2011-02-07 02:25:55 +03:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""
|
|
|
|
$Id$
|
|
|
|
|
2011-07-08 00:10:03 +04:00
|
|
|
Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
|
2011-02-07 02:25:55 +03:00
|
|
|
See the file 'doc/COPYING' for copying permission
|
|
|
|
"""
|
|
|
|
|
2011-03-27 00:10:31 +03:00
|
|
|
try:
|
2011-03-27 00:41:37 +03:00
|
|
|
from crypt import crypt
|
2011-03-27 00:10:31 +03:00
|
|
|
except ImportError, _:
|
2011-03-27 00:41:37 +03:00
|
|
|
from extra.fcrypt.fcrypt import crypt
|
2011-03-27 00:10:31 +03:00
|
|
|
|
2011-07-20 16:18:36 +04:00
|
|
|
_multiprocessing = None
|
|
|
|
try:
|
|
|
|
import multiprocessing
|
2011-07-20 17:00:34 +04:00
|
|
|
|
2011-07-27 01:28:48 +04:00
|
|
|
# problems on FreeBSD (Reference: http://www.eggheadcafe.com/microsoft/Python/35880259/multiprocessing-on-freebsd.aspx)
|
2011-07-28 03:26:36 +04:00
|
|
|
_ = multiprocessing.Queue()
|
2011-07-20 17:00:34 +04:00
|
|
|
except ImportError, _:
|
2011-07-20 16:18:36 +04:00
|
|
|
pass
|
2011-07-28 03:26:36 +04:00
|
|
|
else:
|
|
|
|
_multiprocessing = multiprocessing
|
2011-07-20 16:18:36 +04:00
|
|
|
|
2011-07-01 03:44:49 +04:00
|
|
|
import os
|
2011-02-07 02:25:55 +03:00
|
|
|
import re
|
|
|
|
import time
|
|
|
|
|
|
|
|
from hashlib import md5
|
|
|
|
from hashlib import sha1
|
2011-07-04 23:58:41 +04:00
|
|
|
from Queue import Queue
|
2011-02-07 02:25:55 +03:00
|
|
|
from zipfile import ZipFile
|
|
|
|
|
|
|
|
from extra.pydes.pyDes import des
|
|
|
|
from extra.pydes.pyDes import CBC
|
2011-07-24 13:19:33 +04:00
|
|
|
from lib.core.common import Backend
|
2011-02-07 02:25:55 +03:00
|
|
|
from lib.core.common import checkFile
|
|
|
|
from lib.core.common import clearConsoleLine
|
|
|
|
from lib.core.common import dataToStdout
|
|
|
|
from lib.core.common import getCompiledRegex
|
|
|
|
from lib.core.common import getFileItems
|
|
|
|
from lib.core.common import getPublicTypeMembers
|
2011-03-29 11:50:07 +04:00
|
|
|
from lib.core.common import normalizeUnicode
|
2011-02-07 02:25:55 +03:00
|
|
|
from lib.core.common import paths
|
|
|
|
from lib.core.common import readInput
|
2011-07-01 03:44:49 +04:00
|
|
|
from lib.core.common import singleTimeLogMessage
|
2011-07-04 23:58:41 +04:00
|
|
|
from lib.core.common import singleTimeWarnMessage
|
2011-07-01 03:44:49 +04:00
|
|
|
from lib.core.common import Wordlist
|
2011-02-07 02:25:55 +03:00
|
|
|
from lib.core.convert import hexdecode
|
|
|
|
from lib.core.convert import hexencode
|
2011-03-10 23:40:12 +03:00
|
|
|
from lib.core.convert import utf8encode
|
2011-02-07 02:25:55 +03:00
|
|
|
from lib.core.data import kb
|
|
|
|
from lib.core.data import logger
|
|
|
|
from lib.core.enums import DBMS
|
|
|
|
from lib.core.enums import HASH
|
2011-06-30 12:42:43 +04:00
|
|
|
from lib.core.exception import sqlmapFilePathException
|
2011-02-07 02:25:55 +03:00
|
|
|
from lib.core.exception import sqlmapUserQuitException
|
|
|
|
from lib.core.settings import COMMON_PASSWORD_SUFFIXES
|
|
|
|
from lib.core.settings import DUMMY_USER_PREFIX
|
2011-03-31 20:56:26 +04:00
|
|
|
from lib.core.settings import GENERAL_IP_ADDRESS_REGEX
|
2011-03-29 16:08:07 +04:00
|
|
|
from lib.core.settings import HASH_MOD_ITEM_DISPLAY
|
2011-03-26 23:46:25 +03:00
|
|
|
from lib.core.settings import IS_WIN
|
2011-07-04 23:58:41 +04:00
|
|
|
from lib.core.settings import PYVERSION
|
2011-04-01 20:40:28 +04:00
|
|
|
from lib.core.settings import ML
|
2011-02-07 02:25:55 +03:00
|
|
|
from lib.core.settings import UNICODE_ENCODING
|
2011-07-15 17:24:13 +04:00
|
|
|
from lib.core.settings import ROTATING_CHARS
