Password Cracker: Databases - Metasploit
This page contains detailed information about how to use the auxiliary/analyze/crack_databases metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Password Cracker: Databases
Module: auxiliary/analyze/crack_databases
Source code: modules/auxiliary/analyze/crack_databases.rb
Disclosure date: -
Last modification time: 2021-02-01 14:16:13 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from the mssql_hashdump, mysql_hashdump, postgres_hashdump, or oracle_hashdump modules. Passwords that have been successfully cracked are then saved as proper credentials. Due to the complexity of some of the hash types, they can be very slow. Setting the ITERATION_TIMEOUT is highly recommended.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/analyze/crack_databases
msf auxiliary(crack_databases) > show targets
... a list of targets ...
msf auxiliary(crack_databases) > set TARGET target-id
msf auxiliary(crack_databases) > show options
... show and set options ...
msf auxiliary(crack_databases) > exploit
Knowledge Base
Vulnerable Application
This module attempts to use a password cracker to decode varying databases based password hashes, such as:
mysqlbased passwordsmysqlbased passwordsmysql-sha1based passwords
mssqlbased passwordsmssqlbased passwordsmssql05based passwordsmssql12based passwords
oraclebased passwordsoracle 10based passwordsoracle 11/12 H valuesbased passwordsoracle 12cbased passwords
postgresbased passwords
| Common | John | Hashcat |
|---|---|---|
| mysql | mysql | 200 |
| mysql-sha1 | mysql-sha1 | 300 |
| mssql | mssql | 131 |
| mssql05 | mssql05 | 132 |
| mssql12 | mssql12 | 1731 |
| oracle 10 | oracle | n/a |
| oracle 11/12 H | 112 | |
| oracle 12c | sha512crypt | 12300 |
| postgres | postgres | 1800 |
Sources of hashes can be found here: source, source2
Verification Steps
- Have at least one user with a database password hash in the database
- Start msfconsole
- Do:
use auxiliary/analyze/crack_databases - Do: set cracker of choice
- Do:
run - You should hopefully crack a password.
Actions
john
Use john the ripper (default).
hashcat
Use hashcat.
Options
CONFIG
The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf
CRACKER_PATH
The absolute path to the cracker executable. Default behavior is to search path.
CUSTOM_WORDLIST
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other
USE items like USE_CREDS, and have MUTATE or KORELOGIC applied to it.
DeleteTempFiles
This option will prevent deletion of the wordlist and file containing hashes. This may be useful for
running the hashes through john if it wasn't cracked, or for debugging. Default is false.
Fork
This option will set how many forks to use on john the ripper. Default is 1 (no forking).
INCREMENTAL
Run the cracker in incremental mode. Default is true
ITERATION_TIMEOUT
The max-run-time for each iteration of cracking.
KORELOGIC
Apply the KoreLogic rules to Wordlist Mode (slower).
Default is false.
MSSQL
Crack MSSQL hashes. Default is true.
MYSQL
Crack MySQL hashes. Default is true.
MUTATE
Apply common mutations to the Wordlist (SLOW). Mutations are:
'@' => 'a''0' => 'o''3' => 'e''$' => 's''7' => 't''1' => 'l''5' => 's'
Default is false.
ORACLE
Crack oracle hashes. Default is true.
POSTGRES
Crack postgres hashes. Default is true.
POT
The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which
records cracked password hashes. Kali linux's default location is /root/.john/john.pot.
Default is ~/.msf4/john.pot.
SHOWCOMMAND
Show the command being used run from the command line for debugging. Default is false
USE_CREDS
Use existing credential data saved in the database. Default is true.
USE_DB_INFO
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name,
and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is true.
USE_DEFAULT_WORDLIST
Use the default metasploit wordlist in metasploit-framework/data/wordlists/password.lst. Default is
true.
USE_HOSTNAMES
Seed the wordlist with hostnames from the workspace. Default is true.
USE_ROOT_WORDS
Use the Common Root Words Wordlist in metasploit-framework/data/wordlists/common_roots.txt. Default
is true.
