Top Level Namespace
Includes: ERB::Util, Rex::Post::Permission, WindowsError::Win32
Defined Under Namespace
Modules: CredentialDataProxy, CredentialDataService, DataProxyAutoLoader, DataServiceAutoLoader, DbExportDataProxy, DbExportDataService, DbImportDataProxy, DbImportDataService, EventDataProxy, EventDataService, ExploitDataProxy, ExploitDataService, HostDataProxy, HostDataService, HrrRbSsh, IPSFilter, LoginDataProxy, LoginDataService, LootDataProxy, LootDataService, Metasploit, ModuleDataService, Msf, MsfDataProxy, MsfDataService, Nexpose, NmapDataProxy, NoteDataProxy, NoteDataService, PayloadDataProxy, PayloadDataService, QueryService, Redcarpet, RemoteCredentialDataService, RemoteDbExportDataService, RemoteDbImportDataService, RemoteEventDataService, RemoteExploitDataService, RemoteHostDataService, RemoteLoginDataService, RemoteLootDataService, RemoteMsfDataService, RemoteNmapDataService, RemoteNoteDataService, RemotePayloadDataService, RemoteRouteDataService, RemoteServiceDataService, RemoteSessionDataService, RemoteSessionEventDataService, RemoteVulnAttemptDataService, RemoteVulnDataService, RemoteWebDataService, RemoteWorkspaceDataService, ResponseDataHelper, Rex, RouteDataProxy, RouteDataService, ServiceDataProxy, ServiceDataService, SessionDataProxy, SessionDataService, SessionEventDataProxy, SessionEventDataService, SocketLogger, VulnAttemptDataProxy, VulnDataProxy, VulnDataService, WebDataProxy, WebDataService, WorkspaceDataProxy, WorkspaceDataService
Classes: ApplicationRecord, OpenPipeSock, QueryMeta, RouteArray, Search, SimpleClientPipe, TDSSSLProxy
Constant Summary
- MSF_LICENSE =
Licenses
"Metasploit Framework License (BSD)"
- GPL_LICENSE =
"GNU Public License v2.0"
- BSD_LICENSE =
"BSD License"
- CORE_LICENSE =
"CORE Security License (Apache 1.1)"
- ARTISTIC_LICENSE =
"Perl Artistic License"
- UNKNOWN_LICENSE =
"Unknown License"
- LICENSES =
[ MSF_LICENSE, GPL_LICENSE, BSD_LICENSE, CORE_LICENSE, ARTISTIC_LICENSE, UNKNOWN_LICENSE ]
- ExceptionCallStack =
An instance of the log dispatcher exists in the global namespace, along with stubs for many of the common logging methods. Various sources can register themselves as a log sink such that logs can be directed at various targets depending on where they’re sourced from. By doing it this way, things like sessions can use the global logging stubs and still be directed at the correct log file.
"__EXCEPTCALLSTACK__"
- BACKTRACE_LOG_LEVEL =
Equal to LEV_3
3
- DEFAULT_LOG_LEVEL =
Equal to LEV_0
0
- AF_INET =
Net
2
- AF_INET6 =
23
- DELETE =
Permissions
0x00010000
- READ_CONTROL =
0x00020000
- WRITE_DAC =
0x00040000
- WRITE_OWNER =
0x00080000
- SYNCHRONIZE =
0x00100000
- STANDARD_RIGHTS_REQUIRED =
0x000f0000
- STANDARD_RIGHTS_READ =
READ_CONTROL
- STANDARD_RIGHTS_WRITE =
READ_CONTROL
- STANDARD_RIGHTS_EXECUTE =
READ_CONTROL
- STANDARD_RIGHTS_ALL =
0x001f0000
- SPECIFIC_RIGHTS_ALL =
0x0000ffff
- MAXIMUM_ALLOWED =
0x02000000
- GENERIC_READ =
0x80000000
- GENERIC_WRITE =
0x40000000
- GENERIC_EXECUTE =
0x20000000
- GENERIC_ALL =
0x10000000
- PAGE_NOACCESS =
Page Protections
0x00000001
- PAGE_READONLY =
0x00000002
- PAGE_READWRITE =
0x00000004
- PAGE_WRITECOPY =
0x00000008
- PAGE_EXECUTE =
0x00000010
- PAGE_EXECUTE_READ =
0x00000020
- PAGE_EXECUTE_READWRITE =
0x00000040
- PAGE_EXECUTE_WRITECOPY =
0x00000080
- PAGE_GUARD =
0x00000100
- PAGE_NOCACHE =
0x00000200
- PAGE_WRITECOMBINE =
0x00000400
- MEM_COMMIT =
0x00001000
- MEM_RESERVE =
0x00002000
- MEM_DECOMMIT =
0x00004000
- MEM_RELEASE =
0x00008000
- MEM_FREE =
0x00010000
- MEM_PRIVATE =
0x00020000
- MEM_MAPPED =
0x00040000
- MEM_RESET =
0x00080000
- MEM_TOP_DOWN =
0x00100000
- MEM_WRITE_WATCH =
0x00200000
- MEM_PHYSICAL =
0x00400000
- MEM_LARGE_PAGES =
0x20000000
- MEM_4MB_PAGES =
0x80000000
- SEC_FILE =
0x00800000
- SEC_IMAGE =
0x01000000
- SEC_RESERVE =
0x04000000
- SEC_COMMIT =
0x08000000
- SEC_NOCACHE =
0x10000000
- MEM_IMAGE =
SEC_IMAGE
- KEY_QUERY_VALUE =
Registry Permissions
0x00000001
- KEY_SET_VALUE =
0x00000002
- KEY_CREATE_SUB_KEY =
0x00000004
- KEY_ENUMERATE_SUB_KEYS =
0x00000008
- KEY_NOTIFY =
0x00000010
- KEY_CREATE_LINK =
0x00000020
- KEY_WOW64_64KEY =
0x00000100
- KEY_WOW64_32KEY =
0x00000200
- KEY_READ =
(STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE
- KEY_WRITE =
(STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE
- KEY_EXECUTE =
KEY_READ
- KEY_ALL_ACCESS =
(STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK) & ~SYNCHRONIZE
- HKEY_CLASSES_ROOT =
Registry
0x80000000
- HKEY_CURRENT_USER =
0x80000001
- HKEY_LOCAL_MACHINE =
0x80000002
- HKEY_USERS =
0x80000003
- HKEY_PERFORMANCE_DATA =
0x80000004
- HKEY_CURRENT_CONFIG =
0x80000005
- HKEY_DYN_DATA =
0x80000006
- REG_NONE =
0
- REG_SZ =
1
- REG_EXPAND_SZ =
2
- REG_BINARY =
3
- REG_DWORD =
4
- REG_DWORD_LITTLE_ENDIAN =
4
- REG_DWORD_BIG_ENDIAN =
5
- REG_LINK =
6
- REG_MULTI_SZ =
7
- REG_QWORD =
11
- PROCESS_TERMINATE =
Process Permissions
0x00000001
- PROCESS_CREATE_THREAD =
0x00000002
- PROCESS_SET_SESSIONID =
0x00000004
- PROCESS_VM_OPERATION =
0x00000008
- PROCESS_VM_READ =
0x00000010
- PROCESS_VM_WRITE =
0x00000020
- PROCESS_DUP_HANDLE =
0x00000040
- PROCESS_CREATE_PROCESS =
0x00000080
- PROCESS_SET_QUOTA =
0x00000100
- PROCESS_SET_INFORMATION =
0x00000200
- PROCESS_QUERY_INFORMATION =
0x00000400
- PROCESS_SUSPEND_RESUME =
0x00000800
- PROCESS_ALL_ACCESS =
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
- THREAD_TERMINATE =
Thread Permissions
0x00000001
- THREAD_SUSPEND_RESUME =
0x00000002
- THREAD_GET_CONTEXT =
0x00000008
- THREAD_SET_CONTEXT =
0x00000010
- THREAD_SET_INFORMATION =
0x00000020
- THREAD_QUERY_INFORMATION =
0x00000040
- THREAD_SET_THREAD_TOKEN =
0x00000080
- THREAD_IMPERSONATE =
0x00000100
- THREAD_DIRECT_IMPERSONATION =
0x00000200
- THREAD_ALL_ACCESS =
STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x3FF
- CREATE_SUSPENDED =
Creation flags
0x00000004
- EVENTLOG_SEQUENTIAL_READ =
Event Log
0x00000001
- EVENTLOG_SEEK_READ =
0x00000002
- EVENTLOG_FORWARDS_READ =
0x00000004
- EVENTLOG_BACKWARDS_READ =
0x00000008
- EWX_LOGOFF =
Event Log
0
- EWX_SHUTDOWN =
0x00000001
- EWX_REBOOT =
0x00000002
- EWX_FORCE =
0x00000004
- EWX_POWEROFF =
0x00000008
- EWX_FORCEIFHUNG =
0x00000010
- SHTDN_REASON_MINOR_DC_PROMOTION =
Shutdown Reason Codes
0x00000021
- SHTDN_REASON_MAJOR_APPLICATION =
0x00040000
- SHTDN_REASON_MAJOR_HARDWARE =
0x00010000
- SHTDN_REASON_FLAG_COMMENT_REQUIRED =
0x01000000
- SHTDN_REASON_FLAG_DIRTY_UI =
0x08000000
- SHTDN_REASON_MINOR_UNSTABLE =
0x00000006
- SHTDN_REASON_MINOR_SECURITYFIX_UNINSTALL =
0x00000018
- SHTDN_REASON_MINOR_ENVIRONMENT =
0x00000000
- SHTDN_REASON_MAJOR_LEGACY_API =
0x00070000
- SHTDN_REASON_MINOR_DC_DEMOTION =
0x00000022
- SHTDN_REASON_MINOR_SECURITYFIX =
0x00000012
- SHTDN_REASON_FLAG_CLEAN_UI =
0x04000000
- SHTDN_REASON_MINOR_HOTFIX =
0x00000011
- SHTDN_REASON_MINOR_CORDUNPLUGGED =
0x00000000
- SHTDN_REASON_MINOR_HOTFIX_UNINSTALL =
0x00000017
- SHTDN_REASON_FLAG_USER_DEFINED =
0x40000000
- SHTDN_REASON_MINOR_SYSTEMRESTORE =
0x00000001
- SHTDN_REASON_MINOR_OTHERDRIVER =
0x00000000
- SHTDN_REASON_MINOR_WMI =
0x00000015
- SHTDN_REASON_MINOR_INSTALLATION =
0x00000002
- SHTDN_REASON_MINOR_BLUESCREEN =
0x0000000F
- SHTDN_REASON_MAJOR_SOFTWARE =
0x00030000
- SHTDN_REASON_MINOR_NETWORKCARD =
0x00000009
- SHTDN_REASON_MINOR_SERVICEPACK_UNINSTALL =
0x00000016
- SHTDN_REASON_MINOR_SERVICEPACK =
0x00000010
- SHTDN_REASON_MINOR_UPGRADE =
0x00000003
- SHTDN_REASON_FLAG_PLANNED =
0x80000000
- SHTDN_REASON_MINOR_MMC =
0x00000019
- SHTDN_REASON_MINOR_POWER_SUPPLY =
0x00000000
- SHTDN_REASON_MINOR_MAINTENANCE =
0x00000001
- SHTDN_REASON_VALID_BIT_MASK =
0x00000000
- SHTDN_REASON_MAJOR_NONE =
0x00000000
- SHTDN_REASON_MAJOR_POWER =
0x00060000
- SHTDN_REASON_FLAG_DIRTY_PROBLEM_ID_REQUIRED =
0x02000000
- SHTDN_REASON_MINOR_OTHER =
0x00000000
- SHTDN_REASON_MINOR_PROCESSOR =
0x00000008
- SHTDN_REASON_MAJOR_OTHER =
0x00000000
- SHTDN_REASON_MINOR_DISK =
0x00000007
- SHTDN_REASON_MINOR_NETWORK_CONNECTIVITY =
0x00000014
- SHTDN_REASON_MAJOR_OPERATINGSYSTEM =
0x00020000
- SHTDN_REASON_MINOR_HUNG =
0x00000005
- SHTDN_REASON_MINOR_TERMSRV =
0x00000020
- SHTDN_REASON_MINOR_NONE =
0x00000000
- SHTDN_REASON_MINOR_RECONFIG =
0x00000004
- SHTDN_REASON_MAJOR_SYSTEM =
0x00050000
- SHTDN_REASON_MINOR_HARDWARE_DRIVER =
0x00000000
- SHTDN_REASON_MINOR_SECURITY =
0x00000013
- SHTDN_REASON_DEFAULT =
SHTDN_REASON_MAJOR_OTHER | SHTDN_REASON_MINOR_OTHER
- VirtualKeyCodes =
Keyboard Mappings
{ 1 => %W{ LClick }, 2 => %W{ RClick }, 3 => %W{ Cancel }, 4 => %W{ MClick }, 8 => %W{ Back }, 9 => %W{ Tab }, 10 => %W{ Newline }, 12 => %W{ Clear }, 13 => %W{ Return }, 16 => %W{ Shift }, 17 => %W{ Ctrl }, 18 => %W{ Alt }, 19 => %W{ Pause }, 20 => %W{ CapsLock }, 27 => %W{ Esc }, 32 => %W{ Space }, 33 => %W{ Prior }, 34 => %W{ Next }, 35 => %W{ End }, 36 => %W{ Home }, 37 => %W{ Left }, 38 => %W{ Up }, 39 => %W{ Right }, 40 => %W{ Down }, 41 => %W{ Select }, 42 => %W{ Print }, 43 => %W{ Execute }, 44 => %W{ Snapshot }, 45 => %W{ Insert }, 46 => %W{ Delete }, 47 => %W{ Help }, 48 => %W{ 0 )}, 49 => %W{ 1 !}, 50 => %W{ 2 @}, 51 => %W{ 3 #}, 52 => %W{ 4 $}, 53 => %W{ 5 %}, 54 => %W{ 6 ^}, 55 => %W{ 7 &}, 56 => %W{ 8 *}, 57 => %W{ 9 (}, 65 => %W{ a A}, 66 => %W{ b B}, 67 => %W{ c C}, 68 => %W{ d D}, 69 => %W{ e E}, 70 => %W{ f F}, 71 => %W{ g G}, 72 => %W{ h H}, 73 => %W{ i I}, 74 => %W{ j J}, 75 => %W{ k K}, 76 => %W{ l L}, 77 => %W{ m M}, 78 => %W{ n N}, 79 => %W{ o O}, 80 => %W{ p P}, 81 => %W{ q Q}, 82 => %W{ r R}, 83 => %W{ s S}, 84 => %W{ t T}, 85 => %W{ u U}, 86 => %W{ v V}, 87 => %W{ w W}, 88 => %W{ x X}, 89 => %W{ y Y}, 90 => %W{ z Z}, 91 => %W{ LWin }, 92 => %W{ RWin }, 93 => %W{ Apps }, 95 => %W{ Sleep }, 96 => %W{ N0 }, 97 => %W{ N1 }, 98 => %W{ N2 }, 99 => %W{ N3 }, 100 => %W{ N4 }, 101 => %W{ N5 }, 102 => %W{ N6 }, 103 => %W{ N7 }, 104 => %W{ N8 }, 105 => %W{ N9 }, 106 => %W{ Multiply }, 107 => %W{ Add }, 108 => %W{ Separator }, 109 => %W{ Subtract }, 110 => %W{ Decimal }, 111 => %W{ Divide }, 112 => %W{ F1 }, 113 => %W{ F2 }, 114 => %W{ F3 }, 115 => %W{ F4 }, 116 => %W{ F5 }, 117 => %W{ F6 }, 118 => %W{ F7 }, 119 => %W{ F8 }, 120 => %W{ F9 }, 121 => %W{ F10 }, 122 => %W{ F11 }, 123 => %W{ F12 }, 124 => %W{ F13 }, 125 => %W{ F14 }, 126 => %W{ F15 }, 127 => %W{ F16 }, 128 => %W{ F17 }, 129 => %W{ F18 }, 130 => %W{ F19 }, 131 => %W{ F20 }, 132 => %W{ F21 }, 133 => %W{ F22 }, 134 => %W{ F23 }, 135 => %W{ F24 }, 144 => %W{ NumLock }, 145 => %W{ Scroll }, 
160 => %W{ LShift }, 161 => %W{ RShift }, 162 => %W{ LCtrl }, 163 => %W{ RCtrl }, 164 => %W{ LMenu }, 165 => %W{ RMenu }, 166 => %W{ Back }, 167 => %W{ Forward }, 168 => %W{ Refresh }, 169 => %W{ Stop }, 170 => %W{ Search }, 171 => %W{ Favorites }, 172 => %W{ Home }, 176 => %W{ Forward }, 177 => %W{ Reverse }, 178 => %W{ Stop }, 179 => %W{ Play }, 186 => %W{ ; :}, 187 => %W{ = +}, 188 => %W{ , <}, 189 => %W{ - _}, 190 => %W{ . >}, 191 => %W{ / ?}, 192 => %W{ ' ~}, 219 => %W| [ {|, 220 => %W{ \ |}, 221 => %W| ] }|, 222 => %W{ ' Quotes}, }
Constants included from Rex::Post::Permission
Rex::Post::Permission::GEN_EXEC, Rex::Post::Permission::GEN_NONE, Rex::Post::Permission::GEN_READ, Rex::Post::Permission::GEN_WRITE, Rex::Post::Permission::PROCESS_ALL, Rex::Post::Permission::PROCESS_EXECUTE, Rex::Post::Permission::PROCESS_READ, Rex::Post::Permission::PROCESS_WRITE, Rex::Post::Permission::PROT_COW, Rex::Post::Permission::PROT_EXEC, Rex::Post::Permission::PROT_NONE, Rex::Post::Permission::PROT_READ, Rex::Post::Permission::PROT_WRITE, Rex::Post::Permission::THREAD_ALL, Rex::Post::Permission::THREAD_EXECUTE, Rex::Post::Permission::THREAD_READ, Rex::Post::Permission::THREAD_WRITE
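As an added example (not code from this page or from the Metasploit code base), the Ruby below evaluates the composite access-mask expressions listed above and decodes a raw access mask, such as the granted-access value recorded in a handle audit event, into the flag names the page defines. The module name WinAccess, the decode and grants? helpers and the sample masks are constructed here; the constant values are the ones listed above.

```ruby
# Added example: constant values copied from the page; WinAccess, decode,
# grants? and the sample masks are constructed for illustration.
module WinAccess
  # Standard and generic rights ("Permissions" above)
  DELETE       = 0x00010000
  READ_CONTROL = 0x00020000
  WRITE_DAC    = 0x00040000
  WRITE_OWNER  = 0x00080000
  SYNCHRONIZE  = 0x00100000
  STANDARD_RIGHTS_REQUIRED = 0x000f0000
  STANDARD_RIGHTS_READ     = READ_CONTROL
  STANDARD_RIGHTS_WRITE    = READ_CONTROL
  STANDARD_RIGHTS_ALL      = 0x001f0000
  GENERIC_READ    = 0x80000000
  GENERIC_WRITE   = 0x40000000
  GENERIC_EXECUTE = 0x20000000
  GENERIC_ALL     = 0x10000000

  # Registry-specific rights ("Registry Permissions" above)
  KEY_QUERY_VALUE        = 0x00000001
  KEY_SET_VALUE          = 0x00000002
  KEY_CREATE_SUB_KEY     = 0x00000004
  KEY_ENUMERATE_SUB_KEYS = 0x00000008
  KEY_NOTIFY             = 0x00000010
  KEY_CREATE_LINK        = 0x00000020
  # Composite rights exactly as the page defines them; masking off SYNCHRONIZE
  # is what keeps KEY_READ at 0x20019 rather than 0x120019.
  KEY_READ  = (STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) & ~SYNCHRONIZE
  KEY_WRITE = (STANDARD_RIGHTS_WRITE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY) & ~SYNCHRONIZE
  KEY_ALL_ACCESS = (STANDARD_RIGHTS_ALL | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY |
                    KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK) & ~SYNCHRONIZE

  # Process-specific rights ("Process Permissions" above)
  PROCESS_TERMINATE         = 0x00000001
  PROCESS_CREATE_THREAD     = 0x00000002
  PROCESS_VM_OPERATION      = 0x00000008
  PROCESS_VM_READ           = 0x00000010
  PROCESS_VM_WRITE          = 0x00000020
  PROCESS_DUP_HANDLE        = 0x00000040
  PROCESS_CREATE_PROCESS    = 0x00000080
  PROCESS_QUERY_INFORMATION = 0x00000400
  PROCESS_SUSPEND_RESUME    = 0x00000800
  PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF

  # Single-bit flags only; composites such as KEY_READ would double-report.
  STANDARD = {
    'DELETE' => DELETE, 'READ_CONTROL' => READ_CONTROL, 'WRITE_DAC' => WRITE_DAC,
    'WRITE_OWNER' => WRITE_OWNER, 'SYNCHRONIZE' => SYNCHRONIZE,
    'GENERIC_READ' => GENERIC_READ, 'GENERIC_WRITE' => GENERIC_WRITE,
    'GENERIC_EXECUTE' => GENERIC_EXECUTE, 'GENERIC_ALL' => GENERIC_ALL
  }.freeze
  KEY_SPECIFIC = {
    'KEY_QUERY_VALUE' => KEY_QUERY_VALUE, 'KEY_SET_VALUE' => KEY_SET_VALUE,
    'KEY_CREATE_SUB_KEY' => KEY_CREATE_SUB_KEY, 'KEY_ENUMERATE_SUB_KEYS' => KEY_ENUMERATE_SUB_KEYS,
    'KEY_NOTIFY' => KEY_NOTIFY, 'KEY_CREATE_LINK' => KEY_CREATE_LINK
  }.freeze
  PROCESS_SPECIFIC = {
    'PROCESS_TERMINATE' => PROCESS_TERMINATE, 'PROCESS_CREATE_THREAD' => PROCESS_CREATE_THREAD,
    'PROCESS_VM_OPERATION' => PROCESS_VM_OPERATION, 'PROCESS_VM_READ' => PROCESS_VM_READ,
    'PROCESS_VM_WRITE' => PROCESS_VM_WRITE, 'PROCESS_DUP_HANDLE' => PROCESS_DUP_HANDLE,
    'PROCESS_CREATE_PROCESS' => PROCESS_CREATE_PROCESS,
    'PROCESS_QUERY_INFORMATION' => PROCESS_QUERY_INFORMATION,
    'PROCESS_SUSPEND_RESUME' => PROCESS_SUSPEND_RESUME
  }.freeze

  # Expand a raw 32-bit access mask into flag names. Bits that none of the
  # tables here name are kept visible as UNKNOWN(...) instead of being dropped.
  def self.decode(mask, specific)
    table = STANDARD.merge(specific)
    names = table.select { |_, bit| (mask & bit) == bit }.keys
    covered = table.values.reduce(0, :|)
    leftover = mask & ~covered
    names << format('UNKNOWN(0x%08x)', leftover) unless leftover.zero?
    names
  end

  # True when every bit of a composite right is present in the mask.
  def self.grants?(mask, composite)
    (mask & composite) == composite
  end
end
```

Decoding a mask with a bit outside the page's tables, such as 0x1010 against PROCESS_SPECIFIC, reports the undocumented 0x1000 bit as UNKNOWN rather than hiding it.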
Instance Method Summary
- #deregister_log_source(src) ⇒ Object
- #dlog(msg, src = 'core', level = 0) ⇒ Object
- #elog(msg, src = 'core', log_level = 0, error: nil) ⇒ NilClass
  Logs errors in a standard format for each Log Level.
- #get_log_level(src) ⇒ Object
- #handle_credential_login(data, mod) ⇒ Object
  Handles a login report that does not necessarily include a password.
- #hash_to_hashcat(cred) ⇒ String
  Takes a framework.db.cred and normalizes it to the string format hashcat expects.
- #hash_to_jtr(cred) ⇒ String
  Takes a framework.db.cred and normalizes it to the string format JTR expects.
- #ilog(msg, src = 'core', level = 0) ⇒ Object
- #join ⇒ Object
  $Id$ $Revision$.
- #log_source_registered?(src) ⇒ Boolean
- #register_log_source(src, sink, level = nil) ⇒ Object
- #rlog(msg, src = 'core', level = 0) ⇒ Object
- #set_log_level(src, level) ⇒ Object
- #uri ⇒ Object
  This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions.
- #wlog(msg, src = 'core', level = 0) ⇒ Object
Instance Method Details
#deregister_log_source(src) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 203
    def deregister_log_source(src)
      $dispatcher.delete(src)
    end
#dlog(msg, src = 'core', level = 0) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 133
    def dlog(msg, src = 'core', level = 0)
      $dispatcher.log(LOG_DEBUG, src, level, msg)
    end
#elog(msg, src = 'core', log_level = 0, error: nil) ⇒ NilClass
Logs errors in a standard format for each Log Level.
Parameters:
- msg: the message to log. Can also be an Exception, in which case a log is built from the Exception with no accompanying message.
- src: the logging source; defaults to 'core'.
- log_level: the verbosity level of this message. If it is greater than the global log level set for src, then the log is not recorded. Higher levels are reserved for increasingly detailed output (e.g. loop iterations, variables, function calls).
- error: an Exception. If provided, a detailed description of the exception is added to the log message. If the global log level set for src is greater than or equal to BACKTRACE_LOG_LEVEL, then the stack trace for the error is also added to the log message.
    # File 'lib/rex/logging/log_dispatcher.rb', line 154
    def elog(msg, src = 'core', log_level = 0, error: nil)
      # An Exception passed as msg is treated as the error itself
      error = msg.is_a?(Exception) ? msg : error

      if error.nil? || !error.is_a?(Exception)
        $dispatcher.log(LOG_ERROR, src, log_level, msg)
      else
        error_details = "#{error.class} #{error.message}"
        # The call stack is appended only once the source's level reaches BACKTRACE_LOG_LEVEL
        if get_log_level(src) >= BACKTRACE_LOG_LEVEL
          if error.backtrace
            error_details << "\nCall stack:\n#{error.backtrace.join("\n")}"
          else
            error_details << "\nCall stack:\nNone"
          end
        end

        if msg.is_a?(Exception)
          $dispatcher.log(LOG_ERROR, src, log_level, "#{error_details}")
        else
          $dispatcher.log(LOG_ERROR, src, log_level, "#{msg} - #{error_details}")
        end
      end
    end
#get_log_level(src) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 211
    def get_log_level(src)
      $dispatcher.get_level(src)
    end
#handle_credential_login(data, mod) ⇒ Object
Handles a login report that does not necessarily include a password.
    # File 'lib/msf/core/module/external.rb', line 139
    def handle_credential_login(data, mod)
      # Required
      service_data = {
        address: data['address'],
        port: data['port'],
        protocol: data['protocol'],
        service_name: data['service_name'],
        module_fullname: self.fullname,
        workspace_id: myworkspace_id
      }

      # Optional
      credential_data = {
        origin_type: :service,
        username: data['username']
      }.merge(service_data)

      # data carries string keys (see the lookups above), so the presence check
      # uses the string key as well; the original checked the symbol :password,
      # which never matched and so never recorded the password.
      if data.has_key?('password')
        credential_data[:private_data] = data['password']
        credential_data[:private_type] = :password
      end

      if data.has_key?('domain')
        credential_data[:realm_value] = data['domain']
        credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
      end

      login_data = {
        core: create_credential(credential_data),
        last_attempted_at: DateTime.now,
        status: Metasploit::Model::Login::Status::SUCCESSFUL,
      }.merge(service_data)

      create_credential_login(login_data)
    end
#hash_to_hashcat(cred) ⇒ String
This method takes a framework.db.cred and normalizes it to the string format hashcat is expecting; the expected formats are listed at hashcat.net/wiki/doku.php?id=example_hashes.
    # File 'lib/metasploit/framework/password_crackers/hashcat/formatter.rb', line 7
    def hash_to_hashcat(cred)
      case cred.private.type
      when 'Metasploit::Credential::NTLMHash'
        both = cred.private.data.split(':')
        if both[0].upcase == 'AAD3B435B51404EEAAD3B435B51404EE' # lanman empty, return ntlm
          return both[1] # ntlm hash-mode: 1000
        end
        return both[0] # give lanman, hash-mode: 3000
      when 'Metasploit::Credential::PostgresMD5'
        # hash-mode: 12
        if cred.private.jtr_format =~ /postgres|raw-md5/
          hash_string = cred.private.data
          hash_string.gsub!(/^md5/, '')
          return "#{hash_string}:#{cred.public.username}"
        end
      when 'Metasploit::Credential::NonreplayableHash'
        case cred.private.jtr_format
        # oracle 11+ password hash descriptions:
        # this password is stored as a long ascii string with several sections
        # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
        # example:
        # hash = []
        # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
        # hash << "H:DC9894A01797D91D92ECA1DA66242209;"
        # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
        # puts hash.join('')
        # S: = 60 characters -> sha1(password + salt (10 bytes))
        #      40 char sha1, 20 char salt
        #      hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C
        #      salt is 6271691FC55C1F56554A
        # H: = 32 characters
        #      legacy MD5
        # T: = 160 characters
        #      PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+)
        when /hmac-md5/
          data = cred.private.data.split('#')
          password = Rex::Text.encode_base64("#{cred.public.username} #{data[1]}")
          return "$cram_md5$#{Rex::Text.encode_base64(data[0])}$#{password}"
        when /raw-sha1|oracle11/ # oracle 11, hash-mode: 112
          if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11
            # hashcat wants a 40 character string, : 20 character string
            return Regexp.last_match(1).scan(/.{1,40}/m).join(':').downcase
          end
        when /oracle12c/
          if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c, hash-mode: 12300
            return Regexp.last_match(1).upcase
          end
        when /dynamic_1506|postgres/ # this may not be correct
          if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11, hash-mode: 3100
            return "#{Regexp.last_match(1)}:#{cred.public.username}"
          end
        when /oracle/ # oracle
          if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c, hash-mode: 3100
            return cred.private.data.to_s
          end
        when /dynamic_82/
          return cred.private.data.sub('$HEX$', ':').sub('$dynamic_82$', '')
        when /mysql-sha1/
          # lowercase, and remove the first character if it's a *
          return cred.private.data.downcase.sub('*', '')
        when /md5|des|bsdi|crypt|bf/,
             /mssql|mssql05|mssql12|mysql/,
             /sha256|sha-256/,
             /sha512|sha-512/,
             /xsha|xsha512|PBKDF2-HMAC-SHA512/,
             /mediawiki|phpass|PBKDF2-HMAC-SHA1/,
             /android-sha1/,
             /android-samsung-sha1/,
             /android-md5/,
             /ssha/,
             /raw-sha512/,
             /raw-sha256/
          # md5(crypt), des(crypt), b(crypt), sha256, sha512, xsha, xsha512, PBKDF2-HMAC-SHA512
          # hash-mode: 500 1500 3200 7400 1800 122 1722 7100
          # mssql, mssql05, mssql12, mysql, mysql-sha1
          # hash-mode: 131, 132, 1731 200 300
          # mediawiki, phpass, PBKDF2-HMAC-SHA1
          # hash-mode: 3711, 400, 12001
          # android-sha1
          # hash-mode: 5800
          # ssha, raw-sha512, raw-sha256
          # hash-mode: 111, 1700, 1400
          return cred.private.data
        when /^mscash$/ # hash-mode: 1100
          data = cred.private.data.split(':').first
          if /^M\$(?<salt>[[:print:]]+)#(?<hash>[\da-fA-F]{32})/ =~ data
            return "#{hash}:#{salt}"
          end
        when /^mscash2$/ # hash-mode: 2100
          return cred.private.data.split(':').first
        when /netntlm(v2)?/ # netntlm, netntlmv2
          # hash-mode: 5500 5600
          return cred.private.data
        when /^vnc$/
          # https://hashcat.net/forum/thread-8833.html
          # while we can do the transformation, we'd have to throw extra flags at hashcat
          # which aren't currently written into the lib for automation
          nil
        when /^krb5$/
          return cred.private.data.to_s
        end
      end
      nil
    end
#hash_to_jtr(cred) ⇒ String
This method takes a framework.db.cred and normalizes it to the string format JTR is expecting.
    # File 'lib/metasploit/framework/password_crackers/jtr/formatter.rb', line 6
    def hash_to_jtr(cred)
      case cred.private.type
      when 'Metasploit::Credential::NTLMHash'
        return "#{cred.public.username}:#{cred.id}:#{cred.private.data}:::#{cred.id}"
      when 'Metasploit::Credential::PostgresMD5'
        if cred.private.jtr_format =~ /postgres|raw-md5/
          # john --list=subformats | grep 'PostgreSQL MD5'
          # UserFormat = dynamic_1034 type = dynamic_1034: md5($p.$u) (PostgreSQL MD5)
          hash_string = cred.private.data
          hash_string.gsub!(/^md5/, '')
          return "#{cred.public.username}:$dynamic_1034$#{hash_string}"
        end
      when 'Metasploit::Credential::NonreplayableHash'
        case cred.private.jtr_format
        # oracle 11+ password hash descriptions:
        # this password is stored as a long ascii string with several sections
        # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
        # example:
        # hash = []
        # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
        # hash << "H:DC9894A01797D91D92ECA1DA66242209;"
        # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
        # puts hash.join('')
        # S: = 60 characters -> sha1(password + salt (10 bytes))
        #      40 char sha1, 20 char salt
        #      hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C
        #      salt is 6271691FC55C1F56554A
        # H: = 32 characters
        #      legacy MD5
        # T: = 160 characters
        #      PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+)
        when /raw-sha1|oracle11/ # oracle 11
          if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11
            return "#{cred.public.username}:#{Regexp.last_match(1)}:#{cred.id}:"
          end
        when /oracle12c/
          if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c
            return "#{cred.public.username}:$oracle12c$#{Regexp.last_match(1).downcase}:#{cred.id}:"
          end
        when /dynamic_1506/
          if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11
            return "#{cred.public.username.upcase}:$dynamic_1506$#{Regexp.last_match(1)}:#{cred.id}:"
          end
        when /oracle/ # oracle
          if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c
            return "#{cred.public.username}:O$#{cred.public.username}##{cred.private.data}:#{cred.id}:"
          end
        when /md5|des|bsdi|crypt|bf|sha256|sha512|xsha512/
          # md5(crypt), des(crypt), b(crypt), sha256(crypt), sha512(crypt), xsha512
          return "#{cred.public.username}:#{cred.private.data}:::::#{cred.id}:"
        when /netntlm/
          return "#{cred.private.data}::::::#{cred.id}:"
        when /qnx/
          # https://moar.so/blog/qnx-password-hash-formats.html
          hash = cred.private.data.end_with?(':0:0') ? cred.private.data : "#{cred.private.data}:0:0"
          return "#{cred.public.username}:#{hash}"
        when /Raw-MD5u/
          # This is just md5(unicode($p)), where $p is the password.
          # Avira uses this to store their passwords; there may be other apps that also use this though.
          # The trailing : shows an empty salt. This is because hashcat only has one unicode hash
          # format which is compatible, type 30, but that is listed as md5(utf16le($pass).$salt)
          # with a sample hash of b31d032cfdcf47a399990a71e43c5d2a:144816. So this just outputs
          # the hash as *hash*: so that it is both JTR and hashcat compatible
          return "#{cred.private.data}:"
        when /vnc/
          # add a beginning * if one is missing
          return "$vnc$#{cred.private.data.start_with?('*') ? cred.private.data.upcase : "*#{cred.private.data.upcase}"}"
        else
          # /mysql|mysql-sha1/
          # /mssql|mssql05|mssql12/
          # /des(crypt)/
          # /mediawiki|phpass|atlassian/
          # /dynamic_82/
          # /ssha/
          # /raw-sha512/
          # /raw-sha256/
          # This also handles *other* type credentials which aren't guaranteed to have a public
          return "#{cred.public.nil? ? ' ' : cred.public.username}:#{cred.private.data}:#{cred.id}:"
        end
      end
      nil
    end
#ilog(msg, src = 'core', level = 0) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 181
    def ilog(msg, src = 'core', level = 0)
      $dispatcher.log(LOG_INFO, src, level, msg)
    end
#join ⇒ Object
$Id$ $Revision$
    # File 'plugins/lab.rb', line 6
    $LOAD_PATH.unshift(File.join(__dir__, '..', 'lib', 'lab'))
#log_source_registered?(src) ⇒ Boolean
    # File 'lib/rex/logging/log_dispatcher.rb', line 193
    def log_source_registered?(src)
      ($dispatcher[src] != nil)
    end
#register_log_source(src, sink, level = nil) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 197
    def register_log_source(src, sink, level = nil)
      $dispatcher[src] = sink
      set_log_level(src, level) if (level)
    end
#rlog(msg, src = 'core', level = 0) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 185
    def rlog(msg, src = 'core', level = 0)
      # ExceptionCallStack is a sentinel: log the backtrace of the last exception ($@) instead
      if (msg == ExceptionCallStack)
        msg = "\nCall stack:\n" + $@.join("\n") + "\n"
      end
      $dispatcher.log(LOG_RAW, src, level, msg)
    end
#set_log_level(src, level) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 207
    def set_log_level(src, level)
      $dispatcher.set_level(src, level)
    end
#uri ⇒ Object
This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use. metasploit.com/framework/
    # File 'lib/msf/core/auxiliary/web/http.rb', line 9
    require 'uri'
#wlog(msg, src = 'core', level = 0) ⇒ Object
    # File 'lib/rex/logging/log_dispatcher.rb', line 177
    def wlog(msg, src = 'core', level = 0)
      $dispatcher.log(LOG_WARN, src, level, msg)
    end