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
def mysql_passwd(password, uppercase=True):
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
http://csl.sublevel3.org/mysql-password-function/
|
|
|
|
|
|
|
|
>>> mysql_passwd(password='testpass', uppercase=True)
|
|
|
|
'*00E247AC5F9AF26AE0194B41E1E769DEE1429A29'
|
|
|
|
"""
|
|
|
|
|
|
|
|
retVal = "*%s" % sha1(sha1(password).digest()).hexdigest()
|
|
|
|
|
|
|
|
return retVal.upper() if uppercase else retVal.lower()
|
|
|
|
|
|
|
|
def mysql_old_passwd(password, uppercase=True): # prior to version '4.1'
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
http://www.sfr-fresh.com/unix/privat/tpop3d-1.5.5.tar.gz:a/tpop3d-1.5.5/password.c
|
|
|
|
http://voidnetwork.org/5ynL0rd/darkc0de/python_script/darkMySQLi.html
|
|
|
|
|
|
|
|
>>> mysql_old_passwd(password='testpass', uppercase=True)
|
|
|
|
'7DCDA0D57290B453'
|
|
|
|
"""
|
|
|
|
|
|
|
|
a, b, c = 1345345333, 7, 0x12345671
|
|
|
|
|
|
|
|
for d in password:
|
|
|
|
if d == ' ' or d == '\t':
|
|
|
|
continue
|
|
|
|
|
|
|
|
e = ord(d)
|
|
|
|
a ^= (((a & 63) + b) * e) + (a << 8)
|
|
|
|
c += (c << 8) ^ a
|
|
|
|
b += e
|
|
|
|
|
|
|
|
retVal = "%08lx%08lx" % (a & ((1 << 31) - 1), c & ((1 << 31) - 1))
|
|
|
|
|
|
|
|
return retVal.upper() if uppercase else retVal.lower()
|
|
|
|
|
|
|
|
def postgres_passwd(password, username, uppercase=False):
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
http://pentestmonkey.net/blog/cracking-postgres-hashes/
|
|
|
|
|
|
|
|
>>> postgres_passwd(password='testpass', username='testuser', uppercase=False)
|
|
|
|
'md599e5ea7a6f7c3269995cba3927fd0093'
|
|
|
|
"""
|
|
|
|
|
|
|
|
retVal = "md5%s" % md5(password + username).hexdigest()
|
|
|
|
|
|
|
|
return retVal.upper() if uppercase else retVal.lower()
|
|
|
|
|
|
|
|
def mssql_passwd(password, salt, uppercase=False):
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
http://www.leidecker.info/projects/phrasendrescher/mssql.c
|
|
|
|
https://www.evilfingers.com/tools/GSAuditor.php
|
|
|
|
|
|
|
|
>>> mssql_passwd(password='testpass', salt='4086ceb6', uppercase=False)
|
|
|
|
'0x01004086ceb60c90646a8ab9889fe3ed8e5c150b5460ece8425a'
|
|
|
|
"""
|
|
|
|
|
|
|
|
binsalt = hexdecode(salt)
|
2011-03-10 23:40:12 +03:00
|
|
|
unistr = "".join(map(lambda c: ("%s\0" if ord(c) < 256 else "%s") % utf8encode(c), password))
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
retVal = "0100%s%s" % (salt, sha1(unistr + binsalt).hexdigest())
|
|
|
|
|
|
|
|
return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
|
|
|
|
|
|
|
|
def mssql_old_passwd(password, salt, uppercase=True): # prior to version '2005'
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
www.exploit-db.com/download_pdf/15537/
|
|
|
|
http://www.leidecker.info/projects/phrasendrescher/mssql.c
|
|
|
|
https://www.evilfingers.com/tools/GSAuditor.php
|
|
|
|
|
|
|
|
>>> mssql_old_passwd(password='testpass', salt='4086ceb6', uppercase=True)
|
|
|
|
'0x01004086CEB60C90646A8AB9889FE3ED8E5C150B5460ECE8425AC7BB7255C0C81D79AA5D0E93D4BB077FB9A51DA0'
|
|
|
|
"""
|
|
|
|
|
|
|
|
binsalt = hexdecode(salt)
|
2011-03-10 23:40:12 +03:00
|
|
|
unistr = "".join(map(lambda c: ("%s\0" if ord(c) < 256 else "%s") % utf8encode(c), password))
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
retVal = "0100%s%s%s" % (salt, sha1(unistr + binsalt).hexdigest(), sha1(unistr.upper() + binsalt).hexdigest())
|
|
|
|
|
|
|
|
return "0x%s" % (retVal.upper() if uppercase else retVal.lower())
|
|
|
|
|
|
|
|
def oracle_passwd(password, salt, uppercase=True):
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
