Happy CTF week, folks! If you haven't already been following along with (or competing in) Metasploit's global community CTF, it started yesterday and runs through Monday morning U.S. Eastern Time. Registration has been full for a while, but you can join the #metasploit-ctf channel on Slack to participate in the joy and frustration vicariously.

This week's Metasploit wrap-up takes a look back at work done over the last year to overhaul Metasploit's password cracking subsystem and modules. Contributor @h00die catches us up on the problems solved with the latest evolution of Metasploit 5's cracker integration.

Metasploit With More Cats: Overhauling the Password Cracking System

Our thanks to longtime Metasploit contributor and friend h00die for the following explanation of the additions and capabilities incorporated into Metasploit as part of his password-cracking overhaul.

Password cracking has been a part of Metasploit since 2011, a time before Hashcat when John the Ripper (JtR) ruled the land of cross-platform password cracking. Metasploit quickly expanded to adopt cracking multiple types of hashes, mainly focusing on those which were likely to be dumped from operating systems and databases.

As time passed, the password-cracking landscape changed and Hashcat started growing in popularity, mainly due to its adoption of GPU based cracking. JtR followed suit in 2012 as GPU cracking became orders of magnitude faster than using the CPU-only. While Metasploit greatly benefited from these updates to JtR, over time it became clear that the integration was not keeping up. An overhaul was inbound.

Overhaul Step 1: Clean-up

The first step in the overhaul was to inventory what already existed in Metasploit, and to make sure it was still working correctly and optimally. We found several issues, mainly:

  • The embedded configuration file, john.conf, was more than six years old, which caused the jtr_postgres_fast module as well as other modern optimizations from JtR to not work.
  • The Metasploit creds command needed the ability to specify the hash type so that password crackers would know if they could be used.
  • File cleanup support was lacking.
  • There was no documentation.
  • There were many module-specific issues cracking passwords.

In addition to many bug fixes and additions in the initial overhaul effort, one of the coolest additions was an apply_pot module. A pot file contains a password hash and its associated password. If you had previously cracked a password (through a previous engagement, or via password reuse by target), the apply_pot module lets you instantly crack the password and add it to the Metasploit database.

With all the major bases covered, we could turn our focus to standardizations.

Overhaul Step 2: Standardizations

One of the problems we identified in the clean-up phase was an inconsistency in labeling hashes. One of the ways this is typically done outside of Metasploit is to use a tool like hash-identifier. Using that as inspiration, we built a similar functionality into Metasploit so that modules could simply pass a hash, and get a consistently jtr_type added to password hashes. Easy peasey extra cheesey!

While there are LOTS of hashes that could be added to Metasploit's password library, we restricted ourselves to adding only those hash types that are able to be dumped by existing Metasploit modules. As new modules with different hashes are created, this library will be updated to match.

Overhaul Step 3: Meow-ify Metasploit

Finally, with many of the basic bugs and usability problems solved, it was time to modernize the password cracking system with a complete overhaul to support more than just John the Ripper. The most significant addition for most users is that Metasploit can now use hashcat for password cracking. A lot more changed under the hood, too.

We overhauled the password cracking subsystem to be more modular. It is now substantially easier to add a new password cracking program to the framework than it was before. One decision we made in this modularization effort was to standardize on the JtR hash format. Mainly this means that hash names, and hashes, are consistently stored in the database in a JtR-friendly way and will need to be translated for other programs. An example of hash type conversions is available in the wiki, and actual hash formatting from JtR to Hashcat are available in the code.

We renamed all cracking modules to be cracker -independent. If you are looking for the jtr_linux module today, it’s now crack_linux, and all other modules were renamed in this fashion as well. We added crack_osx, and crack_databases was created to incorporate the functionality of the formerly separate jtr_mssql, jtr_mysql, jtr_oracle, jtr_postgres modules. Later, we even added a crack_mobile module to focus on phone password cracking, along with a new mode specifically for PINs.

Other niceties were also added, such as show_command to print the actual command being executed. Metasploit prints the version of the cracker application being used to help with future debugging. New logic prevents the non-Jumbo patched version of JtR from being accidentally used, since it doesn’t include MANY of the hashes we can crack. Want to export the creds DB to a JtR or Hashcat format so you can crack external to Metasploit? Give creds -o a look. A password was cracked, great, but how? Was it a wordlist, was it in the pot file? Metasploit now prints a table of which method was successful in cracking the password. For example:

[+] Cracked Hashes
 DB ID  Hash Type  Username       Cracked Password  Method
 -----  ---------  --------       ----------------  ------
 1260   descrypt   des2_password  password          Wordlist
 1261   descrypt   des_password   password          Wordlist
 1262   descrypt   des_55         55                Incremental
 1263   descrypt   des_pot_55     55                Already Cracked/POT

Ready to try it out? Simply change the action of a cracker: set action hashcat. Need some hashes to try it against, we got you covered as well. You’ll need to be on MSF5 as well, as these changes weren’t backported to version 4, so go get it right meow.

For a complete list of changes over the 10 months of password cracker overhaul and 23,513 added lines of code, see:

Enhancements and features

Several useful features and important bug fixes went into Metasploit Framework as well this week, including:

  • PR #12736 adds support for Parent Process ID (PPID) spoofing in Meterpreter, by @phra. This can be used to make a Meterpreter process appear to be spawned by a different parent process than did in reality by modifying the process tables directly.

  • PR #12883 adds support for viewing and clearing the module stack, which is a set of msfconsole commands designed to make switching between different modules fast and easy, by @wvu-r7

  • PR #12859 updates the AF_PACKET chocobo_root privilege escalation module to use newer Metasploit Framework features, targets for additional Linux kernel types, making the module easier to maintain in the future, by @bcoles.

Bugs fixed

PR #12871 improves the exploit/osx/local/persistence module to print working service removal commands, by @phra.

PR #12568 adds a multitude of fixes to the exploit/windows/local/ms16_032_secondary_logon_handle_privesc module, improving reliability, flexibility, and payload support, by @leo-fb.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).