Remove CAIN

SaiSakthidar
2025-11-30 23:39:52 +05:30
committed by Spencer McIntyre
parent 3547984092
commit 98dd33a3cd
13 changed files with 4 additions and 121 deletions
@@ -16,10 +16,6 @@ This module creates a mock MySQL server which accepts credentials. Upon receivi
Write a file containing a John the Ripper format for cracking the credentials. Default is ``.
### CAINPWFILE
Write a file containing a Cain & Abel format for cracking the credentials. Default is ``.
### SRVVERSION
The MySQL version to print in the login banner. Default is `5.5.16`.
@@ -18,10 +18,6 @@ Microsoft provides an article on how to detect, disable, and enable SMB in vario
## Options
### CAINPWFILE
A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes.
### CHALLENGE
The 8 byte server challenge. If unset or not a valid 16 character hexadecimal pattern, a random challenge is used instead.
@@ -82,10 +82,6 @@ msfconsole server (see an example below).
Target address range or CIDR identifier to relay to.
### CAINPWFILE
A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes.
### JOHNPWFILE
A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes
@@ -23,10 +23,6 @@ Example steps in this format (is also in the PR):
Target address range or CIDR identifier to relay to.
### CAINPWFILE
A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes.
### JOHNPWFILE
A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes
@@ -79,10 +79,6 @@ flowchart LR
Target address range or CIDR identifier to relay to
### CAINPWFILE
A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes.
### JOHNPWFILE
A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes will be stored in separate files.
@@ -16,7 +16,6 @@ module Msf
register_options(
[
OptString.new('CAINPWFILE', [false, 'Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.', nil]),
OptString.new('JOHNPWFILE', [false, 'Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each of which is stored in separate files. Can also be a path.', nil])
], self.class)
end
@@ -35,11 +34,6 @@ module Msf
print_status("#{build_jtr_file_name(Metasploit::Framework::Hashes::JTR_NTLMV2)} for NTLMv2 hashes.")
print_line
end
if datastore['CAINPWFILE']
print_status("Cain & Abel hashes will be stored at #{File.expand_path(datastore['CAINPWFILE'], Msf::Config.install_root)}")
print_line
end
end
def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
@@ -140,15 +134,6 @@ module Msf
f.puts(combined_hash)
end
end
# Cain & Abel doesn't support import of NTLMv2 hashes
if datastore['CAINPWFILE'] && jtr_format == Metasploit::Framework::Hashes::JTR_NTLMV1
# Cain&Abel hash format
# Username:Domain:Challenge:LMHash:NTLMHash
File.open(File.expand_path(datastore['CAINPWFILE'], Msf::Config.install_root), 'ab') do |f|
f.puts("#{user}:#{domain}:#{server_challenge}:#{client_hash}")
end
end
end
def on_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:)
@@ -39,8 +39,6 @@ class MetasploitModule < Msf::Auxiliary
)
register_options([
# OptString.new('LOGFILE', [ false, "The local filename to store the captured hashes", nil ]),
OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]),
OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]),
OptString.new('CHALLENGE', [ true, 'The 8 byte challenge ', '1122334455667788' ])
@@ -308,8 +306,6 @@ class MetasploitModule < Msf::Auxiliary
"NTHASH:#{nt_hash || '<NULL>'} " \
"NT_CLIENT_CHALLENGE:#{nt_cli_challenge || '<NULL>'}\n"
when NTLM_CONST::NTLM_2_SESSION_RESPONSE
# we can consider those as netv1 has they have the same size and i cracked the same way by cain/jtr
# also 'real' netv1 is almost never seen nowadays except with smbmount or msf server capture
capturelogmessage =
"#{capturedtime}\nNTLM2_SESSION Response Captured from #{host} \n" \
"DOMAIN: #{domain} USER: #{user} \n" \
@@ -338,24 +334,6 @@ class MetasploitModule < Msf::Auxiliary
report_creds(opts_report)
# if(datastore['LOGFILE'])
# File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")}
# end
if datastore['CAINPWFILE'] && user && ((ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE) || (ntlm_ver == NTLM_CONST::NTLM_2_SESSION_RESPONSE))
fd = File.open(datastore['CAINPWFILE'], 'ab')
fd.puts(
[
user,
domain || 'NULL',
@challenge.unpack('H*')[0],
lm_hash || '0' * 48,
nt_hash || '0' * 48
].join(':').gsub(/\n/, '\\n')
)
fd.close
end
if datastore['JOHNPWFILE'] && user
case ntlm_ver
when NTLM_CONST::NTLM_V1_RESPONSE, NTLM_CONST::NTLM_2_SESSION_RESPONSE
-24
@@ -46,7 +46,6 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 1433 ]),
OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]),
OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]),
OptString.new('CHALLENGE', [ true, 'The 8 byte challenge ', '1122334455667788' ])
]
@@ -258,8 +257,6 @@ class MetasploitModule < Msf::Auxiliary
"NTHASH:#{nt_hash || '<NULL>'} " \
"NT_CLIENT_CHALLENGE:#{nt_cli_challenge || '<NULL>'}\n"
when NTLM_CONST::NTLM_2_SESSION_RESPONSE
# we can consider those as netv1 has they have the same size and i cracked the same way by cain/jtr
# also 'real' netv1 is almost never seen nowadays except with smbmount or msf server capture
smb_db_type_hash = Metasploit::Framework::Hashes::JTR_NTLMV1
capturelogmessage =
"#{capturedtime}\nNTLM2_SESSION Response Captured from #{host} \n" \
@@ -273,10 +270,6 @@ class MetasploitModule < Msf::Auxiliary
print_status(capturelogmessage)
# DB reporting
# Rem : one report it as a smb_challenge on port 445 has breaking those hashes
# will be mainly use for psexec / smb related exploit
jtr_hash = case smb_db_type_hash
when Metasploit::Framework::Hashes::JTR_NTLMV2
user + '::' + domain + ':' + datastore['CHALLENGE'].to_s + ':' + nt_hash + ':' + nt_cli_challenge.to_s
@@ -294,23 +287,6 @@ class MetasploitModule < Msf::Auxiliary
type: :nonreplayable_hash,
jtr_format: smb_db_type_hash
)
# if(datastore['LOGFILE'])
# File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")}
# end
if datastore['CAINPWFILE'] && user && ((ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE) || (ntlm_ver == NTLM_CONST::NTLM_2_SESSION_RESPONSE))
fd = File.open(datastore['CAINPWFILE'], 'ab')
fd.puts(
[
user,
domain || 'NULL',
@challenge.unpack('H*')[0],
lm_hash || '0' * 48,
nt_hash || '0' * 48
].join(':').gsub(/\n/, '\\n')
)
fd.close
end
if datastore['JOHNPWFILE'] && user
case ntlm_ver
+1 -16
@@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary
'Description' => %q{
This module provides a fake MySQL service that is designed to
capture authentication credentials. It captures challenge and
response pairs that can be supplied to Cain or JtR for cracking.
