Happy CTF week, folks! If you haven't already been following along with (or competing in) Metasploit's global community CTF, it started yesterday and runs through Monday morning U.S. Eastern Time. Registration has been full for a while, but you can join the #metasploit-ctf channel on Slack to participate in the joy and frustration vicariously.
This week's Metasploit wrap-up takes a look back at work done over the last year to overhaul Metasploit's password cracking subsystem and modules. Contributor @h00die catches us up on the problems solved with the latest evolution of Metasploit 5's cracker integration.
Metasploit With More Cats: Overhauling the Password Cracking System
Our thanks to longtime Metasploit contributor and friend h00die for the following explanation of the additions and capabilities incorporated into Metasploit as part of his password-cracking overhaul.
Password cracking has been a part of Metasploit since 2011, a time before Hashcat when John the Ripper (JtR) ruled the land of cross-platform password cracking. Metasploit quickly expanded to adopt cracking multiple types of hashes, mainly focusing on those which were likely to be dumped from operating systems and databases.
As time passed, the password-cracking landscape changed and Hashcat started growing in popularity, mainly due to its adoption of GPU based cracking. JtR followed suit in 2012 as GPU cracking became orders of magnitude faster than using the CPU-only. While Metasploit greatly benefited from these updates to JtR, over time it became clear that the integration was not keeping up. An overhaul was inbound.
Overhaul Step 1: Clean-up
The first step in the overhaul was to inventory what already existed in Metasploit, and to make sure it was still working correctly and optimally. We found several issues, mainly:
- The embedded configuration file,
john.conf, was more than six years old, which caused the
jtr_postgres_fastmodule as well as other modern optimizations from JtR to not work.
- The Metasploit
credscommand needed the ability to specify the hash type so that password crackers would know if they could be used.
- File cleanup support was lacking.
- There was no documentation.
- There were many module-specific issues cracking passwords.
In addition to many bug fixes and additions in the initial overhaul effort, one of the coolest additions was an
apply_pot module. A
pot file contains a password hash and its associated password. If you had previously cracked a password (through a previous engagement, or via password reuse by target), the
apply_pot module lets you instantly crack the password and add it to the Metasploit database.
With all the major bases covered, we could turn our focus to standardizations.
Overhaul Step 2: Standardizations
One of the problems we identified in the clean-up phase was an inconsistency in labeling hashes. One of the ways this is typically done outside of Metasploit is to use a tool like
hash-identifier. Using that as inspiration, we built a similar functionality into Metasploit so that modules could simply pass a hash, and get a consistently
jtr_type added to password hashes. Easy peasey extra cheesey!
While there are LOTS of hashes that could be added to Metasploit's password library, we restricted ourselves to adding only those hash types that are able to be dumped by existing Metasploit modules. As new modules with different hashes are created, this library will be updated to match.
Overhaul Step 3: Meow-ify Metasploit
Finally, with many of the basic bugs and usability problems solved, it was time to modernize the password cracking system with a complete overhaul to support more than just John the Ripper. The most significant addition for most users is that Metasploit can now use
hashcat for password cracking. A lot more changed under the hood, too.
We overhauled the password cracking subsystem to be more modular. It is now substantially easier to add a new password cracking program to the framework than it was before. One decision we made in this modularization effort was to standardize on the JtR hash format. Mainly this means that hash names, and hashes, are consistently stored in the database in a JtR-friendly way and will need to be translated for other programs. An example of hash type conversions is available in the wiki, and actual hash formatting from JtR to Hashcat are available in the code.
We renamed all cracking modules to be cracker -independent. If you are looking for the
jtr_linux module today, it’s now
crack_linux, and all other modules were renamed in this fashion as well. We added
crack_databases was created to incorporate the functionality of the formerly separate
jtr_postgres modules. Later, we even added a
crack_mobile module to focus on phone password cracking, along with a new mode specifically for PINs.
Other niceties were also added, such as
show_command to print the actual command being executed. Metasploit prints the version of the cracker application being used to help with future debugging. New logic prevents the non-Jumbo patched version of JtR from being accidentally used, since it doesn’t include MANY of the hashes we can crack. Want to export the creds DB to a JtR or Hashcat format so you can crack external to Metasploit? Give
creds -o a look. A password was cracked, great, but how? Was it a wordlist, was it in the pot file? Metasploit now prints a table of which method was successful in cracking the password. For example:
[+] Cracked Hashes ============== DB ID Hash Type Username Cracked Password Method ----- --------- -------- ---------------- ------ 1260 descrypt des2_password password Wordlist 1261 descrypt des_password password Wordlist 1262 descrypt des_55 55 Incremental 1263 descrypt des_pot_55 55 Already Cracked/POT
Ready to try it out? Simply change the
action of a cracker:
set action hashcat. Need some hashes to try it against, we got you covered as well. You’ll need to be on MSF5 as well, as these changes weren’t backported to version 4, so go get it right meow.
For a complete list of changes over the 10 months of password cracker overhaul and 23,513 added lines of code, see:
- Android hashdumper – Nov 15
- Password Cracker Overhaul (ie hashcat) – Nov 7
- Fix osx 10.7 hash IDing, and JTR ids – Jun 1
- Expand hashes identify library and add spec – Apr 24
- Creds export to jtr format – Mar 23
- Add no cleanup to jtr modules – Mar 22
- jtr modernizations (again again again) – Feb 13
- updating jtr formats in hashdumpers – Feb 12
- add max_length to wordlist generation – Jan 19
- uppercase KoreLogic in JTR modules – Jan 15
Enhancements and features
Several useful features and important bug fixes went into Metasploit Framework as well this week, including:
PR #12736 adds support for Parent Process ID (PPID) spoofing in Meterpreter, by @phra. This can be used to make a Meterpreter process appear to be spawned by a different parent process than did in reality by modifying the process tables directly.
PR #12859 updates the AF_PACKET chocobo_root privilege escalation module to use newer Metasploit Framework features, targets for additional Linux kernel types, making the module easier to maintain in the future, by @bcoles.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).