Top Level Namespace
- Includes:
- ERB::Util, Rex::Post::Permission, WindowsError::Win32
Defined Under Namespace
Modules: CredentialDataProxy, CredentialDataService, DataProxyAutoLoader, DataServiceAutoLoader, DbExportDataProxy, DbExportDataService, DbImportDataProxy, DbImportDataService, EventDataProxy, EventDataService, ExploitDataProxy, ExploitDataService, HostDataProxy, HostDataService, HrrRbSsh, IPSFilter, LoginDataProxy, LoginDataService, LootDataProxy, LootDataService, Metasploit, ModuleDataService, Msf, MsfDataProxy, MsfDataService, Nexpose, NmapDataProxy, NoteDataProxy, NoteDataService, PayloadDataProxy, PayloadDataService, QueryService, Redcarpet, RemoteCredentialDataService, RemoteDbExportDataService, RemoteDbImportDataService, RemoteEventDataService, RemoteExploitDataService, RemoteHostDataService, RemoteLoginDataService, RemoteLootDataService, RemoteMsfDataService, RemoteNmapDataService, RemoteNoteDataService, RemotePayloadDataService, RemoteRouteDataService, RemoteServiceDataService, RemoteSessionDataService, RemoteSessionEventDataService, RemoteVulnAttemptDataService, RemoteVulnDataService, RemoteWebDataService, RemoteWorkspaceDataService, ResponseDataHelper, Rex, RouteDataProxy, RouteDataService, ServiceDataProxy, ServiceDataService, SessionDataProxy, SessionDataService, SessionEventDataProxy, SessionEventDataService, SocketLogger, VulnAttemptDataProxy, VulnDataProxy, VulnDataService, WebDataProxy, WebDataService, WorkspaceDataProxy, WorkspaceDataService Classes: ApplicationRecord, OpenPipeSock, QueryMeta, RouteArray, Search, SimpleClientPipe, TDSSSLProxy
Constant Summary collapse
- MSF_LICENSE =
Licenses
"Metasploit Framework License (BSD)"- GPL_LICENSE =
"GNU Public License v2.0"- BSD_LICENSE =
"BSD License"- CORE_LICENSE =
"CORE Security License (Apache 1.1)"- ARTISTIC_LICENSE =
"Perl Artistic License"- UNKNOWN_LICENSE =
"Unknown License"- LICENSES =
[ MSF_LICENSE, GPL_LICENSE, BSD_LICENSE, CORE_LICENSE, ARTISTIC_LICENSE, UNKNOWN_LICENSE ]
- JTR_NTLMV1 =
Resource list:
https://code.google.com/archive/p/hash-identifier/ https://github.com/psypanda/hashID https://hashcat.net/wiki/doku.php?id=example_hashes http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats https://openwall.info/wiki/john/sample-hashes QNX formats -> https://moar.so/blog/qnx-password-hash-formats.html 'netntlm'- JTR_NTLMV2 =
'netntlmv2'- ExceptionCallStack =
An instance of the log dispatcher exists in the global namespace, along with stubs for many of the common logging methods. Various sources can register themselves as a log sink such that logs can be directed at various targets depending on where they're sourced from. By doing it this way, things like sessions can use the global logging stubs and still be directed at the correct log file.
"__EXCEPTCALLSTACK__"- BACKTRACE_LOG_LEVEL =
Equal to LEV_3
3- DEFAULT_LOG_LEVEL =
Equal to LEV_3
0- AF_INET =
Net
2- AF_INET6 =
23- DELETE =
Permissions
0x00010000- READ_CONTROL =
0x00020000- WRITE_DAC =
0x00040000- WRITE_OWNER =