WORDLIST
Run the cracker in dictionary/wordlist mode. Default is true
Scenarios
Sample Data
The following is data which can be used to test integration, including adding entries to a wordlist and pot file to test various aspects of the cracker.
creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279$
creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E278$
creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
## oracle (10) uses usernames in the hashing, so we can't overide that here
creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
## oracle 11/12 H value, username is used
creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797$
## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:$
creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B3$
##postgres uses username, so we can't overide that here
creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
creds add user:example postgres:md5be86a79bf20fake2d58d5453c47d4860
echo "" > /root/.msf4/john.pot
echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
echo "md5be86a79bf20fake2d58d5453c47d4860:password" >> /root/.msf4/john.pot
echo "\$1\$O3JMY.Tw\$AdLnLjQ/5jXF9.fakegHv/:password" >> /root/.msf4/john.pot
echo "test" > /tmp/wordlist
echo "password" >> /tmp/wordlist
echo "toto" >> /tmp/wordlist
echo "foo" >> /tmp/wordlist
echo "tere" >> /tmp/wordlist
echo "Password1\!" >> /tmp/wordlist
echo "system" >> /tmp/wordlist
echo "simon" >> /tmp/wordlist
echo "A" >> /tmp/wordlist
echo "THALES" >> /tmp/wordlist
echo "probe" >> /tmp/wordlist
echo "epsilon" >> /tmp/wordlist
echo "t\!" >> /tmp/wordlist
John the Ripper
We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.
resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
CUSTOM_WORDLIST => /tmp/wordlist
resource (hashes_hashcat.rb)> setg ShowCommand true
ShowCommand => true
resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
USE_DEFAULT_WORDLIST => false
resource (hashes_hashcat.rb)> setg DeleteTempFiles false
DeleteTempFiles => false
resource (hashes_hashcat.rb)> setg USE_CREDS false
USE_CREDS => false
resource (hashes_hashcat.rb)> setg USE_DB_INFO false
USE_DB_INFO => false
resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
USE_HOSTNAMES => false
resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
USE_ROOT_WORDS => false
resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
ITERATION_TIMEOUT => 60
resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_databases
resource (hashes_hashcat.rb)> run
[+] john Version Detected: 1.9.0-jumbo-1 OMP
[*] Hashes Written out to /tmp/hashes_tmp20190531-29358-125bmsb
[*] Wordlist file written out to /tmp/jtrtmp20190531-29358-11uv1t0
[*] Checking mssql hashes already cracked...
[*] Cracking mssql hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:44) 50.00g/s 400.0p/s 400.0c/s 400.0C/s TEST3:::..FOO
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking mssql hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=RiixU30Z --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1357 mssql mssql_foo FOO Single
[*] Checking mssql05 hashes already cracked...
[*] Cracking mssql05 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
2g 0:00:00:00 DONE (2019-05-31 15:44) 100.0g/s 400.0p/s 800.0c/s 800.0C/s test3:::..foo
Use the "--show --format=mssql05" options to display all of the cracked passwords reliably
Session completed
[*] Cracking mssql05 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql05 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql05 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql05 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=3FMqTSQB --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql05 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
[*] Checking mssql12 hashes already cracked...
[*] Cracking mssql12 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:44) 50.00g/s 409600p/s 409600c/s 409600C/s test3:::..Password1\!99
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking mssql12 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql12 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql12 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mssql12 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=Hgkng17W --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mssql12 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
[*] Checking mysql hashes already cracked...
[*] Cracking mysql hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:45) 100.0g/s 51200p/s 51200c/s 51200C/s test3:::..est3:::
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking mysql hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mysql hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mysql hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mysql hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=8zGhJlFs --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
[*] Checking mysql-sha1 hashes already cracked...
[*] Cracking mysql-sha1 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:45) 100.0g/s 1600p/s 1600c/s 1600C/s tere..probe
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking mysql-sha1 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mysql-sha1 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mysql-sha1 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking mysql-sha1 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=nJ1VeTcl --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=mysql-sha1 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
1360 mysql-sha1 mysql-sha1_tere tere Single
[*] Checking oracle hashes already cracked...