https://www.evilfingers.com/tools/GSAuditor.php
|
|
|
|
http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
|
|
|
|
http://seclists.org/bugtraq/2007/Sep/304
|
|
|
|
|
|
|
|
>>> oracle_passwd(password='SHAlala', salt='1B7B5F82B7235E9E182C', uppercase=True)
|
|
|
|
'S:2BFCFDF5895014EE9BB2B9BA067B01E0389BB5711B7B5F82B7235E9E182C'
|
|
|
|
"""
|
|
|
|
|
|
|
|
binsalt = hexdecode(salt)
|
|
|
|
|
2011-03-10 23:40:12 +03:00
|
|
|
retVal="s:%s%s" % (sha1(utf8encode(password) + binsalt).hexdigest(), salt)
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
return retVal.upper() if uppercase else retVal.lower()
|
|
|
|
|
|
|
|
def oracle_old_passwd(password, username, uppercase=True): # prior to version '11g'
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
http://www.notesbit.com/index.php/scripts-oracle/oracle-11g-new-password-algorithm-is-revealed-by-seclistsorg/
|
|
|
|
|
|
|
|
>>> oracle_old_passwd(password='tiger', username='scott', uppercase=True)
|
|
|
|
'F894844C34402B67'
|
|
|
|
"""
|
|
|
|
IV, pad = "\0"*8, "\0"
|
|
|
|
|
|
|
|
if isinstance(username, unicode):
|
|
|
|
username = unicode.encode(username, UNICODE_ENCODING) #pyDes has issues with unicode strings
|
|
|
|
|
|
|
|
unistr = "".join("\0%s" % c for c in (username + password).upper())
|
|
|
|
|
|
|
|
cipher = des(hexdecode("0123456789ABCDEF"), CBC, IV, pad)
|
|
|
|
encrypted = cipher.encrypt(unistr)
|
|
|
|
cipher = des(encrypted[-8:], CBC, IV, pad)
|
|
|
|
encrypted = cipher.encrypt(unistr)
|
|
|
|
|
|
|
|
retVal = hexencode(encrypted[-8:])
|
|
|
|
|
|
|
|
return retVal.upper() if uppercase else retVal.lower()
|
|
|
|
|
|
|
|
def md5_generic_passwd(password, uppercase=False):
|
|
|
|
"""
|
|
|
|
>>> md5_generic_passwd(password='testpass', uppercase=False)
|
|
|
|
'179ad45c6ce2cb97cf1029e212046e81'
|
|
|
|
"""
|
|
|
|
|
|
|
|
retVal = md5(password).hexdigest()
|
|
|
|
|
|
|
|
return retVal.upper() if uppercase else retVal.lower()
|
|
|
|
|
|
|
|
def sha1_generic_passwd(password, uppercase=False):
|
|
|
|
"""
|
|
|
|
>>> sha1_generic_passwd(password='testpass', uppercase=False)
|
|
|
|
'206c80413b9a96c1312cc346b7d2517b84463edd'
|
|
|
|
"""
|
|
|
|
|
|
|
|
retVal = sha1(password).hexdigest()
|
|
|
|
|
|
|
|
return retVal.upper() if uppercase else retVal.lower()
|
|
|
|
|
2011-03-26 23:46:25 +03:00
|
|
|
def crypt_generic_passwd(password, salt, uppercase=False):
|
|
|
|
"""
|
|
|
|
Reference(s):
|
|
|
|
http://docs.python.org/library/crypt.html
|
|
|
|
http://helpful.knobs-dials.com/index.php/Hashing_notes
|
|
|
|
http://php.net/manual/en/function.crypt.php
|
|
|
|
http://carey.geek.nz/code/python-fcrypt/
|
|
|
|
|
|
|
|
>>> crypt_generic_passwd(password='rasmuslerdorf', salt='rl', uppercase=False)
|
|
|
|
'rl.3StKT.4T8M'
|
|
|
|
"""
|
|
|
|
|
2011-03-27 00:41:37 +03:00
|
|
|
retVal = crypt(password, salt)
|
2011-03-26 23:46:25 +03:00
|
|
|
|
2011-06-08 18:30:12 +04:00
|
|
|
return retVal.upper() if uppercase else retVal
|
2011-03-26 23:46:25 +03:00
|
|
|
|
2011-02-07 02:25:55 +03:00
|
|
|
__functions__ = {
|
|
|
|
HASH.MYSQL: mysql_passwd,
|
|
|
|
HASH.MYSQL_OLD: mysql_old_passwd,
|
|
|
|
HASH.POSTGRES: postgres_passwd,
|
|
|
|
HASH.MSSQL: mssql_passwd,
|
|
|
|
HASH.MSSQL_OLD: mssql_old_passwd,
|
|
|
|
HASH.ORACLE: oracle_passwd,
|
|
|
|
HASH.ORACLE_OLD: oracle_old_passwd,
|
|
|
|
HASH.MD5_GENERIC: md5_generic_passwd,
|
2011-03-26 23:46:25 +03:00
|
|
|
HASH.SHA1_GENERIC: sha1_generic_passwd,
|
|
|
|
HASH.CRYPT_GENERIC: crypt_generic_passwd
|
2011-02-07 02:25:55 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
def attackCachedUsersPasswords():
|
|
|
|
if kb.data.cachedUsersPasswords:
|
|
|
|
results = dictionaryAttack(kb.data.cachedUsersPasswords)
|
|
|
|
|
2011-07-13 00:32:19 +04:00
|
|
|
for (user, hash_, password) in results:
|
|
|
|
for i in xrange(len(kb.data.cachedUsersPasswords[user])):
|
|
|
|
if kb.data.cachedUsersPasswords[user][i] and hash_.lower() in kb.data.cachedUsersPasswords[user][i].lower():
|
|
|
|
kb.data.cachedUsersPasswords[user][i] += "%s clear-text password: %s" % ('\n' if kb.data.cachedUsersPasswords[user][i][-1] != '\n' else '', password)
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
def attackDumpedTable():
|
2011-07-24 13:19:33 +04:00
|
|
|
isOracle, isMySQL = Backend.isDbms(DBMS.ORACLE), Backend.isDbms(DBMS.MYSQL)
|
|
|
|
|
2011-02-07 02:25:55 +03:00
|
|
|
if kb.data.dumpedTable:
|
|
|
|
table = kb.data.dumpedTable
|
|
|
|
columns = table.keys()
|
|
|
|
count = table["__infos__"]["count"]
|
|
|
|
|
|
|
|
colUser = ''
|
|
|
|
attack_dict = {}
|
|
|
|
|
|
|
|
for column in columns:
|
|
|
|
if column and column.lower() in ('user', 'username', 'user_name'):
|
|
|
|
colUser = column
|
|
|
|
break
|
|
|
|
|
2011-07-26 00:17:44 +04:00
|
|
|
for i in xrange(count):
|
2011-02-07 02:25:55 +03:00
|
|
|
for column in columns:
|
|
|
|
if column == colUser or column == '__infos__':
|
|
|
|
continue
|
|
|
|
|
|
|
|
if len(table[column]['values']) <= i:
|
|
|
|
continue
|
|
|
|
|
|
|
|
value = table[column]['values'][i]
|
|
|
|
|
2011-07-24 13:19:33 +04:00
|
|
|
if hashRecognition(value, isOracle, isMySQL):
|
2011-02-07 02:25:55 +03:00
|
|
|
if colUser:
|
|
|
|
if table[colUser]['values'][i] not in attack_dict:
|
|
|
|
attack_dict[table[colUser]['values'][i]] = []
|
|
|
|
|
|
|
|
attack_dict[table[colUser]['values'][i]].append(value)
|
|
|
|
else:
|
|
|
|
attack_dict['%s%d' % (DUMMY_USER_PREFIX, i)] = [value]
|
|
|
|
|
|
|
|
if attack_dict:
|
2011-07-13 00:49:27 +04:00
|
|
|
message = "recognized possible password hashes. Do you want to "
|
|
|
|
message += "crack them via a dictionary-based attack? [Y/n/q]"
|
2011-02-07 02:25:55 +03:00
|
|
|
test = readInput(message, default="Y")
|
|
|
|
|
|
|
|
if test[0] in ("n", "N"):
|
|
|
|
return
|
|
|
|
elif test[0] in ("q", "Q"):
|
|
|
|
raise sqlmapUserQuitException
|
|
|
|
|
|
|
|
results = dictionaryAttack(attack_dict)
|
|
|
|
|
2011-07-13 00:32:19 +04:00
|
|
|
for (user, hash_, password) in results:
|
|
|
|
for i in range(count):
|
|
|
|
for column in columns:
|
|
|
|
if column == colUser or column == '__infos__':
|
|
|
|
continue
|
|
|
|
if len(table[column]['values']) <= i:
|
|
|
|
continue
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-07-13 00:32:19 +04:00
|
|
|
value = table[column]['values'][i]
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-07-13 00:32:19 +04:00
|
|
|
if all(map(lambda x: x, [value, hash_])) and value.lower() == hash_.lower():
|
|
|
|
table[column]['values'][i] += " (%s)" % password
|
|
|
|
table[column]['length'] = max(table[column]['length'], len(table[column]['values'][i]))
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-07-24 13:19:33 +04:00
|
|
|
def hashRecognition(value, isOracle=False, isMySQL=False):
|
2011-02-07 02:25:55 +03:00
|
|
|
retVal = None
|
|
|
|
|
2011-04-06 12:30:50 +04:00
|
|
|
if isinstance(value, basestring):
|
2011-02-07 02:25:55 +03:00
|
|
|
for name, regex in getPublicTypeMembers(HASH):
|
|
|
|
# Hashes for Oracle and old MySQL look the same hence these checks
|
2011-07-24 13:19:33 +04:00
|
|
|
if isOracle and regex == HASH.MYSQL_OLD:
|
2011-02-07 02:25:55 +03:00
|
|
|
continue
|
2011-07-24 13:19:33 +04:00
|
|
|
elif isMySQL and regex == HASH.ORACLE_OLD:
|
2011-02-07 02:25:55 +03:00
|
|
|
