From 98dd33a3cdc056bb12eb57e0435a56e5b3e10b7c Mon Sep 17 00:00:00 2001 From: SaiSakthidar <3.youth.sai@gmail.com> Date: Sun, 30 Nov 2025 23:39:52 +0530 Subject: [PATCH] Remove CAIN --- .../modules/auxiliary/server/capture/mysql.md | 4 ---- .../modules/auxiliary/server/capture/smb.md | 4 ---- .../auxiliary/server/relay/smb_to_ldap.md | 4 ---- .../auxiliary/server/relay/smb_to_mssql.md | 4 ---- .../modules/exploit/windows/smb/smb_relay.md | 4 ---- .../exploit/remote/smb/server/hash_capture.rb | 15 ------------ modules/auxiliary/server/capture/http_ntlm.rb | 22 ----------------- modules/auxiliary/server/capture/mssql.rb | 24 ------------------- modules/auxiliary/server/capture/mysql.rb | 17 +------------ modules/auxiliary/server/capture/sip.rb | 19 +-------------- modules/auxiliary/server/capture/smb.rb | 4 +--- .../windows/fileformat/cain_abel_4918_rdp.rb | 2 +- plugins/capture.rb | 2 -- 13 files changed, 4 insertions(+), 121 deletions(-) diff --git a/documentation/modules/auxiliary/server/capture/mysql.md b/documentation/modules/auxiliary/server/capture/mysql.md index 38ceaa345d..d402e88fc4 100644 --- a/documentation/modules/auxiliary/server/capture/mysql.md +++ b/documentation/modules/auxiliary/server/capture/mysql.md @@ -16,10 +16,6 @@ This module creates a mock MySQL server which accepts credentials. Upon receivi Write a file containing a John the Ripper format for cracking the credentials. Default is ``. -### CAINPWFILE - - Write a file containing a Cain & Abel format for cracking the credentials. Default is ``. - ### SRVVERSION The MySQL version to print in the login banner. Default is `5.5.16`. diff --git a/documentation/modules/auxiliary/server/capture/smb.md b/documentation/modules/auxiliary/server/capture/smb.md index 16b542b32b..1cdc847b54 100644 --- a/documentation/modules/auxiliary/server/capture/smb.md +++ b/documentation/modules/auxiliary/server/capture/smb.md 
@@ -18,10 +18,6 @@ Microsoft provides an article on how to detect, disable, and enable SMB in vario ## Options -### CAINPWFILE - -A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes. - ### CHALLENGE The 8 byte server challenge. If unset or not a valid 16 character hexadecimal pattern, a random challenge is used instead. diff --git a/documentation/modules/auxiliary/server/relay/smb_to_ldap.md b/documentation/modules/auxiliary/server/relay/smb_to_ldap.md index 2a6508abdf..2b00008388 100644 --- a/documentation/modules/auxiliary/server/relay/smb_to_ldap.md +++ b/documentation/modules/auxiliary/server/relay/smb_to_ldap.md @@ -82,10 +82,6 @@ msfconsole server (see an example below). Target address range or CIDR identifier to relay to. -### CAINPWFILE - -A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes. - ### JOHNPWFILE A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes diff --git a/documentation/modules/auxiliary/server/relay/smb_to_mssql.md b/documentation/modules/auxiliary/server/relay/smb_to_mssql.md index a46ba775d5..24756dc4e1 100644 --- a/documentation/modules/auxiliary/server/relay/smb_to_mssql.md +++ b/documentation/modules/auxiliary/server/relay/smb_to_mssql.md @@ -23,10 +23,6 @@ Example steps in this format (is also in the PR): Target address range or CIDR identifier to relay to. -### CAINPWFILE - -A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes. - ### JOHNPWFILE A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes diff --git a/documentation/modules/exploit/windows/smb/smb_relay.md b/documentation/modules/exploit/windows/smb/smb_relay.md index 3e0b27329a..ec5d5d2f36 100644 --- a/documentation/modules/exploit/windows/smb/smb_relay.md +++ b/documentation/modules/exploit/windows/smb/smb_relay.md 
@@ -79,10 +79,6 @@ flowchart LR Target address range or CIDR identifier to relay to -### CAINPWFILE - -A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes. - ### JOHNPWFILE A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes will be stored in separate files. diff --git a/lib/msf/core/exploit/remote/smb/server/hash_capture.rb b/lib/msf/core/exploit/remote/smb/server/hash_capture.rb index 8c11762d1e..6951cbc4e9 100644 --- a/lib/msf/core/exploit/remote/smb/server/hash_capture.rb +++ b/lib/msf/core/exploit/remote/smb/server/hash_capture.rb @@ -16,7 +16,6 @@ module Msf register_options( [ - OptString.new('CAINPWFILE', [false, 'Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.', nil]), OptString.new('JOHNPWFILE', [false, 'Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each of which is stored in separate files. Can also be a path.', nil]) ], self.class) end @@ -35,11 +34,6 @@ module Msf print_status("#{build_jtr_file_name(Metasploit::Framework::Hashes::JTR_NTLMV2)} for NTLMv2 hashes.") print_line end - - if datastore['CAINPWFILE'] - print_status("Cain & Abel hashes will be stored at #{File.expand_path(datastore['CAINPWFILE'], Msf::Config.install_root)}") - print_line - end end def report_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:) @@ -140,15 +134,6 @@ module Msf f.puts(combined_hash) end end - - # Cain & Abel doesn't support import of NTLMv2 hashes - if datastore['CAINPWFILE'] && jtr_format == Metasploit::Framework::Hashes::JTR_NTLMV1 - # Cain&Abel hash format - # Username:Domain:Challenge:LMHash:NTLMHash - File.open(File.expand_path(datastore['CAINPWFILE'], Msf::Config.install_root), 'ab') do |f| - f.puts("#{user}:#{domain}:#{server_challenge}:#{client_hash}") - end - end end def on_ntlm_type3(address:, ntlm_type1:, ntlm_type2:, ntlm_type3:) 
diff --git a/modules/auxiliary/server/capture/http_ntlm.rb b/modules/auxiliary/server/capture/http_ntlm.rb index 707656dede..a78a8a9de4 100644 --- a/modules/auxiliary/server/capture/http_ntlm.rb +++ b/modules/auxiliary/server/capture/http_ntlm.rb @@ -39,8 +39,6 @@ class MetasploitModule < Msf::Auxiliary ) register_options([ - # OptString.new('LOGFILE', [ false, "The local filename to store the captured hashes", nil ]), - OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]), OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]), OptString.new('CHALLENGE', [ true, 'The 8 byte challenge ', '1122334455667788' ]) @@ -308,8 +306,6 @@ class MetasploitModule < Msf::Auxiliary "NTHASH:#{nt_hash || ''} " \ "NT_CLIENT_CHALLENGE:#{nt_cli_challenge || ''}\n" when NTLM_CONST::NTLM_2_SESSION_RESPONSE - # we can consider those as netv1 has they have the same size and i cracked the same way by cain/jtr - # also 'real' netv1 is almost never seen nowadays except with smbmount or msf server capture capturelogmessage = "#{capturedtime}\nNTLM2_SESSION Response Captured from #{host} \n" \ "DOMAIN: #{domain} USER: #{user} \n" \ @@ -338,24 +334,6 @@ class MetasploitModule < Msf::Auxiliary report_creds(opts_report) - # if(datastore['LOGFILE']) - # File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")} - # end - - if datastore['CAINPWFILE'] && user && ((ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE) || (ntlm_ver == NTLM_CONST::NTLM_2_SESSION_RESPONSE)) - fd = File.open(datastore['CAINPWFILE'], 'ab') - fd.puts( - [ - user, - domain || 'NULL', - @challenge.unpack('H*')[0], - lm_hash || '0' * 48, - nt_hash || '0' * 48 - ].join(':').gsub(/\n/, '\\n') - ) - fd.close - end - if datastore['JOHNPWFILE'] && user case ntlm_ver when NTLM_CONST::NTLM_V1_RESPONSE, NTLM_CONST::NTLM_2_SESSION_RESPONSE 
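Review bot: The two comments deleted under `when NTLM_CONST::NTLM_2_SESSION_RESPONSE` in the second hunk carried the rationale for treating NTLM2 session responses like NTLMv1 hashes, not only a Cain reference, and the code that depends on that grouping (the `when NTLM_CONST::NTLM_V1_RESPONSE, NTLM_CONST::NTLM_2_SESSION_RESPONSE` arm of the JOHNPWFILE case further down) is unchanged. Deleting them leaves that grouping unexplained for the next reader. Suggest replacing rather than removing, e.g. `# NTLM2 session responses are the same size as NTLMv1 and are cracked the same way in JtR, so they are recorded as NTLMv1`. The enclosing method starts and ends outside the hunk.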
diff --git a/modules/auxiliary/server/capture/mssql.rb b/modules/auxiliary/server/capture/mssql.rb index 5e90130e6b..cf5c2fa0a2 100644 --- a/modules/auxiliary/server/capture/mssql.rb +++ b/modules/auxiliary/server/capture/mssql.rb @@ -46,7 +46,6 @@ class MetasploitModule < Msf::Auxiliary register_options( [ OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 1433 ]), - OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]), OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]), OptString.new('CHALLENGE', [ true, 'The 8 byte challenge ', '1122334455667788' ]) ] @@ -258,8 +257,6 @@ class MetasploitModule < Msf::Auxiliary "NTHASH:#{nt_hash || ''} " \ "NT_CLIENT_CHALLENGE:#{nt_cli_challenge || ''}\n" when NTLM_CONST::NTLM_2_SESSION_RESPONSE - # we can consider those as netv1 has they have the same size and i cracked the same way by cain/jtr - # also 'real' netv1 is almost never seen nowadays except with smbmount or msf server capture smb_db_type_hash = Metasploit::Framework::Hashes::JTR_NTLMV1 capturelogmessage = "#{capturedtime}\nNTLM2_SESSION Response Captured from #{host} \n" \ @@ -273,10 +270,6 @@ class MetasploitModule < Msf::Auxiliary print_status(capturelogmessage) - # DB reporting - # Rem : one report it as a smb_challenge on port 445 has breaking those hashes - # will be mainly use for psexec / smb related exploit - jtr_hash = case smb_db_type_hash when Metasploit::Framework::Hashes::JTR_NTLMV2 user + '::' + domain + ':' + datastore['CHALLENGE'].to_s + ':' + nt_hash + ':' + nt_cli_challenge.to_s 
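Review bot: The comment removed in the second hunk sat directly above `smb_db_type_hash = Metasploit::Framework::Hashes::JTR_NTLMV1` and was the justification for labelling an NTLM2 session response as an NTLMv1 JtR hash; only its Cain mention was stale. Without it the assignment reads like a copy-paste mistake. Keep a reworded version, e.g. `# NTLM2 session responses are the same size as NTLMv1 and crack the same way in JtR, so record them as NTLMv1`. The `# DB reporting` note dropped in the third hunk is likewise unrelated to Cain and could stay. The surrounding method begins and ends outside these hunks.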
@@ -294,23 +287,6 @@ class MetasploitModule < Msf::Auxiliary type: :nonreplayable_hash, jtr_format: smb_db_type_hash ) - # if(datastore['LOGFILE']) - # File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")} - # end - - if datastore['CAINPWFILE'] && user && ((ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE) || (ntlm_ver == NTLM_CONST::NTLM_2_SESSION_RESPONSE)) - fd = File.open(datastore['CAINPWFILE'], 'ab') - fd.puts( - [ - user, - domain || 'NULL', - @challenge.unpack('H*')[0], - lm_hash || '0' * 48, - nt_hash || '0' * 48 - ].join(':').gsub(/\n/, '\\n') - ) - fd.close - end if datastore['JOHNPWFILE'] && user case ntlm_ver diff --git a/modules/auxiliary/server/capture/mysql.rb b/modules/auxiliary/server/capture/mysql.rb index 6266b0451b..752c610d5e 100644 --- a/modules/auxiliary/server/capture/mysql.rb +++ b/modules/auxiliary/server/capture/mysql.rb @@ -13,7 +13,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module provides a fake MySQL service that is designed to capture authentication credentials. It captures challenge and - response pairs that can be supplied to Cain or JtR for cracking. + response pairs that can be supplied to JtR for cracking. }, 'Author' => 'Patrik Karlsson ', 'License' => MSF_LICENSE, @@ -27,7 +27,6 @@ class MetasploitModule < Msf::Auxiliary OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 3306 ]), OptString.new('CHALLENGE', [ true, 'The 16 byte challenge', '112233445566778899AABBCCDDEEFF1122334455' ]), OptString.new('SRVVERSION', [ true, 'The server version to report in the greeting response', '5.5.16' ]), - OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]), OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]), ] ) 
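Review bot: The rewritten description in mysql.rb now only says the pairs can be `supplied to JtR for cracking`, while the module actually writes them in JtR's mysqlna format (`$mysqlna$<challenge>*<response>` appended to `JOHNPWFILE + '_mysqlna'`, as the later hunk in this file shows). Naming the format tells the operator which cracker mode to use; suggest `response pairs that are written in John the Ripper's mysqlna format (see JOHNPWFILE) for offline cracking.` The description string continues outside the hunk.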
@@ -178,20 +177,6 @@ class MetasploitModule < Msf::Auxiliary proof: info[:database] || hash_line ) - if datastore['CAINPWFILE'] - fd = ::File.open(datastore['CAINPWFILE'], 'ab') - fd.puts( - [ - info[:username], - 'NULL', - info[:response].unpack('H*')[0], - @challenge.unpack('H*')[0], - 'SHA1' - ].join("\t").gsub(/\n/, '\\n') - ) - fd.close - end - if datastore['JOHNPWFILE'] john_hash_line = "#{info[:username]}:$mysqlna$#{@challenge.unpack('H*')[0]}*#{info[:response].unpack('H*')[0]}" fd = ::File.open(datastore['JOHNPWFILE'] + '_mysqlna', 'ab') diff --git a/modules/auxiliary/server/capture/sip.rb b/modules/auxiliary/server/capture/sip.rb index 36235b49c1..95279192af 100644 --- a/modules/auxiliary/server/capture/sip.rb +++ b/modules/auxiliary/server/capture/sip.rb @@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and - response pairs that can be supplied to Cain or JtR for cracking. + response pairs that can be supplied to JtR for cracking. }, 'Author' => 'Patrik Karlsson ', 'License' => MSF_LICENSE, @@ -35,7 +35,6 @@ class MetasploitModule < Msf::Auxiliary OptAddress.new('SRVHOST', [ true, 'The local host to listen on.', '0.0.0.0' ]), OptString.new('NONCE', [ true, 'The server byte nonce', '1234' ]), OptString.new('JOHNPWFILE', [ false, 'The prefix to the local filename to store the hashes in JOHN format', nil ]), - OptString.new('CAINPWFILE', [ false, 'The local filename to store the hashes in Cain&Abel format', nil ]), ] ) register_advanced_options( 
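Review bot: With the CAINPWFILE block removed, the surviving JOHNPWFILE path in mysql.rb still opens the file as `fd = ::File.open(datastore['JOHNPWFILE'] + '_mysqlna', 'ab')` and depends on an explicit `fd.close` that lies outside this hunk, so an exception in the write leaks the descriptor. Since the identically structured Cain sink is being deleted anyway, this is the moment to switch the remaining one to the block form, `::File.open(datastore['JOHNPWFILE'] + '_mysqlna', 'ab') { |fd| fd.puts(john_hash_line) }` (assuming that is what the following lines write). The enclosing method continues past the hunk.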
@@ -206,22 +205,6 @@ class MetasploitModule < Msf::Auxiliary fd.close end - if datastore['CAINPWFILE'] - resp = [] - resp << auth_tokens['realm'] - resp << auth_tokens['username'] - resp << '' - resp << request[:uri] - resp << auth_tokens['nonce'] - resp << response - resp << method - resp << algorithm - - fd = File.open(datastore['CAINPWFILE'], 'ab') - fd.puts resp.join("\t") + "\r\n" - fd.close - end - end sip_send_error_message(request, 401, 'Unauthorized') when 'ACK' diff --git a/modules/auxiliary/server/capture/smb.rb b/modules/auxiliary/server/capture/smb.rb index ea38f7cc6c..90d1de90bb 100644 --- a/modules/auxiliary/server/capture/smb.rb +++ b/modules/auxiliary/server/capture/smb.rb @@ -18,8 +18,7 @@ class MetasploitModule < Msf::Auxiliary password NTLMv1 & NTLMv2 hashes used with SMB1, SMB2, or SMB3 client systems. Responses sent by this service by default use a random 8 byte challenge string. A specific value (such as `1122334455667788`) can be set using the CHALLENGE option, - allowing for easy cracking using Cain & Abel (NTLMv1) or John the Ripper - (with jumbo patch). + allowing for easy cracking using John the Ripper (with jumbo patch). To exploit this, the target system must try to authenticate to this module. One way to force an SMB authentication attempt is by embedding 
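Review bot: In sip.rb the deleted CAINPWFILE block appears to take its trailing blank line with it, which on the new side leaves the JOHNPWFILE `end`, then a blank line, then the outer `end` before `sip_send_error_message(request, 401, 'Unauthorized')`, i.e. an empty line closing the enclosing body. That is the kind of layout nit rubocop tends to flag on touched modules; drop the blank so the two `end`s are adjacent. The enclosing block opens outside the hunk, so I am reading this from the hunk counts.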
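Review bot: In smb.rb the rewritten sentence still says that setting a fixed CHALLENGE such as `1122334455667788` allows "easy cracking", but with the Cain clause gone it no longer says why, and the why is the security-relevant part: a constant, known server challenge is what makes NTLMv1 responses attackable with precomputed tables, whereas NTLMv2 gains nothing from it because the client contributes its own challenge (the `nt_cli_challenge` the other capture modules log). Suggest `A fixed value (such as 1122334455667788) can be set with CHALLENGE; for NTLMv1 this makes responses crackable with precomputed tables, while NTLMv2 responses still need John the Ripper (jumbo).` The description string continues past the hunk.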
@@ -51,7 +50,6 @@ class MetasploitModule < Msf::Auxiliary register_options( [ - OptString.new('CAINPWFILE', [ false, 'Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.', nil ]), OptString.new('JOHNPWFILE', [ false, 'Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each of which is stored in separate files. Can also be a path.', nil ]), OptString.new('CHALLENGE', [ false, 'The 8 byte server challenge. Set values must be a valid 16 character hexadecimal pattern. If unset a valid random challenge is used.' ], regex: /^([a-fA-F0-9]{16})$/), OptString.new('SMBDomain', [ true, 'The domain name used during SMB exchange.', 'WORKGROUP'], aliases: ['DOMAIN_NAME']), diff --git a/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb b/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb index 0ebfd2cffa..4f1f24593c 100644 --- a/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb +++ b/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb @@ -68,4 +68,4 @@ class MetasploitModule < Msf::Exploit::Remote file_create(filerdp) end -end +end \ No newline at end of file diff --git a/plugins/capture.rb b/plugins/capture.rb index 3b42cc191f..150e28266e 100644 --- a/plugins/capture.rb +++ b/plugins/capture.rb @@ -287,9 +287,7 @@ module Msf end datastore = {} - # Capturers datastore['SRVHOST'] = config[:srvhost] - datastore['CAINPWFILE'] = File.join(config[:hashdir], "cain_#{svc}") datastore['JOHNPWFILE'] = File.join(config[:hashdir], "john_#{svc}") # Poisoners
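Review bot: The only change to `cain_abel_4918_rdp.rb` is the `\ No newline at end of file` marker on `end`, i.e. the final newline is stripped from a module the patch otherwise does not touch; that looks accidental and is likely to be flagged by rubocop (Layout/TrailingEmptyLines). The module is an exploit against Cain & Abel, not a Cain output writer, so it does not belong in a "Remove CAIN" change at all. Restore the trailing newline and drop the file from the patch.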
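Review bot: In plugins/capture.rb the `# Capturers` comment is removed together with the `CAINPWFILE` line, although it labelled the SRVHOST/JOHNPWFILE settings that remain and paired with the `# Poisoners` comment that follows, which is kept. Keep `# Capturers` above `datastore['SRVHOST'] = config[:srvhost]` so the two sections stay symmetric. If the plugin lists or cleans up files under `config[:hashdir]` elsewhere (outside this hunk), check that it no longer expects `cain_*` files.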