
hashcat equivalents of the jtr modules #11671


Conversation

h00die (Contributor) commented Mar 31, 2019

This adds hashcat modules for all existing jtr modules. #11351
It adds the ability to export creds into hashcat format. #11615

Help me plz

I have one bug I can't figure out.
https://github.com/rapid7/metasploit-framework/pull/11671/files#diff-1078f7f42f6c70928adb5b154ffb1adeR31 is a direct copy of

OptPath.new('JOHN_PATH', [false, 'The absolute path to the John the Ripper executable']),

However, when I uncomment it, I get the following error, and I was never able to track down why:

msf5 > use auxiliary/analyze/hashcat_aix
[-] Error while running command use: no implicit conversion of false into Integer

Call stack:
/user/meterpreter/metasploit-framework/lib/msf/core/auxiliary/hashcat.rb:31:in `[]'
/user/meterpreter/metasploit-framework/lib/msf/core/auxiliary/hashcat.rb:31:in `initialize'
/user/meterpreter/metasploit-framework/modules/auxiliary/analyze/hashcat_aix.rb:21:in `initialize'
/user/meterpreter/metasploit-framework/lib/msf/core/module_set.rb:54:in `new'
/user/meterpreter/metasploit-framework/lib/msf/core/module_set.rb:54:in `create'
/user/meterpreter/metasploit-framework/lib/msf/core/module_manager.rb:85:in `create'
/user/meterpreter/metasploit-framework/lib/msf/ui/console/command_dispatcher/modules.rb:622:in `cmd_use'
/user/meterpreter/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/user/meterpreter/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/user/meterpreter/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/user/meterpreter/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/user/meterpreter/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/user/meterpreter/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/user/meterpreter/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'

Verification

I used the following for test cases. It should crack everything but the mssql12 one.

workspace -d default
creds -d
creds add user:des_password hash:rEK1ecacw.7.c jtr:des
creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256
creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYl$
creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:$
creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279$
creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E278$
creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
## oracle (10) uses usernames in the hashing, so we can't override that here
#creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
#creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
## oracle 11/12 H value, username is used
creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797$
## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:$
creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B3$
## postgres uses username, so we can't override that here
creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
use auxiliary/analyze/hashcat_aix
run
use auxiliary/analyze/hashcat_linux
set crypt true
run
use auxiliary/analyze/hashcat_mssql_fast
run
use auxiliary/analyze/hashcat_mysql_fast
run
use auxiliary/analyze/hashcat_oracle_fast
run
use auxiliary/analyze/hashcat_postgres_fast
run
use auxiliary/analyze/hashcat_windows_fast
run
creds

Wiki

Writing https://github.com/rapid7/metasploit-framework/wiki/Hashes-and-Password-Cracking to help document a lot of this stuff
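The "no implicit conversion of false into Integer" message in the call stack above is Ruby's own TypeError, and only some `#[]` implementations raise it. The probe below, an added example that is not part of this pull request or of Metasploit, shows which receiver kinds produce that message for a boolean index; the datastore-like Hash is a constructed stand-in, not the framework's class.

```ruby
# Added example, not code from the pull request or from Metasploit.
# Array#[] and String#[] convert their index with to_int and so raise
# "no implicit conversion of false into Integer" for a boolean;
# Hash#[] accepts any key and simply returns nil for a missing one.
# Knowing which kinds raise narrows down what `[]` is being called on
# at a frame like hashcat.rb:31 in the trace above.

# Calls receiver[key] and returns :ok, or the TypeError message if it raised.
def probe_index(receiver, key)
  receiver[key]
  :ok
rescue TypeError => e
  e.message
end

# Names of the candidate receiver kinds whose #[] raises for this key.
def receiver_kinds_that_raise(key)
  candidates = {
    'Array'  => [1, 2, 3],
    'String' => 'abc',
    'Hash'   => { 'JOHN_PATH' => nil } # constructed, datastore-like Hash
  }
  candidates.select { |_, obj| probe_index(obj, key) != :ok }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "raise on false: #{receiver_kinds_that_raise(false).inspect}"
  puts "raise on 0:     #{receiver_kinds_that_raise(0).inspect}"
end
```

A false index therefore points at an Array or String (for instance an option-attribute array like `[false, '...']` being indexed, or a positional argument landing where an Integer was expected), not at a Hash lookup such as `datastore['JOHN_PATH']`.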
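The test cases above tag each cred with a `jtr:` format name, and the pull request's stated goal is exporting those creds in a form hashcat can consume. The following is an added example, not code from this pull request or from Metasploit: it parses `creds add` lines in that shape and groups them into `user:hash` entries per hashcat mode. The sample creds are constructed from the untruncated lines above; the `jtr`-name to hashcat-mode table is my reading of hashcat's mode list and is an assumption to check against `hashcat --help` for the version in use (as is `bf` being the tag used for the blowfish entry, whose line is cut off above).

```ruby
# Added example: not code from this pull request or from Metasploit.
# Converts "creds add ..." lines into per-mode "user:hash" lines for hashcat.

# Metasploit "jtr:" tag -> hashcat -m mode (assumed mapping, verify locally).
JTR_TO_HASHCAT_MODE = {
  'des'        => 1500,  # descrypt
  'bsdi'       => 12400, # BSDi crypt
  'md5'        => 500,   # md5crypt
  'sha256'     => 7400,  # sha256crypt
  'sha512'     => 1800,  # sha512crypt
  'bf'         => 3200,  # bcrypt ('bf' assumed to be the jtr tag)
  'lm'         => 3000,  # LM
  'nt'         => 1000,  # NTLM
  'mssql'      => 131,   # MSSQL 2000
  'mssql05'    => 132,   # MSSQL 2005
  'mssql12'    => 1731,  # MSSQL 2012/2014
  'mysql'      => 200,   # MySQL323
  'mysql-sha1' => 300    # MySQL 4.1+
}.freeze

# Constructed sample: the untruncated test-case lines from the description.
SAMPLE_CREDS = <<~'CREDS'
  workspace -d default
  creds -d
  creds add user:des_password hash:rEK1ecacw.7.c jtr:des
  creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
  creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
  creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
  creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
  creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
  creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
  ## postgres folds the username into the hash, so there is no jtr: tag to map
  creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
CREDS

# Parses one "creds add k:v k:v ..." line into a Hash; nil for any other line.
def parse_creds_line(line)
  tokens = line.strip.split(/\s+/)
  return nil unless tokens[0, 2] == %w[creds add]
  tokens.drop(2).each_with_object({}) do |tok, fields|
    key, value = tok.split(':', 2) # values such as ntlm:LM:NT contain ':'
    fields[key] = value
  end
end

# Picks the hashcat mode and hash string for one parsed cred.
# LM and NT share the ntlm:LM:NT field; the jtr tag decides which half.
def hashcat_entry(fields)
  jtr  = fields['jtr']
  mode = JTR_TO_HASHCAT_MODE[jtr]
  return nil unless mode
  hash = case jtr
         when 'lm' then fields['ntlm'].to_s.split(':')[0]
         when 'nt' then fields['ntlm'].to_s.split(':')[1]
         else fields['hash']
         end
  return nil if hash.nil? || hash.empty?
  { mode: mode, line: "#{fields['user']}:#{hash}" }
end

# Groups exportable creds by hashcat mode: { mode => ["user:hash", ...] }.
# Creds without a known jtr tag (postgres, oracle) are left out: those
# formats need the username as part of the hash input, not as a prefix.
def export_for_hashcat(text)
  text.each_line.each_with_object({}) do |raw, out|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    fields = parse_creds_line(line)
    next unless fields
    entry = hashcat_entry(fields)
    next unless entry
    (out[entry[:mode]] ||= []) << entry[:line]
  end
end

if __FILE__ == $PROGRAM_NAME
  export_for_hashcat(SAMPLE_CREDS).each do |mode, lines|
    puts "# hashes_#{mode}.txt (run with -m #{mode} --username)"
    puts lines
  end
end
```

Each mode gets its own list because hashcat runs one hash type per invocation; the `user:` prefix is kept so the results can be matched back to the creds entry, which requires hashcat's `--username` option when the file is loaded.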

h00die added the module, library, docs, msf5 and blocked (Blocked by one or more additional tasks) labels Mar 31, 2019
wvu (Contributor) commented Apr 1, 2019

Wow, this is amazing work!

bcook-r7 (Contributor) commented Apr 1, 2019

If every jtr module could have a hashcat equivalent, could we just rename the existing 'jtr' modules without the tool in the module name, and have them be able to work with whatever cracking tool you have? We might need the 'module name alias' support that @acammack-r7 worked on last year as a PoC, to avoid all of the fallout that might occur from people using the old names. Maybe a later step from this one.

h00die (Contributor, Author) commented Apr 1, 2019

I have mixed feelings about that @bcook-r7:

Combining would save a LOT of duplicate code, but also make for LOT of code branches since each program has different hash input, password output, and flags (like hash type). I have been thinking when this lands to go through both and cleaning them up to be more in sync (and maybe use a table output for cracked passwords)

Keeping them separate makes some sense since they are very different beasts. JtR has the Korelogic stuff, hashcat doesn't for example (and this is a minor one).

I'm a jtr person, mainly because I don't spend $ for good video cards. With that being said, I made hashcat work, but it is VERY far from optimized or really thought through.
I have a feeling once people start using hashcat, they'll want more customizations etc. Those customizations may be easy like 'also run xyz mode', or may be more complex like 'add a new CUSTOMIZE datastore option so we can put in ?1?1?1?1 for password format'. With that being said, the two code branches will stray further apart and we'll start having datastore options like JTRKORELAN and HASHCATCUSTOMFORMAT.

However, I'm up for suggestions naturally!

Pending this stays as is, priorities:

  1. get this landed
  2. document in the wiki all about how to test a hash for what type it is, how to export, the differences between jtr and hashcat, etc.
  3. make a PR to sync up all the stray things between the two. Make sure the texts are similar, have a table output instead of just printing to screen, and they have varying loop patterns I'd like to nail down (aix has the hash type at the top, postgres has a regex at the bottom).

h00die (Contributor, Author) commented Apr 2, 2019

@bcook-r7 any updates on combining jtr and hashcat to one cracking module, or leaving it separate?

Also, I started writing https://github.com/rapid7/metasploit-framework/wiki/Hashes-and-Password-Cracking . WIP but putting everything in one place will make my life more sane, so it's bound to help someone else at some point!

h00die (Contributor, Author) commented Apr 5, 2019

I'm going to go ahead and make an executive call here and shut this down. I'll re-code it into a unified module w/ an action for selecting JtR or hashcat.

h00die closed this Apr 5, 2019

h00die (Contributor, Author) commented Apr 5, 2019

@acammack-r7 can you point me to the PR with that module name alias functionality?

acammack-r7 (Contributor) commented Apr 5, 2019

No PR, but there is a WIP branch with one commit: acammack-r7@da5881a. There is an issue with aliases interacting with the new module cache backend: module_class.fullname (from the module base class) vs module_class.full_name (from the module cache) acammack-r7@da5881a#diff-102aef8023f5460fe0c5d5744cad6898R21. The cache can be fixed, but that's a lot more code that needs to be touched and I didn't have the time.

After fixing the interaction with the module cache, the next step would be to add a field/method to modules with the name they were invoked with (I want to pass it to #initialize, but that would require either touching all the modules or a bunch of metaprogramming I am uncomfortable with to determine if it would accept the argument (not to mention mix-in compatibility...)).

h00die deleted the hcat branch November 9, 2019 14:13