From dcc1a21251e06ccbfa842be9fef7d0e024b8b571 Mon Sep 17 00:00:00 2001
From: h00die
Date: Sun, 14 Apr 2019 10:12:26 -0400
Subject: [PATCH] add osx to hash identify
---
 lib/metasploit/framework/hashes/identify.rb | 7 ++++++-
 .../metasploit/framework/hashes/identify_spec.rb | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/lib/metasploit/framework/hashes/identify.rb b/lib/metasploit/framework/hashes/identify.rb
index 18cb81bd10..a6f69390eb 100644
--- a/lib/metasploit/framework/hashes/identify.rb
+++ b/lib/metasploit/framework/hashes/identify.rb
@@ -42,8 +42,13 @@ def identify_hash(hash)
 # windows
 when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ && hash.split(':').first.upcase == 'AAD3B435B51404EEAAD3B435B51404EE'
 return 'nt'
- when hash.length == 65 && hash =~ /^[0-9a-fA-F]{32}:[0-9a-fA-F]{32}$/
+ when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/
 return 'lm'
+ # OSX
+ when hash.start_with?('$ml$') && hash.split('$').last.length == 256
+ return 'pbkdf2-hmac-sha512,osx' # 10.8+
+ when hash =~ /^[\da-fA-F]{48}$/ # hash.length == 48
+ return 'xsha,osx' # 10.4-10.6
 # databases
 when hash.start_with?('0x0100') && hash.length == 54
 return 'mssql05'
diff --git a/spec/lib/metasploit/framework/hashes/identify_spec.rb b/spec/lib/metasploit/framework/hashes/identify_spec.rb
index 45fffcaeb5..b4f698b53d 100644
--- a/spec/lib/metasploit/framework/hashes/identify_spec.rb
+++ b/spec/lib/metasploit/framework/hashes/identify_spec.rb
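Review bot: The new `xsha,osx` branch anchors with `^`/`$`, which in Ruby match at line boundaries, and unlike the `nt`/`lm` branches above it has no `hash.length` guard (the check survives only as the trailing comment), so a multi-line string containing one line of 48 hex digits would be identified as xsha. Anchoring the whole string closes that: `when hash =~ /\A[\da-fA-F]{48}\z/`. The `$ml$` branch checks only the length of the last `$`-separated field, not that it is hex or how many fields precede it; if the layout is always iterations, salt, digest as in the spec sample, a single `\A...\z` pattern over all three fields would be stricter. `identify_hash` begins and ends outside this hunk, so how the bare 48-hex rule interacts with later branches could not be checked from here.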
@@ -119,6 +119,20 @@ RSpec.describe 'hashes/identify' do
 end
 end
 
+ describe 'identify_pbkdf2_osx' do
+ it 'returns pbkdf2-hmac-sha512,osx' do
+ hash = identify_hash('$ml$49504$0dba6246bd38266b2e827ff7e7271380757c71d653893aa361d5902398302369$c5f198639915a101c99af326dffe13e8f14456be8fd2312a39a777b92178804e204ca4fee12a8667871440eff4288e811d86d746c6d96a60c919c3418dfebba42f329f5d73c0372d636d61d5dfda1add61af36c70e4acd771276107209e643ae92a0f43e95a452744e50fb4540d9bdf4e0b701725d7db488fbe18c1ab7737c6b')
+ expect(hash).to match ('pbkdf2-hmac-sha512,osx')
+ end
+ end
+
+ describe 'identify_sha_osx' do
+ it 'returns xsha,osx' do
+ hash = identify_hash('1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683')
+ expect(hash).to match ('xsha,osx')
+ end
+ end
+
 describe 'identify_mssql05' do
 it 'returns mssql05' do
 hash = identify_hash('0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908')
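Review bot: Both new examples assert with `match ('...')`, which treats the string as a pattern and passes on any return value that merely contains it; `expect(hash).to eq('xsha,osx')` (and likewise for `'pbkdf2-hmac-sha512,osx'`) pins the exact identifier and drops the stray space before the parenthesis. The specs exercise only the positive case, so a near-miss input such as 47 or 49 hex digits, or a `$ml$` string with a short final field, would help confirm the new branches do not over-match. The trailing `identify_mssql05` example continues past the end of this hunk.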