continue
|
2011-04-13 18:40:23 +04:00
|
|
|
elif regex == HASH.CRYPT_GENERIC:
|
|
|
|
if any([getCompiledRegex(GENERAL_IP_ADDRESS_REGEX).match(value), value.lower() == value, value.upper() == value, value.isdigit()]):
|
|
|
|
continue
|
2011-04-06 12:30:50 +04:00
|
|
|
elif getCompiledRegex(regex).match(value):
|
2011-02-07 02:25:55 +03:00
|
|
|
retVal = regex
|
|
|
|
break
|
|
|
|
|
|
|
|
return retVal
|
|
|
|
|
2011-07-11 17:16:59 +04:00
|
|
|
def __bruteProcessVariantA(attack_info, hash_regex, wordlist, suffix, retVal, proc_id, proc_count):
|
|
|
|
count = 0
|
2011-07-15 17:24:13 +04:00
|
|
|
rotator = 0
|
2011-07-11 17:16:59 +04:00
|
|
|
|
|
|
|
try:
|
|
|
|
for word in wordlist:
|
|
|
|
if not attack_info:
|
|
|
|
break
|
|
|
|
|
|
|
|
count += 1
|
|
|
|
|
|
|
|
if not isinstance(word, basestring):
|
|
|
|
continue
|
|
|
|
|
|
|
|
if suffix:
|
|
|
|
word = word + suffix
|
|
|
|
|
|
|
|
try:
|
|
|
|
current = __functions__[hash_regex](password = word, uppercase = False)
|
|
|
|
|
|
|
|
for item in attack_info:
|
|
|
|
((user, hash_), _) = item
|
|
|
|
|
|
|
|
if hash_ == current:
|
|
|
|
retVal.put((user, hash_, word))
|
|
|
|
|
|
|
|
clearConsoleLine()
|
|
|
|
|
2011-07-13 00:49:27 +04:00
|
|
|
infoMsg = "[%s] [INFO] cracked password '%s'" % (time.strftime("%X"), word)
|
2011-07-11 17:16:59 +04:00
|
|
|
|
|
|
|
if user and not user.startswith(DUMMY_USER_PREFIX):
|
|
|
|
infoMsg += " for user '%s'\n" % user
|
|
|
|
else:
|
|
|
|
infoMsg += " for hash '%s'\n" % hash_
|
|
|
|
|
|
|
|
dataToStdout(infoMsg, True)
|
|
|
|
|
|
|
|
attack_info.remove(item)
|
|
|
|
|
|
|
|
elif proc_id == 0 and count % HASH_MOD_ITEM_DISPLAY == 0 or hash_regex in (HASH.ORACLE_OLD) or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
|
2011-07-15 17:24:13 +04:00
|
|
|
rotator += 1
|
|
|
|
if rotator >= len(ROTATING_CHARS):
|
|
|
|
rotator = 0
|
|
|
|
status = 'current status: %s... %s' % (word.ljust(5)[:5], ROTATING_CHARS[rotator])
|
2011-07-11 17:16:59 +04:00
|
|
|
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
|
|
|
|
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
raise
|
|
|
|
|
2011-07-15 17:24:13 +04:00
|
|
|
except Exception, msg:
|
|
|
|
print msg
|
2011-07-11 17:16:59 +04:00
|
|
|
warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
|
2011-07-12 19:47:04 +04:00
|
|
|
warnMsg += "Please report by e-mail to %s" % ML
|
2011-07-11 17:16:59 +04:00
|
|
|
logger.critical(warnMsg)
|
|
|
|
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
pass
|
|
|
|
|
|
|
|
def __bruteProcessVariantB(user, hash_, kwargs, hash_regex, wordlist, suffix, retVal, found, proc_id, proc_count):
|
|
|
|
count = 0
|
2011-07-15 17:24:13 +04:00
|
|
|
rotator = 0
|
2011-07-11 17:16:59 +04:00
|
|
|
|
|
|
|
try:
|
|
|
|
for word in wordlist:
|
2011-07-13 00:32:19 +04:00
|
|
|
if found.value:
|
|
|
|
break
|
2011-07-11 17:16:59 +04:00
|
|
|
|
|
|
|
current = __functions__[hash_regex](password = word, uppercase = False, **kwargs)
|
|
|
|
count += 1
|
|
|
|
|
|
|
|
if not isinstance(word, basestring):
|
|
|
|
continue
|
|
|
|
|
|
|
|
if suffix:
|
|
|
|
word = word + suffix
|
|
|
|
|
|
|
|
try:
|
|
|
|
if hash_ == current:
|
2011-07-12 19:30:40 +04:00
|
|
|
if hash_regex == HASH.ORACLE_OLD: #only for cosmetic purposes
|
2011-07-11 17:16:59 +04:00
|
|
|
word = word.upper()
|
|
|
|
|
|
|
|
retVal.put((user, hash_, word))
|
|
|
|
|
|
|
|
clearConsoleLine()
|
|
|
|
|
2011-07-13 00:49:27 +04:00
|
|
|
infoMsg = "[%s] [INFO] cracked password '%s'" % (time.strftime("%X"), word)
|
2011-07-11 17:16:59 +04:00
|
|
|
|
|
|
|
if user and not user.startswith(DUMMY_USER_PREFIX):
|
|
|
|
