Top Level Namespace
- Includes:
- ERB::Util, Rex::Arch, WindowsError::Win32
Defined Under Namespace
Modules: CredentialDataProxy, CredentialDataService, DataProxyAutoLoader, DataServiceAutoLoader, DbExportDataProxy, DbExportDataService, DbImportDataProxy, DbImportDataService, EventDataProxy, EventDataService, ExploitDataProxy, ExploitDataService, HostDataProxy, HostDataService, HrrRbSsh, IPSFilter, LoginDataProxy, LoginDataService, LootDataProxy, LootDataService, Metasploit, ModuleDataService, Msf, MsfDataProxy, MsfDataService, Nexpose, NmapDataProxy, NoteDataProxy, NoteDataService, PayloadDataProxy, PayloadDataService, QueryService, Redcarpet, RemoteCredentialDataService, RemoteDbExportDataService, RemoteDbImportDataService, RemoteEventDataService, RemoteExploitDataService, RemoteHostDataService, RemoteLoginDataService, RemoteLootDataService, RemoteMsfDataService, RemoteNmapDataService, RemoteNoteDataService, RemotePayloadDataService, RemoteRouteDataService, RemoteServiceDataService, RemoteSessionDataService, RemoteSessionEventDataService, RemoteVulnAttemptDataService, RemoteVulnDataService, RemoteWebDataService, RemoteWorkspaceDataService, ResponseDataHelper, Rex, RouteDataProxy, RouteDataService, ServiceDataProxy, ServiceDataService, SessionDataProxy, SessionDataService, SessionEventDataProxy, SessionEventDataService, SocketLogger, VulnAttemptDataProxy, VulnDataProxy, VulnDataService, WebDataProxy, WebDataService, WorkspaceDataProxy, WorkspaceDataService Classes: ApplicationRecord, OpenPipeSock, QueryMeta, RouteArray, Search, SimpleClientPipe, TDSSSLProxy
Constant Summary collapse
- MSF_LICENSE =
Licenses
"Metasploit Framework License (BSD)"- GPL_LICENSE =
"GNU Public License v2.0"- BSD_LICENSE =
"BSD License"- CORE_LICENSE =
"CORE Security License (Apache 1.1)"- ARTISTIC_LICENSE =
"Perl Artistic License"- UNKNOWN_LICENSE =
"Unknown License"- LICENSES =
[ MSF_LICENSE, GPL_LICENSE, BSD_LICENSE, CORE_LICENSE, ARTISTIC_LICENSE, UNKNOWN_LICENSE ]
- LOG_ERROR =
Log severities
:error- LOG_DEBUG =
:debug- LOG_INFO =
:info- LOG_WARN =
:warn- LOG_RAW =
:raw- LEV_0 =
LEV_0 - Default
This log level is the default log level if none is specified. It should be used when a log message should always be displayed when logging is enabled. Very few log messages should occur at this level aside from necessary information logging and error/warning logging. Debug logging at level zero is not advised.
0- LEV_1 =
LEV_1 - Extra
This log level should be used when extra information may be needed to understand the cause of an error or warning message or to get debugging information that might give clues as to why something is happening. This log level should be used only when information may be useful to understanding the behavior of something at a basic level. This log level should not be used in an exhaustively verbose fashion.
1- LEV_2 =
LEV_2 - Verbose
This log level should be used when verbose information may be needed to analyze the behavior of the framework. This should be the default log level for all detailed information not falling into LEV_0 or LEV_1. It is recommended that this log level be used by default if you are unsure.
2- LEV_3 =
LEV_3 - Insanity
This log level should contain very verbose information about the behavior of the framework, such as detailed information about variable states at certain phases including, but not limited to, loop iterations, function calls, and so on. This log level will rarely be displayed, but when it is the information provided should make it easy to analyze any problem.
3- PROT_NONE =
Generic page protection flags
0- PROT_READ =
(1 << 0)
- PROT_WRITE =
(1 << 1)
- PROT_EXEC =
(1 << 2)
- PROT_COW =
(1 << 20)
- GEN_NONE =
Generic permissions
0- GEN_READ =
(1 << 0)
- GEN_WRITE =
(1 << 1)
- GEN_EXEC =
(1 << 2)
- PROCESS_READ =
Generic process open permissions
(1 << 0)
- PROCESS_WRITE =
(1 << 1)
- PROCESS_EXECUTE =
(1 << 2)
- PROCESS_ALL =
0xffffffff- THREAD_READ =
Generic thread open permissions
(1 << 0)
- THREAD_WRITE =
(1 << 1)
- THREAD_EXECUTE =
(1 << 2)
- THREAD_ALL =
0xffffffff- ExceptionCallStack =
An instance of the log dispatcher exists in the global namespace, along with stubs for many of the common logging methods. Various sources can register themselves as a log sink such that logs can be directed at various targets depending on where they're sourced from. By doing it this way, things like sessions can use the global logging stubs and still be directed at the correct log file.