response pairs that can be supplied to JtR for cracking.
},
'Author' => 'Patrik Karlsson <patrik[at]cqure.net>',
'License' => MSF_LICENSE,
@@ -27,7 +27,6 @@ class MetasploitModule < Msf::Auxiliary
OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 3306 ]),
OptString.new('CHALLENGE', [ true, 'The 16 byte challenge', '112233445566778899AABBCCDDEEFF1122334455' ]),
OptString.new('SRVVERSION', [ true, 'The server version to report in the greeting response', '5.5.16' ]),
OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]),
OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]),
]
)
@@ -178,20 +177,6 @@ class MetasploitModule < Msf::Auxiliary
proof: info[:database] || hash_line
)
if datastore['CAINPWFILE']
fd = ::File.open(datastore['CAINPWFILE'], 'ab')
fd.puts(
[
info[:username],
'NULL',
info[:response].unpack('H*')[0],
@challenge.unpack('H*')[0],
'SHA1'
].join("\t").gsub(/\n/, '\\n')
)
fd.close
end
if datastore['JOHNPWFILE']
john_hash_line = "#{info[:username]}:$mysqlna$#{@challenge.unpack('H*')[0]}*#{info[:response].unpack('H*')[0]}"
fd = ::File.open(datastore['JOHNPWFILE'] + '_mysqlna', 'ab')
+1 -18
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
'Description' => %q{
This module provides a fake SIP service that is designed to
capture authentication credentials. It captures challenge and
response pairs that can be supplied to Cain or JtR for cracking.
response pairs that can be supplied to JtR for cracking.
},
'Author' => 'Patrik Karlsson <patrik[at]cqure.net>',
'License' => MSF_LICENSE,
@@ -35,7 +35,6 @@ class MetasploitModule < Msf::Auxiliary
OptAddress.new('SRVHOST', [ true, 'The local host to listen on.', '0.0.0.0' ]),
OptString.new('NONCE', [ true, 'The server byte nonce', '1234' ]),
OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]),
OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]),
]
)
register_advanced_options(
@@ -206,22 +205,6 @@ class MetasploitModule < Msf::Auxiliary
fd.close
end
if datastore['CAINPWFILE']
resp = []
resp << auth_tokens['realm']
resp << auth_tokens['username']
resp << ''
resp << request[:uri]
resp << auth_tokens['nonce']
resp << response
resp << method
resp << algorithm
fd = File.open(datastore['CAINPWFILE'], 'ab')
fd.puts resp.join("\t") + "\r\n"
fd.close
end
end
sip_send_error_message(request, 401, 'Unauthorized')
when 'ACK'
+1 -3
@@ -18,8 +18,7 @@ class MetasploitModule < Msf::Auxiliary
password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems.
Responses sent by this service by default use a random 8 byte challenge string.
A specific value (such as `1122334455667788`) can be set using the CHALLENGE option,
allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper
(with jumbo patch).
allowing for easy cracking using John the Ripper (with jumbo patch).
To exploit this, the target system must try to authenticate to this
module. One way to force an SMB authentication attempt is by embedding
@@ -51,7 +50,6 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptString.new('CAINPWFILE', [ false, 'Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.', nil ]),
OptString.new('JOHNPWFILE', [ false, 'Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each of which is stored in separate files. Can also be a path.', nil ]),
OptString.new('CHALLENGE', [ false, 'The 8 byte server challenge. Set values must be a valid 16 character hexadecimal pattern. If unset a valid random challenge is used.' ], regex: /^([a-fA-F0-9]{16})$/),
OptString.new('SMBDomain', [ true, 'The domain name used during SMB exchange.', 'WORKGROUP'], aliases: ['DOMAIN_NAME']),
@@ -68,4 +68,4 @@ class MetasploitModule < Msf::Exploit::Remote
file_create(filerdp)
end
end
end
-2
@@ -287,9 +287,7 @@ module Msf
end
datastore = {}
# Capturers
datastore['SRVHOST'] = config[:srvhost]
datastore['CAINPWFILE'] = File.join(config[:hashdir], "cain_#{svc}")
datastore['JOHNPWFILE'] = File.join(config[:hashdir], "john_#{svc}")
# Poisoners