0x00080000- SYNCHRONIZE =
0x00100000- STANDARD_RIGHTS_REQUIRED =
0x000f0000- STANDARD_RIGHTS_READ =
READ_CONTROL- STANDARD_RIGHTS_WRITE =
READ_CONTROL- STANDARD_RIGHTS_EXECUTE =
READ_CONTROL- STANDARD_RIGHTS_ALL =
0x001f0000- SPECIFIC_RIGHTS_ALL =
0x0000ffff- MAXIMUM_ALLOWED =
0x02000000- GENERIC_READ =
0x80000000- GENERIC_WRITE =
0x40000000- GENERIC_EXECUTE =
0x20000000- GENERIC_ALL =
0x10000000- PAGE_NOACCESS =
Page Protections
0x00000001- PAGE_READONLY =
0x00000002- PAGE_READWRITE =
0x00000004- PAGE_WRITECOPY =
0x00000008- PAGE_EXECUTE =
0x00000010- PAGE_EXECUTE_READ =
0x00000020- PAGE_EXECUTE_READWRITE =
0x00000040- PAGE_EXECUTE_WRITECOPY =
0x00000080- PAGE_GUARD =
0x00000100- PAGE_NOCACHE =
0x00000200- PAGE_WRITECOMBINE =
0x00000400- MEM_COMMIT =
0x00001000- MEM_RESERVE =
0x00002000- MEM_DECOMMIT =
0x00004000- MEM_RELEASE =
0x00008000- MEM_FREE =
0x00010000- MEM_PRIVATE =
0x00020000- MEM_MAPPED =
0x00040000- MEM_RESET =
0x00080000- MEM_TOP_DOWN =
0x00100000- MEM_WRITE_WATCH =
0x00200000- MEM_PHYSICAL =
0x00400000- MEM_LARGE_PAGES =
0x20000000- MEM_4MB_PAGES =
0x80000000- SEC_FILE =
0x00800000- SEC_IMAGE =
0x01000000- SEC_RESERVE =
0x04000000- SEC_COMMIT =
0x08000000- SEC_NOCACHE =
0x10000000- MEM_IMAGE =
SEC_IMAGE- KEY_QUERY_VALUE =
Registry Permissions
0x00000001- KEY_SET_VALUE =
0x00000002- KEY_CREATE_SUB_KEY =
0x00000004- KEY_ENUMERATE_SUB_KEYS =
0x00000008- KEY_NOTIFY =
0x00000010- KEY_CREATE_LINK =
0x00000020- KEY_WOW64_64KEY =
0x00000100- KEY_WOW64_32KEY =
0x00000200- KEY_READ =
(STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE
- KEY_WRITE =
(STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE
- KEY_EXECUTE =
KEY_READ- KEY_ALL_ACCESS =
(STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK) & ~SYNCHRONIZE
- HKEY_CLASSES_ROOT =
Registry
0x80000000- HKEY_CURRENT_USER =
0x80000001- HKEY_LOCAL_MACHINE =
0x80000002- HKEY_USERS =
0x80000003- HKEY_PERFORMANCE_DATA =
0x80000004- HKEY_CURRENT_CONFIG =
0x80000005- HKEY_DYN_DATA =
0x80000006- REG_NONE =
0- REG_SZ =
1- REG_EXPAND_SZ =
2- REG_BINARY =
3- REG_DWORD =
4- REG_DWORD_LITTLE_ENDIAN =
4- REG_DWORD_BIG_ENDIAN =
5- REG_LINK =
6- REG_MULTI_SZ =
7- PROCESS_TERMINATE =
Process Permissions
0x00000001- PROCESS_CREATE_THREAD =
0x00000002- PROCESS_SET_SESSIONID =
0x00000004- PROCESS_VM_OPERATION =
0x00000008- PROCESS_VM_READ =
0x00000010- PROCESS_VM_WRITE =
0x00000020- PROCESS_DUP_HANDLE =
0x00000040- PROCESS_CREATE_PROCESS =
0x00000080- PROCESS_SET_QUOTA =
0x00000100- PROCESS_SET_INFORMATION =
0x00000200- PROCESS_QUERY_INFORMATION =
0x00000400- PROCESS_SUSPEND_RESUME =
0x00000800- PROCESS_ALL_ACCESS =
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
- THREAD_TERMINATE =
Thread Permissions
0x00000001- THREAD_SUSPEND_RESUME =
0x00000002- THREAD_GET_CONTEXT =
0x00000008- THREAD_SET_CONTEXT =
0x00000010- THREAD_SET_INFORMATION =
0x00000020- THREAD_QUERY_INFORMATION =
0x00000040- THREAD_SET_THREAD_TOKEN =
0x00000080- THREAD_IMPERSONATE =
0x00000100- THREAD_DIRECT_IMPERSONATION =
0x00000200- THREAD_ALL_ACCESS =