"__EXCEPTCALLSTACK__"- BACKTRACE_LOG_LEVEL =
Equal to LEV_3
3- DEFAULT_LOG_LEVEL =
Equal to LEV_3
0- AF_INET =
Net
2- AF_INET6 =
23- DELETE =
Permissions
0x00010000- READ_CONTROL =
0x00020000- WRITE_DAC =
0x00040000- WRITE_OWNER =
0x00080000- SYNCHRONIZE =
0x00100000- STANDARD_RIGHTS_REQUIRED =
0x000f0000- STANDARD_RIGHTS_READ =
READ_CONTROL- STANDARD_RIGHTS_WRITE =
READ_CONTROL- STANDARD_RIGHTS_EXECUTE =
READ_CONTROL- STANDARD_RIGHTS_ALL =
0x001f0000- SPECIFIC_RIGHTS_ALL =
0x0000ffff- MAXIMUM_ALLOWED =
0x02000000- GENERIC_READ =
0x80000000- GENERIC_WRITE =
0x40000000- GENERIC_EXECUTE =
0x20000000- GENERIC_ALL =
0x10000000- PAGE_NOACCESS =
Page Protections
0x00000001- PAGE_READONLY =
0x00000002- PAGE_READWRITE =
0x00000004- PAGE_WRITECOPY =
0x00000008- PAGE_EXECUTE =
0x00000010- PAGE_EXECUTE_READ =
0x00000020- PAGE_EXECUTE_READWRITE =
0x00000040- PAGE_EXECUTE_WRITECOPY =
0x00000080- PAGE_GUARD =
0x00000100- PAGE_NOCACHE =
0x00000200- PAGE_WRITECOMBINE =
0x00000400- MEM_COMMIT =
0x00001000- MEM_RESERVE =
0x00002000- MEM_DECOMMIT =
0x00004000- MEM_RELEASE =
0x00008000- MEM_FREE =
0x00010000- MEM_PRIVATE =
0x00020000- MEM_MAPPED =
0x00040000- MEM_RESET =
0x00080000- MEM_TOP_DOWN =
0x00100000- MEM_WRITE_WATCH =
0x00200000- MEM_PHYSICAL =
0x00400000- MEM_LARGE_PAGES =
0x20000000- MEM_4MB_PAGES =
0x80000000- SEC_FILE =
0x00800000- SEC_IMAGE =
0x01000000- SEC_RESERVE =
0x04000000- SEC_COMMIT =
0x08000000- SEC_NOCACHE =
0x10000000- MEM_IMAGE =
SEC_IMAGE- KEY_QUERY_VALUE =
Registry Permissions
0x00000001- KEY_SET_VALUE =
0x00000002- KEY_CREATE_SUB_KEY =
0x00000004- KEY_ENUMERATE_SUB_KEYS =
0x00000008- KEY_NOTIFY =
0x00000010- KEY_CREATE_LINK =
0x00000020- KEY_WOW64_64KEY =
0x00000100- KEY_WOW64_32KEY =
0x00000200- KEY_READ =
(STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE
- KEY_WRITE =
(STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE
- KEY_EXECUTE =
KEY_READ- KEY_ALL_ACCESS =
(STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK) & ~SYNCHRONIZE
- HKEY_CLASSES_ROOT =
Registry
0x80000000- HKEY_CURRENT_USER =
0x80000001- HKEY_LOCAL_MACHINE =
0x80000002- HKEY_USERS =
0x80000003- HKEY_PERFORMANCE_DATA =
0x80000004- HKEY_CURRENT_CONFIG =
0x80000005- HKEY_DYN_DATA =
0x80000006- REG_NONE =
0- REG_SZ =
1- REG_EXPAND_SZ =
2- REG_BINARY =
3- REG_DWORD =
4- REG_DWORD_LITTLE_ENDIAN =
4- REG_DWORD_BIG_ENDIAN =
5- REG_LINK =
6- REG_MULTI_SZ =
7- PROCESS_TERMINATE =
Process Permissions
0x00000001- PROCESS_CREATE_THREAD =
0x00000002- PROCESS_SET_SESSIONID =
0x00000004- PROCESS_VM_OPERATION =
0x00000008- PROCESS_VM_READ =
0x00000010- PROCESS_VM_WRITE =
0x00000020- PROCESS_DUP_HANDLE =
0x00000040- PROCESS_CREATE_PROCESS =
0x00000080- PROCESS_SET_QUOTA =
0x00000100- PROCESS_SET_INFORMATION =
0x00000200- PROCESS_QUERY_INFORMATION =
0x00000400- PROCESS_SUSPEND_RESUME =
0x00000800- PROCESS_ALL_ACCESS =
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