[*] Cracking oracle hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
2g 0:00:00:00 DONE (2019-05-31 15:45) 66.66g/s 364200p/s 1092Kc/s 1092KC/s TEST3:::..T1900
Use the "--show --format=oracle" options to display all of the cracked passwords reliably
Session completed
[*] Cracking oracle hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
0g 0:00:01:00 3/3 0g/s 2705Kp/s 2705Kc/s 2705KC/s LML489..LST0WO
Session stopped (max run-time reached)
[*] Cracking oracle hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
0g 0:00:01:00 3/3 0g/s 2700Kp/s 2700Kc/s 2700KC/s CKS5ER..CGE0DW
Session stopped (max run-time reached)
[*] Cracking oracle hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:00 0g/s 2880Kp/s 2880Kc/s 2880KC/s 225486472..229896168
Session stopped (max run-time reached)
[*] Cracking oracle hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=MEvIkaAE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2019-05-31 15:48) 0g/s 16700p/s 16700c/s 16700C/s TEST3:::..HASHCATING
Session completed
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
1360 mysql-sha1 mysql-sha1_tere tere Single
1361 oracle simon A Single
1362 oracle SYSTEM THALES Single
[*] Checking dynamic_1506 hashes already cracked...
[*] Cracking dynamic_1506 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking dynamic_1506 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking dynamic_1506 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking dynamic_1506 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking dynamic_1506 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=A4uwmyRE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1506 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
1360 mysql-sha1 mysql-sha1_tere tere Single
1361 oracle simon A Single
1362 oracle SYSTEM THALES Single
[*] Checking raw-sha1,oracle hashes already cracked...
Unknown ciphertext format name requested
[*] Cracking raw-sha1,oracle hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Unknown ciphertext format name requested
Unknown ciphertext format name requested
[*] Cracking raw-sha1,oracle hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Unknown ciphertext format name requested
Unknown ciphertext format name requested
[*] Cracking raw-sha1,oracle hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Unknown ciphertext format name requested
Unknown ciphertext format name requested
[*] Cracking raw-sha1,oracle hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Unknown ciphertext format name requested
Unknown ciphertext format name requested
[*] Cracking raw-sha1,oracle hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=olCLdt27 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=raw-sha1,oracle --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Unknown ciphertext format name requested
Unknown ciphertext format name requested
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
1360 mysql-sha1 mysql-sha1_tere tere Single
1361 oracle simon A Single
1362 oracle SYSTEM THALES Single
[*] Checking oracle11 hashes already cracked...
[*] Cracking oracle11 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:48) 100.0g/s 2400p/s 2400c/s 2400C/s epsilon..Buddahh
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking oracle11 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking oracle11 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking oracle11 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking oracle11 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=sYHhhqvp --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle11 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
1360 mysql-sha1 mysql-sha1_tere tere Single
1361 oracle simon A Single
1362 oracle SYSTEM THALES Single
1363 oracle11 DEMO epsilon Single
1364 oracle11 oracle11_epsilon epsilon Single
[*] Checking oracle12c hashes already cracked...
[*] Cracking oracle12c hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:48) 16.66g/s 2133p/s 2133c/s 2133C/s test3:::..password0
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking oracle12c hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking oracle12c hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking oracle12c hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking oracle12c hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=glBBUtZH --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=oracle12c --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
1360 mysql-sha1 mysql-sha1_tere tere Single
1361 oracle simon A Single
1362 oracle SYSTEM THALES Single
1363 oracle11 DEMO epsilon Single
1364 oracle11 oracle11_epsilon epsilon Single
1365 oracle12c oracle12c_epsilon epsilon Single
[*] Checking dynamic_1034 hashes already cracked...
