Password Cracker: AIX - Metasploit


This page contains detailed information about how to use the auxiliary/analyze/crack_aix metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Password Cracker: AIX
Module: auxiliary/analyze/crack_aix
Source code: modules/auxiliary/analyze/crack_aix.rb
Disclosure date: -
Last modification time: 2021-01-27 13:50:39 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from passwd files on AIX systems. These utilize DES hashing. DES is format 1500 in Hashcat. DES is descrypt in JTR.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/analyze/crack_aix
msf auxiliary(crack_aix) > show targets
    ... a list of targets ...
msf auxiliary(crack_aix) > set TARGET target-id
msf auxiliary(crack_aix) > show options
    ... show and set options ...
msf auxiliary(crack_aix) > exploit

Knowledge Base

Vulnerable Application

This module attempts to use a password cracker to decode AIX based password hashes, such as:

  • DES based passwords

Formats:

Common John Hashcat
des descript 1500

Sources of hashes can be found here: source, source2

Verification Steps

  1. Have at least one user with a des password in the database
  2. Start msfconsole
  3. Do: use auxiliary/analyze/crack_aix
  4. Do: set cracker of choice
  5. Do: run
  6. You should hopefully crack a password.

Actions

john

Use john the ripper (default).

hashcat

Use hashcat.

Options

CONFIG

The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf

CRACKER_PATH

The absolute path to the cracker executable. Default behavior is to search path.

CUSTOM_WORDLIST

The path to an optional custom wordlist. This file is added to the new wordlist which may include the other USE items like USE_CREDS, and have MUTATE or KORELOGIC applied to it.

DeleteTempFiles

This option will prevent deletion of the wordlist and file containing hashes. This may be useful for running the hashes through john if it wasn't cracked, or for debugging. Default is false.

Fork

This option will set how many forks to use on john the ripper. Default is 1 (no forking).

INCREMENTAL

Run the cracker in incremental mode. Default is true

ITERATION_TIMEOUT

The max-run-time for each iteration of cracking

KORELOGIC

Apply the KoreLogic rules to Wordlist Mode (slower). Default is false.

MUTATE

Apply common mutations to the Wordlist (SLOW). Mutations are:

  • '@' => 'a'
  • '0' => 'o'
  • '3' => 'e'
  • '$' => 's'
  • '7' => 't'
  • '1' => 'l'
  • '5' => 's'

Default is false.

POT

The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which records cracked password hashes. Kali linux's default location is /root/.john/john.pot. Default is ~/.msf4/john.pot.

SHOWCOMMAND

Show the command being used run from the command line for debugging. Default is false

USE_CREDS

Use existing credential data saved in the database. Default is true.

USE_DB_INFO

Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name, and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is true.

USE_DEFAULT_WORDLIST

Use the default metasploit wordlist in metasploit-framework/data/wordlists/password.lst. Default is true.

USE_HOSTNAMES

Seed the wordlist with hostnames from the workspace. Default is true.

USE_ROOT_WORDS

Use the Common Root Words Wordlist in metasploit-framework/data/wordlists/common_roots.txt. Default is true.

WORDLIST

Run the cracker in dictionary/wordlist mode. Default is true

Scenarios

Sample Data

The following is data which can be used to test integration, including adding entries to a wordlist and pot file to test various aspects of the cracker.

creds add user:des2_password hash:rEK1ecacw.7.c jtr:des
creds add user:des_password hash:rEK1ecacw.7.c jtr:des
creds add user:des_55 hash:rDpJV6xlcXxRM jtr:des
creds add user:des_pot_55 hash:fakeV6xlcXxRM jtr:des
creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
echo "fakeV6xlcXxRM:55" >> /root/.msf4/john.pot
echo "test" > /tmp/wordlist
echo "password" >> /tmp/wordlist

John the Ripper

We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.

resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
CUSTOM_WORDLIST => /tmp/wordlist
resource (hashes_hashcat.rb)> setg ShowCommand true
ShowCommand => true
resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
USE_DEFAULT_WORDLIST => false
resource (hashes_hashcat.rb)> setg DeleteTempFiles false
DeleteTempFiles => false
resource (hashes_hashcat.rb)> setg USE_CREDS false
USE_CREDS => false
resource (hashes_hashcat.rb)> setg USE_DB_INFO false
USE_DB_INFO => false
resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
USE_HOSTNAMES => false
resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
USE_ROOT_WORDS => false
resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
ITERATION_TIMEOUT => 60
resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_aix
resource (hashes_hashcat.rb)> run
[+] john Version Detected: 1.9.0-jumbo-1 OMP
[*] Hashes Written out to /tmp/hashes_tmp20190531-27621-1ucwc3l
[*] Wordlist file written out to /tmp/jtrtmp20190531-27621-qk76qr
[*] Checking descrypt hashes already cracked...
[*] Cracking descrypt hashes in single mode...
[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-27621-qk76qr --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 15:06) 100.0g/s 1103Kp/s 4415Kc/s 4415KC/s test3:::..t1900
Warning: passwords printed above might be partial and not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking descrypt hashes in normal mode
[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
3g 0:00:00:00 DONE 1/3 (2019-05-31 15:06) 300.0g/s 614200p/s 614400c/s 614400C/s des_pass..Dde_pass
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking descrypt hashes in incremental mode...
[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
Using default input encoding: UTF-8
[*] Cracking descrypt hashes in wordlist mode...
[*]    Cracking Command: /usr/sbin/john --session=Z5uRTsvO --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=descrypt --wordlist=/tmp/jtrtmp20190531-27621-qk76qr --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-27621-1ucwc3l
Using default input encoding: UTF-8
[+] Cracked Hashes
==============

 DB ID  Hash Type  Username        Cracked Password  Method
 -----  ---------  --------        ----------------  ------
 1250   descrypt   des2_password   password          Single
 1251   descrypt   des_password    password          Single
 1252   descrypt   des_55          55                Normal
 1253   descrypt   des_pot_55      55                Already Cracked/POT
 1254   descrypt   des_passphrase  passphrase        Normal

[*] Auxiliary module execution completed
resource (hashes_hashcat.rb)> creds
Credentials
===========

host  origin  service  public          private                   realm  private_type        JtR Format
----  ------  -------  ------          -------                   -----  ------------        ----------
                       des2_password   rEK1ecacw.7.c                    Nonreplayable hash  des
                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
                       des_55          rDpJV6xlcXxRM                    Nonreplayable hash  des
                       des_pot_55      fakeV6xlcXxRM                    Nonreplayable hash  des
                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
                       des_pot_55      55                               Password            
                       des2_password   password                         Password            
                       des_password    password                         Password            
                       des_55          55                               Password            
                       des_passphrase  passphrase                       Password

Hashcat

We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.

resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
CUSTOM_WORDLIST => /tmp/wordlist
resource (hashes_hashcat.rb)> setg ShowCommand true
ShowCommand => true
resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
USE_DEFAULT_WORDLIST => false
resource (hashes_hashcat.rb)> setg DeleteTempFiles false
DeleteTempFiles => false
resource (hashes_hashcat.rb)> setg USE_CREDS false
USE_CREDS => false
resource (hashes_hashcat.rb)> setg USE_DB_INFO false
USE_DB_INFO => false
resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
USE_HOSTNAMES => false
resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
USE_ROOT_WORDS => false
resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
ITERATION_TIMEOUT => 60
resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_aix
resource (hashes_hashcat.rb)> set action hashcat
action => hashcat
resource (hashes_hashcat.rb)> run
[+] hashcat Version Detected: v5.1.0
[*] Hashes Written out to /tmp/hashes_tmp20190531-27714-1ct3bn3
[*] Wordlist file written out to /tmp/jtrtmp20190531-27714-1j3q151
[*] Checking descrypt hashes already cracked...
[*] Cracking descrypt hashes in incremental mode...
[*]    Cracking Command: /usr/bin/hashcat --session=wCGD0gD0 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-27714-1ct3bn3
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking descrypt hashes in wordlist mode...
[*]    Cracking Command: /usr/bin/hashcat --session=wCGD0gD0 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1500 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-27714-1ct3bn3 /tmp/jtrtmp20190531-27714-1j3q151
nvmlDeviceGetFanSpeed(): Not Supported

[+] Cracked Hashes
==============

 DB ID  Hash Type  Username       Cracked Password  Method
 -----  ---------  --------       ----------------  ------
 1260   descrypt   des2_password  password          Wordlist
 1261   descrypt   des_password   password          Wordlist
 1262   descrypt   des_55         55                Incremental
 1263   descrypt   des_pot_55     55                Already Cracked/POT

[*] Auxiliary module execution completed
resource (hashes_hashcat.rb)> creds
Credentials
===========

host  origin  service  public          private                   realm  private_type        JtR Format
----  ------  -------  ------          -------                   -----  ------------        ----------
                       des2_password   rEK1ecacw.7.c                    Nonreplayable hash  des
                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
                       des_55          rDpJV6xlcXxRM                    Nonreplayable hash  des
                       des_pot_55      fakeV6xlcXxRM                    Nonreplayable hash  des
                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
                       des_pot_55      55                               Password            
                       des_55          55                               Password            
                       des2_password   password                         Password            
                       des_password    password                         Password

Go back to menu.