- THREAD_TERMINATE =
Thread Permissions
0x00000001- THREAD_SUSPEND_RESUME =
0x00000002- THREAD_GET_CONTEXT =
0x00000008- THREAD_SET_CONTEXT =
0x00000010- THREAD_SET_INFORMATION =
0x00000020- THREAD_QUERY_INFORMATION =
0x00000040- THREAD_SET_THREAD_TOKEN =
0x00000080- THREAD_IMPERSONATE =
0x00000100- THREAD_DIRECT_IMPERSONATION =
0x00000200- THREAD_ALL_ACCESS =
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF
- CREATE_SUSPENDED =
Creation flags
0x00000004- EVENTLOG_SEQUENTIAL_READ =
Event Log
0x00000001- EVENTLOG_SEEK_READ =
0x00000002- EVENTLOG_FORWARDS_READ =
0x00000004- EVENTLOG_BACKWARDS_READ =
0x00000008- EWX_LOGOFF =
Event Log
0- EWX_SHUTDOWN =
0x00000001- EWX_REBOOT =
0x00000002- EWX_FORCE =
0x00000004- EWX_POWEROFF =
0x00000008- EWX_FORCEIFHUNG =
0x00000010- SHTDN_REASON_MINOR_DC_PROMOTION =
Shutdown Reason Codes
0x00000021- SHTDN_REASON_MAJOR_APPLICATION =
0x00040000- SHTDN_REASON_MAJOR_HARDWARE =
0x00010000- SHTDN_REASON_FLAG_COMMENT_REQUIRED =
0x01000000- SHTDN_REASON_FLAG_DIRTY_UI =
0x08000000- SHTDN_REASON_MINOR_UNSTABLE =
0x00000006- SHTDN_REASON_MINOR_SECURITYFIX_UNINSTALL =
0x00000018- SHTDN_REASON_MINOR_ENVIRONMENT =
0x00000000- SHTDN_REASON_MAJOR_LEGACY_API =
0x00070000- SHTDN_REASON_MINOR_DC_DEMOTION =
0x00000022- SHTDN_REASON_MINOR_SECURITYFIX =
0x00000012- SHTDN_REASON_FLAG_CLEAN_UI =
0x04000000- SHTDN_REASON_MINOR_HOTFIX =
0x00000011- SHTDN_REASON_MINOR_CORDUNPLUGGED =
0x00000000- SHTDN_REASON_MINOR_HOTFIX_UNINSTALL =
0x00000017- SHTDN_REASON_FLAG_USER_DEFINED =
0x40000000- SHTDN_REASON_MINOR_SYSTEMRESTORE =
0x00000001- SHTDN_REASON_MINOR_OTHERDRIVER =
0x00000000- SHTDN_REASON_MINOR_WMI =
0x00000015- SHTDN_REASON_MINOR_INSTALLATION =
0x00000002- SHTDN_REASON_MINOR_BLUESCREEN =
0x0000000F- SHTDN_REASON_MAJOR_SOFTWARE =
0x00030000- SHTDN_REASON_MINOR_NETWORKCARD =
0x00000009- SHTDN_REASON_MINOR_SERVICEPACK_UNINSTALL =
0x00000016- SHTDN_REASON_MINOR_SERVICEPACK =
0x00000010- SHTDN_REASON_MINOR_UPGRADE =
0x00000003- SHTDN_REASON_FLAG_PLANNED =
0x80000000- SHTDN_REASON_MINOR_MMC =
0x00000019- SHTDN_REASON_MINOR_POWER_SUPPLY =
0x00000000- SHTDN_REASON_MINOR_MAINTENANCE =
0x00000001- SHTDN_REASON_VALID_BIT_MASK =
0x00000000- SHTDN_REASON_MAJOR_NONE =
0x00000000- SHTDN_REASON_MAJOR_POWER =
0x00060000- SHTDN_REASON_FLAG_DIRTY_PROBLEM_ID_REQUIRED =
0x02000000- SHTDN_REASON_MINOR_OTHER =
0x00000000- SHTDN_REASON_MINOR_PROCESSOR =
0x00000008- SHTDN_REASON_MAJOR_OTHER =
0x00000000- SHTDN_REASON_MINOR_DISK =
0x00000007- SHTDN_REASON_MINOR_NETWORK_CONNECTIVITY =
0x00000014- SHTDN_REASON_MAJOR_OPERATINGSYSTEM =
0x00020000- SHTDN_REASON_MINOR_HUNG =
0x00000005- SHTDN_REASON_MINOR_TERMSRV =
0x00000020- SHTDN_REASON_MINOR_NONE =
0x00000000- SHTDN_REASON_MINOR_RECONFIG =
0x00000004- SHTDN_REASON_MAJOR_SYSTEM =
0x00050000- SHTDN_REASON_MINOR_HARDWARE_DRIVER =
0x00000000- SHTDN_REASON_MINOR_SECURITY =