infoMsg += " for user '%s'\n" % user
|
|
|
|
else:
|
|
|
|
infoMsg += " for hash '%s'\n" % hash_
|
|
|
|
|
|
|
|
dataToStdout(infoMsg, True)
|
|
|
|
|
|
|
|
found.value = True
|
|
|
|
elif proc_id == 0 and count % HASH_MOD_ITEM_DISPLAY == 0 or hash_regex in (HASH.ORACLE_OLD) or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
|
2011-07-15 17:24:13 +04:00
|
|
|
rotator += 1
|
|
|
|
if rotator >= len(ROTATING_CHARS):
|
|
|
|
rotator = 0
|
|
|
|
status = 'current status: %s... %s' % (word.ljust(5)[:5], ROTATING_CHARS[rotator])
|
2011-07-11 17:16:59 +04:00
|
|
|
if not user.startswith(DUMMY_USER_PREFIX):
|
|
|
|
status += ' (user: %s)' % user
|
|
|
|
dataToStdout("\r[%s] [INFO] %s" % (time.strftime("%X"), status))
|
|
|
|
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
raise
|
|
|
|
|
|
|
|
except:
|
|
|
|
warnMsg = "there was a problem while hashing entry: %s. " % repr(word)
|
2011-07-12 19:47:04 +04:00
|
|
|
warnMsg += "Please report by e-mail to %s" % ML
|
2011-07-11 17:16:59 +04:00
|
|
|
logger.critical(warnMsg)
|
|
|
|
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
2011-02-07 02:25:55 +03:00
|
|
|
def dictionaryAttack(attack_dict):
|
2011-03-29 16:00:29 +04:00
|
|
|
suffix_list = [""]
|
2011-02-07 02:25:55 +03:00
|
|
|
hash_regexes = []
|
|
|
|
results = []
|
2011-07-04 23:58:41 +04:00
|
|
|
processException = False
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
for (_, hashes) in attack_dict.items():
|
|
|
|
for hash_ in hashes:
|
|
|
|
if not hash_:
|
|
|
|
continue
|
|
|
|
|
|
|
|
hash_ = hash_.split()[0]
|
|
|
|
regex = hashRecognition(hash_)
|
|
|
|
|
|
|
|
if regex and regex not in hash_regexes:
|
|
|
|
hash_regexes.append(regex)
|
2011-07-13 00:49:27 +04:00
|
|
|
infoMsg = "using hash method '%s'" % __functions__[regex].func_name
|
2011-02-07 02:25:55 +03:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
for hash_regex in hash_regexes:
|
|
|
|
attack_info = []
|
|
|
|
|
|
|
|
for (user, hashes) in attack_dict.items():
|
|
|
|
for hash_ in hashes:
|
|
|
|
if not hash_:
|
|
|
|
continue
|
|
|
|
|
|
|
|
hash_ = hash_.split()[0]
|
|
|
|
|
2011-03-31 21:34:07 +04:00
|
|
|
if getCompiledRegex(hash_regex).match(hash_):
|
2011-02-07 02:25:55 +03:00
|
|
|
hash_ = hash_.lower()
|
|
|
|
|
|
|
|
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
|
|
|
|
attack_info.append([(user, hash_), {}])
|
|
|
|
|
|
|
|
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
|
|
|
|
attack_info.append([(user, hash_), {'username': user}])
|
|
|
|
|
|
|
|
elif hash_regex in (HASH.ORACLE):
|
|
|
|
attack_info.append([(user, hash_), {'salt': hash_[-20:]}])
|
|
|
|
|
|
|
|
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD):
|
|
|
|
attack_info.append([(user, hash_), {'salt': hash_[6:14]}])
|
|
|
|
|
2011-03-26 23:46:25 +03:00
|
|
|
elif hash_regex in (HASH.CRYPT_GENERIC):
|
2011-03-27 00:41:37 +03:00
|
|
|
attack_info.append([(user, hash_), {'salt': hash_[0:2]}])
|
2011-03-26 23:46:25 +03:00
|
|
|
|
|
|
|
if not attack_info:
|
|
|
|
continue
|
|
|
|
|
2011-02-07 02:25:55 +03:00
|
|
|
if not kb.wordlist:
|
2011-06-30 12:42:43 +04:00
|
|
|
while not kb.wordlist:
|
|
|
|
message = "what dictionary do you want to use?\n"
|
2011-07-01 14:04:34 +04:00
|
|
|
message += "[1] default dictionary file (press Enter)\n"
|
|
|
|
message += "[2] custom dictionary file\n"
|
|
|
|
message += "[3] file with list of dictionary files"
|
2011-06-30 12:42:43 +04:00
|
|
|
choice = readInput(message, default="1")
|
|
|
|
|
|
|
|
try:
|
|
|
|
if choice == "2":
|
|
|
|
message = "what's the custom dictionary's location?\n"
|
|
|
|
dictPaths = [readInput(message)]
|
