false" } + validates :workspace, + presence: true + # @param attributes [Hash{Symbol => String,nil}] def initialize(attributes={}) attributes.each do |attribute, value| @@ -120,7 +127,7 @@ module Metasploit # @return [void] def each_database_word # Yield database, table and column names from any looted database schemas - myworkspace.notes.where('ntype like ?', '%.schema%').each do |note| + workspace.notes.where('ntype like ?', '%.schema%').each do |note| expanded_words(note.data['DBName']) do |word| yield word end @@ -139,7 +146,7 @@ module Metasploit end # Yield any capture MSSQL Instance names - myworkspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename']).each do |note| + workspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename']).each do |note| expanded_words(note.data['InstanceName']) do |word| yield word end @@ -167,7 +174,7 @@ module Metasploit # @yieldparam word [String] the expanded word # @return [void] def each_hostname_word - myworkspace.hosts.all.each do |host| + workspace.hosts.all.each do |host| unless host.name.nil? expanded_words(host.name) do |word| yield nil diff --git a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb index e1e8fd33bb..c6b58e4b66 100644 --- a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb +++ b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb 
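Review bot: In the last hunk of this file (`each_hostname_word`), the block given to `expanded_words(host.name)` does `yield nil` rather than yielding its block variable, so after the switch to `workspace.hosts` the caller still receives `nil` for every expanded hostname instead of the word. The line should be `yield word`. The method continues past the visible lines of the hunk, and none of the specs in this series exercises `each_hostname_word`, so an example in the style of the other `each_*_word` specs would keep this from regressing.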
@@ -91,10 +91,11 @@ describe Metasploit::Framework::JtR::Wordlist do it 'yields each word in the passwords.lst list' do expect(wordlist).to receive(:default_wordlist_path).and_return default_wordlist_path expect { |b| wordlist.each_default_word(&b) }.to yield_successive_args('changeme', 'summer123', 'admin') - end end + + end \ No newline at end of file From f1a39ef9737b501e9479c65db580587ba8c9bdb5 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 16 Jun 2014 13:31:30 -0500 Subject: [PATCH 20/32] enumerators all done with specs the enumeration chains are now all complete with specs so we can enumerate all the words generated by the given options. --- lib/metasploit/framework/jtr/wordlist.rb | 199 ++++++++++++++---- .../metasploit/framework/jtr/wordlist_spec.rb | 39 +++- 2 files changed, 193 insertions(+), 45 deletions(-) diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index ff2ddb5836..dde824d2d6 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb 
@@ -82,6 +82,72 @@ module Metasploit attributes.each do |attribute, value| public_send("#{attribute}=", value) end + @appenders ||= [] + @prependers ||= [] + end + + # This method takes a word, and appends each word from the appenders list + # and yields the new words. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_appended_word(word='') + yield word + appenders.each do |suffix| + yield "#{word}#{suffix}" + end + end + + # This method checks all the attributes set on the object and calls + # the appropriate enumerators for each option and yields the results back + # up the call-chain. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_base_word + # Make sure are attributes are all valid first! + valid! + + # Yield the expanded form of each line of the custom wordlist if one was given + if custom_wordlist.present? + each_custom_word do |word| + yield word + end + end + + # Yield each word from the common root words list if it was selected + if use_common_root + each_root_word do |word| + yield word + end + end + + # If the user has selected use_creds we yield each password, username, and realm name + # that currently exists in the database. + if use_creds + each_cred_word do |word| + yield word + end + end + + if use_db_info + each_database_word do |word| + yield word + end + end + + if use_default_wordlist + each_default_word do |word| + yield word + end + end + + if use_hostnames + each_hostname_word do |word| + yield word + end + end + end # This method searches all saved Credentials in the database 
@@ -183,6 +249,38 @@ module Metasploit end end + # This method checks to see if the user asked for mutations. If mutations + # have been enabled, then it creates all the unique mutations and yields + # each result. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_mutated_word(word='') + mutants = [ ] + + # Run the mutations only if the option is set + if mutate + mutants = mutants + mutate_word(word) + end + + mutants << word + mutants.uniq.each do |mutant| + yield mutant + end + end + + # This method takes a word, and prepends each word from the prependers list + # and yields the new words. + # + # @yieldparam word [String] the expanded word + # @return [void] + def each_prepended_word(word='') + yield word + prependers.each do |prefix| + yield "#{prefix}#{word}" + end + end + # This method reads the common_roots.txt wordlist # expands any words in the list and yields them. # 
@@ -198,56 +296,24 @@ module Metasploit end end - # This method checks all the attributes set on the object and calls - # the appropriate enumerators for each option and yields the results back - # up the call-chain. + # This method wraps around all the other enumerators. It processes + # all of the options and yields each word generated by the options + # selected. # - # @yieldparam word [String] the expanded word + # @yieldparam word [String] the word to write out to the wordlist file # @return [void] def each_word - # Make sure are attributes are all valid first! - valid! + each_base_word do |base_word| + each_mutated_word(base_word) do |mutant| + each_prepended_word do |prepended| + yield prepended + end - # Yield the expanded form of each line of the custom wordlist if one was given - if custom_wordlist.present? - each_custom_word do |word| - yield word + each_appended_word do |appended| + yield appended + end end end - - # Yield each word from the common root words list if it was selected - if use_common_root - each_root_word do |word| - yield word - end - end - - # If the user has selected use_creds we yield each password, username, and realm name - # that currently exists in the database. - if use_creds - each_cred_word do |word| - yield word - end - end - - if use_db_info - each_database_word do |word| - yield word - end - end - - if use_default_wordlist - each_default_word do |word| - yield word - end - end - - if use_hostnames - each_hostname_word do |word| - yield word - end - end - end # This method takes a string and splits it on non-word characters 
@@ -263,6 +329,51 @@ module Metasploit end end + # This method takes a word and applies various mutation rules to that word + # and returns an array of all the mutated forms. + # + # @param word [String] the word to apply the mutations to + # @return [Array] An array containing all the mutated forms of the word + def mutate_word(word) + + # A mapping of all the different mutation types we want to apply + mutations = { + '@' => 'a', + '0' => 'o', + '3' => 'e', + '$' => 's', + '7' => 't', + '1' => 'l', + '5' => 's' + } + + iterations = mutations.keys.dup + results = [] + + # Find PowerSet of all possible mutation combinations + iterations = iterations.inject([[]]) do |accumulator,mutation_key| + power_set = [] + accumulator.each do |i| + power_set << i + power_set << i+[mutation_key] + end + power_set + end + + # Iterate through combinations to create each possible mutation + iterations.each do |iteration| + next if iteration.flatten.empty? + first = iteration.shift + intermediate = word.gsub(/#{mutations[first]}/i,first ) + iteration.each do |mutator| + next unless mutator.kind_of? String + intermediate.gsub!(/#{mutations[mutator]}/i,mutator) + end + results << intermediate + end + results.flatten.uniq + end + # Raise an exception if the attributes are not valid. # # @raise [Invalid] if the attributes are not valid on this scanner diff --git a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb index c6b58e4b66..7067bcf683 100644 --- a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb +++ b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb 
@@ -9,6 +9,24 @@ describe Metasploit::Framework::JtR::Wordlist do let(:expansion_word) { 'Foo bar_baz-bat.bam\\foo//bar' } let(:common_root_path) { File.expand_path('fake_common_roots.txt',FILE_FIXTURES_PATH) } let(:default_wordlist_path) { File.expand_path('fake_default_wordlist.txt',FILE_FIXTURES_PATH) } + let(:password) { FactoryGirl.create(:metasploit_credential_password) } + let(:public) { FactoryGirl.create(:metasploit_credential_public) } + let(:realm) { FactoryGirl.create(:metasploit_credential_realm) } + let(:mutate_me) { 'password' } + let(:mutants) { [ + "pa55word", + "password", + "pa$$word", + "passw0rd", + "pa55w0rd", + "pa$$w0rd", + "p@ssword", + "p@55word", + "p@$$word", + "p@ssw0rd", + "p@55w0rd", + "p@$$w0rd" + ] } it { should respond_to :appenders } it { should respond_to :custom_wordlist } @@ -73,7 +91,6 @@ describe Metasploit::Framework::JtR::Wordlist do end describe '#each_custom_word' do - it 'yields each word in that wordlist' do wordlist.custom_wordlist = custom_wordlist expect{ |b| wordlist.each_custom_word(&b) }.to yield_successive_args('foo', 'bar','baz') @@ -94,8 +111,28 @@ describe Metasploit::Framework::JtR::Wordlist do end end + define '#each_cred_word' do + it 'yields each username,password,and realm in the database' do + expect{ |b| wordlist.each_cred_word(&b) }.to yield_successive_args(password.data, public,username, realm,value) + end + end + describe '#mutate_word' do + it 'returns an array with all possible mutations of the word' do + expect(wordlist.mutate_word(mutate_me)).to eq mutants + end + end + describe '#each_mutated_word' do + it 'yields each unique mutated word if mutate set to true' do + wordlist.mutate = true + expect { |b| wordlist.each_mutated_word(mutate_me,&b)}.to yield_successive_args(*mutants) + end + it 'yields the original word if mutate set to true' do + wordlist.mutate = false + expect { |b| wordlist.each_mutated_word(mutate_me,&b)}.to yield_with_args(mutate_me) + end + end end \ No newline at end of file 
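Review bot: The `#each_cred_word` group in the last hunk is opened with `define` instead of `describe`, so the example inside it is most likely never registered as a test. Its expectation also separates `public,username` and `realm,value` with commas where the method calls `public.username` and `realm.value` appear to be intended, so it would not check what its title says even once it runs. The second `#each_mutated_word` example sets `wordlist.mutate = false` but is titled 'yields the original word if mutate set to true'; the title should say `false`.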
From a92a58417f26d8882075817489eab5e798fceafc Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 16 Jun 2014 17:18:52 -0500 Subject: [PATCH 21/32] memoize the mutation keys it was recalculating the mutation rules everytime, and there is no reason to do this --- lib/metasploit/framework/jtr/wordlist.rb | 91 +++++++++++++++--------- 1 file changed, 56 insertions(+), 35 deletions(-) diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index dde824d2d6..6bd9f4c6b3 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb @@ -7,6 +7,17 @@ module Metasploit class Wordlist include ActiveModel::Validations + # A mapping of the mutation substitution rules + MUTATIONS = { + '@' => 'a', + '0' => 'o', + '3' => 'e', + '$' => 's', + '7' => 't', + '1' => 'l', + '5' => 's' + } + # @!attribute appenders # @return [Array] an array of strings to append to each word attr_accessor :appenders @@ -111,14 +122,14 @@ module Metasploit # Yield the expanded form of each line of the custom wordlist if one was given if custom_wordlist.present? each_custom_word do |word| - yield word + yield word unless word.blank? end end # Yield each word from the common root words list if it was selected if use_common_root each_root_word do |word| - yield word + yield word unless word.blank? end end @@ -126,25 +137,25 @@ module Metasploit # that currently exists in the database. if use_creds each_cred_word do |word| - yield word + yield word unless word.blank? end end if use_db_info each_database_word do |word| - yield word + yield word unless word.blank? end end if use_default_wordlist each_default_word do |word| - yield word + yield word unless word.blank? end end if use_hostnames each_hostname_word do |word| - yield word + yield word unless word.blank? end end 
@@ -305,11 +316,11 @@ module Metasploit def each_word each_base_word do |base_word| each_mutated_word(base_word) do |mutant| - each_prepended_word do |prepended| + each_prepended_word(mutant) do |prepended| yield prepended end - each_appended_word do |appended| + each_appended_word(mutant) do |appended| yield appended end end @@ -335,45 +346,28 @@ module Metasploit # @param word [String] the word to apply the mutations to # @return [Array] An array containing all the mutated forms of the word def mutate_word(word) - - # A mapping of all the different mutation types we want to apply - mutations = { - '@' => 'a', - '0' => 'o', - '3' => 'e', - '$' => 's', - '7' => 't', - '1' => 'l', - '5' => 's' - } - - iterations = mutations.keys.dup results = [] - - # Find PowerSet of all possible mutation combinations - iterations = iterations.inject([[]]) do |accumulator,mutation_key| - power_set = [] - accumulator.each do |i| - power_set << i - power_set << i+[mutation_key] - end - power_set - end - # Iterate through combinations to create each possible mutation - iterations.each do |iteration| + mutation_keys.each do |iteration| next if iteration.flatten.empty? first = iteration.shift - intermediate = word.gsub(/#{mutations[first]}/i,first ) + intermediate = word.gsub(/#{MUTATIONS[first]}/i,first ) iteration.each do |mutator| next unless mutator.kind_of? String - intermediate.gsub!(/#{mutations[mutator]}/i,mutator) + intermediate.gsub!(/#{MUTATIONS[mutator]}/i,mutator) end results << intermediate end results.flatten.uniq end + # A getter for a memoized version fo the mutation keys list + # + # @return [Array] a 2D array of all mutation combinations + def mutation_keys + @mutation_keys ||= generate_mutation_keys + end + # Raise an exception if the attributes are not valid. # # @raise [Invalid] if the attributes are not valid on this scanner 
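Review bot: `each_word` still hands every mutant to the caller twice, because `each_prepended_word` and `each_appended_word` both begin with `yield word` before walking their lists; with empty `prependers` and `appenders` the generated list is exactly doubled. Either `each_word` should yield `mutant` once itself and have the two helpers yield only the combined forms, or one helper should skip the bare word when called from here. Prefix and suffix are also never applied to the same word, which may be intended but should be stated in the `each_word` doc comment.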
@@ -385,6 +379,19 @@ module Metasploit nil end + # This method takes all the options provided and streams the generated wordlist out + # to a {Rex::Quickfile} and returns the {Rex::Quickfile}. + # + # @return [Rex::Quickfile] The {Rex::Quickfile} object that the wordlist has been written to + def write + valid! + wordlist_file = Rex::Quickfile.new("jtrtmp") + each_word do |word| + wordlist_file.puts word + end + wordlist_file + end + private # This method returns the path to the common_roots.txt wordlist @@ -401,6 +408,20 @@ module Metasploit ::File.join(Msf::Config.data_directory, 'john', 'wordlists', 'password.lst') end + def generate_mutation_keys + iterations = MUTATIONS.keys.dup + + # Find PowerSet of all possible mutation combinations + iterations.inject([[]]) do |accumulator,mutation_key| + power_set = [] + accumulator.each do |i| + power_set << i + power_set << i+[mutation_key] + end + power_set + end + end + end end From 95beaa4f7ee7dd651937de49ffae82514a399559 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 16 Jun 2014 17:37:18 -0500 Subject: [PATCH 22/32] correct self-eating array nature we never noticed we were modifying the array in place because we were reculaculating. now with a memoized version we would get decreasing results --- lib/metasploit/framework/jtr/wordlist.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index 6bd9f4c6b3..aef45a1c2b 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb @@ -350,8 +350,7 @@ module Metasploit # Iterate through combinations to create each possible mutation mutation_keys.each do |iteration| next if iteration.flatten.empty? - first = iteration.shift - intermediate = word.gsub(/#{MUTATIONS[first]}/i,first ) + intermediate = word.dup iteration.each do |mutator| next unless mutator.kind_of? String intermediate.gsub!(/#{MUTATIONS[mutator]}/i,mutator) 
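Review bot: `write` returns the `Rex::Quickfile` without flushing it, so a consumer that passes the file's path to an external process can read a truncated list while the tail is still in Ruby's write buffer; add `wordlist_file.flush` before the final `wordlist_file`. With `use_creds` enabled the file also holds usernames and passwords from the workspace in plaintext, so the doc comment should say who cleans it up, for example `# @note the caller must close and unlink the returned file; it may contain credentials from the workspace`. `valid!` is also run twice per call, once here and once in `each_base_word`.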
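Review bot: `generate_mutation_keys` is the only method added in this commit without a doc comment, and the nested arrays it returns are now shared by every `mutate_word` call through the `@mutation_keys` memo. A comment such as `# Builds every combination (the power set) of the MUTATIONS keys, including the empty one` with `# @return [Array<Array<String>>]` would cover the first part. Freezing the result, inner arrays included, and adding `.freeze` to the `MUTATIONS` literal in the first hunk of this commit would turn any in-place edit of the shared data into an immediate error instead of silently changing later results.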
From a81b0ed17be5535d3136ee7bbca58700d8523da2 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 16 Jun 2014 18:03:06 -0500 Subject: [PATCH 23/32] rename method to_file change method name from write to to_file as it makes more sense for what it is is doing and what it returns --- lib/metasploit/framework/jtr/wordlist.rb | 26 +++++++++++++----------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index aef45a1c2b..acb8142145 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb @@ -367,6 +367,19 @@ module Metasploit @mutation_keys ||= generate_mutation_keys end + # This method takes all the options provided and streams the generated wordlist out + # to a {Rex::Quickfile} and returns the {Rex::Quickfile}. + # + # @return [Rex::Quickfile] The {Rex::Quickfile} object that the wordlist has been written to + def to_file + valid! + wordlist_file = Rex::Quickfile.new("jtrtmp") + each_word do |word| + wordlist_file.puts word + end + wordlist_file + end + # Raise an exception if the attributes are not valid. # # @raise [Invalid] if the attributes are not valid on this scanner @@ -378,18 +391,7 @@ module Metasploit nil end - # This method takes all the options provided and streams the generated wordlist out - # to a {Rex::Quickfile} and returns the {Rex::Quickfile}. - # - # @return [Rex::Quickfile] The {Rex::Quickfile} object that the wordlist has been written to - def write - valid! - wordlist_file = Rex::Quickfile.new("jtrtmp") - each_word do |word| - wordlist_file.puts word - end - wordlist_file - end + private From d473d86ef016fabcf1067e549a18d6a1f8327fc3 Mon Sep 17 00:00:00 2001 
From: David Maloney Date: Tue, 17 Jun 2014 10:29:09 -0500 Subject: [PATCH 24/32] use tr instead of gsub for mutation this should be another slight performance increase as straight up string replacement should require less overhead then multiple runs of regex replacement. --- lib/metasploit/framework/jtr/wordlist.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index acb8142145..c37a88a3b1 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb @@ -351,10 +351,8 @@ module Metasploit mutation_keys.each do |iteration| next if iteration.flatten.empty? intermediate = word.dup - iteration.each do |mutator| - next unless mutator.kind_of? String - intermediate.gsub!(/#{MUTATIONS[mutator]}/i,mutator) - end + subsititutions = iteration.collect { |key| MUTATIONS[key] } + intermediate.tr!(subsititutions.join, iteration.join) results << intermediate end results.flatten.uniq From 432b88680b560dd6ac6e5bb7248cbfe6b729f330 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 17 Jun 2014 13:27:11 -0500 Subject: [PATCH 25/32] start fixing jtr module mixin --- lib/msf/core/auxiliary/jtr.rb | 391 +++------------------------------- 1 file changed, 34 insertions(+), 357 deletions(-) diff --git a/lib/msf/core/auxiliary/jtr.rb b/lib/msf/core/auxiliary/jtr.rb index db7af6a43f..e48c5c3a58 100644 --- a/lib/msf/core/auxiliary/jtr.rb +++ b/lib/msf/core/auxiliary/jtr.rb @@ -2,7 +2,8 @@ require 'open3' require 'fileutils' require 'rex/proto/ntlm/crypt' - +require 'metasploit/framework/jtr/cracker' +require 'metasploit/framework/jtr/wordlist' module Msf 
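Review bot: Replacing the `gsub!` calls with `tr!` in `mutate_word` drops the `/i` flag the regexes carried, so upper-case letters in a word are no longer substituted, although the commit message presents this as a performance change only. If the case-insensitive behaviour is meant to stay, the source set needs both cases, e.g. `from = subsititutions.join` followed by `intermediate.tr!(from + from.upcase, iteration.join * 2)`. The new local is also misspelled (`subsititutions`), and no example in the visible spec hunks feeds `mutate_word` a mixed-case word, which is why the change in output would go unnoticed. `mutate_word` begins and ends outside this hunk.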
@@ -24,141 +25,46 @@ module Auxiliary::JohnTheRipper register_options( [ - OptPath.new('JOHN_BASE', [false, 'The directory containing John the Ripper (src, run, doc)']), - OptPath.new('JOHN_PATH', [false, 'The absolute path to the John the Ripper executable']), - OptPath.new('Wordlist', [false, 'The path to an optional Wordlist']), - OptBool.new('Munge',[false, 'Munge the Wordlist (Slower)', false]) + OptPath.new('CONFIG', [false, 'The path to a John config file to use instead of the default']), + OptPath.new('CUSTOM_WORDLIST', [false, 'The path to an optional custom wordlist']), + OptInt.new('ITERATION_TIMOUT', [false, 'The max-run-time for each iteration of cracking']), + OptPath.new('JOHN_PATH', [false, 'The absolute path to the John the Ripper executable']), + OptBool.new('MUTATE', [false, 'Apply common mutations to the Wordlist (SLOW)', false]), + OptPath.new('POT', [false, 'The path to a John POT file to use instead of the default']), + OptBool.new('USE_CREDS', [false, 'Use existing credential data saved in the database', true]), + OptBool.new('USE_DB_INFO', [false, 'Use looted database schema info to seed the wordlist', true]), + OptBool.new('USE_DEFAULT_WORDLIST', [false, 'Use the default metasploit wordlist', true]), + OptBool.new['USE_HOSTNAMES', [false, 'Seed the wordlist with hostnames from the workspace', true]], + OptBool.new('USE_ROOT_WORDS', [false, 'Use the Common Root Words Wordlist', true]) ], Msf::Auxiliary::JohnTheRipper ) - @run_path = nil - @john_path = ::File.join(Msf::Config.data_directory, "john") - - autodetect_platform end - # @return [String] the run path instance variable if the platform is detectable, nil otherwise. 
- def autodetect_platform - return @run_path if @run_path - cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo") - if File.directory?(cpuinfo_base) - data = nil - - case ::RUBY_PLATFORM - when /mingw|cygwin|mswin/ - fname = "#{cpuinfo_base}/cpuinfo.exe" - if File.exists?(fname) and File.executable?(fname) - data = %x{"#{fname}"} rescue nil - end - case data - when /sse2/ - @run_path ||= "run.win32.sse2/john.exe" - when /mmx/ - @run_path ||= "run.win32.mmx/john.exe" - else - @run_path ||= "run.win32.any/john.exe" - end - when /x86_64-linux/ - fname = "#{cpuinfo_base}/cpuinfo.ia64.bin" - if File.exists? fname - ::FileUtils.chmod(0755, fname) rescue nil - data = %x{"#{fname}"} rescue nil - end - case data - when /mmx/ - @run_path ||= "run.linux.x64.mmx/john" - else - @run_path ||= "run.linux.x86.any/john" - end - when /i[\d]86-linux/ - fname = "#{cpuinfo_base}/cpuinfo.ia32.bin" - if File.exists? fname - ::FileUtils.chmod(0755, fname) rescue nil - data = %x{"#{fname}"} rescue nil - end - case data - when /sse2/ - @run_path ||= "run.linux.x86.sse2/john" - when /mmx/ - @run_path ||= "run.linux.x86.mmx/john" - else - @run_path ||= "run.linux.x86.any/john" - end - end - end - - return @run_path + # This method instantiates a {Metasploit::Framework::JtR::Wordlist}, writes the data + # out to a file and returns the {rex::quickfile} object. + # + # @return [nilClass] if there is no active framework db connection + # @return [Rex::Quickfile] if it successfully wrote the wordlist to a file + def wordlist_file + return nil unless framework.db.active? 
+ wordlist = Metasploit::Framework::JtR::Wordlist.new( + custom_wordlist: datastore['CUSTOM_WORDLIST'], + mutate: datastore['MUTATE'], + pot: datastore['POT'], + use_creds: datastore['USE_CREDS'], + use_db_info: datastore['USE_DB_INFO'], + use_default_wordlist: datastore['USE_DEFAULT_WORDLIST'], + use_hostnames: datastore['USE_HOSTNAMES'], + use_common_root: datastore['USE_ROOT_WORDS'], + workspace: myworkspace + ) + wordlist.to_file end - def john_session_id - @session_id ||= ::Rex::Text.rand_text_alphanumeric(8) - end + def john_cracker + return nil unless framework.db.active? - def john_pot_file - ::File.join( ::Msf::Config.config_directory, "john.pot" ) - end - - def john_cracked_passwords - ret = {} - return ret if not ::File.exist?(john_pot_file) - ::File.open(john_pot_file, "rb") do |fd| - fd.each_line do |line| - hash,clear = line.sub(/\r?\n$/, '').split(",", 2) - ret[hash] = clear - end - end - ret - end - - def john_show_passwords(hfile, format=nil) - res = {:cracked => 0, :uncracked => 0, :users => {} } - - john_command = john_binary_path - - if john_command.nil? - print_error("John the Ripper executable not found") - return res - end - - pot = john_pot_file - conf = ::File.join(john_base_path, "confs", "john.conf") - - cmd = [ john_command, "--show", "--conf=#{conf}", "--pot=#{pot}", hfile] - - if format - cmd << "--format=" + format - end - - if RUBY_VERSION =~ /^1\.8\./ - cmd = cmd.join(" ") - end - - ::IO.popen(cmd, "rb") do |fd| - fd.each_line do |line| - line.chomp! - print_status(line) - if line =~ /(\d+) password hash(es)* cracked, (\d+) left/m - res[:cracked] = $1.to_i - res[:uncracked] = $2.to_i - end - - # XXX: If the password had : characters in it, we're screwed - - bits = line.split(':', -1) - - # Skip blank passwords - next if not bits[2] - - if (format== 'lm' or format == 'nt') - res[ :users ][ bits[0] ] = bits[1] - else - bits.last.chomp! 
- res[ :users ][ bits[0] ] = bits.drop(1) - end - - end - end - res end def john_unshadow(passwd_file,shadow_file) @@ -206,61 +112,6 @@ module Auxiliary::JohnTheRipper return retval end - def john_wordlist_path - # We ship it under wordlists/ - path = ::File.join(john_base_path, "wordlists", "password.lst") - # magnumripper/JohnTheRipper repo keeps it under run/ - unless ::File.file? path - path = ::File.join(john_base_path, "run", "password.lst") - end - - path - end - - def john_binary_path - path = nil - if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH']) - path = datastore['JOHN_PATH'] - ::FileUtils.chmod(0755, path) rescue nil - return path - end - - if not @run_path - if ::RUBY_PLATFORM =~ /mingw|cygwin|mswin/ - ::File.join(john_base_path, "john.exe") - else - path = ::File.join(john_base_path, "john") - ::FileUtils.chmod(0755, path) rescue nil - end - else - path = ::File.join(john_base_path, @run_path) - ::FileUtils.chmod(0755, path) rescue nil - end - - if path and ::File.exists?(path) - return path - end - - path = Rex::FileUtils.find_full_path("john") || - Rex::FileUtils.find_full_path("john.exe") - end - - def john_base_path - if datastore['JOHN_BASE'] and ::File.directory?(datastore['JOHN_BASE']) - return datastore['JOHN_BASE'] - end - if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH']) - return ::File.dirname( datastore['JOHN_PATH'] ) - end - @john_path - end - - def john_expand_word(str) - res = [str] - str.split(/\W+/) {|w| res << w } - res.uniq - end - def john_lm_upper_to_ntlm(pwd, hash) pwd = pwd.upcase hash = hash.upcase 
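Review bot: The `USE_HOSTNAMES` entry in the new option list is written `OptBool.new['USE_HOSTNAMES', [...]]` with square brackets, which calls `new` without arguments and then indexes the result, so registering the options should fail as soon as the mixin is initialised; it needs to be `OptBool.new('USE_HOSTNAMES', [false, 'Seed the wordlist with hostnames from the workspace', true]),`. The timeout option is registered as `ITERATION_TIMOUT`, while `new_john_cracker` in the following patch reads `datastore['ITERATION_TIMEOUT']`, so the configured limit would never reach the cracker; the option name should be `ITERATION_TIMEOUT`. `wordlist_file` also passes `pot:` to `Wordlist.new`, and no `pot` accessor is visible on that class in this series, so the `public_send` in its initializer would presumably raise; worth confirming before merge.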
@@ -273,179 +124,5 @@ module Auxiliary::JohnTheRipper end - def john_crack(hfile, opts={}) - - res = {:cracked => 0, :uncracked => 0, :users => {} } - - john_command = john_binary_path - - if john_command.nil? - print_error("John the Ripper executable not found") - return nil - end - - # Don't bother making a log file, we'd just have to rm it when we're - # done anyway. - cmd = [ john_command, "--session=" + john_session_id, "--nolog"] - - if opts[:conf] - cmd << ( "--conf=" + opts[:conf] ) - else - cmd << ( "--conf=" + ::File.join(john_base_path, "confs", "john.conf") ) - end - - if opts[:pot] - cmd << ( "--pot=" + opts[:pot] ) - else - cmd << ( "--pot=" + john_pot_file ) - end - - if opts[:format] - cmd << ( "--format=" + opts[:format] ) - end - - if opts[:wordlist] - cmd << ( "--wordlist=" + opts[:wordlist] ) - end - - if opts[:incremental] - cmd << ( "--incremental=" + opts[:incremental] ) - end - - if opts[:single] - cmd << ( "--single=" + opts[:single] ) - end - - if opts[:rules] - cmd << ( "--rules=" + opts[:rules] ) - end - - cmd << hfile - - if RUBY_VERSION =~ /^1\.8\./ - cmd = cmd.join(" ") - end - - ::IO.popen(cmd, "rb") do |fd| - fd.each_line do |line| - print_status("Output: #{line.strip}") - end - end - - res - end - - def build_seed - - seed = [] - #Seed the wordlist with Database , Table, and Instance Names - - count = 0 - schemas = myworkspace.notes.where('ntype like ?', '%.schema%') - unless schemas.nil? or schemas.empty? - schemas.each do |anote| - seed << anote.data['DBName'] - count += 1 - anote.data['Tables'].each do |table| - seed << table['TableName'] - count += 1 - table['Columns'].each do |column| - seed << column['ColumnName'] - count += 1 - end - end - end - end - print_status "Seeding wordlist with DB schema info... #{count} words added" - count = 0 - - instances = myworkspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename']) - unless instances.nil? or instances.empty? 
- instances.each do |anote| - seed << anote.data['InstanceName'] - count += 1 - end - end - print_status "Seeding with MSSQL Instance Names....#{count} words added" - count = 0 - - # Seed the wordlist with usernames, passwords, and hostnames - - myworkspace.hosts.find(:all).each do |o| - if o.name - seed << john_expand_word( o.name ) - count += 1 - end - end - print_status "Seeding with hostnames....#{count} words added" - count = 0 - - - myworkspace.creds.each do |o| - if o.user - seed << john_expand_word( o.user ) - count +=1 - end - if (o.pass and o.ptype !~ /hash/) - seed << john_expand_word( o.pass ) - count += 1 - end - end - print_status "Seeding with found credentials....#{count} words added" - count = 0 - - # Grab any known passwords out of the john.pot file - john_cracked_passwords.values do |v| - seed << v - count += 1 - end - print_status "Seeding with cracked passwords from John....#{count} words added" - count = 0 - - #Grab the default John Wordlist - john = File.open(john_wordlist_path, "rb") - john.each_line do |line| - seed << line.chomp - count += 1 - end - print_status "Seeding with default John wordlist...#{count} words added" - count = 0 - - if datastore['Wordlist'] - wordlist= File.open(datastore['Wordlist'], "rb") - wordlist.each_line do |line| - seed << line.chomp - count ==1 - end - print_status "Seeding from user supplied wordlist...#{count} words added" - end - - - - unless seed.empty? - seed.flatten! - seed.uniq! - if datastore['Munge'] - mungedseed=[] - seed.each do |word| - munged = word.gsub(/[sS]/, "$").gsub(/[aA]/,"@").gsub(/[oO]/,"0") - mungedseed << munged - munged.gsub!(/[eE]/, "3") - munged.gsub!(/[tT]/, "7") - mungedseed << munged - end - print_status "Adding #{mungedseed.count} words from munging..." - seed << mungedseed - seed.flatten! - seed.uniq! - end - end - print_status "De-duping the wordlist...." - - print_status("Wordlist Seeded with #{seed.length} words") - - return seed - - end end end 
From 763f6f8d80089b66c9d19fc54fc3cc118f706ee7 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 17 Jun 2014 15:16:32 -0500 Subject: [PATCH 26/32] finish cleaning up jtr mixin finish cleaning up the module mixin for jtr --- lib/msf/core/auxiliary/jtr.rb | 90 +++++++++++------------------------ 1 file changed, 28 insertions(+), 62 deletions(-) diff --git a/lib/msf/core/auxiliary/jtr.rb b/lib/msf/core/auxiliary/jtr.rb index e48c5c3a58..30d3cf5def 100644 --- a/lib/msf/core/auxiliary/jtr.rb +++ b/lib/msf/core/auxiliary/jtr.rb @@ -41,6 +41,34 @@ module Auxiliary::JohnTheRipper end + def john_lm_upper_to_ntlm(pwd, hash) + pwd = pwd.upcase + hash = hash.upcase + Rex::Text.permute_case(pwd).each do |str| + if hash == Rex::Proto::NTLM::Crypt.ntlm_hash(str).unpack("H*")[0].upcase + return str + end + end + nil + end + + + # This method creates a new {Metasploit::Framework::JtR::Cracker} and populates + # some of the attributes based on the module datastore options. + # + # @return [nilClass] if there is no active framework db connection + # @return [Metasploit::Framework::JtR::Cracker] if it successfully creates a JtR Cracker object + def new_john_cracker + return nil unless framework.db.active? + Metasploit::Framework::JtR::Cracker.new( + config: datastore['CONFIG'], + john_path: datastore['JOHN_PATH'], + max_runtime: datastore['ITERATION_TIMEOUT'], + pot: datastore['POT'], + wordlist: datastore['CUSTOM_WORDLIST'] + ) + end + # This method instantiates a {Metasploit::Framework::JtR::Wordlist}, writes the data # out to a file and returns the {rex::quickfile} object. # 
@@ -62,67 +90,5 @@ module Auxiliary::JohnTheRipper wordlist.to_file end - def john_cracker - return nil unless framework.db.active? - - end - - def john_unshadow(passwd_file,shadow_file) - - retval="" - - john_command = john_binary_path - - if john_command.nil? - print_error("John the Ripper executable not found") - return nil - end - - if File.exists?(passwd_file) - unless File.readable?(passwd_file) - print_error("We do not have permission to read #{passwd_file}") - return nil - end - else - print_error("File does not exist: #{passwd_file}") - return nil - end - - if File.exists?(shadow_file) - unless File.readable?(shadow_file) - print_error("We do not have permission to read #{shadow_file}") - return nil - end - else - print_error("File does not exist: #{shadow_file}") - return nil - end - - - cmd = [ john_command.gsub(/john$/, "unshadow"), passwd_file , shadow_file ] - - if RUBY_VERSION =~ /^1\.8\./ - cmd = cmd.join(" ") - end - ::IO.popen(cmd, "rb") do |fd| - fd.each_line do |line| - retval << line - end - end - return retval - end - - def john_lm_upper_to_ntlm(pwd, hash) - pwd = pwd.upcase - hash = hash.upcase - Rex::Text.permute_case(pwd).each do |str| - if hash == Rex::Proto::NTLM::Crypt.ntlm_hash(str).unpack("H*")[0].upcase - return str - end - end - nil - end - - end end From 34c0b008169956210e1f84d013dd31e73fae7c45 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 17 Jun 2014 16:10:09 -0500 Subject: [PATCH 27/32] don't autload this mixin causes laod order problems when we try to autoload this mixin. We will just explicitly require --- lib/msf/core/auxiliary/mixins.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/msf/core/auxiliary/mixins.rb b/lib/msf/core/auxiliary/mixins.rb index afa9ff5928..d71205e8e4 100644 --- a/lib/msf/core/auxiliary/mixins.rb +++ b/lib/msf/core/auxiliary/mixins.rb 
@@ -19,6 +19,5 @@ require 'msf/core/auxiliary/login' require 'msf/core/auxiliary/rservices' require 'msf/core/auxiliary/cisco' require 'msf/core/auxiliary/nmap' -require 'msf/core/auxiliary/jtr' require 'msf/core/auxiliary/iax2' require 'msf/core/auxiliary/pii' From 9f11170c3b75fb2e90094bd28d340f9be61e1409 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Wed, 18 Jun 2014 10:57:41 -0500 Subject: [PATCH 28/32] some minor cleanup on jtr stuff minor cleanup to code nstyling stuff --- lib/metasploit/framework/jtr/cracker.rb | 6 ++---- lib/metasploit/framework/jtr/wordlist.rb | 1 + 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 8b639650f2..a480904451 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb @@ -81,13 +81,14 @@ module Metasploit path = Rex::FileUtils.find_full_path("john") || Rex::FileUtils.find_full_path("john.exe") - if ::File.file? path + if path && ::File.file?(path) bin_path = path else # If we can't find john anywhere else, look at our precompiled binaries bin_path = select_shipped_binary end end + raise JohnNotFoundError, 'No suitable John binary was found on the system' if bin_path.blank? bin_path end @@ -110,8 +111,6 @@ module Metasploit # @return [Array] An array set up for {::IO.popen} to use def crack_command cmd_string = binary_path - raise JohnNotFoundError, 'No suitable John binary was found on the system' if cmd_string.blank? - cmd = [ cmd_string, '--session=' + john_session_id, '--nolog', '--dupe-suppression' ] if config.present? @@ -168,7 +167,6 @@ module Metasploit # @return [Array] An array set up for {::IO.popen} to use def show_command cmd_string = binary_path - raise JohnNotFoundError, 'No suitable John binary was found on the system' if cmd_string.blank? pot_file = pot || john_pot_file cmd = [cmd_string, "--show", "--pot=#{pot_file}", "--format=#{format}" ] 
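Review bot: In the `@@ -81,13 +81,14 @@` hunk `binary_path` now raises `JohnNotFoundError` when nothing is found, which changes its contract from handing back a blank value to raising; the method's doc comment lies outside the hunk, so check that it gains `# @raise [JohnNotFoundError] if no suitable John binary was found` and no longer advertises a nil return. The two later hunks on this file remove the same check from `crack_command` and `show_command`, so both now depend on this raise. The fallback branch accepts whatever `select_shipped_binary` returns after only a `blank?` test, while the PATH branch also checks `::File.file?(path)`; that helper is not visible here, so it is worth confirming it cannot return a path that does not exist, otherwise the failure moves to `popen`.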
diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb index c37a88a3b1..1b8a395eef 100644 --- a/lib/metasploit/framework/jtr/wordlist.rb +++ b/lib/metasploit/framework/jtr/wordlist.rb @@ -167,6 +167,7 @@ module Metasploit # @yieldparam word [String] the expanded word # @return [void] def each_cred_word + # We don't want all Private types here. Only Passwords make sense for inclusion in the wordlist. Metasploit::Credential::Password.all.each do |password| yield password.data end From 4b4d9796c5b574c6a61a297c8f62b78a3596eb7d Mon Sep 17 00:00:00 2001 From: David Maloney Date: Wed, 18 Jun 2014 11:24:55 -0500 Subject: [PATCH 29/32] more minor cleanup cleanup from code review --- .../framework/executable_path_validator.rb | 2 +- lib/metasploit/framework/jtr/cracker.rb | 26 +++++++++---------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/app/validators/metasploit/framework/executable_path_validator.rb b/app/validators/metasploit/framework/executable_path_validator.rb index b2ca74b926..ce5450054d 100644 --- a/app/validators/metasploit/framework/executable_path_validator.rb +++ b/app/validators/metasploit/framework/executable_path_validator.rb @@ -2,7 +2,7 @@ module Metasploit module Framework # This is a ActiveModel custom validator that assumes the attribute # is supposed to be the path to a regular file. It checks whether the - # file exists and whether or not it is a regular file. + # file exists and whether or not it is an executable file. class ExecutablePathValidator < ActiveModel::EachValidator def validate_each(record, attribute, value) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index a480904451..235e09b43a 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb 
@@ -74,7 +74,7 @@ module Metasploit # @return [String] the path to the selected JtR binary def binary_path # Always prefer a manually entered path - if john_path and ::File.file? john_path + if john_path && ::File.file? john_path bin_path = john_path else # Look in the Environment PATH for the john binary @@ -146,6 +146,18 @@ module Metasploit cmd << hash_path end + # This runs the show command in john and yields cracked passwords. + # + # @yield [String] the output lines from the command + # @return [void] + def each_cracked_password + ::IO.popen(show_command, "rb") do |fd| + fd.each_line do |line| + yield line + end + end + end + # This method returns the path to a default john.pot file. # # @return [String] the path to the default john.pot file @@ -178,18 +190,6 @@ module Metasploit cmd << hash_path end - # This runs the show command in john to show cracked passwords. - # - # @yield [String] the output lines from the command - # @return [void] - def show_passwords - ::IO.popen(show_command, "rb") do |fd| - fd.each_line do |line| - yield line - end - end - end - private # This method tries to identify the correct version of the pre-shipped From fd0e24cdb28fda91dfa911b12da1e58aedcc7afb Mon Sep 17 00:00:00 2001 From: David Maloney Date: Wed, 18 Jun 2014 11:38:07 -0500 Subject: [PATCH 30/32] moar docs! --- lib/metasploit/framework/jtr/cracker.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index 235e09b43a..f33c0ce090 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb 
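Review bot: In the `@@ -74,7 +74,7 @@` hunk, `if john_path && ::File.file? john_path` should not parse: a method call with an unparenthesised argument cannot be the right-hand operand of `&&`, whereas the `and` it replaces binds loosely enough to allow it. Write it as `if john_path && ::File.file?(john_path)`. A later patch in this series (32/32) makes exactly that change, but this commit on its own leaves `cracker.rb` unloadable, which matters for bisecting. `binary_path` continues outside the hunk.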
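Review bot: In the `@@ -146,6 +146,18 @@` hunk, `each_cracked_password` calls `yield` unconditionally, so a call without a block only fails with `LocalJumpError` after the john process has been spawned and has produced output; a guard such as `return to_enum(__method__) unless block_given?` as the first line avoids that. The doc tag `# @yield [String] the output lines from the command` gives a type where YARD expects parameter names; `# @yieldparam line [String] a raw output line from the show command` would match the `@yieldparam` style used for `each_cred_word` in `wordlist.rb`. Lines are passed through as read, including the trailing newline, and the exit status of the command is not checked, so the comment should say that callers receive raw output rather than parsed passwords.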
@@ -25,6 +25,10 @@ module Metasploit attr_accessor :incremental # @!attribute john_path + # This attribute allows the user to specify a john binary to use. + # If not supplied, the Cracker will search the PATH for a suitable john binary + # and finally fall back to the pre-compiled versions shipped with Metasploit. + # # @return [String] The file path to an alternative John binary to use attr_accessor :john_path From 641559ec1219980950d7fc1f82e5c72689a95a54 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Wed, 18 Jun 2014 11:47:36 -0500 Subject: [PATCH 31/32] put pry in gemfile include pry in the development group of the framework gemfile --- Gemfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 23ba3d2ef8..0c0db42b21 100755 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source 'https://rubygems.org' # Add default group gems to `metasploit-framework.gemspec`: # spec.add_runtime_dependency '', [] gemspec -gem 'pry' + group :db do # Needed for Msf::DbManager gem 'activerecord', '>= 3.0.0', '< 4.0.0' @@ -19,6 +19,8 @@ group :development do gem 'redcarpet' # generating documentation gem 'yard' + # for development and testing purposes + gem 'pry' end group :development, :test do From 2d9c6f832a0112988e8977967dd04562de771d22 Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 19 Jun 2014 10:07:21 -0500 Subject: [PATCH 32/32] Moar parens!!1!! --- lib/metasploit/framework/jtr/cracker.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb index f33c0ce090..60c3bb11d1 100644 --- a/lib/metasploit/framework/jtr/cracker.rb +++ b/lib/metasploit/framework/jtr/cracker.rb 
@@ -78,7 +78,7 @@ module Metasploit
 # @return [String] the path to the selected JtR binary
 def binary_path
 # Always prefer a manually entered path
- if john_path && ::File.file? john_path
+ if john_path && ::File.file?(john_path)
 bin_path = john_path
 else
 # Look in the Environment PATH for the john binary