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF
- CREATE_SUSPENDED =
Creation flags
0x00000004- EVENTLOG_SEQUENTIAL_READ =
Event Log
0x00000001- EVENTLOG_SEEK_READ =
0x00000002- EVENTLOG_FORWARDS_READ =
0x00000004- EVENTLOG_BACKWARDS_READ =
0x00000008- EWX_LOGOFF =
Event Log
0- EWX_SHUTDOWN =
0x00000001- EWX_REBOOT =
0x00000002- EWX_FORCE =
0x00000004- EWX_POWEROFF =
0x00000008- EWX_FORCEIFHUNG =
0x00000010- SHTDN_REASON_MINOR_DC_PROMOTION =
Shutdown Reason Codes
0x00000021- SHTDN_REASON_MAJOR_APPLICATION =
0x00040000- SHTDN_REASON_MAJOR_HARDWARE =
0x00010000- SHTDN_REASON_FLAG_COMMENT_REQUIRED =
0x01000000- SHTDN_REASON_FLAG_DIRTY_UI =
0x08000000- SHTDN_REASON_MINOR_UNSTABLE =
0x00000006- SHTDN_REASON_MINOR_SECURITYFIX_UNINSTALL =
0x00000018- SHTDN_REASON_MINOR_ENVIRONMENT =
0x00000000- SHTDN_REASON_MAJOR_LEGACY_API =
0x00070000- SHTDN_REASON_MINOR_DC_DEMOTION =
0x00000022- SHTDN_REASON_MINOR_SECURITYFIX =
0x00000012- SHTDN_REASON_FLAG_CLEAN_UI =
0x04000000- SHTDN_REASON_MINOR_HOTFIX =
0x00000011- SHTDN_REASON_MINOR_CORDUNPLUGGED =
0x00000000- SHTDN_REASON_MINOR_HOTFIX_UNINSTALL =
0x00000017- SHTDN_REASON_FLAG_USER_DEFINED =
0x40000000- SHTDN_REASON_MINOR_SYSTEMRESTORE =
0x00000001- SHTDN_REASON_MINOR_OTHERDRIVER =
0x00000000- SHTDN_REASON_MINOR_WMI =
0x00000015- SHTDN_REASON_MINOR_INSTALLATION =
0x00000002- SHTDN_REASON_MINOR_BLUESCREEN =
0x0000000F- SHTDN_REASON_MAJOR_SOFTWARE =
0x00030000- SHTDN_REASON_MINOR_NETWORKCARD =
0x00000009- SHTDN_REASON_MINOR_SERVICEPACK_UNINSTALL =
0x00000016- SHTDN_REASON_MINOR_SERVICEPACK =
0x00000010- SHTDN_REASON_MINOR_UPGRADE =
0x00000003- SHTDN_REASON_FLAG_PLANNED =
0x80000000- SHTDN_REASON_MINOR_MMC =
0x00000019- SHTDN_REASON_MINOR_POWER_SUPPLY =
0x00000000- SHTDN_REASON_MINOR_MAINTENANCE =
0x00000001- SHTDN_REASON_VALID_BIT_MASK =
0x00000000- SHTDN_REASON_MAJOR_NONE =
0x00000000- SHTDN_REASON_MAJOR_POWER =
0x00060000- SHTDN_REASON_FLAG_DIRTY_PROBLEM_ID_REQUIRED =
0x02000000- SHTDN_REASON_MINOR_OTHER =
0x00000000- SHTDN_REASON_MINOR_PROCESSOR =
0x00000008- SHTDN_REASON_MAJOR_OTHER =
0x00000000- SHTDN_REASON_MINOR_DISK =
0x00000007- SHTDN_REASON_MINOR_NETWORK_CONNECTIVITY =
0x00000014- SHTDN_REASON_MAJOR_OPERATINGSYSTEM =
0x00020000- SHTDN_REASON_MINOR_HUNG =
0x00000005- SHTDN_REASON_MINOR_TERMSRV =
0x00000020- SHTDN_REASON_MINOR_NONE =
0x00000000- SHTDN_REASON_MINOR_RECONFIG =
0x00000004- SHTDN_REASON_MAJOR_SYSTEM =
0x00050000- SHTDN_REASON_MINOR_HARDWARE_DRIVER =
0x00000000- SHTDN_REASON_MINOR_SECURITY =
0x00000013- SHTDN_REASON_DEFAULT =
SHTDN_REASON_MAJOR_OTHER | SHTDN_REASON_MINOR_OTHER
- VirtualKeyCodes =
Keyboard Mappings
