7.4 KiB
Vulnerable Application
This module attempts to use john the ripper to decode Linux based password hashes, such as:
DESbased passwordsMD5based passwordsBSDibased passwords- With
cryptset totrue:bf,bcrypt, orblowfishbased passwordsSHA256based passwordsSHA512based passwords
Sources of hashes can be found here: source, source2
The definition of crypt according to JTR and waht algorithms it decodes can be found
here
Verification Steps
- Have at least one user with an
des,md5,bsdi,crypt,blowfish,sha512, orsha256password hash in the database - Start msfconsole
- Do:
use auxiliary/analyze/jtr_linux - Do:
run - You should hopefully crack a password.
Options
CONFIG
The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf
CRYPT
Include blowfish and SHA(256/512) passwords.
CUSTOM_WORDLIST
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
USE items like USE_CREDS, and have MUTATE or KORELOGIC applied to it.
ITERATION_TIMEOUT
The max-run-time for each iteration of cracking
JOHN_PATH
The absolute path to the John the Ripper executable. Default behavior is to search path for
john and john.exe.
KORELOGIC
Apply the KoreLogic rules to Wordlist Mode (slower).
Default is false.
MUTATE
Apply common mutations to the Wordlist (SLOW). Mutations are:
'@' => 'a''0' => 'o''3' => 'e''$' => 's''7' => 't''1' => 'l''5' => 's'
Default is false.
POT
The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which
records cracked password hashes. Kali linux's default location is /root/.john/john.pot.
Default is ~/.msf4/john.pot.
USE_CREDS
Use existing credential data saved in the database. Default is true.
USE_DB_INFO
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is true.
USE_DEFAULT_WORDLIST
Use the default metasploit wordlist in metasploit-framework/data/wordlists/password.lst. Default is
true.
USE_HOSTNAMES
Seed the wordlist with hostnames from the workspace. Default is true.
USE_ROOT_WORDS
Use the Common Root Words Wordlist in metasploit-framework/data/wordlists/common_roots.txt. Default
is true.
Scenarios
Create hashes:
creds add user:des_password hash:rEK1ecacw.7.c jtr:des
creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
Crack them:
msf5 > use auxiliary/analyze/jtr_linux
msf5 auxiliary(analyze/jtr_linux) > set crypt true
crypt => true
msf5 auxiliary(analyze/jtr_linux) > run
[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
[*] Cracking md5crypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] md5_password:password
[*] Cracking descrypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] des_password:password
[*] Cracking bsdicrypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] bsdi_password:password
[*] Cracking crypt hashes in normal wordlist mode...
Warning: hash encoding string length 20, type id #4
appears to be unsupported on this system; will not load such hashes.
Warning: hash encoding string length 60, type id $2
appears to be unsupported on this system; will not load such hashes.
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] des_password:password
[+] md5_password:password
[+] sha256_password:password
[+] sha512_password:password
[*] Cracking bcrypt hashes in normal wordlist mode...
Using default input encoding: UTF-8
[*] Cracked Passwords this run:
[+] blowfish_password:password
[*] Auxiliary module execution completed
msf5 auxiliary(analyze/jtr_linux) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
bsdi_password password Password
des_password password Password
sha256_password $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 Nonreplayable hash sha256,crypt
md5_password password Password
md5_password $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ Nonreplayable hash md5
bsdi_password _J9..K0AyUubDrfOgO4s Nonreplayable hash bsdi
sha512_password password Password
blowfish_password $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe Nonreplayable hash bf
sha512_password $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 Nonreplayable hash sha512,crypt
sha256_password password Password
des_password rEK1ecacw.7.c Nonreplayable hash des
blowfish_password password Password