Apply Pot File To Hashes - Metasploit


This page contains detailed information about how to use the auxiliary/analyze/apply_pot Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Apply Pot File To Hashes
Module: auxiliary/analyze/apply_pot
Source code: modules/auxiliary/analyze/apply_pot.rb
Disclosure date: -
Last modification time: 2021-01-27 13:50:39 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module uses a John the Ripper or Hashcat .pot file to crack any password hashes in the creds database instantly. JtR's --show functionality is used to help combine all the passwords into an easy to use format.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

Basic Usage


msf > use auxiliary/analyze/apply_pot
msf auxiliary(apply_pot) > show targets
    ... a list of targets ...
msf auxiliary(apply_pot) > set TARGET target-id
msf auxiliary(apply_pot) > show options
    ... show and set options ...
msf auxiliary(apply_pot) > exploit

Knowledge Base


Vulnerable Application


This module applies a John the Ripper (or Hashcat) style .pot file to hashes in the database. This allows very fast cracking of all supported hash types which have already been cracked.

Verification Steps


  1. Have at least one set of hashes in the database
  2. Start msfconsole
  3. Do: use auxiliary/analyze/apply_pot
  4. Do: run
  5. You should hopefully crack a password.

Options


CONFIG

The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf

JOHN_PATH

The absolute path to the John the Ripper executable. Default behavior is to search the PATH for john and john.exe.

POT

The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which records cracked password hashes. Kali Linux's default location is /root/.john/john.pot. Default is ~/.msf4/john.pot.

DeleteTempFiles

This option will prevent deletion of the wordlist and the file containing hashes. This may be useful for running the hashes through john if they weren't cracked, or for debugging. Default is false.

Scenarios


In this scenario, we load a number of different hash types into the creds database. You'll need a .pot file with the cracked hashes; the following can be used:

rEK1ecacw.7.c:password
_J9..K0AyUubDrfOgO4s:password
$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe:password
yhMEAyLkfWqeQ:se
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:password
$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5:password
$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1:password
0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8:foo
0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:toto
0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:FOO
0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16:Password1!
445ff82636a7ba59:probe
*5AD8F88516BD021DD43F171E2C785C69F8E54ADB:tere
O$SIMON#4f8bc1809cb2af77:A
O$SYSTEM#9eedfa0ad26c6d52:THALES
8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A:epsilon
$oracle12c$e3243b98974159cc24fd2c9a8b30ba62e0e83b6ca2fc7c55177c3a7f82602e3bdd17ceb9b9091cf9dad672b8be961a9eac4d344bdba878edc5dcb5899f689ebd8dd1be3f67bff9813a464382381ab36b:epsilon
$dynamic_1034$be86a79bf2043622d58d5453c47d4860$HEX$24556578616d706c65:password
$LM$ac404c4ba2c66533:ASE
$LM$4a3b108f3fa6cb6d:D
$LM$e52cac67419a9a22:PASSWOR
$NT$8846f7eaee8fb117ad06bdd830b7586c:password

resource (hashes_pot.rb)> creds -d
Credentials
===========

host  origin  service  public  private  realm  private_type  JtR Format
----  ------  -------  ------  -------  -----  ------------  ----------

resource (hashes_pot.rb)> creds add user:des_password hash:rEK1ecacw.7.c jtr:des
resource (hashes_pot.rb)> creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
resource (hashes_pot.rb)> creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
resource (hashes_pot.rb)> creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
resource (hashes_pot.rb)> creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
resource (hashes_pot.rb)> creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
resource (hashes_pot.rb)> creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
resource (hashes_pot.rb)> creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
resource (hashes_pot.rb)> creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
resource (hashes_pot.rb)> creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
resource (hashes_pot.rb)> creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
resource (hashes_pot.rb)> creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
resource (hashes_pot.rb)> creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
resource (hashes_pot.rb)> creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
resource (hashes_pot.rb)> creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
resource (hashes_pot.rb)> creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
resource (hashes_pot.rb)> creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
resource (hashes_pot.rb)> creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
resource (hashes_pot.rb)> creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
resource (hashes_pot.rb)> use auxiliary/analyze/apply_pot
resource (hashes_pot.rb)> run
[*] Hashes Written out to /tmp/hashes_tmp20190203-16380-1974mdz
[*] Checking bcrypt hashes against pot file
[+] blowfish_password:password
[*] Checking bsdicrypt hashes against pot file
[+] bsdi_password:password
[*] Checking crypt hashes against pot file
Warning: hash encoding string length 46, type id $d
appears to be unsupported on this system; will not load such hashes.
[+] des_password:password
[+] md5_password:password
[+] sha256_password:password
[+] sha512_password:password
[*] Checking descrypt hashes against pot file
[+] des_password:password
[*] Checking lm hashes against pot file
[+] lm_password:password
[*] Checking nt hashes against pot file
[+] lm_password:password
[+] nt_password:password
[*] Checking md5crypt hashes against pot file
[+] md5_password:password
[*] Checking mysql hashes against pot file
[+] mysql_probe:probe
[*] Checking mysql-sha1 hashes against pot file
[+] mysql-sha1_tere:tere
[*] Checking mssql hashes against pot file
[+] mssql_foo:FOO
[*] Checking mssql05 hashes against pot file
[+] mssql05_toto:toto
[+] mssql_foo:foo
[*] Checking mssql12 hashes against pot file
[+] mssql12_Password1!:Password1!
[*] Checking oracle hashes against pot file
[+] simon:A
[+] SYSTEM:THALES
[*] Checking oracle11 hashes against pot file
[+] DEMO:epsilon
[+] oracle11_epsilon:epsilon
[*] Checking oracle12c hashes against pot file
[+] oracle12c_epsilon:epsilon
[*] Checking dynamic_1506 hashes against pot file
[*] Checking dynamic_1034 hashes against pot file
[+] example:password
[*] Auxiliary module execution completed
resource (hashes_pot.rb)> creds
Credentials
===========

host  origin  service  public              private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----  ------  -------  ------              -------                                                                                                                                                                                                                                                               -----  ------------        ----------
                       des_password        password                                                                                                                                                                                                                                                                     Password            
                       des_password        rEK1ecacw.7.c                                                                                                                                                                                                                                                                Nonreplayable hash  des
                       md5_password        password                                                                                                                                                                                                                                                                     Password            
                       md5_password        $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                                                                                                                                                                                           Nonreplayable hash  md5
                       bsdi_password       password                                                                                                                                                                                                                                                                     Password            
                       bsdi_password       _J9..K0AyUubDrfOgO4s                                                                                                                                                                                                                                                         Nonreplayable hash  bsdi
                       sha256_password     password                                                                                                                                                                                                                                                                     Password            
                       sha256_password     $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                                                                                                                                                                                      Nonreplayable hash  sha256,crypt
                       sha512_password     password                                                                                                                                                                                                                                                                     Password            
                       sha512_password     $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1                                                                                                                                                                           Nonreplayable hash  sha512,crypt
                       blowfish_password   password                                                                                                                                                                                                                                                                     Password            
                       blowfish_password   $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                                                                                                                                                                                                 Nonreplayable hash  bf
                       lm_password         password                                                                                                                                                                                                                                                                     Password            
                       lm_password         e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c                                                                                                                                                                                                            NTLM hash           nt,lm
                       nt_password         password                                                                                                                                                                                                                                                                     Password            
                       nt_password         aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c                                                                                                                                                                                                            NTLM hash           nt,lm
                       mssql05_toto        toto                                                                                                                                                                                                                                                                         Password            
                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                                                                                                                                       Nonreplayable hash  mssql05
                       mssql_foo           foo                                                                                                                                                                                                                                                                          Password            
                       mssql_foo           FOO                                                                                                                                                                                                                                                                          Password            
                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                                                                                                                                               Nonreplayable hash  mssql
                       mssql12_Password1!  Password1!                                                                                                                                                                                                                                                                   Password            
                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16                                                                                                                               Nonreplayable hash  mssql12
                       mysql_probe         probe                                                                                                                                                                                                                                                                        Password            
                       mysql_probe         445ff82636a7ba59                                                                                                                                                                                                                                                             Nonreplayable hash  mysql
                       mysql-sha1_tere     tere                                                                                                                                                                                                                                                                         Password            
                       mysql-sha1_tere     *5AD8F88516BD021DD43F171E2C785C69F8E54ADB                                                                                                                                                                                                                                    Nonreplayable hash  mysql-sha1
                       simon               A                                                                                                                                                                                                                                                                            Password            
                       simon               4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
                       SYSTEM              THALES                                                                                                                                                                                                                                                                       Password            
                       SYSTEM              9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
                       DEMO                epsilon                                                                                                                                                                                                                                                                      Password            
                       DEMO                S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
                       oracle11_epsilon    epsilon                                                                                                                                                                                                                                                                      Password            
                       oracle11_epsilon    S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
                       oracle12c_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
                       oracle12c_epsilon   H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
                       example             password                                                                                                                                                                                                                                                                     Password            
                       example             md5be86a79bf2043622d58d5453c47d4860                                                                                                                                                                                                                                          Postgres md5        raw-md5,postgres
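
Why the results above appear instantly, as an added example (not code from Metasploit or John the Ripper): applying a pot file is a dictionary lookup with no hashing, except that NTLM credentials are matched through the $NT$ record or through the two $LM$ half records seen in the pot file. The pot lines and credentials are copied from this scenario; the function names, the :kind labels, the unknown_user row and the first-colon split for JtR-style records are assumptions of the illustration.

```ruby
# Added illustration, not Metasploit or John the Ripper source code.
# Pot lines and credentials are copied from the scenario on this page;
# function names and the :kind labels are hypothetical.
POT_TEXT = <<~'POT'
  $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:password
  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB:tere
  O$SIMON#4f8bc1809cb2af77:A
  $LM$4a3b108f3fa6cb6d:D
  $LM$e52cac67419a9a22:PASSWOR
  $NT$8846f7eaee8fb117ad06bdd830b7586c:password
POT

CREDS = [
  { user: 'md5_password',    kind: :plain,  value: '$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/' },
  { user: 'mysql-sha1_tere', kind: :plain,  value: '*5AD8F88516BD021DD43F171E2C785C69F8E54ADB' },
  { user: 'simon',           kind: :oracle, value: '4F8BC1809CB2AF77' },
  { user: 'lm_password',     kind: :ntlm,   value: 'E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C' },
  { user: 'nt_password',     kind: :ntlm,   value: 'AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C' },
  { user: 'unknown_user',    kind: :plain,  value: '$1$constructed$notInThePotFile0000000' } # constructed
].freeze

EMPTY_LM_HALF = 'aad3b435b51404ee' # LM hash of an empty 7-character half

# Parse hash:plaintext records. Split on the FIRST colon only, because the
# plaintext may itself contain colons (assumption: JtR-style pot lines).
def parse_pot(text)
  text.each_line(chomp: true).each_with_object({}) do |line, pot|
    hash, sep, plain = line.partition(':')
    pot[hash] = plain unless sep.empty? || hash.empty?
  end
end

# Wrap a recovered plaintext; nil stays nil so callers can chain with ||.
def match(password, case_exact: true)
  password && { password: password, case_exact: case_exact }
end

# LM is stored as two independent halves, each its own pot record.
# The joined result is upper case because LM discards case.
def lm_plaintext(pot, lm_hex)
  return nil if lm_hex == EMPTY_LM_HALF * 2 # no LM hash stored at all
  halves = lm_hex.scan(/.{16}/).map do |half|
    half == EMPTY_LM_HALF ? '' : pot['$LM$' + half]
  end
  halves.size == 2 && halves.none?(&:nil?) ? halves.join : nil
end

# Prefer the $NT$ record (exact case); fall back to the LM halves.
def ntlm_match(pot, value)
  lm, nt = value.downcase.split(':', 2)
  match(pot['$NT$' + nt.to_s]) ||
    match(lm_plaintext(pot, lm.to_s), case_exact: false)
end

# Return { user => { password:, case_exact: } } for every credential whose
# hash already has a record in the pot file.
def apply_pot(pot, creds)
  creds.each_with_object({}) do |cred, found|
    hit = case cred[:kind]
          when :ntlm   then ntlm_match(pot, cred[:value])
          # Oracle DES records embed the upper-cased user name in the key.
          when :oracle then match(pot['O$' + cred[:user].upcase + '#' + cred[:value].downcase])
          else              match(pot[cred[:value]])
          end
    found[cred[:user]] = hit if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  apply_pot(parse_pot(POT_TEXT), CREDS).each do |user, hit|
    note = hit[:case_exact] ? '' : ' (upper-cased by LM, real case unknown)'
    puts "#{user}:#{hit[:password]}#{note}"
  end
end
```
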


Msfconsole Usage


Here is how the analyze/apply_pot auxiliary module looks in the msfconsole:

msf6 > use auxiliary/analyze/apply_pot

msf6 auxiliary(analyze/apply_pot) > show info

       Name: Apply Pot File To Hashes
     Module: auxiliary/analyze/apply_pot
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  h00die

Available actions:
  Name  Description
  ----  -----------
  john  Use John the Ripper

Check supported:
  No

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  CONFIG                         no        The path to a John config file to use instead of the default
  CRACKER_PATH                   no        The absolute path to the cracker executable
  FORK          1                no        Forks for John the Ripper to use
  POT                            no        The path to a John POT file to use instead of the default

Description:
  This module uses a John the Ripper or Hashcat .pot file to crack any 
  password hashes in the creds database instantly. JtR's --show 
  functionality is used to help combine all the passwords into an easy 
  to use format.

Module Options


This is a complete list of options available in the analyze/apply_pot auxiliary module:

msf6 auxiliary(analyze/apply_pot) > show options

Module options (auxiliary/analyze/apply_pot):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CONFIG                         no        The path to a John config file to use instead of the default
   CRACKER_PATH                   no        The absolute path to the cracker executable
   FORK          1                no        Forks for John the Ripper to use
   POT                            no        The path to a John POT file to use instead of the default

Auxiliary action:

   Name  Description
   ----  -----------
   john  Use John the Ripper

Advanced Options


Here is a complete list of advanced options supported by the analyze/apply_pot auxiliary module:

msf6 auxiliary(analyze/apply_pot) > show advanced

Module advanced options (auxiliary/analyze/apply_pot):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DeleteTempFiles  true             no        Delete temporary wordlist and hash files
   OptimizeKernel   true             no        Utilize Optimized Kernels in Hashcat
   ShowCommand      true             no        Print the cracker command being used
   VERBOSE          false            no        Enable detailed status messages
   WORKSPACE                         no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the analyze/apply_pot module can do:

msf6 auxiliary(analyze/apply_pot) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------
   john  Use John the Ripper

Evasion Options


Here is the full list of possible evasion options supported by the analyze/apply_pot auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(analyze/apply_pot) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Authors


  • h00die

Version


This page has been produced using Metasploit Framework version 6.1.29-dev. For more modules, visit the Metasploit Module Library.