{ 1 => %W{ LClick }, 2 => %W{ RClick }, 3 => %W{ Cancel }, 4 => %W{ MClick }, 8 => %W{ Back }, 9 => %W{ Tab }, 10 => %W{ Newline }, 12 => %W{ Clear }, 13 => %W{ Return }, 16 => %W{ Shift }, 17 => %W{ Ctrl }, 18 => %W{ Alt }, 19 => %W{ Pause }, 20 => %W{ CapsLock }, 27 => %W{ Esc }, 32 => %W{ Space }, 33 => %W{ Prior }, 34 => %W{ Next }, 35 => %W{ End }, 36 => %W{ Home }, 37 => %W{ Left }, 38 => %W{ Up }, 39 => %W{ Right }, 40 => %W{ Down }, 41 => %W{ Select }, 42 => %W{ Print }, 43 => %W{ Execute }, 44 => %W{ Snapshot }, 45 => %W{ Insert }, 46 => %W{ Delete }, 47 => %W{ Help }, 48 => %W{ 0 )}, 49 => %W{ 1 !}, 50 => %W{ 2 @}, 51 => %W{ 3 #}, 52 => %W{ 4 $}, 53 => %W{ 5 %}, 54 => %W{ 6 ^}, 55 => %W{ 7 &}, 56 => %W{ 8 *}, 57 => %W{ 9 (}, 65 => %W{ a A}, 66 => %W{ b B}, 67 => %W{ c C}, 68 => %W{ d D}, 69 => %W{ e E}, 70 => %W{ f F}, 71 => %W{ g G}, 72 => %W{ h H}, 73 => %W{ i I}, 74 => %W{ j J}, 75 => %W{ k K}, 76 => %W{ l L}, 77 => %W{ m M}, 78 => %W{ n N}, 79 => %W{ o O}, 80 => %W{ p P}, 81 => %W{ q Q}, 82 => %W{ r R}, 83 => %W{ s S}, 84 => %W{ t T}, 85 => %W{ u U}, 86 => %W{ v V}, 87 => %W{ w W}, 88 => %W{ x X}, 89 => %W{ y Y}, 90 => %W{ z Z}, 91 => %W{ LWin }, 92 => %W{ RWin }, 93 => %W{ Apps }, 95 => %W{ Sleep }, 96 => %W{ N0 }, 97 => %W{ N1 }, 98 => %W{ N2 }, 99 => %W{ N3 }, 100 => %W{ N4 }, 101 => %W{ N5 }, 102 => %W{ N6 }, 103 => %W{ N7 }, 104 => %W{ N8 }, 105 => %W{ N9 }, 106 => %W{ Multiply }, 107 => %W{ Add }, 108 => %W{ Separator }, 109 => %W{ Subtract }, 110 => %W{ Decimal }, 111 => %W{ Divide }, 112 => %W{ F1 }, 113 => %W{ F2 }, 114 => %W{ F3 }, 115 => %W{ F4 }, 116 => %W{ F5 }, 117 => %W{ F6 }, 118 => %W{ F7 }, 119 => %W{ F8 }, 120 => %W{ F9 }, 121 => %W{ F10 }, 122 => %W{ F11 }, 123 => %W{ F12 }, 124 => %W{ F13 }, 125 => %W{ F14 }, 126 => %W{ F15 }, 127 => %W{ F16 }, 128 => %W{ F17 }, 129 => %W{ F18 }, 130 => %W{ F19 }, 131 => %W{ F20 }, 132 => %W{ F21 }, 133 => %W{ F22 }, 134 => %W{ F23 }, 135 => %W{ F24 }, 144 => %W{ NumLock }, 145 => %W{ Scroll }, 160 => %W{ LShift }, 161 => %W{ RShift }, 162 => %W{ LCtrl }, 163 => %W{ RCtrl }, 164 => %W{ LMenu }, 165 => %W{ RMenu }, 166 => %W{ Back }, 167 => %W{ Forward }, 168 => %W{ Refresh }, 169 => %W{ Stop }, 170 => %W{ Search }, 171 => %W{ Favorites }, 172 => %W{ Home }, 176 => %W{ Forward }, 177 => %W{ Reverse }, 178 => %W{ Stop }, 179 => %W{ Play }, 186 => %W{ ; :}, 187 => %W{ = +}, 188 => %W{ , <}, 189 => %W{ - _}, 190 => %W{ . >}, 191 => %W{ / ?}, 192 => %W{ ' ~}, 219 => %W| [ {|, 220 => %W{ \ |}, 221 => %W| ] }|, 222 => %W{ ' Quotes}, }
Constants included from Rex::Post::Permission
Rex::Post::Permission::GEN_EXEC, Rex::Post::Permission::GEN_NONE, Rex::Post::Permission::GEN_READ, Rex::Post::Permission::GEN_WRITE, Rex::Post::Permission::PROCESS_ALL, Rex::Post::Permission::PROCESS_EXECUTE, Rex::Post::Permission::PROCESS_READ, Rex::Post::Permission::PROCESS_WRITE, Rex::Post::Permission::PROT_COW, Rex::Post::Permission::PROT_EXEC, Rex::Post::Permission::PROT_NONE, Rex::Post::Permission::PROT_READ, Rex::Post::Permission::PROT_WRITE, Rex::Post::Permission::THREAD_ALL, Rex::Post::Permission::THREAD_EXECUTE, Rex::Post::Permission::THREAD_READ, Rex::Post::Permission::THREAD_WRITE
Instance Method Summary collapse
- #deregister_log_source(src) ⇒ Object
- #dlog(msg, src = 'core', level = 0) ⇒ Object
-
#elog(msg, src = 'core', log_level = 0, error: nil) ⇒ NilClass
Logs errors in a standard format for each Log Level.