0x00000013- SHTDN_REASON_DEFAULT =
SHTDN_REASON_MAJOR_OTHER | SHTDN_REASON_MINOR_OTHER
- VirtualKeyCodes =
Keyboard Mappings
{ 1 => %W{ LClick }, 2 => %W{ RClick }, 3 => %W{ Cancel }, 4 => %W{ MClick }, 8 => %W{ Back }, 9 => %W{ Tab }, 10 => %W{ Newline }, 12 => %W{ Clear }, 13 => %W{ Return }, 16 => %W{ Shift }, 17 => %W{ Ctrl }, 18 => %W{ Alt }, 19 => %W{ Pause }, 20 => %W{ CapsLock }, 27 => %W{ Esc }, 32 => %W{ Space }, 33 => %W{ Prior }, 34 => %W{ Next }, 35 => %W{ End }, 36 => %W{ Home }, 37 => %W{ Left }, 38 => %W{ Up }, 39 => %W{ Right }, 40 => %W{ Down }, 41 => %W{ Select }, 42 => %W{ Print }, 43 => %W{ Execute }, 44 => %W{ Snapshot }, 45 => %W{ Insert }, 46 => %W{ Delete }, 47 => %W{ Help }, 48 => %W{ 0 )}, 49 => %W{ 1 !}, 50 => %W{ 2 @}, 51 => %W{ 3 #}, 52 => %W{ 4 $}, 53 => %W{ 5 %}, 54 => %W{ 6 ^}, 55 => %W{ 7 &}, 56 => %W{ 8 *}, 57 => %W{ 9 (}, 65 => %W{ a A}, 66 => %W{ b B}, 67 => %W{ c C}, 68 => %W{ d D}, 69 => %W{ e E}, 70 => %W{ f F}, 71 => %W{ g G}, 72 => %W{ h H}, 73 => %W{ i I}, 74 => %W{ j J}, 75 => %W{ k K}, 76 => %W{ l L}, 77 => %W{ m M}, 78 => %W{ n N}, 79 => %W{ o O}, 80 => %W{ p P}, 81 => %W{ q Q}, 82 => %W{ r R}, 83 => %W{ s S}, 84 => %W{ t T}, 85 => %W{ u U}, 86 => %W{ v V}, 87 => %W{ w W}, 88 => %W{ x X}, 89 => %W{ y Y}, 90 => %W{ z Z}, 91 => %W{ LWin }, 92 => %W{ RWin }, 93 => %W{ Apps }, 95 => %W{ Sleep }, 96 => %W{ N0 }, 97 => %W{ N1 }, 98 => %W{ N2 }, 99 => %W{ N3 }, 100 => %W{ N4 }, 101 => %W{ N5 }, 102 => %W{ N6 }, 103 => %W{ N7 }, 104 => %W{ N8 }, 105 => %W{ N9 }, 106 => %W{ Multiply }, 107 => %W{ Add }, 108 => %W{ Separator }, 109 => %W{ Subtract }, 110 => %W{ Decimal }, 111 => %W{ Divide }, 112 => %W{ F1 }, 113 => %W{ F2 }, 114 => %W{ F3 }, 115 => %W{ F4 }, 116 => %W{ F5 }, 117 => %W{ F6 }, 118 => %W{ F7 }, 119 => %W{ F8 }, 120 => %W{ F9 }, 121 => %W{ F10 }, 122 => %W{ F11 }, 123 => %W{ F12 }, 124 => %W{ F13 }, 125 => %W{ F14 }, 126 => %W{ F15 }, 127 => %W{ F16 }, 128 => %W{ F17 }, 129 => %W{ F18 }, 130 => %W{ F19 }, 131 => %W{ F20 }, 132 => %W{ F21 }, 133 => %W{ F22 }, 134 => %W{ F23 }, 135 => %W{ F24 }, 144 => %W{ NumLock }, 145 => %W{ Scroll }, 160 => %W{ LShift }, 161 => %W{ RShift }, 162 => %W{ LCtrl }, 163 => %W{ RCtrl }, 164 => %W{ LMenu }, 165 => %W{ RMenu }, 166 => %W{ Back }, 167 => %W{ Forward }, 168 => %W{ Refresh }, 169 => %W{ Stop }, 170 => %W{ Search }, 171 => %W{ Favorites }, 172 => %W{ Home }, 176 => %W{ Forward }, 177 => %W{ Reverse }, 178 => %W{ Stop }, 179 => %W{ Play }, 186 => %W{ ; :}, 187 => %W{ = +}, 188 => %W{ , <}, 189 => %W{ - _}, 190 => %W{ . >}, 191 => %W{ / ?}, 192 => %W{ ' ~}, 219 => %W| [ {|, 220 => %W{ \ |}, 221 => %W| ] }|, 222 => %W{ ' Quotes}, }
Instance Method Summary collapse
- #deregister_log_source(src) ⇒ Object
- #dlog(msg, src = 'core', level = 0) ⇒ Object
-
#elog(msg, src = 'core', log_level = 0, error: nil) ⇒ NilClass
Logs errors in a standard format for each Log Level.
