## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ # ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::JohnTheRipper def initialize super( 'Name' => 'John the Ripper MySQL Password Cracker (Fast Mode)', 'Version' => '$Revision$', 'Description' => %Q{ This module uses John the Ripper to identify weak passwords that have been acquired from the mysql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials }, 'Author' => [ 'TheLightCosine ', 'hdm' ] , 'License' => MSF_LICENSE # JtR itself is GPLv2, but this wrapper is MSF (BSD) ) end def run wordlist = Rex::Quickfile.new("jtrtmp") wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" ) wordlist.close hashlist = Rex::Quickfile.new("jtrtmp") myloots = myworkspace.loots.find(:all, :conditions => ['ltype=?', 'mysql.hashes']) unless myloots.nil? or myloots.empty? myloots.each do |myloot| begin mssql_array = CSV.read(myloot.path).drop(1) rescue Exception => e print_error("Unable to read #{myloot.path} \n #{e}") end mssql_array.each do |row| hashlist.write("#{row[0]}:#{row[1]}:#{myloot.host.address}:#{myloot.service.port}\n") end end hashlist.close print_status("HashList: #{hashlist.path}") print_status("Trying 'mysql-fast' Wordlist: #{wordlist.path}") john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'mysql-fast') print_status("Trying 'mysql-fast' Rule: All4...") john_crack(hashlist.path, :incremental => "All4", :format => 'mysql-fast') print_status("Trying mysql-fast Rule: Digits5...") john_crack(hashlist.path, :incremental => "Digits5", :format => 'mysql-fast') cracked = john_show_passwords(hashlist.path, 'mysql-fast') print_status("#{cracked[:cracked]} hashes were cracked!") #Save cracked creds and add the passwords back to the wordlist for the next round tfd = ::File.open(wordlist.path, "ab") cracked[:users].each_pair do |k,v| print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}") tfd.write( v[0] + "\n" ) report_auth_info( :host => v[1], :port => v[2], :sname => 'mssql', :user => k, :pass => v[0] ) end print_status("Trying 'mysql-sha1' Wordlist: #{wordlist.path}") john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'mysql-sha1') print_status("Trying 'mysql-sha1' Rule: All4...") john_crack(hashlist.path, :incremental => "All4", :format => 'mysql-sha1') print_status("Trying 'mysql-sha1' Rule: Digits5...") john_crack(hashlist.path, :incremental => "Digits5", :format => 'mysql-sha1') cracked = john_show_passwords(hashlist.path, 'mysql-sha1') print_status("#{cracked[:cracked]} hashes were cracked!") cracked[:users].each_pair do |k,v| print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}") report_auth_info( :host => v[1], :port => v[2], :sname => 'mssql', :user => k, :pass => v[0] ) end end end def build_seed seed = [] #Seed the wordlist with Database , Table, and Instance Names schemas = myworkspace.notes.find(:all, :conditions => ['ntype like ?', '%.schema%']) unless schemas.nil? or schemas.empty? schemas.each do |anote| anote.data.each do |key,value| seed << key value.each{|a| seed << a} end end end instances = myworkspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename']) unless instances.nil? or instances.empty? instances.each do |anote| seed << anote.data['InstanceName'] end end # Seed the wordlist with usernames, passwords, and hostnames myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name } myworkspace.creds.each do |o| seed << john_expand_word( o.user ) if o.user seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/) end # Grab any known passwords out of the john.pot file john_cracked_passwords.values {|v| seed << v } #Grab the default John Wordlist john = File.open(john_wordlist_path, "r") john.each_line{|line| seed << line.chomp} return seed end # huh? def crack(format) end end