2011-07-01 14:04:34 +04:00
|
|
|
|
|
|
|
logger.info("using custom dictionary")
|
2011-06-30 12:42:43 +04:00
|
|
|
elif choice == "3":
|
|
|
|
message = "what's the list file location?\n"
|
|
|
|
listPath = readInput(message)
|
|
|
|
checkFile(listPath)
|
|
|
|
dictPaths = getFileItems(listPath)
|
2011-07-01 14:04:34 +04:00
|
|
|
|
|
|
|
logger.info("using custom list of dictionaries")
|
2011-06-30 12:42:43 +04:00
|
|
|
else:
|
2011-07-01 14:04:34 +04:00
|
|
|
# It is the slowest of all methods hence smaller default dict
|
|
|
|
if hash_regex == HASH.ORACLE_OLD:
|
2011-06-30 12:42:43 +04:00
|
|
|
dictPaths = [paths.ORACLE_DEFAULT_PASSWD]
|
|
|
|
else:
|
|
|
|
dictPaths = [paths.WORDLIST]
|
|
|
|
|
2011-07-01 14:04:34 +04:00
|
|
|
logger.info("using default dictionary")
|
|
|
|
|
2011-06-30 12:42:43 +04:00
|
|
|
for dictPath in dictPaths:
|
|
|
|
checkFile(dictPath)
|
|
|
|
|
2011-07-01 03:44:49 +04:00
|
|
|
kb.wordlist = Wordlist(dictPaths)
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-06-30 12:42:43 +04:00
|
|
|
except sqlmapFilePathException, msg:
|
|
|
|
warnMsg = "there was a problem while loading dictionaries"
|
|
|
|
warnMsg += " ('%s')" % msg
|
|
|
|
logger.critical(warnMsg)
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-03-29 16:00:29 +04:00
|
|
|
message = "do you want to use common password suffixes? (slow!) [y/N] "
|
|
|
|
test = readInput(message, default="N")
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-03-29 16:00:29 +04:00
|
|
|
if test[0] in ("y", "Y"):
|
|
|
|
suffix_list += COMMON_PASSWORD_SUFFIXES
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-07-13 00:49:27 +04:00
|
|
|
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[hash_regex].func_name
|
2011-02-07 02:25:55 +03:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
for item in attack_info:
|
|
|
|
((user, _), _) = item
|
2011-04-18 14:16:38 +04:00
|
|
|
|
|
|
|
if user:
|
|
|
|
kb.wordlist.append(normalizeUnicode(user))
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-03-27 00:10:31 +03:00
|
|
|
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
|
2011-02-07 02:25:55 +03:00
|
|
|
for suffix in suffix_list:
|
2011-07-06 09:44:47 +04:00
|
|
|
if len(attack_info) == len(results) or processException:
|
2011-02-07 02:25:55 +03:00
|
|
|
break
|
|
|
|
|
2011-07-01 03:44:49 +04:00
|
|
|
if suffix:
|
|
|
|
clearConsoleLine()
|
2011-07-13 00:49:27 +04:00
|
|
|
infoMsg = "using suffix '%s'" % suffix
|
2011-07-01 03:44:49 +04:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
kb.wordlist.rewind()
|
|
|
|
|
2011-07-04 23:58:41 +04:00
|
|
|
retVal = None
|
|
|
|
|
|
|
|
try:
|
2011-07-20 16:18:36 +04:00
|
|
|
if _multiprocessing and not IS_WIN:
|
|
|
|
if _multiprocessing.cpu_count() > 1:
|
|
|
|
infoMsg = "starting %d processes " % _multiprocessing.cpu_count()
|
2011-07-06 09:44:47 +04:00
|
|
|
singleTimeLogMessage(infoMsg)
|
2011-02-07 02:25:55 +03:00
|
|
|
|
2011-07-04 23:58:41 +04:00
|
|
|
processes = []
|
2011-07-20 16:18:36 +04:00
|
|
|
retVal = _multiprocessing.Queue()
|
|
|
|
for i in xrange(_multiprocessing.cpu_count()):
|
|
|
|
p = _multiprocessing.Process(target=__bruteProcessVariantA, args=(attack_info, hash_regex, kb.wordlist, suffix, retVal, i, _multiprocessing.cpu_count()))
|
2011-07-04 23:58:41 +04:00
|
|
|
processes.append(p)
|
|
|
|
|
2011-07-11 15:40:27 +04:00
|
|
|
for p in processes:
|
|
|
|
p.start()
|
|
|
|
|
2011-07-04 23:58:41 +04:00
|
|
|
for p in processes:
|
|
|
|
p.join()
|
|
|
|
|
|
|
|
else:
|
2011-07-20 16:18:36 +04:00
|
|
|
warnMsg = "multiprocessing hash cracking is currently "
|
|
|
|
warnMsg += "not supported on this platform"