- #get_log_level(src) ⇒ Object
-
#handle_credential_login(data, mod) ⇒ Object
Handles login report that does not necessarily need to include a password.
-
#hash_to_hashcat(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format hashcat is expecting.
-
#hash_to_jtr(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format JTR is expecting.
- #identify_hash(hash) ⇒ Object
- #ilog(msg, src = 'core', level = 0) ⇒ Object
-
#join ⇒ Object
$Id$ $Revision$.
- #log_source_registered?(src) ⇒ Boolean
- #print_error(msg, exception = nil) ⇒ Object
- #print_good(msg) ⇒ Object
- #print_line(msg) ⇒ Object
- #print_warning(msg) ⇒ Object
- #register_log_source(src, sink, level = nil) ⇒ Object
- #rlog(msg, src = 'core', level = 0) ⇒ Object
- #set_log_level(src, level) ⇒ Object
-
#uri ⇒ Object
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions.
- #wlog(msg, src = 'core', level = 0) ⇒ Object
Instance Method Details
#deregister_log_source(src) ⇒ Object
205 206 207 |
# File 'lib/rex/logging/log_dispatcher.rb', line 205 def deregister_log_source(src) $dispatcher.delete(src) end |
#dlog(msg, src = 'core', level = 0) ⇒ Object
135 136 137 |
# File 'lib/rex/logging/log_dispatcher.rb', line 135 def dlog(msg, src = 'core', level = 0) $dispatcher.log(LOG_DEBUG, src, level, msg) end |
#elog(msg, src = 'core', log_level = 0, error: nil) ⇒ NilClass
Logs errors in a standard format for each Log Level.
Can also be an Exception, in which case a log is built from the Exception with no accompanying message.
the global log level set for src, then the log is not recorded.
an exception is added to a log message. If the global log level set for src is greater than BACKTRACE_LOG_LEVEL, then the stack trace for an error is also added to the log message.
(Eg Loop Iterations, Variables, Function Calls).
156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 |
# File 'lib/rex/logging/log_dispatcher.rb', line 156 def elog(msg, src = 'core', log_level = 0, error: nil) error = msg.is_a?(Exception) ? msg : error if error.nil? || !error.is_a?(Exception) $dispatcher.log(LOG_ERROR, src, log_level, msg) else error_details = "#{error.class} #{error.}" if get_log_level(src) >= BACKTRACE_LOG_LEVEL if error.backtrace error_details << "\nCall stack:\n#{error.backtrace.join("\n")}" else error_details << "\nCall stack:\nNone" end end if msg.is_a?(Exception) $dispatcher.log(LOG_ERROR, src, log_level,"#{error_details}") else $dispatcher.log(LOG_ERROR, src, log_level,"#{msg} - #{error_details}") end end end |
#get_log_level(src) ⇒ Object
213 214 215 |
# File 'lib/rex/logging/log_dispatcher.rb', line 213 def get_log_level(src) $dispatcher.get_level(src) end |
#handle_credential_login(data, mod) ⇒ Object
Handles login report that does not necessarily need to include a password
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 |
# File 'lib/msf/core/module/external.rb', line 133 def handle_credential_login(data, mod) # Required service_data = { address: data['address'], port: data['port'], protocol: data['protocol'], service_name: data['service_name'], module_fullname: self.fullname, workspace_id: myworkspace_id } # Optional credential_data = { origin_type: :service, username: data['username'] }.merge(service_data) if data.has_key?(:password) credential_data[:private_data] = data['password'] credential_data[:private_type] = :password end login_data = { core: create_credential(credential_data), last_attempted_at: DateTime.now, status: Metasploit::Model::Login::Status::SUCCESSFUL, }.merge(service_data) create_credential_login(login_data) end |
#hash_to_hashcat(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format hashcat is expecting. hashcat.net/wiki/doku.php?id=example_hashes
7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