- #get_log_level(src) ⇒ Object
-
#handle_credential_login(data, mod) ⇒ Object
Handles login report that does not necessarily need to include a password.
-
#hash_to_hashcat(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format hashcat is expecting.
-
#hash_to_jtr(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format JTR is expecting.
- #identify_hash(hash) ⇒ Object
- #ilog(msg, src = 'core', level = 0) ⇒ Object
-
#join ⇒ Object
$Id$ $Revision$.
- #log_source_registered?(src) ⇒ Boolean
- #print_error(msg, exception = nil) ⇒ Object
- #print_good(msg) ⇒ Object
- #print_line(msg) ⇒ Object
- #print_warning(msg) ⇒ Object
- #register_log_source(src, sink, level = nil) ⇒ Object
- #rlog(msg, src = 'core', level = 0) ⇒ Object
- #set_log_level(src, level) ⇒ Object
-
#uri ⇒ Object
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions.
- #wlog(msg, src = 'core', level = 0) ⇒ Object
Instance Method Details
#deregister_log_source(src) ⇒ Object
203 204 205 |
# File 'lib/rex/logging/log_dispatcher.rb', line 203 def deregister_log_source(src) $dispatcher.delete(src) end |
#dlog(msg, src = 'core', level = 0) ⇒ Object
133 134 135 |
# File 'lib/rex/logging/log_dispatcher.rb', line 133 def dlog(msg, src = 'core', level = 0) $dispatcher.log(LOG_DEBUG, src, level, msg) end |
#elog(msg, src = 'core', log_level = 0, error: nil) ⇒ NilClass
Logs errors in a standard format for each Log Level.
Can also be an Exception, in which case a log is built from the Exception with no accompanying message.
the global log level set for src, then the log is not recorded.
an exception is added to a log message. If the global log level set for src is greater than BACKTRACE_LOG_LEVEL, then the stack trace for an error is also added to the log message.
(Eg Loop Iterations, Variables, Function Calls).
154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 |
# File 'lib/rex/logging/log_dispatcher.rb', line 154 def elog(msg, src = 'core', log_level = 0, error: nil) error = msg.is_a?(Exception) ? msg : error if error.nil? || !error.is_a?(Exception) $dispatcher.log(LOG_ERROR, src, log_level, msg) else error_details = "#{error.class} #{error.}" if get_log_level(src) >= BACKTRACE_LOG_LEVEL if error.backtrace error_details << "\nCall stack:\n#{error.backtrace.join("\n")}" else error_details << "\nCall stack:\nNone" end end if msg.is_a?(Exception) $dispatcher.log(LOG_ERROR, src, log_level,"#{error_details}") else $dispatcher.log(LOG_ERROR, src, log_level,"#{msg} - #{error_details}") end end end |
#get_log_level(src) ⇒ Object
211 212 213 |
# File 'lib/rex/logging/log_dispatcher.rb', line 211 def get_log_level(src) $dispatcher.get_level(src) end |
#handle_credential_login(data, mod) ⇒ Object
Handles login report that does not necessarily need to include a password
139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 |
# File 'lib/msf/core/module/external.rb', line 139 def handle_credential_login(data, mod) # Required service_data = { address: data['address'], port: data['port'], protocol: data['protocol'], service_name: data['service_name'], module_fullname: self.fullname, workspace_id: myworkspace_id } # Optional credential_data = { origin_type: :service, username: data['username'] }.merge(service_data) if data.has_key?(:password) credential_data[:private_data] = data['password'] credential_data[:private_type] = :password end if data.has_key?('domain') credential_data[:realm_value] = data['domain'] credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN end login_data = { core: create_credential(credential_data), last_attempted_at: DateTime.now, status: Metasploit::Model::Login::Status::SUCCESSFUL, }.merge(service_data) create_credential_login(login_data) end |
#hash_to_hashcat(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format hashcat is expecting. hashcat.net/wiki/doku.php?id=example_hashes
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 |
