Module: Msf::Auxiliary::JohnTheRipper

Includes:
Report
Defined in:
lib/msf/core/auxiliary/jtr.rb

Overview

This module provides methods for working with John the Ripper

Instance Method Summary collapse

Methods included from Report

#db, #get_client, #get_host, #inside_workspace_boundary?, #mytask, #myworkspace, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Instance Method Details

#autodetect_platformString

Returns the run path instance variable if the platform is detectable, nil otherwise.

Returns:

  • (String)

    the run path instance variable if the platform is detectable, nil otherwise.


41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# File 'lib/msf/core/auxiliary/jtr.rb', line 41

def autodetect_platform
  return @run_path if @run_path
  cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
  if File.directory?(cpuinfo_base)
    data = nil

    case ::RUBY_PLATFORM
    when /mingw|cygwin|mswin/
      fname = "#{cpuinfo_base}/cpuinfo.exe"
      if File.exists?(fname) and File.executable?(fname)
        data = %x{"#{fname}"} rescue nil
      end
      case data
      when /sse2/
        @run_path ||= "run.win32.sse2/john.exe"
      when /mmx/
        @run_path ||= "run.win32.mmx/john.exe"
      else
        @run_path ||= "run.win32.any/john.exe"
      end
    when /x86_64-linux/
      fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
      if File.exists? fname
        ::FileUtils.chmod(0755, fname) rescue nil
        data = %x{"#{fname}"} rescue nil
      end
      case data
      when /mmx/
        @run_path ||= "run.linux.x64.mmx/john"
      else
        @run_path ||= "run.linux.x86.any/john"
      end
    when /i[\d]86-linux/
      fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
      if File.exists? fname
        ::FileUtils.chmod(0755, fname) rescue nil
        data = %x{"#{fname}"} rescue nil
      end
      case data
      when /sse2/
        @run_path ||= "run.linux.x86.sse2/john"
      when /mmx/
        @run_path ||= "run.linux.x86.mmx/john"
      else
        @run_path ||= "run.linux.x86.any/john"
      end
    end
  end

  return @run_path
end

#build_seedObject


339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
# File 'lib/msf/core/auxiliary/jtr.rb', line 339

def build_seed

  seed = []
  #Seed the wordlist with Database , Table, and Instance Names

  count = 0
  schemas = myworkspace.notes.where('ntype like ?', '%.schema%')
  unless schemas.nil? or schemas.empty?
    schemas.each do |anote|
      seed << anote.data['DBName']
      count += 1
      anote.data['Tables'].each do |table|
        seed << table['TableName']
        count += 1
        table['Columns'].each do |column|
          seed << column['ColumnName']
          count += 1
        end
      end
    end
  end
  print_status "Seeding wordlist with DB schema info... #{count} words added"
  count = 0

  instances = myworkspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename'])
  unless instances.nil? or instances.empty?
    instances.each do |anote|
      seed << anote.data['InstanceName']
      count += 1
    end
  end
  print_status "Seeding with MSSQL Instance Names....#{count} words added"
  count = 0

  # Seed the wordlist with usernames, passwords, and hostnames

  myworkspace.hosts.find(:all).each do |o|
    if o.name
      seed << john_expand_word( o.name )
      count += 1
    end
  end
  print_status "Seeding with hostnames....#{count} words added"
  count = 0


  myworkspace.creds.each do |o|
    if o.user
      seed << john_expand_word( o.user )
      count +=1
    end
    if (o.pass and o.ptype !~ /hash/)
      seed << john_expand_word( o.pass )
      count += 1
    end
  end
  print_status "Seeding with found credentials....#{count} words added"
  count = 0

  # Grab any known passwords out of the john.pot file
  john_cracked_passwords.values do |v|
    seed << v
    count += 1
  end
  print_status "Seeding with cracked passwords from John....#{count} words added"
  count = 0

  #Grab the default John Wordlist
  john = File.open(john_wordlist_path, "rb")
  john.each_line do |line|
    seed << line.chomp
    count += 1
  end
  print_status "Seeding with default John wordlist...#{count} words added"
  count = 0

  if datastore['Wordlist']
    wordlist= File.open(datastore['Wordlist'], "rb")
    wordlist.each_line do |line|
      seed << line.chomp
      count ==1
    end
    print_status "Seeding from user supplied wordlist...#{count} words added"
  end



  unless seed.empty?
    seed.flatten!
    seed.uniq!
    if datastore['Munge']
      mungedseed=[]
      seed.each do |word|
        munged = word.gsub(/[sS]/, "$").gsub(/[aA]/,"@").gsub(/[oO]/,"0")
        mungedseed << munged
        munged.gsub!(/[eE]/, "3")
        munged.gsub!(/[tT]/, "7")
        mungedseed << munged
      end
      print_status "Adding #{mungedseed.count} words from munging..."
      seed << mungedseed
      seed.flatten!
      seed.uniq!
    end
  end
  print_status "De-duping the wordlist...."