# File 'lib/metasploit/framework/password_crackers/hashcat/formatter.rb', line 7 def hash_to_hashcat(cred) case cred.private.type when 'Metasploit::Credential::NTLMHash' both = cred.private.data.split(":") if both[0].upcase == 'AAD3B435B51404EEAAD3B435B51404EE' #lanman empty, return ntlm return both[1] # ntlm hash-mode: 1000 end return both[0] #give lanman, hash-mode: 3000 when 'Metasploit::Credential::PostgresMD5' #hash-mode: 12 if cred.private.jtr_format =~ /postgres|raw-md5/ hash_string = cred.private.data hash_string.gsub!(/^md5/, '') return "#{hash_string}:#{cred.public.username}" end when 'Metasploit::Credential::NonreplayableHash' case cred.private.jtr_format # oracle 11+ password hash descriptions: # this password is stored as a long ascii string with several sections # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/ # example: # hash = [] # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;" # hash << "H:DC9894A01797D91D92ECA1DA66242209;" # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C" # puts hash.join('') # S: = 60 characters -> sha1(password + salt (10 bytes)) # 40 char sha1, 20 char salt # hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C # salt is 6271691FC55C1F56554A # H: = 32 characters # legacy MD5 # T: = 160 characters # PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+) when /hmac-md5/ data = cred.private.data.split('#') password = Rex::Text.encode_base64("#{cred.public.username} #{data[1]}") return "$cram_md5$#{Rex::Text.encode_base64(data[0])}$#{password}" when /raw-sha1|oracle11/ # oracle 11, hash-mode: 112 if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11 # hashcat wants a 40 character string, : 20 character string return $1.scan(/.{1,40}/m).join(':').downcase end when /oracle12c/ if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c, hash-mode: 12300 return $1.upcase end when /dynamic_1506|postgres/ #this may not be correct if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11, hash-mode: 3100 return "#{$1}:#{cred.public.username}" end when /oracle/ # oracle if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c, hash-mode: 3100 return "#{cred.private.data}" end when /dynamic_82/ return cred.private.data.sub('$HEX$', ':').sub('$dynamic_82$','') when /mysql-sha1/ # lowercase, and remove the first character if its a * return cred.private.data.downcase.sub('*','') when /md5|des|bsdi|crypt|bf/, /mssql|mssql05|mssql12|mysql/, /sha256|sha-256/, /sha512|sha-512/, /xsha|xsha512|PBKDF2-HMAC-SHA512/, /mediawiki|phpass|PBKDF2-HMAC-SHA1/, /android-sha1/, /android-samsung-sha1/, /android-md5/, /ssha/, /raw-sha512/ # md5(crypt), des(crypt), b(crypt), sha256, sha512, xsha, xsha512, PBKDF2-HMAC-SHA512 # hash-mode: 500 1500 3200 7400 1800 122 1722 7100 # mssql, mssql05, mssql12, mysql, mysql-sha1 # hash-mode: 131, 132, 1731 200 300 # mediawiki, phpass, PBKDF2-HMAC-SHA1 # hash-mode: 3711, 400, 12001 # android-sha1 # hash-mode: 5800 # ssha, raw-sha512 # hash-mode: 111, 1700 return cred.private.data when /^mscash$/ # hash-mode: 1100 data = cred.private.data.split(':').first if /^M\$(?<salt>[[:print:]]+)#(?<hash>[\da-fA-F]{32})/ =~ data return "#{hash}:#{salt}" end when /^mscash2$/ # hash-mode: 2100 return cred.private.data.split(':').first end end nil end |
#hash_to_jtr(cred) ⇒ String
This method takes a frameworkframework.dbframework.db.cred, and normalizes it to the string format JTR is expecting.
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
# File 'lib/metasploit/framework/password_crackers/jtr/formatter.rb', line 6 def hash_to_jtr(cred) case cred.private.type when 'Metasploit::Credential::NTLMHash' return "#{cred.public.username}:#{cred.id}:#{cred.private.data}:::#{cred.id}" when 'Metasploit::Credential::PostgresMD5' if cred.private.jtr_format =~ /postgres|raw-md5/ # john --list=subformats | grep 'PostgreSQL MD5' #UserFormat = dynamic_1034 type = dynamic_1034: md5($p.$u) (PostgreSQL MD5) hash_string = cred.private.data hash_string.gsub!(/^md5/, '') return "#{cred.public.username}:$dynamic_1034$#{hash_string}" end when 'Metasploit::Credential::NonreplayableHash' case cred.private.jtr_format # oracle 11+ password hash descriptions: # this password is stored as a long ascii string with several sections # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/ # example: # hash = [] # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;" # hash << "H:DC9894A01797D91D92ECA1DA66242209;" # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C" # puts hash.join('') # S: = 60 characters -> sha1(password + salt (10 bytes)) # 40 char sha1, 20 char salt # hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C # salt is 6271691FC55C1F56554A # H: = 32 characters # legacy MD5 # T: = 160 characters # PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+) when /raw-sha1|oracle11/ # oracle 11 if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11 return "#{cred.public.username}:#{$1}:#{cred.id}:" end when /oracle12c/ if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c return "#{cred.public.username}:$oracle12c$#{$1.downcase}:#{cred.id}:" end when /dynamic_1506/ if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11 return "#{cred.public.username.upcase}:$dynamic_1506$#{$1}:#{cred.id}:" end when /oracle/ # oracle if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c return "#{cred.public.username}:O$#{cred.public.username}##{cred.private.data}:#{cred.id}:" end when /md5|des|bsdi|crypt|bf|sha256|sha512|xsha512/ # md5(crypt), des(crypt), b(crypt), sha256(crypt), sha512(crypt), xsha512 return "#{cred.public.username}:#{cred.private.data}:::::#{cred.id}:" when /qnx/ # https://moar.so/blog/qnx-password-hash-formats.html hash = cred.private.data.end_with?(':0:0') ? cred.private.data : "#{cred.private.data}:0:0" return "#{cred.public.username}:#{hash}" when /Raw-MD5u/ # This is just md5(unicode($p)), where $p is the password. # Avira uses to store their passwords, there may be other apps that also use this though. # The trailing : shows an empty salt. This is because hashcat only has one unicode hash # format which is combatible, type 30, but that is listed as md5(utf16le($pass).$salt) # with a sample hash of b31d032cfdcf47a399990a71e43c5d2a:144816. So this just outputs # The hash as *hash*: so that it is both JTR and hashcat compatible return "#{cred.private.data}:" else # /mysql|mysql-sha1/ # /mssql|mssql05|mssql12/ # /des(crypt)/ # /mediawiki|phpass|atlassian/ # /dynamic_82/ # /ssha/ # /raw-sha512/ return "#{cred.public.username}:#{cred.private.data}:#{cred.id}:" end end nil end |
#identify_hash(hash) ⇒ Object
Resource list:
https://code.google.com/archive/p/hash-identifier/
https://github.com/psypanda/hashID
https://hashcat.net/wiki/doku.php?id=example_hashes
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
https://openwall.info/wiki/john/sample-hashes
QNX formats -> https://moar.so/blog/qnx-password-hash-formats.html
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
# File 'lib/metasploit/framework/hashes/identify.rb', line 15 def identify_hash(hash) hash = hash.to_s.strip case # operating systems when hash.start_with?('$1$') && hash.length == 34 return 'md5' when hash.start_with?('$2$') && hash.length == 59, hash.start_with?('$2a$') && hash.length == 60, hash.start_with?('$2b$') && hash.length == 60, hash.start_with?('$2x$') && hash.length == 60, hash.start_with?('$2y$') && hash.length == 60 return 'bf' #bcrypt when hash.start_with?('$5$') && hash.split('$').last.length == 43 # we dont check full length since it may have 'rounds=' in the [1] area or not with an arbitrary length number return 'sha256,crypt' when hash.start_with?('$6$') && hash.split('$').last.length == 86 # we dont check full length since it may have 'rounds=' in the [1] area or not with an arbitrary length number return 'sha512,crypt' when hash.start_with?('@S@') && hash.length == 148 return 'qnx,sha512' when hash.start_with?('@s@') && hash.length == 84 return 'qnx,sha256' when hash.start_with?('@m@') && hash.length == 52 return 'qnx,md5' when hash.start_with?('_') && hash.length == 20 return 'des,bsdi,crypt' when hash =~ /^[\.\/\dA-Za-z]{13}$/ # hash.length == 13 return 'des,crypt' when hash =~ /^\$dynamic_82\$[\da-f]{128}\$HEX\$[\da-f]{32}$/ # jtr vmware ldap https://github.com/rapid7/metasploit-framework/pull/13865#issuecomment-660718108 return 'dynamic_82' when hash.start_with?(/{SSHA}/i) return 'ssha' when hash.start_with?(/{SHA512}/i) return 'raw-sha512' when hash.start_with?(/{SHA}/i) return 'raw-sha1' when hash.start_with?(/{MD5}/i) return 'raw-md5' when hash.start_with?(/{SMD5}/i) return 'smd5' when hash.start_with?(/{SSHA256}/i) return 'ssha256' when hash.start_with?(/{SSHA512}/i) return 'ssha512' # windows when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ && hash.split(':').first.upcase == 'AAD3B435B51404EEAAD3B435B51404EE' return 'nt' when hash.length == 65 && hash =~ /^[\da-fA-F]{32}:[\da-fA-F]{32}$/ return 'lm' # OSX when hash.start_with?