# File 'lib/metasploit/framework/password_crackers/hashcat/formatter.rb', line 7 def hash_to_hashcat(cred) case cred.private.type when 'Metasploit::Credential::NTLMHash' both = cred.private.data.split(":") if both[0].upcase == 'AAD3B435B51404EEAAD3B435B51404EE' #lanman empty, return ntlm return both[1] # ntlm hash-mode: 1000 end return both[0] #give lanman, hash-mode: 3000 when 'Metasploit::Credential::PostgresMD5' #hash-mode: 12 if cred.private.jtr_format =~ /postgres|raw-md5/ hash_string = cred.private.data hash_string.gsub!(/^md5/, '') return "#{hash_string}:#{cred.public.username}" end when 'Metasploit::Credential::NonreplayableHash' case cred.private.jtr_format # oracle 11+ password hash descriptions: # this password is stored as a long ascii string with several sections # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/ # example: # hash = [] # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;" # hash << "H:DC9894A01797D91D92ECA1DA66242209;" # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C" # puts hash.join('') # S: = 60 characters -> sha1(password + salt (10 bytes)) # 40 char sha1, 20 char salt # hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C # salt is 6271691FC55C1F56554A # H: = 32 characters # legacy MD5 # T: = 160 characters # PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+) when /hmac-md5/ data = cred.private.data.split('#') password = Rex::Text.encode_base64("#{cred.public.username} #{data[1]}") return "$cram_md5$#{Rex::Text.encode_base64(data[0])}$#{password}" when /raw-sha1|oracle11/ # oracle 11, hash-mode: 112 if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11 # hashcat wants a 40 character string, : 20 character string return $1.scan(/.{1,40}/m).join(':').downcase end when /oracle12c/ if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c, hash-mode: 12300 return $1.upcase end when /dynamic_1506|postgres/ #this may not be correct if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11, hash-mode: 3100 return "#{$1}:#{cred.public.username}" end when /oracle/ # oracle if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c, hash-mode: 3100 return "#{cred.private.data}" end when /dynamic_82/ return cred.private.data.sub('$HEX$', ':').sub('$dynamic_82$','') when /mysql-sha1/ # lowercase, and remove the first character if its a * return cred.private.data.downcase.sub('*','') when /md5|des|bsdi|crypt|bf/, /mssql|mssql05|mssql12|mysql/, /sha256|sha-256/, /sha512|sha-512/, /xsha|xsha512|PBKDF2-HMAC-SHA512/, /mediawiki|phpass|PBKDF2-HMAC-SHA1/, /android-sha1/, /android-samsung-sha1/, /android-md5/, /ssha/, /raw-sha512/, /raw-sha256/ # md5(crypt), des(crypt), b(crypt), sha256, sha512, xsha, xsha512, PBKDF2-HMAC-SHA512 # hash-mode: 500 1500 3200 7400 1800 122 1722 7100 # mssql, mssql05, mssql12, mysql, mysql-sha1 # hash-mode: 131, 132, 1731 200 300 # mediawiki, phpass, PBKDF2-HMAC-SHA1 # hash-mode: 3711, 400, 12001 # android-sha1 # hash-mode: 5800 # ssha, raw-sha512, raw-sha256 # hash-mode: 111, 1700, 1400 return cred.private.data when /^mscash$/ # hash-mode: 1100 data = cred.private.data.split(':').first if /^M\$(?<salt>[[:print:]]+)#(?<hash>[\da-fA-F]{32})/ =~ data return "#{hash}:#{salt}" end when /^mscash2$/ # hash-mode: 2100 return cred.private.data.split(':').first when /netntlm(v2)?/ # netntlm, netntlmv2 # hash-mode: 5500 5600 return cred.private.data end end nil end |
#hash_to_jtr(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format JTR is expecting.
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 |
# File 'lib/metasploit/framework/password_crackers/jtr/formatter.rb', line 6 def hash_to_jtr(cred) case cred.private.type when 'Metasploit::Credential::NTLMHash' return "#{cred.public.username}:#{cred.id}:#{cred.private.data}:::#{cred.id}" when 'Metasploit::Credential::PostgresMD5' if cred.private.jtr_format =~ /postgres|raw-md5/ # john --list=subformats | grep 'PostgreSQL MD5' #UserFormat = dynamic_1034 type = dynamic_1034: md5($p.$u) (PostgreSQL MD5) hash_string = cred.private.data hash_string.gsub!