  print_status("Wordlist Seeded with #{seed.length} words")

  return seed

end

#initialize(info = {}) ⇒ Object

Initializes an instance of an auxiliary module that calls out to John the Ripper (jtr)


22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# File 'lib/msf/core/auxiliary/jtr.rb', line 22

def initialize(info = {})
  super

  register_options(
    [
      OptPath.new('JOHN_BASE', [false, 'The directory containing John the Ripper (src, run, doc)']),
      OptPath.new('JOHN_PATH', [false, 'The absolute path to the John the Ripper executable']),
      OptPath.new('Wordlist', [false, 'The path to an optional Wordlist']),
      OptBool.new('Munge',[false, 'Munge the Wordlist (Slower)', false])
    ], Msf::Auxiliary::JohnTheRipper
  )

  @run_path  = nil
  @john_path = ::File.join(Msf::Config.data_directory, "john")

  autodetect_platform
end

#john_base_pathObject


249
250
251
252
253
254
255
256
257
# File 'lib/msf/core/auxiliary/jtr.rb', line 249

def john_base_path
  if datastore['JOHN_BASE'] and ::File.directory?(datastore['JOHN_BASE'])
    return datastore['JOHN_BASE']
  end
  if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH'])
    return ::File.dirname( datastore['JOHN_PATH'] )
  end
  @john_path
end

#john_binary_pathObject


221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
# File 'lib/msf/core/auxiliary/jtr.rb', line 221

def john_binary_path
  path = nil
  if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH'])
    path = datastore['JOHN_PATH']
    ::FileUtils.chmod(0755, path) rescue nil
    return path
  end

  if not @run_path
    if ::RUBY_PLATFORM =~ /mingw|cygwin|mswin/
      ::File.join(john_base_path, "john.exe")
    else
      path = ::File.join(john_base_path, "john")
      ::FileUtils.chmod(0755, path) rescue nil
    end
  else
    path = ::File.join(john_base_path, @run_path)
    ::FileUtils.chmod(0755, path) rescue nil
  end

  if path and ::File.exists?(path)
    return path
  end

  path = Rex::FileUtils.find_full_path("john") ||
    Rex::FileUtils.find_full_path("john.exe")
end

#john_crack(hfile, opts = {}) ⇒ Object


277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
# File 'lib/msf/core/auxiliary/jtr.rb', line 277

def john_crack(hfile, opts={})

  res = {:cracked => 0, :uncracked => 0, :users => {} }

  john_command = john_binary_path

  if john_command.nil?
    print_error("John the Ripper executable not found")
    return nil
  end

  # Don't bother making a log file, we'd just have to rm it when we're
  # done anyway.
  cmd = [ john_command,  "--session=" + john_session_id, "--nolog"]

  if opts[:conf]
    cmd << ( "--conf=" + opts[:conf] )
  else
    cmd << ( "--conf=" + ::File.join(john_base_path, "confs", "john.conf") )
  end

  if opts[:pot]
    cmd << ( "--pot=" + opts[:pot] )
  else
    cmd << ( "--pot=" + john_pot_file )
  end

  if opts[:format]
    cmd << ( "--format=" + opts[:format] )
  end

  if opts[:wordlist]
    cmd << ( "--wordlist=" + opts[:wordlist] )
  end

  if opts[:incremental]
    cmd << ( "--incremental=" + opts[:incremental] )
  end

  if opts[:single]
    cmd << ( "--single=" + opts[:single] )
  end

  if opts[:rules]
    cmd << ( "--rules=" + opts[:rules] )
  end

  cmd << hfile

  if RUBY_VERSION =~ /^1\.8\./
    cmd = cmd.join(" ")
  end

  ::IO.popen(cmd, "rb") do |fd|
    fd.each_line do |line|
      print_status("Output: #{line.strip}")
    end
  end

  res
end

#john_cracked_passwordsObject


101
102
103
104
105
106
107
108
109
110
111
# File 'lib/msf/core/auxiliary/jtr.rb', line 101

def john_cracked_passwords
  ret = {}
  return ret if not ::File.exist?(john_pot_file)
  ::File.open(john_pot_file, "rb") do |fd|
    fd.each_line do |line|
      hash,clear = line.sub(/\r?\n$/, '').split(",", 2)
      ret[hash] = clear
    end
  end
  ret
end