[*] Cracking dynamic_1034 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:48) 50.00g/s 168000p/s 168000c/s 168000C/s test3:::..:::3tset4
Use the "--show --format=dynamic_1034" options to display all of the cracked passwords reliably
Session completed
[*] Cracking dynamic_1034 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking dynamic_1034 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking dynamic_1034 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[*] Cracking dynamic_1034 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=Ici8lKLE --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=dynamic_1034 --wordlist=/tmp/jtrtmp20190531-29358-11uv1t0 --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-29358-125bmsb
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1356 mssql05 mssql05_toto toto Single
1357 mssql mssql_foo FOO Single
1358 mssql12 mssql12_Password1! Password1! Single
1359 mysql mysql_probe probe Single
1360 mysql-sha1 mysql-sha1_tere tere Single
1361 oracle simon A Single
1362 oracle SYSTEM THALES Single
1363 oracle11 DEMO epsilon Single
1364 oracle11 oracle11_epsilon epsilon Single
1365 oracle12c oracle12c_epsilon epsilon Single
1366 dynamic_1034 example password Single
[*] Auxiliary module execution completed
resource (hashes_hashcat.rb)> creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
mssql_foo foo Password
oracle12c_epsilon epsilon Password
DEMO epsilon Password
oracle11_epsilon S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash raw-sha1,oracle
example md5be86a79bf2043622d58d5453c47d4860 Postgres md5 raw-md5,postgres
simon A Password
SYSTEM THALES Password
mssql12_Password1! 0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 Nonreplayable hash mssql12
mysql-sha1_tere tere Password
mysql_probe 445ff82636a7ba59 Nonreplayable hash mysql
mssql_foo 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 Nonreplayable hash mssql
example password Password
mssql12_Password1! Password1! Password
simon 4F8BC1809CB2AF77 Nonreplayable hash des,oracle
mssql05_toto toto Password
oracle11_epsilon epsilon Password
mssql_foo FOO Password
SYSTEM 9EEDFA0AD26C6D52 Nonreplayable hash des,oracle
mssql05_toto 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 Nonreplayable hash mssql05
DEMO S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash raw-sha1,oracle
oracle12c_epsilon H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B Nonreplayable hash pbkdf2,oracle12c
mysql_probe probe Password
mysql-sha1_tere *5AD8F88516BD021DD43F171E2C785C69F8E54ADB Nonreplayable hash mysql-sha1
Hashcat
We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.
resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
CUSTOM_WORDLIST => /tmp/wordlist
resource (hashes_hashcat.rb)> setg ShowCommand true
ShowCommand => true
resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
USE_DEFAULT_WORDLIST => false
resource (hashes_hashcat.rb)> setg DeleteTempFiles false
DeleteTempFiles => false
resource (hashes_hashcat.rb)> setg USE_CREDS false
USE_CREDS => false
resource (hashes_hashcat.rb)> setg USE_DB_INFO false
USE_DB_INFO => false
resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
USE_HOSTNAMES => false
resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
USE_ROOT_WORDS => false
resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
ITERATION_TIMEOUT => 60
resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_databases
resource (hashes_hashcat.rb)> set action hashcat
action => hashcat
resource (hashes_hashcat.rb)> run
[+] hashcat Version Detected: v5.1.0
[*] Hashes Written out to /tmp/hashes_tmp20190531-29687-sp1ejs
[*] Wordlist file written out to /tmp/jtrtmp20190531-29687-1u8mjuq
[*] Checking mssql hashes already cracked...
[*] Cracking mssql hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mssql hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mssql hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=dZTr4DsK --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=131 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1380 mssql mssql_foo FOO Wordlist
[*] Checking mssql05 hashes already cracked...
[*] Cracking mssql05 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mssql05 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mssql05 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=gKYO7rts --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=132 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
[*] Checking mssql12 hashes already cracked...
[*] Cracking mssql12 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mssql12 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mssql12 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=X5k9f6JY --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1731 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
[*] Checking mysql hashes already cracked...
[*] Cracking mysql hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mysql hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mysql hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=L2YwjG1w --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=200 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
1382 mysql mysql_probe probe Wordlist
[*] Checking mysql-sha1 hashes already cracked...
[*] Cracking mysql-sha1 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mysql-sha1 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking mysql-sha1 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=jMcLuSDn --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=300 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
1382 mysql mysql_probe probe Wordlist
1383 mysql-sha1 mysql-sha1_tere tere Wordlist
[*] Checking raw-sha1,oracle hashes already cracked...
[*] Cracking raw-sha1,oracle hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking raw-sha1,oracle hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking raw-sha1,oracle hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=zd9AkOJu --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
1382 mysql mysql_probe probe Wordlist
1383 mysql-sha1 mysql-sha1_tere tere Wordlist
1386 raw-sha1,oracle DEMO epsilon Wordlist
1387 raw-sha1,oracle oracle11_epsilon epsilon Wordlist
[*] Checking oracle11 hashes already cracked...
[*] Cracking oracle11 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking oracle11 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking oracle11 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=t5k5I14z --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=112 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
1382 mysql mysql_probe probe Wordlist
1383 mysql-sha1 mysql-sha1_tere tere Wordlist
1386 raw-sha1,oracle DEMO epsilon Wordlist
1387 raw-sha1,oracle oracle11_epsilon epsilon Wordlist
[*] Checking oracle12c hashes already cracked...