('$ml$') && hash.split('$').last.length == 256 return 'pbkdf2-hmac-sha512,osx' # 10.8+ when hash =~ /^[\da-fA-F]{48}$/ # hash.length == 48 return 'xsha,osx' # 10.4-10.6 # databases when hash.start_with?('0x0100') && hash.length == 54 return 'mssql05' when hash.start_with?('0x0100') && hash.length == 94 return 'mssql' when hash.start_with?('0x0200') && hash.length == 142 return 'mssql12' when hash =~ /^[\da-f]{16}$/ # hash.length == 16 return 'mysql' # mysql323 (pre 4.1) when hash.start_with?('*') && hash.length == 41 return 'mysql-sha1' # mysql 4.1+ when hash.start_with?('md5') && hash.length == 35 return 'postgres' when hash =~ /^[\da-fA-F]{16}$/ return 'des,oracle' # pre 11g when hash =~ /^S:[\dA-F]{60}$/ return 'raw-sha1,oracle11' when hash =~ /^S:[\dA-F]{60};H:[\dA-F]{32};T:[\dA-F]{160}$/ return 'raw-sha1,oracle' when hash =~ /^H:[\dA-F]{32};T:[\dA-F]{160}$/ return 'pbkdf2,oracle12c' # webapps when hash.start_with?('$P$') && hash.length == 34, hash.start_with?('$H$') && hash.length == 34 return 'phpass' # wordpress, drupal, phpbb3 (H not P) when hash.start_with?('$ml$') && hash.length == 203 return 'PBKDF2-HMAC-SHA512' when hash.start_with?('{PKCS5S2}') && hash.length == 73 return 'PBKDF2-HMAC-SHA1' when hash.start_with?('$B$') && hash.split('$').last.length == 32 return 'mediawiki' # mobile when hash =~/^[A-F0-9]{40}:[a-f0-9]{16}$/ return 'android-sha1' when hash =~/^[A-F0-9]{32}:[a-f0-9]{16}$/ return 'android-md5' # other when hash =~ /^<\d+@.+?>#[\w]{32}$/ return 'hmac-md5' when hash.length == 114 && hash.start_with?('$M$') return 'F5-Secure-Vault' when hash =~ /^M\$[[:print:]]+#[\da-fA-F]{32}(?:(?::[[:print:]]*$)|$)/ return 'mscash' when hash =~ /^\$DCC2\$\d+#[[:print:]]+#[\da-fA-F]{32}(?:(?::[[:print:]]*$)|$)/ return 'mscash2' end '' end |
#ilog(msg, src = 'core', level = 0) ⇒ Object
183 184 185 |
# File 'lib/rex/logging/log_dispatcher.rb', line 183 def ilog(msg, src = 'core', level = 0) $dispatcher.log(LOG_INFO, src, level, msg) end |
#join ⇒ Object
$Id$ $Revision$
6 |
# File 'plugins/lab.rb', line 6 $:.unshift(File.join(File.(File.dirname(__FILE__)), '..', 'lib', 'lab')) |
#log_source_registered?(src) ⇒ Boolean
195 196 197 |
# File 'lib/rex/logging/log_dispatcher.rb', line 195 def log_source_registered?(src) ($dispatcher[src] != nil) end |
#print_error(msg, exception = nil) ⇒ Object
91 92 93 94 95 96 97 98 99 100 101 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 91 def print_error(msg, exception = nil) unless exception.nil? msg += "\n Call Stack:" exception.backtrace.each {|line| msg += "\n" msg += "\t #{line}" } end $console_printer.print_error(msg) end |
#print_good(msg) ⇒ Object
87 88 89 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 87 def print_good(msg) $console_printer.print_good(msg) end |
#print_line(msg) ⇒ Object
79 80 81 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 79 def print_line(msg) $console_printer.print_line(msg) end |
#print_warning(msg) ⇒ Object
83 84 85 |
# File 'lib/msf/core/web_services/http_db_manager_service.rb', line 83 def print_warning(msg) $console_printer.print_warning(msg) end |
#register_log_source(src, sink, level = nil) ⇒ Object
199 200 201 202 203 |
# File 'lib/rex/logging/log_dispatcher.rb', line 199 def register_log_source(src, sink, level = nil) $dispatcher[src] = sink set_log_level(src, level) if (level) end |
#rlog(msg, src = 'core', level = 0) ⇒ Object
187 188 189 190 191 192 193 |
# File 'lib/rex/logging/log_dispatcher.rb', line 187 def rlog(msg, src = 'core', level = 0) if (msg == ExceptionCallStack) msg = "\nCall stack:\n" + $@.join("\n") + "\n" end $dispatcher.log(LOG_RAW, src, level, msg) end |
#set_log_level(src, level) ⇒ Object
209 210 211 |
# File 'lib/rex/logging/log_dispatcher.rb', line 209 def set_log_level(src, level) $dispatcher.set_level(src, level) end |
#uri ⇒ Object
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. metasploit.com/framework/
9 |
# File 'lib/msf/core/auxiliary/web/http.rb', line 9 require 'uri' |
#wlog(msg, src = 'core', level = 0) ⇒ Object
179 180 181 |
# File 'lib/rex/logging/log_dispatcher.rb', line 179 def wlog(msg, src = 'core', level = 0) $dispatcher.log(LOG_WARN, src, level, msg) end |