#john_expand_word(str) ⇒ Object


259
260
261
262
263
# File 'lib/msf/core/auxiliary/jtr.rb', line 259

def john_expand_word(str)
  res = [str]
  str.split(/\W+/) {|w| res << w }
  res.uniq
end

#john_lm_upper_to_ntlm(pwd, hash) ⇒ Object


265
266
267
268
269
270
271
272
273
274
# File 'lib/msf/core/auxiliary/jtr.rb', line 265

def john_lm_upper_to_ntlm(pwd, hash)
  pwd  = pwd.upcase
  hash = hash.upcase
  Rex::Text.permute_case(pwd).each do |str|
    if hash == Rex::Proto::NTLM::Crypt.ntlm_hash(str).unpack("H*")[0].upcase
      return str
    end
  end
  nil
end

#john_pot_fileObject


97
98
99
# File 'lib/msf/core/auxiliary/jtr.rb', line 97

def john_pot_file
  ::File.join( ::Msf::Config.config_directory, "john.pot" )
end

#john_session_idObject


93
94
95
# File 'lib/msf/core/auxiliary/jtr.rb', line 93

def john_session_id
  @session_id ||= ::Rex::Text.rand_text_alphanumeric(8)
end

#john_show_passwords(hfile, format = nil) ⇒ Object


113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
# File 'lib/msf/core/auxiliary/jtr.rb', line 113

def john_show_passwords(hfile, format=nil)
  res = {:cracked => 0, :uncracked => 0, :users => {} }

  john_command = john_binary_path

  if john_command.nil?
    print_error("John the Ripper executable not found")
    return res
  end

  pot  = john_pot_file
  conf = ::File.join(john_base_path, "confs", "john.conf")

  cmd = [ john_command,  "--show", "--conf=#{conf}", "--pot=#{pot}", hfile]

  if format
    cmd << "--format=" + format
  end

  if RUBY_VERSION =~ /^1\.8\./
    cmd = cmd.join(" ")
  end

  ::IO.popen(cmd, "rb") do |fd|
    fd.each_line do |line|
      line.chomp!
      print_status(line)
      if line =~ /(\d+) password hash(es)* cracked, (\d+) left/m
        res[:cracked]   = $1.to_i
        res[:uncracked] = $2.to_i
      end

      bits = line.split(':', -1)

      # If the password had : characters in it, put them back together
      while bits.length > 7
        bits[1,2] = bits[1,2].join(":")
      end
      next if not bits[2]

      if (format== 'lm' or format == 'nt')
        res[ :users ][ bits[0] ] = bits[1]
      else
        bits.last.chomp!
        res[ :users ][ bits[0] ] = bits.drop(1)
      end

    end
  end
  res
end

#john_unshadow(passwd_file, shadow_file) ⇒ Object


165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
# File 'lib/msf/core/auxiliary/jtr.rb', line 165

def john_unshadow(passwd_file,shadow_file)

  retval=""

  john_command = john_binary_path

  if john_command.nil?
    print_error("John the Ripper executable not found")
    return nil
  end

  if File.exists?(passwd_file)
    unless File.readable?(passwd_file)
      print_error("We do not have permission to read #{passwd_file}")
      return nil
    end
  else
    print_error("File does not exist: #{passwd_file}")
    return nil
  end

  if File.exists?(shadow_file)
    unless File.readable?(shadow_file)
      print_error("We do not have permission to read #{shadow_file}")
      return nil
    end
  else
    print_error("File does not exist: #{shadow_file}")
    return nil
  end


  cmd = [ john_command.gsub(/john$/, "unshadow"), passwd_file , shadow_file ]

  if RUBY_VERSION =~ /^1\.8\./
    cmd = cmd.join(" ")
  end
  ::IO.popen(cmd, "rb") do |fd|
    fd.each_line do |line|
      retval << line
    end
  end
  return retval
end

#john_wordlist_pathObject


210
211
212
213
214
215
216
217
218
219
# File 'lib/msf/core/auxiliary/jtr.rb', line 210

def john_wordlist_path
  # We ship it under wordlists/
  path = ::File.join(john_base_path, "wordlists", "password.lst")
  # magnumripper/JohnTheRipper repo keeps it under run/
  unless ::File.file? path
    path = ::File.join(john_base_path, "run", "password.lst")
  end

  path
end