[*] Cracking oracle12c hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking oracle12c hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking oracle12c hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=7dadE1Lr --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12300 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
1382 mysql mysql_probe probe Wordlist
1383 mysql-sha1 mysql-sha1_tere tere Wordlist
1386 raw-sha1,oracle DEMO epsilon Wordlist
1387 raw-sha1,oracle oracle11_epsilon epsilon Wordlist
1388 oracle12c oracle12c_epsilon epsilon Wordlist
[*] Checking dynamic_1034 hashes already cracked...
[*] Cracking dynamic_1034 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/wordlist
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking dynamic_1034 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking dynamic_1034 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=xtcCnmBc --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=12 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-29687-sp1ejs /tmp/jtrtmp20190531-29687-1u8mjuq
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1379 mssql05 mssql05_toto toto Wordlist
1380 mssql mssql_foo FOO Wordlist
1382 mysql mysql_probe probe Wordlist
1383 mysql-sha1 mysql-sha1_tere tere Wordlist
1386 raw-sha1,oracle DEMO epsilon Wordlist
1387 raw-sha1,oracle oracle11_epsilon epsilon Wordlist
1388 oracle12c oracle12c_epsilon epsilon Wordlist
1389 dynamic_1034 example password Wordlist
[*] Auxiliary module execution completed
resource (hashes_hashcat.rb)> creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
mssql05_toto 0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 Nonreplayable hash mssql05
mssql_foo 0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 Nonreplayable hash mssql
mssql12_Password1! 0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 Nonreplayable hash mssql12
mysql_probe 445ff82636a7ba59 Nonreplayable hash mysql
mysql-sha1_tere *5AD8F88516BD021DD43F171E2C785C69F8E54ADB Nonreplayable hash mysql-sha1
simon 4F8BC1809CB2AF77 Nonreplayable hash des,oracle
SYSTEM 9EEDFA0AD26C6D52 Nonreplayable hash des,oracle
DEMO S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash raw-sha1,oracle
oracle11_epsilon S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C Nonreplayable hash raw-sha1,oracle
oracle12c_epsilon H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B Nonreplayable hash pbkdf2,oracle12c
example md5be86a79bf2043622d58d5453c47d4860 Postgres md5 raw-md5,postgres
mssql_foo FOO Password
mssql05_toto toto Password
mysql_probe probe Password
mysql-sha1_tere tere Password
oracle11_epsilon epsilon Password
DEMO epsilon Password
oracle12c_epsilon epsilon Password
example password Password
Go back to menu.
Msfconsole Usage
Here is how the analyze/crack_databases auxiliary module looks in the msfconsole:
msf6 > use auxiliary/analyze/crack_databases
msf6 auxiliary(analyze/crack_databases) > show info
Name: Password Cracker: Databases
Module: auxiliary/analyze/crack_databases
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
theLightCosine <[email protected]>
hdm <[email protected]>
h00die
Available actions:
Name Description
---- -----------
hashcat Use Hashcat
john Use John the Ripper
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CRACKER_PATH no The absolute path to the cracker executable
CUSTOM_WORDLIST no The path to an optional custom wordlist
FORK 1 no Forks for John the Ripper to use
INCREMENTAL true no Run in incremental mode
ITERATION_TIMEOUT no The max-run-time for each iteration of cracking
KORELOGIC false no Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
MSSQL true no Include MSSQL hashes
MUTATE false no Apply common mutations to the Wordlist (SLOW)
MYSQL true no Include MySQL hashes
ORACLE true no Include Oracle hashes
POSTGRES true no Include Postgres hashes
POT no The path to a John POT file to use instead of the default
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist
WORDLIST true no Run in wordlist mode
Description:
This module uses John the Ripper or Hashcat to identify weak
passwords that have been acquired from the mssql_hashdump,
mysql_hashdump, postgres_hashdump, or oracle_hashdump modules.
Passwords that have been successfully cracked are then saved as
proper credentials. Due to the complexity of some of the hash types,
they can be very slow. Setting the ITERATION_TIMEOUT is highly
recommended.