(/^md5/, '') return "#{cred.public.username}:$dynamic_1034$#{hash_string}" end when 'Metasploit::Credential::NonreplayableHash' case cred.private.jtr_format # oracle 11+ password hash descriptions: # this password is stored as a long ascii string with several sections # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/ # example: # hash = [] # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;" # hash << "H:DC9894A01797D91D92ECA1DA66242209;" # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C" # puts hash.join('') # S: = 60 characters -> sha1(password + salt (10 bytes)) # 40 char sha1, 20 char salt # hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C # salt is 6271691FC55C1F56554A # H: = 32 characters # legacy MD5 # T: = 160 characters # PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+) when /raw-sha1|oracle11/ # oracle 11 if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11 return "#{cred.public.username}:#{$1}:#{cred.id}:" end when /oracle12c/ if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c return "#{cred.public.username}:$oracle12c$#{$1.downcase}:#{cred.id}:" end when /dynamic_1506/ if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11 return "#{cred.public.username.upcase}:$dynamic_1506$#{$1}:#{cred.id}:" end when /oracle/ # oracle if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c return "#{cred.public.username}:O$#{cred.public.username}##{cred.private.data}:#{cred.id}:" end when /md5|des|bsdi|crypt|bf|sha256|sha512|xsha512/ # md5(crypt), des(crypt), b(crypt), sha256(crypt), sha512(crypt), xsha512 return "#{cred.public.username}:#{cred.private.data}:::::#{cred.id}:" when /netntlm(v2)?/ return cred.private.data when /qnx/ # https://moar.so/blog/qnx-password-hash-formats.html hash = cred.private.data.end_with?(':0:0') ? cred.private.data : "#{cred.private.data}:0:0" return "#{cred.public.username}:#{hash}" when /Raw-MD5u/ # This is just md5(unicode($p)), where $p is the password. # Avira uses to store their passwords, there may be other apps that also use this though. # The trailing : shows an empty salt. This is because hashcat only has one unicode hash # format which is combatible, type 30, but that is listed as md5(utf16le($pass).$salt) # with a sample hash of b31d032cfdcf47a399990a71e43c5d2a:144816. So this just outputs # The hash as *hash*: so that it is both JTR and hashcat compatible return "#{cred.private.data}:" else # /mysql|mysql-sha1/ # /mssql|mssql05|mssql12/ # /des(crypt)/ # /mediawiki|phpass|atlassian/ # /dynamic_82/ # /ssha/ # /raw-sha512/ # /raw-sha256/ return "#{cred.public.username}:#{cred.private.data}:#{cred.id}:" end end nil end |
#identify_hash(hash) ⇒ Object
18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 |
# File 'lib/metasploit/framework/hashes/identify.rb', line 18 def identify_hash(hash) hash = hash.to_s.strip case # operating systems when hash.start_with?('$1$') && hash.length == 34 return 'md5' when hash.start_with?('$2$') && hash.length == 59, hash.start_with?('$2a$') && hash.length == 60, hash.start_with?('$2b$') && hash.length == 60, hash.start_with?('$2x$') && hash.length == 60, hash.start_with?('$2y$') && hash.length == 60 return 'bf' #bcrypt when hash.start_with?('$5$') && hash.split('$').last.length == 43 # we dont check full length since it may have 'rounds=' in the [1] area or not with an arbitrary length number return 'sha256,crypt' when hash.start_with?('$6$') && hash.split('$').last.length == 86 # we dont check full length since it may have 'rounds=' in the [1] area or not with an arbitrary length number return 'sha512,crypt' when hash.start_with?('@S@') && hash.length == 148 return 'qnx,sha512' when hash.start_with?('@s@') && hash.length == 84 return 'qnx,sha256' when hash.start_with?('@m@') && hash.length == 52 return 'qnx,md5' when hash.start_with?('_') && hash.length == 20 return 'des,bsdi,crypt' when hash =~ /^[\.\/\dA-Za-z]{13}$/ # hash.length == 13 return 'des,crypt' when hash =~ /^\$dynamic_82\$[\da-f]{128}\$HEX\$[\da-f]{32}$/ # jtr vmware ldap https://github.com/rapid7/metasploit-framework/pull/13865#issuecomment-660718108 return 'dynamic_82' when hash.start_with?(/{SSHA}/i) return 'ssha' when hash.start_with?(/{SHA512}/i) return 'raw-sha512' when hash.start_with?(/{SHA256}/i) return 'raw-sha256' when hash.start_with?(/{SHA}/i) return 'raw-sha1' when hash.start_with?(/{MD5}/i) return 'raw-md5' when hash.start_with?(/{SMD5}/i) return 'smd5' when hash.start_with?(/{SSHA256}/i) return 'ssha256' when hash.start_with?(/{SSHA512}/i) return 'ssha512' # windows when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ && hash.split(':').first.upcase == 'AAD3B435B51404EEAAD3B435B51404EE' return 'nt' when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ return 'lm' # OSX when hash.start_with?