|
|
|
|
singleTimeWarnMessage(warnMsg)
|
2011-07-04 23:58:41 +04:00
|
|
|
|
|
|
|
retVal = Queue()
|
2011-07-11 17:16:59 +04:00
|
|
|
__bruteProcessVariantA(attack_info, hash_regex, kb.wordlist, suffix, retVal, 0, 1)
|
2011-07-04 23:58:41 +04:00
|
|
|
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
print
|
|
|
|
processException = True
|
|
|
|
warnMsg = "user aborted during dictionary attack phase"
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
2011-07-13 00:32:19 +04:00
|
|
|
while not retVal.empty():
|
|
|
|
results.append(retVal.get())
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
clearConsoleLine()
|
|
|
|
|
|
|
|
else:
|
|
|
|
for ((user, hash_), kwargs) in attack_info:
|
|
|
|
count = 0
|
|
|
|
found = False
|
|
|
|
|
|
|
|
for suffix in suffix_list:
|
2011-07-04 23:58:41 +04:00
|
|
|
if found or processException:
|
2011-02-07 02:25:55 +03:00
|
|
|
break
|
|
|
|
|
2011-07-01 03:44:49 +04:00
|
|
|
if suffix:
|
|
|
|
clearConsoleLine()
|
2011-07-13 00:49:27 +04:00
|
|
|
infoMsg = "using suffix '%s'" % suffix
|
2011-07-01 03:44:49 +04:00
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
kb.wordlist.rewind()
|
|
|
|
|
2011-07-04 23:58:41 +04:00
|
|
|
retVal = None
|
|
|
|
|
|
|
|
try:
|
2011-07-20 16:18:36 +04:00
|
|
|
if _multiprocessing and not IS_WIN:
|
|
|
|
if _multiprocessing.cpu_count() > 1:
|
|
|
|
infoMsg = "starting %d processes " % _multiprocessing.cpu_count()
|
2011-07-06 09:44:47 +04:00
|
|
|
singleTimeLogMessage(infoMsg)
|
2011-07-04 23:58:41 +04:00
|
|
|
|
|
|
|
processes = []
|
2011-07-20 16:18:36 +04:00
|
|
|
retVal = _multiprocessing.Queue()
|
|
|
|
found_ = _multiprocessing.Value('i', False)
|
2011-07-04 23:58:41 +04:00
|
|
|
|
2011-07-20 16:18:36 +04:00
|
|
|
for i in xrange(_multiprocessing.cpu_count()):
|
|
|
|
p = _multiprocessing.Process(target=__bruteProcessVariantB, args=(user, hash_, kwargs, hash_regex, kb.wordlist, suffix, retVal, found_, i, _multiprocessing.cpu_count()))
|
2011-07-04 23:58:41 +04:00
|
|
|
processes.append(p)
|
|
|
|
|
2011-07-11 15:40:27 +04:00
|
|
|
for p in processes:
|
|
|
|
p.start()
|
|
|
|
|
2011-07-04 23:58:41 +04:00
|
|
|
for p in processes:
|
|
|
|
p.join()
|
|
|
|
|
|
|
|
found = found_.value != 0
|
|
|
|
|
|
|
|
else:
|
2011-07-20 16:18:36 +04:00
|
|
|
warnMsg = "multiprocessing hash cracking is currently "
|
|
|
|
warnMsg += "not supported on this platform"
|
|
|
|
singleTimeWarnMessage(warnMsg)
|
2011-07-04 23:58:41 +04:00
|
|
|
|
|
|
|
class Value():
|
|
|
|
pass
|
|
|
|
|
|
|
|
retVal = Queue()
|
|
|
|
found_ = Value()
|
|
|
|
found_.value = False
|
|
|
|
|
2011-07-11 17:16:59 +04:00
|
|
|
__bruteProcessVariantB(user, hash_, kwargs, hash_regex, kb.wordlist, suffix, retVal, found_, 0, 1)
|
2011-07-04 23:58:41 +04:00
|
|
|
|
|
|
|
found = found_.value
|
|
|
|
|
|
|
|
except KeyboardInterrupt:
|
|
|
|
print
|
|
|
|
processException = True
|
|
|
|
warnMsg = "user aborted during dictionary attack phase"
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
2011-07-13 00:32:19 +04:00
|
|
|
while not retVal.empty():
|
|
|
|
results.append(retVal.get())
|
2011-02-07 02:25:55 +03:00
|
|
|
|
|
|
|
clearConsoleLine()
|
|
|
|
|
|
|
|
if len(hash_regexes) == 0:
|
2011-07-12 19:47:04 +04:00
|
|
|
warnMsg = "unknown hash format. "
|
|
|
|
warnMsg += "Please report by e-mail to %s" % ML
|
2011-02-07 02:25:55 +03:00
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
if len(results) == 0:
|
2011-04-30 17:20:05 +04:00
|
|
|
warnMsg = "no clear password(s) found"
|
2011-02-07 02:25:55 +03:00
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
return results
|