Module Options
This is a complete list of options available in the analyze/crack_databases auxiliary module:
msf6 auxiliary(analyze/crack_databases) > show options
Module options (auxiliary/analyze/crack_databases):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CRACKER_PATH no The absolute path to the cracker executable
CUSTOM_WORDLIST no The path to an optional custom wordlist
FORK 1 no Forks for John the Ripper to use
INCREMENTAL true no Run in incremental mode
ITERATION_TIMEOUT no The max-run-time for each iteration of cracking
KORELOGIC false no Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
MSSQL true no Include MSSQL hashes
MUTATE false no Apply common mutations to the Wordlist (SLOW)
MYSQL true no Include MySQL hashes
ORACLE true no Include Oracle hashes
POSTGRES true no Include Postgres hashes
POT no The path to a John POT file to use instead of the default
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist
WORDLIST true no Run in wordlist mode
Auxiliary action:
Name Description
---- -----------
john Use John the Ripper
Advanced Options
Here is a complete list of advanced options supported by the analyze/crack_databases auxiliary module:
msf6 auxiliary(analyze/crack_databases) > show advanced
Module advanced options (auxiliary/analyze/crack_databases):
Name Current Setting Required Description
---- --------------- -------- -----------
DeleteTempFiles true no Delete temporary wordlist and hash files
OptimizeKernel true no Utilize Optimized Kernels in Hashcat
ShowCommand true no Print the cracker command being used
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the analyze/crack_databases module can do:
msf6 auxiliary(analyze/crack_databases) > show actions
Auxiliary actions:
Name Description
---- -----------
hashcat Use Hashcat
john Use John the Ripper
Evasion Options
Here is the full list of possible evasion options supported by the analyze/crack_databases auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(analyze/crack_databases) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Please enable at least one database type to crack
Here is a relevant code snippet related to the "Please enable at least one database type to crack" error message:
200: if datastore['POSTGRES']
201: hashes_regex << 'dynamic_1034'
202: end
203:
204: # check we actually have an action to perform
205: fail_with(Failure::BadConfig, 'Please enable at least one database type to crack') if hashes_regex.empty?
206:
207: # array of arrays for cracked passwords.
208: # Inner array format: db_id, hash_type, username, password, method_of_crack
209: results = []
210:
This module cannot run without a database connected. Use db_connect to connect to a database.
Here is a relevant code snippet related to the "This module cannot run without a database connected. Use db_connect to connect to a database." error message:
215: cracker.hash_path, hashes = hash_file(hashes_regex)
216:
217: # generate our wordlist and close the file handle.
218: wordlist = wordlist_file
219: unless wordlist
220: print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
221: return
222: end
223:
224: wordlist.close
225: print_status "Wordlist file written out to #{wordlist.path}"
No applicable hashes in database to crack
Here is a relevant code snippet related to the "No applicable hashes in database to crack" error message:
356: end
357: end
358: hashlist.close
359: unless wrote_hash # check if we wrote anything and bail early if we didn't
360: hashlist.delete
361: fail_with Failure::NotFound, 'No applicable hashes in database to crack'
362: end
363: print_status "Hashes Written out to #{hashlist.path}"
364: return hashlist.path, hashes
365: end
366: end
Go back to menu.
Related Pull Requests
- #14669 Merged Pull Request: ensure selected cracker is available and viable
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #12912 Merged Pull Request: remove jtr specific modules that are refactored
- #11695 Merged Pull Request: Password Cracker Overhaul (ie hashcat)
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/analyze/crack_linux
- auxiliary/analyze/crack_mobile
- auxiliary/analyze/crack_osx
- auxiliary/analyze/crack_webapps
- auxiliary/analyze/crack_windows
- auxiliary/scanner/snmp/aix_version
- exploit/aix/local/ibstat_path
- exploit/aix/local/xorg_x11_server
- exploit/aix/rpc_cmsd_opcode21
- exploit/aix/rpc_ttdbserverd_realpath
- payload/aix/ppc/shell_bind_tcp
- payload/aix/ppc/shell_find_port
- payload/aix/ppc/shell_interact
- payload/aix/ppc/shell_reverse_tcp
- post/aix/hashdump
- auxiliary/analyze/crack_aix
- auxiliary/analyze/apply_pot
- auxiliary/analyze/modbus_zip
- exploit/unix/webapp/actualanalyzer_ant_cookie_exec
- exploit/windows/misc/manageengine_eventlog_analyzer_rce
- exploit/windows/oracle/client_system_analyzer_upload
Authors
- theLightCosine
- hdm
- h00die
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.