Msfconsole Usage

Here is how the analyze/crack_aix auxiliary module looks in the msfconsole:

msf6 > use auxiliary/analyze/crack_aix

msf6 auxiliary(analyze/crack_aix) > show info

       Name: Password Cracker: AIX
     Module: auxiliary/analyze/crack_aix
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  theLightCosine <[email protected]>
  hdm <[email protected]>
  h00die

Available actions:
  Name     Description
  ----     -----------
  hashcat  Use Hashcat
  john     Use John the Ripper

Check supported:
  No

Basic options:
  Name                  Current Setting  Required  Description
  ----                  ---------------  --------  -----------
  CONFIG                                 no        The path to a John config file to use instead of the default
  CRACKER_PATH                           no        The absolute path to the cracker executable
  CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
  FORK                  1                no        Forks for John the Ripper to use
  INCREMENTAL           true             no        Run in incremental mode
  ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
  KORELOGIC             false            no        Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
  MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
  POT                                    no        The path to a John POT file to use instead of the default
  USE_CREDS             true             no        Use existing credential data saved in the database
  USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
  USE_DEFAULT_WORDLIST  true             no        Use the default metasploit wordlist
  USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
  USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist
  WORDLIST              true             no        Run in wordlist mode

Description:
  This module uses John the Ripper or Hashcat to identify weak 
  passwords that have been acquired from passwd files on AIX systems. 
  These utilize DES hashing. DES is format 1500 in Hashcat. DES is 
  descrypt in JTR.

Module Options

This is a complete list of options available in the analyze/crack_aix auxiliary module:

msf6 auxiliary(analyze/crack_aix) > show options

Module options (auxiliary/analyze/crack_aix):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CONFIG                                 no        The path to a John config file to use instead of the default
   CRACKER_PATH                           no        The absolute path to the cracker executable
   CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
   FORK                  1                no        Forks for John the Ripper to use
   INCREMENTAL           true             no        Run in incremental mode
   ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
   KORELOGIC             false            no        Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
   MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
   POT                                    no        The path to a John POT file to use instead of the default
   USE_CREDS             true             no        Use existing credential data saved in the database
   USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
   USE_DEFAULT_WORDLIST  true             no        Use the default metasploit wordlist
   USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
   USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist
   WORDLIST              true             no        Run in wordlist mode

Auxiliary action:

   Name  Description
   ----  -----------
   john  Use John the Ripper

Advanced Options

Here is a complete list of advanced options supported by the analyze/crack_aix auxiliary module:

msf6 auxiliary(analyze/crack_aix) > show advanced

Module advanced options (auxiliary/analyze/crack_aix):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DeleteTempFiles  true             no        Delete temporary wordlist and hash files
   OptimizeKernel   true             no        Utilize Optimized Kernels in Hashcat
   ShowCommand      true             no        Print the cracker command being used
   VERBOSE          false            no        Enable detailed status messages
   WORKSPACE                         no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the analyze/crack_aix module can do:

msf6 auxiliary(analyze/crack_aix) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   hashcat  Use Hashcat
   john     Use John the Ripper

Evasion Options

Here is the full list of possible evasion options supported by the analyze/crack_aix auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(analyze/crack_aix) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

This module cannot run without a database connected. Use db_connect to connect to a database.

Here is a relevant code snippet related to the "This module cannot run without a database connected. Use db_connect to connect to a database." error message:

123:	    cracker.hash_path, hashes = hash_file(hashes_regex)
124:	
125:	    # generate our wordlist and close the file handle.  max length of DES is 8
126:	    wordlist = wordlist_file(8)
127:	    unless wordlist
128:	      print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
129:	      return
130:	    end
131:	
132:	    wordlist.close
133:	    print_status "Wordlist file written out to #{wordlist.path}"

No applicable hashes in database to crack

Here is a relevant code snippet related to the "No applicable hashes in database to crack" error message:

228:	      wrote_hash = true
229:	    end
230:	    hashlist.close
231:	    unless wrote_hash # check if we wrote anything and bail early if we didn't
232:	      hashlist.delete
233:	      fail_with Failure::NotFound, 'No applicable hashes in database to crack'
234:	    end
235:	    print_status "Hashes Written out to #{hashlist.path}"
236:	    return hashlist.path, hashes
237:	  end
238:	end

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • theLightCosine
  • hdm
  • h00die

Version

This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.