('$ml$') && hash.split('$').last.length == 256 return 'pbkdf2-hmac-sha512,osx' # 10.8+ when hash =~ /^[\da-fA-F]{48}$/ # hash.length == 48 return 'xsha,osx' # 10.4-10.6 # databases when hash.start_with?('0x0100') && hash.length == 54 return 'mssql05' when hash.start_with?('0x0100') && hash.length == 94 return 'mssql' when hash.start_with?('0x0200') && hash.length == 142 return 'mssql12' when hash =~ /^[\da-f]{16}$/ # hash.length == 16 return 'mysql' # mysql323 (pre 4.1) when hash.start_with?('*') && hash.length == 41 return 'mysql-sha1' # mysql 4.1+ when hash.start_with?('md5') && hash.length == 35 return 'postgres' when hash =~ /^[\da-fA-F]{16}$/ return 'des,oracle' # pre 11g when hash =~ /^S:[\dA-F]{60}$/ return 'raw-sha1,oracle11' when hash =~ /^S:[\dA-F]{60};H:[\dA-F]{32};T:[\dA-F]{160}$/ return 'raw-sha1,oracle' when hash =~ /^H:[\dA-F]{32};T:[\dA-F]{160}$/ return 'pbkdf2,oracle12c' # webapps when hash.start_with?('$P$') && hash.length == 34, hash.start_with?('$H$') && hash.length == 34 return 'phpass' # wordpress, drupal, phpbb3 (H not P) when hash.start_with?('$ml$') && hash.length == 203 return 'PBKDF2-HMAC-SHA512' when hash.start_with?('{PKCS5S2}') && hash.length == 73 return 'PBKDF2-HMAC-SHA1' when hash.start_with?('$B$') && hash.split('$').last.length == 32 return 'mediawiki' # mobile when hash =~/^[A-F0-9]{40}:[a-f0-9]{16}$/ return 'android-sha1' when hash =~/^[A-F0-9]{32}:[a-f0-9]{16}$/ return 'android-md5' # other when hash =~ /^<\d+@.+?>#[\w]{32}$/ return 'hmac-md5' when hash.length == 114 && hash.start_with?('$M$') return 'F5-Secure-Vault' when hash =~ /^M\$[[:print:]]+#[\da-fA-F]{32}(?:(?::[[:print:]]*$)|$)/ return 'mscash' when hash =~ /^\$DCC2\$\d+#[[:print:]]+#[\da-fA-F]{32}(?:(?::[[:print:]]*$)|$)/ return 'mscash2' end '' end |
#ilog(msg, src = 'core', level = 0) ⇒ Object
181 182 183 |
# File 'lib/rex/logging/log_dispatcher.rb', line 181 def ilog(msg, src = 'core', level = 0) $dispatcher.log(LOG_INFO, src, level, msg) end |
#join ⇒ Object
$Id$ $Revision$
6 |
# File 'plugins/lab.rb', line 6 $:.unshift(File.join(File.(File.dirname(__FILE__)), '..', 'lib', 'lab')) |
#log_source_registered?(src) ⇒ Boolean
193 194 195 |
# File 'lib/rex/logging/log_dispatcher.rb', line 193 def log_source_registered?(src) ($dispatcher[src] != nil) end |
#print_error(msg, exception = nil) ⇒ Object
91 92 93 94 95 96 97 98 99 100 101 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 91 def print_error(msg, exception = nil) unless exception.nil? msg += "\n Call Stack:" exception.backtrace.each {|line| msg += "\n" msg += "\t #{line}" } end $console_printer.print_error(msg) end |
#print_good(msg) ⇒ Object
87 88 89 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 87 def print_good(msg) $console_printer.print_good(msg) end |
#print_line(msg) ⇒ Object
79 80 81 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 79 def print_line(msg) $console_printer.print_line(msg) end |
#print_warning(msg) ⇒ Object
83 84 85 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 83 def print_warning(msg) $console_printer.print_warning(msg) end |
#register_log_source(src, sink, level = nil) ⇒ Object
197 198 199 200 201 |
# File 'lib/rex/logging/log_dispatcher.rb', line 197 def register_log_source(src, sink, level = nil) $dispatcher[src] = sink set_log_level(src, level) if (level) end |
#rlog(msg, src = 'core', level = 0) ⇒ Object
185 186 187 188 189 190 191 |
# File 'lib/rex/logging/log_dispatcher.rb', line 185 def rlog(msg, src = 'core', level = 0) if (msg == ExceptionCallStack) msg = "\nCall stack:\n" + $@.join("\n") + "\n" end $dispatcher.log(LOG_RAW, src, level, msg) end |
#set_log_level(src, level) ⇒ Object
207 208 209 |
# File 'lib/rex/logging/log_dispatcher.rb', line 207 def set_log_level(src, level) $dispatcher.set_level(src, level) end |
#uri ⇒ Object
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. metasploit.com/framework/
9 |
# File 'lib/msf/core/auxiliary/web/http.rb', line 9 require 'uri' |
#wlog(msg, src = 'core', level = 0) ⇒ Object
177 178 179 |
# File 'lib/rex/logging/log_dispatcher.rb', line 177 def wlog(msg, src = 'core', level = 0) $dispatcher.log(LOG_WARN, src, level, msg) end |