Top Level Namespace

Includes:
ERB::Util, Rex::Arch, WindowsError::Win32

Defined Under Namespace

Modules: ApiDocsServlet, AuthServlet, Authentication, CredentialDataProxy, CredentialDataService, CredentialServlet, DataProxyAutoLoader, DataServiceAutoLoader, DbExportDataProxy, DbExportDataService, DbExportServlet, DbImportDataProxy, DbImportDataService, DbImportServlet, EventDataProxy, EventDataService, EventServlet, ExploitDataProxy, ExploitDataService, ExploitServlet, HostDataProxy, HostDataService, HostServlet, HrrRbSsh, IPSFilter, LoginDataProxy, LoginDataService, LoginServlet, LootDataProxy, LootDataService, LootServlet, Metasploit, ModuleDataService, ModuleSearchServlet, Msf, MsfDataProxy, MsfDataService, MsfServlet, Nexpose, NmapDataProxy, NmapServlet, NoteDataProxy, NoteDataService, NoteServlet, PayloadDataProxy, PayloadDataService, PayloadServlet, QueryService, Redcarpet, RemoteCredentialDataService, RemoteDbExportDataService, RemoteDbImportDataService, RemoteEventDataService, RemoteExploitDataService, RemoteHostDataService, RemoteLoginDataService, RemoteLootDataService, RemoteMsfDataService, RemoteNmapDataService, RemoteNoteDataService, RemotePayloadDataService, RemoteServiceDataService, RemoteSessionDataService, RemoteSessionEventDataService, RemoteVulnAttemptDataService, RemoteVulnDataService, RemoteWebDataService, RemoteWorkspaceDataService, ResponseDataHelper, Rex, ServiceDataProxy, ServiceDataService, ServiceServlet, ServletHelper, SessionDataProxy, SessionDataService, SessionEventDataProxy, SessionEventDataService, SessionEventServlet, SessionServlet, SocketLogger, UserServlet, VulnAttemptDataProxy, VulnAttemptServlet, VulnDataProxy, VulnDataService, VulnServlet, WebDataProxy, WebDataService, WebServlet, WorkspaceDataProxy, WorkspaceDataService, WorkspaceServlet

Classes: DBManagerProxy, HttpDBManagerService, JobProcessor, MetasploitApiApp, OpenPipeSock, QueryMeta, RouteArray, Search, SimpleClientPipe, TDSSSLProxy

Constant Summary

Licenses

MSF_LICENSE = "Metasploit Framework License (BSD)"
GPL_LICENSE = "GNU Public License v2.0"
BSD_LICENSE = "BSD License"
CORE_LICENSE = "CORE Security License (Apache 1.1)"
ARTISTIC_LICENSE = "Perl Artistic License"
UNKNOWN_LICENSE = "Unknown License"
LICENSES = [
  MSF_LICENSE,
  GPL_LICENSE,
  BSD_LICENSE,
  CORE_LICENSE,
  ARTISTIC_LICENSE,
  UNKNOWN_LICENSE
]

Log severities

LOG_ERROR = :error
LOG_DEBUG = :debug
LOG_INFO = :info
LOG_WARN = :warn
LOG_RAW = :raw

LEV_0 = 0

LEV_0 - Default. This log level is the default log level if none is specified. It should be used when a log message should always be displayed when logging is enabled. Very few log messages should occur at this level aside from necessary information logging and error/warning logging. Debug logging at level zero is not advised.

LEV_1 = 1

LEV_1 - Extra. This log level should be used when extra information may be needed to understand the cause of an error or warning message or to get debugging information that might give clues as to why something is happening. This log level should be used only when information may be useful to understanding the behavior of something at a basic level. This log level should not be used in an exhaustively verbose fashion.

LEV_2 = 2

LEV_2 - Verbose. This log level should be used when verbose information may be needed to analyze the behavior of the framework. This should be the default log level for all detailed information not falling into LEV_0 or LEV_1. It is recommended that this log level be used by default if you are unsure.

LEV_3 = 3

LEV_3 - Insanity. This log level should contain very verbose information about the behavior of the framework, such as detailed information about variable states at certain phases including, but not limited to, loop iterations, function calls, and so on. This log level will rarely be displayed, but when it is the information provided should make it easy to analyze any problem.
Generic page protection flags

PROT_NONE = 0
PROT_READ = (1 <<  0)
PROT_WRITE = (1 <<  1)
PROT_EXEC = (1 <<  2)
PROT_COW = (1 << 20)

Generic permissions

GEN_NONE = 0
GEN_READ = (1 <<  0)
GEN_WRITE = (1 <<  1)
GEN_EXEC = (1 <<  2)

Generic process open permissions

PROCESS_READ = (1 <<  0)
PROCESS_WRITE = (1 <<  1)
PROCESS_EXECUTE = (1 <<  2)
PROCESS_ALL = 0xffffffff

Generic thread open permissions

THREAD_READ = (1 <<  0)
THREAD_WRITE = (1 <<  1)
THREAD_EXECUTE = (1 <<  2)
THREAD_ALL = 0xffffffff

An instance of the log dispatcher exists in the global namespace, along with stubs for many of the common logging methods. Various sources can register themselves as a log sink such that logs can be directed at various targets depending on where they're sourced from. By doing it this way, things like sessions can use the global logging stubs and still be directed at the correct log file.

ExceptionCallStack = "__EXCEPTCALLSTACK__"
BACKTRACE_LOG_LEVEL = 3 (equal to LEV_3)
DEFAULT_LOG_LEVEL = 0 (equal to LEV_0)
Net

AF_INET = 2
AF_INET6 = 23

Permissions

DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
SYNCHRONIZE = 0x00100000
STANDARD_RIGHTS_REQUIRED = 0x000f0000
STANDARD_RIGHTS_READ = READ_CONTROL
STANDARD_RIGHTS_WRITE = READ_CONTROL
STANDARD_RIGHTS_EXECUTE = READ_CONTROL
STANDARD_RIGHTS_ALL = 0x001f0000
SPECIFIC_RIGHTS_ALL = 0x0000ffff
MAXIMUM_ALLOWED = 0x02000000
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000

Page Protections

PAGE_NOACCESS = 0x00000001
PAGE_READONLY = 0x00000002
PAGE_READWRITE = 0x00000004
PAGE_WRITECOPY = 0x00000008
PAGE_EXECUTE = 0x00000010
PAGE_EXECUTE_READ = 0x00000020
PAGE_EXECUTE_READWRITE = 0x00000040
PAGE_EXECUTE_WRITECOPY = 0x00000080
PAGE_GUARD = 0x00000100
PAGE_NOCACHE = 0x00000200
PAGE_WRITECOMBINE = 0x00000400
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
MEM_DECOMMIT = 0x00004000
MEM_RELEASE = 0x00008000
MEM_FREE = 0x00010000
MEM_PRIVATE = 0x00020000
MEM_MAPPED = 0x00040000
MEM_RESET = 0x00080000
MEM_TOP_DOWN = 0x00100000
MEM_WRITE_WATCH = 0x00200000
MEM_PHYSICAL = 0x00400000
MEM_LARGE_PAGES = 0x20000000
MEM_4MB_PAGES = 0x80000000
SEC_FILE = 0x00800000
SEC_IMAGE = 0x01000000
SEC_RESERVE = 0x04000000
SEC_COMMIT = 0x08000000
SEC_NOCACHE = 0x10000000
MEM_IMAGE = SEC_IMAGE

Registry Permissions

KEY_QUERY_VALUE = 0x00000001
KEY_SET_VALUE = 0x00000002
KEY_CREATE_SUB_KEY = 0x00000004
KEY_ENUMERATE_SUB_KEYS = 0x00000008
KEY_NOTIFY = 0x00000010
KEY_CREATE_LINK = 0x00000020
KEY_WOW64_64KEY = 0x00000100
KEY_WOW64_32KEY = 0x00000200
KEY_READ = (STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE
KEY_WRITE = (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE
KEY_EXECUTE = KEY_READ
KEY_ALL_ACCESS = (STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK) & ~SYNCHRONIZE

Registry

HKEY_CLASSES_ROOT = 0x80000000
HKEY_CURRENT_USER = 0x80000001
HKEY_LOCAL_MACHINE = 0x80000002
HKEY_USERS = 0x80000003
HKEY_PERFORMANCE_DATA = 0x80000004
HKEY_CURRENT_CONFIG = 0x80000005
HKEY_DYN_DATA = 0x80000006
REG_NONE = 0
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4
REG_DWORD_LITTLE_ENDIAN = 4
REG_DWORD_BIG_ENDIAN = 5
REG_LINK = 6
REG_MULTI_SZ = 7

Process Permissions

PROCESS_TERMINATE = 0x00000001
PROCESS_CREATE_THREAD = 0x00000002
PROCESS_SET_SESSIONID = 0x00000004
PROCESS_VM_OPERATION = 0x00000008
PROCESS_VM_READ = 0x00000010
PROCESS_VM_WRITE = 0x00000020
PROCESS_DUP_HANDLE = 0x00000040
PROCESS_CREATE_PROCESS = 0x00000080
PROCESS_SET_QUOTA = 0x00000100
PROCESS_SET_INFORMATION = 0x00000200
PROCESS_QUERY_INFORMATION = 0x00000400
PROCESS_SUSPEND_RESUME = 0x00000800
PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF

Thread Permissions

THREAD_TERMINATE = 0x00000001
THREAD_SUSPEND_RESUME = 0x00000002
THREAD_GET_CONTEXT = 0x00000008
THREAD_SET_CONTEXT = 0x00000010
THREAD_SET_INFORMATION = 0x00000020
THREAD_QUERY_INFORMATION = 0x00000040
THREAD_SET_THREAD_TOKEN = 0x00000080
THREAD_IMPERSONATE = 0x00000100
THREAD_DIRECT_IMPERSONATION = 0x00000200
THREAD_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF

Creation flags

CREATE_SUSPENDED = 0x00000004

Event Log

EVENTLOG_SEQUENTIAL_READ = 0x00000001
EVENTLOG_SEEK_READ = 0x00000002
EVENTLOG_FORWARDS_READ = 0x00000004
EVENTLOG_BACKWARDS_READ = 0x00000008

Event Log

EWX_LOGOFF = 0
EWX_SHUTDOWN = 0x00000001
EWX_REBOOT = 0x00000002
EWX_FORCE = 0x00000004
EWX_POWEROFF = 0x00000008
EWX_FORCEIFHUNG = 0x00000010

Shutdown Reason Codes

SHTDN_REASON_MINOR_DC_PROMOTION = 0x00000021
SHTDN_REASON_MAJOR_APPLICATION = 0x00040000
SHTDN_REASON_MAJOR_HARDWARE = 0x00010000
SHTDN_REASON_FLAG_COMMENT_REQUIRED = 0x01000000
SHTDN_REASON_FLAG_DIRTY_UI = 0x08000000
SHTDN_REASON_MINOR_UNSTABLE = 0x00000006
SHTDN_REASON_MINOR_SECURITYFIX_UNINSTALL = 0x00000018
SHTDN_REASON_MINOR_ENVIRONMENT = 0x00000000
SHTDN_REASON_MAJOR_LEGACY_API = 0x00070000
SHTDN_REASON_MINOR_DC_DEMOTION = 0x00000022
SHTDN_REASON_MINOR_SECURITYFIX = 0x00000012
SHTDN_REASON_FLAG_CLEAN_UI = 0x04000000
SHTDN_REASON_MINOR_HOTFIX = 0x00000011
SHTDN_REASON_MINOR_CORDUNPLUGGED = 0x00000000
SHTDN_REASON_MINOR_HOTFIX_UNINSTALL = 0x00000017
SHTDN_REASON_FLAG_USER_DEFINED = 0x40000000
SHTDN_REASON_MINOR_SYSTEMRESTORE = 0x00000001
SHTDN_REASON_MINOR_OTHERDRIVER = 0x00000000
SHTDN_REASON_MINOR_WMI = 0x00000015
SHTDN_REASON_MINOR_INSTALLATION = 0x00000002
SHTDN_REASON_MINOR_BLUESCREEN = 0x0000000F
SHTDN_REASON_MAJOR_SOFTWARE = 0x00030000
SHTDN_REASON_MINOR_NETWORKCARD = 0x00000009
SHTDN_REASON_MINOR_SERVICEPACK_UNINSTALL = 0x00000016
SHTDN_REASON_MINOR_SERVICEPACK = 0x00000010
SHTDN_REASON_MINOR_UPGRADE = 0x00000003
SHTDN_REASON_FLAG_PLANNED = 0x80000000
SHTDN_REASON_MINOR_MMC = 0x00000019
SHTDN_REASON_MINOR_POWER_SUPPLY = 0x00000000
SHTDN_REASON_MINOR_MAINTENANCE = 0x00000001
SHTDN_REASON_VALID_BIT_MASK = 0x00000000
SHTDN_REASON_MAJOR_NONE = 0x00000000
SHTDN_REASON_MAJOR_POWER = 0x00060000
SHTDN_REASON_FLAG_DIRTY_PROBLEM_ID_REQUIRED = 0x02000000
SHTDN_REASON_MINOR_OTHER = 0x00000000
SHTDN_REASON_MINOR_PROCESSOR = 0x00000008
SHTDN_REASON_MAJOR_OTHER = 0x00000000
SHTDN_REASON_MINOR_DISK = 0x00000007
SHTDN_REASON_MINOR_NETWORK_CONNECTIVITY = 0x00000014
SHTDN_REASON_MAJOR_OPERATINGSYSTEM = 0x00020000
SHTDN_REASON_MINOR_HUNG = 0x00000005
SHTDN_REASON_MINOR_TERMSRV = 0x00000020
SHTDN_REASON_MINOR_NONE = 0x00000000
SHTDN_REASON_MINOR_RECONFIG = 0x00000004
SHTDN_REASON_MAJOR_SYSTEM = 0x00050000
SHTDN_REASON_MINOR_HARDWARE_DRIVER = 0x00000000
SHTDN_REASON_MINOR_SECURITY = 0x00000013
SHTDN_REASON_DEFAULT = SHTDN_REASON_MAJOR_OTHER | SHTDN_REASON_MINOR_OTHER
Keyboard Mappings

VirtualKeyCodes = {
  1 => %W{ LClick },
  2 => %W{ RClick },
  3 => %W{ Cancel },
  4 => %W{ MClick },
  8 => %W{ Back  },
  9 => %W{ Tab  },
  10 => %W{ Newline },
  12 => %W{ Clear },
  13 => %W{ Return },

  16 => %W{ Shift },
  17 => %W{ Ctrl },
  18 => %W{ Alt },
  19 => %W{ Pause },
  20 => %W{ CapsLock },

  27 => %W{ Esc },

  32 => %W{ Space },
  33 => %W{ Prior },
  34 => %W{ Next },
  35 => %W{ End },
  36 => %W{ Home },
  37 => %W{ Left },
  38 => %W{ Up },
  39 => %W{ Right },
  40 => %W{ Down  },
  41 => %W{ Select },
  42 => %W{ Print },
  43 => %W{ Execute },
  44 => %W{ Snapshot },
  45 => %W{ Insert },
  46 => %W{ Delete },
  47 => %W{ Help },
  48 => %W{ 0  )},
  49 => %W{ 1  !},
  50 => %W{ 2  @},
  51 => %W{ 3  #},
  52 => %W{ 4  $},
  53 => %W{ 5  %},
  54 => %W{ 6  ^},
  55 => %W{ 7  &},
  56 => %W{ 8  *},
  57 => %W{ 9  (},
  65 => %W{ a  A},
  66 => %W{ b  B},
  67 => %W{ c  C},
  68 => %W{ d  D},
  69 => %W{ e  E},
  70 => %W{ f  F},
  71 => %W{ g  G},
  72 => %W{ h  H},
  73 => %W{ i  I},
  74 => %W{ j  J},
  75 => %W{ k  K},
  76 => %W{ l  L},
  77 => %W{ m  M},
  78 => %W{ n  N},
  79 => %W{ o  O},
  80 => %W{ p  P},
  81 => %W{ q  Q},
  82 => %W{ r  R},
  83 => %W{ s  S},
  84 => %W{ t  T},
  85 => %W{ u  U},
  86 => %W{ v  V},
  87 => %W{ w  W},
  88 => %W{ x  X},
  89 => %W{ y  Y},
  90 => %W{ z  Z},
  91 => %W{ LWin },
  92 => %W{ RWin },
  93 => %W{ Apps },

  95 => %W{ Sleep },
  96 => %W{ N0 },
  97 => %W{ N1 },
  98 => %W{ N2 },
  99 => %W{ N3 },
  100 => %W{ N4 },
  101 => %W{ N5 },
  102 => %W{ N6 },
  103 => %W{ N7 },
  104 => %W{ N8 },
  105 => %W{ N9 },
  106 => %W{ Multiply },
  107 => %W{ Add },
  108 => %W{ Separator },
  109 => %W{ Subtract },
  110 => %W{ Decimal },
  111 => %W{ Divide },
  112 => %W{ F1 },
  113 => %W{ F2 },
  114 => %W{ F3 },
  115 => %W{ F4 },
  116 => %W{ F5 },
  117 => %W{ F6 },
  118 => %W{ F7 },
  119 => %W{ F8 },
  120 => %W{ F9 },
  121 => %W{ F10 },
  122 => %W{ F11 },
  123 => %W{ F12 },
  124 => %W{ F13 },
  125 => %W{ F14 },
  126 => %W{ F15 },
  127 => %W{ F16 },
  128 => %W{ F17 },
  129 => %W{ F18 },
  130 => %W{ F19 },
  131 => %W{ F20 },
  132 => %W{ F21 },
  133 => %W{ F22 },
  134 => %W{ F23 },
  135 => %W{ F24 },
  144 => %W{ NumLock },
  145 => %W{ Scroll },
  160 => %W{ LShift },
  161 => %W{ RShift },
  162 => %W{ LCtrl },
  163 => %W{ RCtrl },
  164 => %W{ LMenu },
  165 => %W{ RMenu },
  166 => %W{ Back },
  167 => %W{ Forward },
  168 => %W{ Refresh },
  169 => %W{ Stop },
  170 => %W{ Search },
  171 => %W{ Favorites },
  172 => %W{ Home },
  176 => %W{ Forward },
  177 => %W{ Reverse },
  178 => %W{ Stop },
  179 => %W{ Play },
  186 => %W{ ;  :},
  187 => %W{ =  +},
  188 => %W{ ,  <},
  189 => %W{ -  _},
  190 => %W{ .  >},
  191 => %W{ /  ?},
  192 => %W{ '  ~},
  219 => %W| [  {|,
  220 => %W{ \\  |},
  221 => %W| ]  }|,
  222 => %W{ '  Quotes},
}

Instance Method Details

#deregister_log_source(src) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 204

def deregister_log_source(src)
  $dispatcher.delete(src)
end

#dlog(msg, src = 'core', level = 0) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 134

def dlog(msg, src = 'core', level = 0)
  $dispatcher.log(LOG_DEBUG, src, level, msg)
end

#elog(msg, src = 'core', log_level = 0, error: nil) ⇒ NilClass

Logs errors in a standard format for each Log Level.

Parameters:

  • msg (String)

    Contains the message from the developer explaining why an error was encountered. Can also be an Exception, in which case a log is built from the Exception with no accompanying message.

  • src (String) (defaults to: 'core')

    Used to indicate where the error is originating from. Most commonly set to 'core'.

  • log_level (Integer) (defaults to: 0)

    Indicates the level of logging the message should be recorded at (higher levels carry more detail, e.g. loop iterations, variables, function calls). If log_level is greater than the global log level set for src, then the log is not recorded.

  • error (Exception) (defaults to: nil)

    Exception of an error that needs to be logged. For all log messages, the class and message of an exception are added to the log message. If the global log level set for src is at or above BACKTRACE_LOG_LEVEL, then the stack trace for the error is also added to the log message.

Returns:

  • (NilClass)

# File 'lib/rex/logging/log_dispatcher.rb', line 155

def elog(msg, src = 'core', log_level = 0, error: nil)
  error = msg.is_a?(Exception) ? msg : error

  if error.nil? || !error.is_a?(Exception)
    $dispatcher.log(LOG_ERROR, src, log_level, msg)
  else
    error_details = "#{error.class} #{error.message}"
    if get_log_level(src) >= BACKTRACE_LOG_LEVEL
      if error.backtrace
        error_details << "\nCall stack:\n#{error.backtrace.join("\n")}"
      else
        error_details << "\nCall stack:\nNone"
      end
    end

    if msg.is_a?(Exception)
      $dispatcher.log(LOG_ERROR, src, log_level,"#{error_details}")
    else
      $dispatcher.log(LOG_ERROR, src, log_level,"#{msg} - #{error_details}")
    end
  end
end

#get_log_level(src) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 212

def get_log_level(src)
  $dispatcher.get_level(src)
end

#handle_credential_login(data, mod) ⇒ Object

Handles a login report that does not necessarily include a password.

# File 'lib/msf/core/module/external.rb', line 134

def handle_credential_login(data, mod)
  # Required
  service_data = {
      address: data['address'],
      port: data['port'],
      protocol: data['protocol'],
      service_name: data['service_name'],
      module_fullname: self.fullname,
      workspace_id: myworkspace_id
  }

  # Optional
  credential_data = {
      origin_type: :service,
      username: data['username']
  }.merge(service_data)

  # data is keyed by string everywhere else in this method, so the key
  # check uses the string form too; a symbol check would never match.
  if data.has_key?('password')
    credential_data[:private_data] = data['password']
    credential_data[:private_type] = :password
  end

  login_data = {
      core: create_credential(credential_data),
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
  }.merge(service_data)
  create_credential_login(login_data)
end

#hash_to_hashcat(cred) ⇒ String

This method takes a framework.db.cred and normalizes it to the string format hashcat is expecting (see hashcat.net/wiki/doku.php?id=example_hashes).

Parameters:

  • cred (credClass)

    a credential from framework.db

Returns:

  • (String)

    the hash in hashcat format, or nil on no match

# File 'lib/metasploit/framework/password_crackers/hashcat/formatter.rb', line 7

def hash_to_hashcat(cred)
  case cred.private.type
  when 'Metasploit::Credential::NTLMHash'
    both = cred.private.data.split(":")
    if both[0].upcase == 'AAD3B435B51404EEAAD3B435B51404EE' #lanman empty, return ntlm
      return both[1] # ntlm hash-mode: 1000
    end
    return both[0] #give lanman, hash-mode: 3000
  when 'Metasploit::Credential::PostgresMD5' #hash-mode: 12
    if cred.private.jtr_format =~ /postgres|raw-md5/
      hash_string = cred.private.data
      hash_string.gsub!(/^md5/, '')
      return "#{hash_string}:#{cred.public.username}"
    end
  when 'Metasploit::Credential::NonreplayableHash'
    case cred.private.jtr_format
      # oracle 11+ password hash descriptions:
      # this password is stored as a long ascii string with several sections
      # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
      # example:
      # hash = []
      # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
      # hash << "H:DC9894A01797D91D92ECA1DA66242209;"
      # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
      # puts hash.join('')
      # S: = 60 characters -> sha1(password + salt (10 bytes))
      #         40 char sha1, 20 char salt
      #         hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C
      #         salt is 6271691FC55C1F56554A
      # H: = 32 characters
      #         legacy MD5
      # T: = 160 characters
      #         PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+)
    when /hmac-md5/
      data = cred.private.data.split('#')
      password = Rex::Text.encode_base64("#{cred.public.username} #{data[1]}")
      return "$cram_md5$#{Rex::Text.encode_base64(data[0])}$#{password}"
    when /raw-sha1|oracle11/ # oracle 11, hash-mode: 112
      if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11
        # hashcat wants a 40 character string, : 20 character string
        return $1.scan(/.{1,40}/m).join(':').downcase
      end
    when /oracle12c/
      if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c, hash-mode: 12300
        return $1.upcase
      end
    when /dynamic_1506|postgres/
      #this may not be correct
      if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11, hash-mode: 3100
        return "#{$1}:#{cred.public.username}"
      end
    when /oracle/ # oracle
      if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c, hash-mode: 3100
        return "#{cred.private.data}"
      end
    when /dynamic_82/
      return cred.private.data.sub('$HEX$', ':').sub('$dynamic_82$','')
    when /mysql-sha1/
      # lowercase, and remove the first character if its a *
      return cred.private.data.downcase.sub('*','')
    when /md5|des|bsdi|crypt|bf/, /mssql|mssql05|mssql12|mysql/, /sha256|sha-256/,
         /sha512|sha-512/, /xsha|xsha512|PBKDF2-HMAC-SHA512/,
         /mediawiki|phpass|PBKDF2-HMAC-SHA1/,
         /android-sha1/, /android-samsung-sha1/, /android-md5/
      #            md5(crypt), des(crypt), b(crypt), sha256, sha512, xsha, xsha512, PBKDF2-HMAC-SHA512
      # hash-mode: 500          1500        3200      7400    1800   122   1722       7100
      #            mssql, mssql05, mssql12, mysql, mysql-sha1
      # hash-mode: 131,    132,     1731    200        300
      #            mediawiki, phpass, PBKDF2-HMAC-SHA1
      # hash-mode: 3711,      400,    12001
      #            android-sha1
      # hash-mode: 5800
      return cred.private.data
    end
  end
  nil
end

#hash_to_jtr(cred) ⇒ String

This method takes a framework.db.cred and normalizes it to the string format JTR is expecting.

Parameters:

  • cred (credClass)

    a credential from framework.db

Returns:

  • (String)

    the hash in jtr format, or nil on no match

# File 'lib/metasploit/framework/password_crackers/jtr/formatter.rb', line 6

def hash_to_jtr(cred)
  case cred.private.type
  when 'Metasploit::Credential::NTLMHash'
    return "#{cred.public.username}:#{cred.id}:#{cred.private.data}:::#{cred.id}"
  when 'Metasploit::Credential::PostgresMD5'
    if cred.private.jtr_format =~ /postgres|raw-md5/
      # john --list=subformats | grep 'PostgreSQL MD5'
      #UserFormat = dynamic_1034  type = dynamic_1034: md5($p.$u) (PostgreSQL MD5)
      hash_string = cred.private.data
      hash_string.gsub!(/^md5/, '')
      return "#{cred.public.username}:$dynamic_1034$#{hash_string}"
    end
  when 'Metasploit::Credential::NonreplayableHash'
    case cred.private.jtr_format
      # oracle 11+ password hash descriptions:
      # this password is stored as a long ascii string with several sections
      # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
      # example:
      # hash = []
      # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
      # hash << "H:DC9894A01797D91D92ECA1DA66242209;"
      # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
      # puts hash.join('')
      # S: = 60 characters -> sha1(password + salt (10 bytes))
      #         40 char sha1, 20 char salt
      #         hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C
      #         salt is 6271691FC55C1F56554A
      # H: = 32 characters
      #         legacy MD5
      # T: = 160 characters
      #         PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+)
    when /raw-sha1|oracle11/ # oracle 11
      if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11
        return "#{cred.public.username}:#{$1}:#{cred.id}:"
      end
    when /oracle12c/
      if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c
        return "#{cred.public.username}:$oracle12c$#{$1.downcase}:#{cred.id}:"
      end
    when /dynamic_1506/
      if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11
        return "#{cred.public.username.upcase}:$dynamic_1506$#{$1}:#{cred.id}:"
      end
    when /oracle/ # oracle
      if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c
        return "#{cred.public.username}:O$#{cred.public.username}##{cred.private.data}:#{cred.id}:"
      end
    when /md5|des|bsdi|crypt|bf|sha256|sha512|xsha512/
      # md5(crypt), des(crypt), b(crypt), sha256(crypt), sha512(crypt), xsha512
      return "#{cred.public.username}:#{cred.private.data}:::::#{cred.id}:"
    when /qnx/
      # https://moar.so/blog/qnx-password-hash-formats.html
      hash = cred.private.data.end_with?(':0:0') ? cred.private.data : "#{cred.private.data}:0:0"
      return "#{cred.public.username}:#{hash}"
    else
      # /mysql|mysql-sha1/
      # /mssql|mssql05|mssql12/
      # /des(crypt)/
      # /mediawiki|phpass|atlassian/
      # /dynamic_82/
      return "#{cred.public.username}:#{cred.private.data}:#{cred.id}:"
    end
  end
  nil
end

#identify_hash(hash) ⇒ Object

Guesses the JTR format name for a raw hash string from its prefix, length and character set, and returns '' when no known format matches.

Resource list:

https://code.google.com/archive/p/hash-identifier/
https://github.com/psypanda/hashID
https://hashcat.net/wiki/doku.php?id=example_hashes
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
https://openwall.info/wiki/john/sample-hashes
QNX formats -> https://moar.so/blog/qnx-password-hash-formats.html

# File 'lib/metasploit/framework/hashes/identify.rb', line 15

def identify_hash(hash)
  hash = hash.to_s.strip
  case
    # operating systems
    when hash.start_with?('$1$') && hash.length == 34
      return 'md5'
    when hash.start_with?('$2$') && hash.length == 59,
         hash.start_with?('$2a$') && hash.length == 60,
         hash.start_with?('$2b$') && hash.length == 60,
         hash.start_with?('$2x$') && hash.length == 60,
         hash.start_with?('$2y$') && hash.length == 60
      return 'bf' #bcrypt
    when hash.start_with?('$5$') && hash.split('$').last.length == 43
      # we dont check full length since it may have 'rounds=' in the [1] area or not with an arbitrary length number
      return 'sha256,crypt'
    when hash.start_with?('$6$') && hash.split('$').last.length == 86
      # we dont check full length since it may have 'rounds=' in the [1] area or not with an arbitrary length number
      return 'sha512,crypt'
    when hash.start_with?('@S@') && hash.length == 148
      return 'qnx,sha512'
    when hash.start_with?('@s@') && hash.length == 84
      return 'qnx,sha256'
    when hash.start_with?('@m@') && hash.length == 52
      return 'qnx,md5'
    when hash.start_with?('_') && hash.length == 20
      return 'des,bsdi,crypt'
    when hash =~ /^[\.\/\dA-Za-z]{13}$/ # hash.length == 13
      return 'des,crypt'
    when hash =~ /^\$dynamic_82\$[\da-f]{128}\$HEX\$[\da-f]{32}$/ # jtr vmware ldap https://github.com/rapid7/metasploit-framework/pull/13865#issuecomment-660718108
      return 'dynamic_82'
    # windows
    when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ && hash.split(':').first.upcase == 'AAD3B435B51404EEAAD3B435B51404EE'
      return 'nt'
    when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/
      return 'lm'
    # OSX
    when hash.start_with?('$ml$') && hash.split('$').last.length == 256
      return 'pbkdf2-hmac-sha512,osx' # 10.8+
    when hash =~ /^[\da-fA-F]{48}$/ # hash.length == 48
      return 'xsha,osx' # 10.4-10.6
    # databases
    when hash.start_with?('0x0100') && hash.length == 54
      return 'mssql05'
    when hash.start_with?('0x0100') && hash.length == 94
      return 'mssql'
    when hash.start_with?('0x0200') && hash.length == 142
      return 'mssql12'
    when hash =~ /^[\da-f]{16}$/ # hash.length == 16
      return 'mysql' # mysql323 (pre 4.1)
    when hash.start_with?('*') && hash.length == 41
      return 'mysql-sha1' # mysql 4.1+
    when hash.start_with?('md5') && hash.length == 35
      return 'postgres'
    when hash =~ /^[\da-fA-F]{16}$/
      return 'des,oracle' # pre 11g
    when hash =~ /^S:[\dA-F]{60}$/
      return 'raw-sha1,oracle11'
    when hash =~ /^S:[\dA-F]{60};H:[\dA-F]{32};T:[\dA-F]{160}$/
      return 'raw-sha1,oracle'
    when hash =~ /^H:[\dA-F]{32};T:[\dA-F]{160}$/
      return 'pbkdf2,oracle12c'
    # webapps
    when hash.start_with?('$P$') && hash.length == 34,
         hash.start_with?('$H$') && hash.length == 34
      return 'phpass' # wordpress, drupal, phpbb3 (H not P)
    when hash.start_with?('$ml$') && hash.length == 203
      return 'PBKDF2-HMAC-SHA512'
    when hash.start_with?('{PKCS5S2}') && hash.length == 73
      return 'PBKDF2-HMAC-SHA1'
    when hash.start_with?('$B$') && hash.split('$').last.length == 32
      return 'mediawiki'
    # mobile
    when hash =~ /^[A-F0-9]{40}:[a-f0-9]{16}$/
      return 'android-sha1'
    when hash =~ /^[A-F0-9]{32}:[a-f0-9]{16}$/
      return 'android-md5'
    # other
    when hash =~ /^<\d+@.+?>#[\w]{32}$/
      return 'hmac-md5'
  end
  ''
end
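The Oracle 11g+ S:/H:/T: layout described in the comments of hash_to_hashcat and hash_to_jtr above, as an added example that is not Metasploit's own code: it splits such a string into its sections, checks each section against the lengths those comments give (60, 32 and 160 hex characters), derives the jtr_format label identify_hash assigns for each combination of sections, and builds the hash-mode 112 "sha1:salt" line hash_to_hashcat emits for the S: section. parse_oracle_hash, oracle_jtr_format, oracle11_hashcat_line and SAMPLE_ORACLE_HASH are names chosen here; the sample value is the one quoted in the comments.

```ruby
# Added example, not Metasploit code: parse an Oracle 11g+ password hash string
# into its S:/H:/T: sections and derive the labels the page's formatters use.

# Section tag => required hex length, as documented in hash_to_jtr's comments.
ORACLE_SECTION_LENGTHS = { 'S' => 60, 'H' => 32, 'T' => 160 }.freeze

# Parses "S:...;H:...;T:..." (any subset of sections) into
# { 'S' => { 'sha1' => ..., 'salt' => ... }, 'H' => '...', 'T' => '...' }.
# Returns nil when any section is unknown, malformed, duplicated or wrongly sized,
# mirroring the "nil on no match" contract of hash_to_jtr / hash_to_hashcat.
def parse_oracle_hash(value)
  sections = {}
  value.to_s.strip.split(';').each do |part|
    tag, hex = part.split(':', 2)
    return nil unless ORACLE_SECTION_LENGTHS.key?(tag) && hex
    return nil unless hex =~ /\A[\dA-F]+\z/ && hex.length == ORACLE_SECTION_LENGTHS[tag]
    return nil if sections.key?(tag) # a repeated section is not a valid hash
    sections[tag] = hex
  end
  return nil if sections.empty?
  if sections['S']
    # S: = 40 hex chars of sha1(password + salt) followed by the 20 hex char salt
    sections['S'] = { 'sha1' => sections['S'][0, 40], 'salt' => sections['S'][40, 20] }
  end
  sections
end

# The jtr_format label identify_hash returns for each of the three Oracle shapes
# it recognises (S only, S+H+T, H+T); nil for anything else.
def oracle_jtr_format(sections)
  return nil if sections.nil?
  case sections.keys.sort
  when ['S'] then 'raw-sha1,oracle11'
  when ['H', 'S', 'T'] then 'raw-sha1,oracle'
  when ['H', 'T'] then 'pbkdf2,oracle12c'
  end
end

# hashcat hash-mode 112 input for the S: section, "sha1:salt" in lowercase,
# as the /raw-sha1|oracle11/ case of hash_to_hashcat produces it.
def oracle11_hashcat_line(sections)
  s = sections && sections['S']
  return nil unless s
  "#{s['sha1']}:#{s['salt']}".downcase
end

# Constructed sample input: the value quoted in the hash_to_jtr comments above.
SAMPLE_ORACLE_HASH = [
  'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;',
  'H:DC9894A01797D91D92ECA1DA66242209;',
  'T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C'
].join

if __FILE__ == $0
  parsed = parse_oracle_hash(SAMPLE_ORACLE_HASH)
  puts oracle_jtr_format(parsed)        # raw-sha1,oracle
  puts oracle11_hashcat_line(parsed)    # sha1:salt, lowercase
end
```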

#ilog(msg, src = 'core', level = 0) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 182

def ilog(msg, src = 'core', level = 0)
  $dispatcher.log(LOG_INFO, src, level, msg)
end

#join ⇒ Object

# File 'plugins/lab.rb', line 6

$:.unshift(File.join(File.expand_path(File.dirname(__FILE__)), '..', 'lib', 'lab'))

#log_source_registered?(src) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/rex/logging/log_dispatcher.rb', line 194

def log_source_registered?(src)
  ($dispatcher[src] != nil)
end


#print_error(msg, exception = nil) ⇒ Object

# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 92

def print_error(msg, exception = nil)
  unless exception.nil?
    msg += "\n    Call Stack:"
    # Exception#backtrace is nil for an exception that was never raised,
    # so guard the iteration instead of calling each on nil.
    Array(exception.backtrace).each {|line|
      msg += "\n"
      msg += "\t #{line}"
    }
  end

  $console_printer.print_error(msg)
end


#print_good(msg) ⇒ Object

# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 88

def print_good(msg)
  $console_printer.print_good(msg)
end


#print_line(msg) ⇒ Object

# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 80

def print_line(msg)
  $console_printer.print_line(msg)
end


#print_warning(msg) ⇒ Object

# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 84

def print_warning(msg)
  $console_printer.print_warning(msg)
end

#register_log_source(src, sink, level = nil) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 198

def register_log_source(src, sink, level = nil)
  $dispatcher[src] = sink

  set_log_level(src, level) if (level)
end

#rlog(msg, src = 'core', level = 0) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 186

def rlog(msg, src = 'core', level = 0)
  if (msg == ExceptionCallStack)
    msg = "\nCall stack:\n" + $@.join("\n") + "\n"
  end

  $dispatcher.log(LOG_RAW, src, level, msg)
end

#set_log_level(src, level) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 208

def set_log_level(src, level)
  $dispatcher.set_level(src, level)
end

#uri ⇒ Object

This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. metasploit.com/framework/

# File 'lib/msf/core/auxiliary/web/http.rb', line 9

require 'uri'

#wlog(msg, src = 'core', level = 0) ⇒ Object

# File 'lib/rex/logging/log_dispatcher.rb', line 178

def wlog(msg, src = 'core', level = 0)
  $dispatcher.log(LOG_WARN, src, level, msg)
end