Password Cracker: Mobile - Metasploit
This page contains detailed information about how to use the auxiliary/analyze/crack_mobile Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Password Cracker: Mobile
Module: auxiliary/analyze/crack_mobile
Source code: modules/auxiliary/analyze/crack_mobile.rb
Disclosure date: -
Last modification time: 2021-01-27 13:50:39 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module uses Hashcat to identify weak passwords that have been acquired from Android systems. These utilize MD5 or SHA1 hashing. Android (Samsung) SHA1 is format 5800 in Hashcat. Android (non-Samsung) SHA1 is format 110 in Hashcat. Android MD5 is format 10. JTR does not support Android hashes at the time of writing.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/analyze/crack_mobile
msf auxiliary(crack_mobile) > show targets
... a list of targets ...
msf auxiliary(crack_mobile) > set TARGET target-id
msf auxiliary(crack_mobile) > show options
... show and set options ...
msf auxiliary(crack_mobile) > exploit
Knowledge Base
Vulnerable Application
This module attempts to use a password cracker to decode mobile (Android) based password hashes, such as:
- android-sha1 based passwords
- android-samsung-sha1 based passwords
- android-md5 based passwords
Formats:
Common | John | Hashcat |
---|---|---|
android-md5 | n/a | 10 |
android-samsung-sha1 | n/a | 5800 |
android-sha1 | n/a | 110 |
Sources of hashes can be found here: source
Verification Steps
- Have at least one user with an android-sha1, android-samsung-sha1, or android-md5 password in the database
- Start msfconsole
- Do: use auxiliary/analyze/crack_mobile
- Do: set cracker of choice
- Do: run
- You should hopefully crack a password.
Actions
hashcat
Use hashcat (default).
Options
MD5
Crack android-md5 based passwords. Default is true
SHA1
Crack android-sha1 (non-samsung) based passwords. Default is true
SAMSUNG
Crack android-samsung-sha1 based passwords. Default is true
CONFIG
The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf
CRACKER_PATH
The absolute path to the cracker executable. Default behavior is to search path.
CUSTOM_WORDLIST
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other USE items like USE_CREDS, and have MUTATE or KORELOGIC applied to it.
DeleteTempFiles
This option will prevent deletion of the wordlist and file containing hashes. This may be useful for running the hashes through john if it wasn't cracked, or for debugging. Default is false.
Fork
This option will set how many forks to use on john the ripper. Default is 1 (no forking).
INCREMENTAL
Run the cracker in incremental mode. Default is true
ITERATION_TIMEOUT
The max-run-time for each iteration of cracking
KORELOGIC
Apply the KoreLogic rules to Wordlist Mode (slower). Default is false.
MUTATE
Apply common mutations to the Wordlist (SLOW). Mutations are:
'@' => 'a'
'0' => 'o'
'3' => 'e'
'$' => 's'
'7' => 't'
'1' => 'l'
'5' => 's'
Default is false.
POT
The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which records cracked password hashes. Kali Linux's default location is /root/.john/john.pot. Default is ~/.msf4/john.pot.
SHOWCOMMAND
Show the command being run from the command line, for debugging. Default is false
USE_CREDS
Use existing credential data saved in the database. Default is true.
USE_DB_INFO
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name, and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is true.
USE_DEFAULT_WORDLIST
Use the default Metasploit wordlist in metasploit-framework/data/wordlists/password.lst. Default is true.
USE_HOSTNAMES
Seed the wordlist with hostnames from the workspace. Default is true.
USE_ROOT_WORDS
Use the Common Root Words Wordlist in metasploit-framework/data/wordlists/common_roots.txt. Default is true.
WORDLIST
Run the cracker in dictionary/wordlist mode. Default is true
Scenarios
Sample Data
The following is data which can be used to test integration, including adding entries to a wordlist and pot file to test various aspects of the cracker.
creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
Hashcat
We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.
msf5 post(android/gather/hashdump) > creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
msf5 post(android/gather/hashdump) > previous
msf5 auxiliary(analyze/crack_mobile) > set showcommand true
showcommand => true
msf5 auxiliary(analyze/crack_mobile) > run
[+] hashcat Version Detected: v5.1.0
[*] Hashes Written out to /tmp/hashes_tmp20191112-9775-19hbg7j
[*] Wordlist file written out to /tmp/jtrtmp20191112-9775-f3q0r1
[*] Checking android-sha1 hashes already cracked...
[*] Cracking android-sha1 hashes in pin mode...
[*] Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191112-9775-19hbg7j ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-sha1 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191112-9775-19hbg7j
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-sha1 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191112-9775-19hbg7j /tmp/jtrtmp20191112-9775-f3q0r1
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
98 android-sha1 androidsha1 1234 Pin
[*] Auxiliary module execution completed
MD5, SHA1, SAMSUNG
Create a password with each type; the passwords are all 1234.
msf5 > creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1
msf5 > creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1
msf5 > creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5
msf5 > use auxiliary/analyze/crack_mobile
msf5 auxiliary(analyze/crack_mobile) > run
[+] hashcat Version Detected: v5.1.0
[*] Hashes Written out to /tmp/hashes_tmp20191113-29506-1xydi7
[*] Wordlist file written out to /tmp/jtrtmp20191113-29506-aq6ph7
[*] Checking android-sha1 hashes already cracked...
[*] Cracking android-sha1 hashes in pin mode...
[*] Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-sha1 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-sha1 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
127 android-sha1 androidsha1 1234 Pin
[*] Checking android-samsung-sha1 hashes already cracked...
[*] Cracking android-samsung-sha1 hashes in pin mode...
[*] Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-samsung-sha1 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-samsung-sha1 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
126 android-samsung-sha1 samsungsha1 1234 Pin
127 android-sha1 androidsha1 1234 Pin
[*] Checking android-md5 hashes already cracked...
[*] Cracking android-md5 hashes in pin mode...
[*] Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-md5 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking android-md5 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
126 android-samsung-sha1 samsungsha1 1234 Pin
127 android-sha1 androidsha1 1234 Pin
128 android-md5 androidmd5 1234 Pin
[*] Auxiliary module execution completed
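A defensive counterpart to the MUTATE table and the pin mode seen in the output above, added here as an example (not code from the module or the Metasploit project): a Ruby password-policy check that rejects 4-8 digit PINs and any password that reduces to a denylisted word once the MUTATE substitutions are undone. The method names and the sample word list are assumptions made for this example.

```ruby
require 'set'

# Substitution table copied from the MUTATE option (mutated char => letter).
MUTATIONS = {
  '@' => 'a', '0' => 'o', '3' => 'e', '$' => 's',
  '7' => 't', '1' => 'l', '5' => 's'
}.freeze
MUTATION_RE = Regexp.union(MUTATIONS.keys)

# Pin mode in the sample output runs mask ?d?d?d?d?d?d?d?d with
# --increment-min=4 --increment-max=8, i.e. every 4 to 8 digit PIN.
PIN_RE = /\A\d{4,8}\z/

# Undo every substitution and fold case, so mutated and plain forms compare equal.
def demutate(word)
  word.downcase.gsub(MUTATION_RE) { |c| MUTATIONS[c] }
end

# Normalise the denylist the same way, so entries that natively contain
# digits (e.g. "abc123") still match their own candidates.
def build_denylist(words)
  words.map { |w| demutate(w.strip) }.reject(&:empty?).to_set
end

# Returns the reasons a candidate password should be rejected (empty = none found).
def weak_reasons(candidate, denylist)
  reasons = []
  reasons << :numeric_pin if candidate.match?(PIN_RE)
  reasons << :mutated_dictionary_word if denylist.include?(demutate(candidate))
  reasons
end

# Number of candidates an exhaustive run over min..max digit PINs has to try.
def pin_keyspace(min = 4, max = 8)
  (min..max).sum { |n| 10**n }
end

# Constructed sample data (hypothetical denylist, not the Metasploit wordlist).
SAMPLE_WORDS = %w[password welcome android abc123].freeze
DENYLIST = build_denylist(SAMPLE_WORDS)

if __FILE__ == $PROGRAM_NAME
  %w[1234 P@55w0rd W3lc0me abc123 correct-horse-battery].each do |pw|
    puts format('%-24s %s', pw, weak_reasons(pw, DENYLIST).inspect)
  end
  puts "PIN candidates (4-8 digits): #{pin_keyspace}"
end
```

Because the table maps '1' to 'l' only, a candidate such as Andr01d does not reduce to android; a production check would extend the table with the substitutions its own users actually make.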
Msfconsole Usage
Here is how the analyze/crack_mobile auxiliary module looks in the msfconsole:
msf6 > use auxiliary/analyze/crack_mobile
msf6 auxiliary(analyze/crack_mobile) > show info
Name: Password Cracker: Mobile
Module: auxiliary/analyze/crack_mobile
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
h00die
Available actions:
Name Description
---- -----------
hashcat Use Hashcat
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CRACKER_PATH no The absolute path to the cracker executable
CUSTOM_WORDLIST no The path to an optional custom wordlist
FORK 1 no Forks for John the Ripper to use
INCREMENTAL true no Run in incremental mode
ITERATION_TIMEOUT no The max-run-time for each iteration of cracking
KORELOGIC false no Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
MD5 true no Include Android-MD5 hashes
MUTATE false no Apply common mutations to the Wordlist (SLOW)
POT no The path to a John POT file to use instead of the default
SAMSUNG true no Include Samsung SHA1 hashes
SHA1 true no Include Android-SHA1 hashes
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist
WORDLIST true no Run in wordlist mode
Description:
This module uses Hashcat to identify weak passwords that have been
acquired from Android systems. These utilize MD5 or SHA1 hashing.
Android (Samsung) SHA1 is format 5800 in Hashcat. Android
(non-Samsung) SHA1 is format 110 in Hashcat. Android MD5 is format
10. JTR does not support Android hashes at the time of writing.
Module Options
This is a complete list of options available in the analyze/crack_mobile auxiliary module:
msf6 auxiliary(analyze/crack_mobile) > show options
Module options (auxiliary/analyze/crack_mobile):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CRACKER_PATH no The absolute path to the cracker executable
CUSTOM_WORDLIST no The path to an optional custom wordlist
FORK 1 no Forks for John the Ripper to use
INCREMENTAL true no Run in incremental mode
ITERATION_TIMEOUT no The max-run-time for each iteration of cracking
KORELOGIC false no Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
MD5 true no Include Android-MD5 hashes
MUTATE false no Apply common mutations to the Wordlist (SLOW)
POT no The path to a John POT file to use instead of the default
SAMSUNG true no Include Samsung SHA1 hashes
SHA1 true no Include Android-SHA1 hashes
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist
WORDLIST true no Run in wordlist mode
Auxiliary action:
Name Description
---- -----------
hashcat Use Hashcat
Advanced Options
Here is a complete list of advanced options supported by the analyze/crack_mobile auxiliary module:
msf6 auxiliary(analyze/crack_mobile) > show advanced
Module advanced options (auxiliary/analyze/crack_mobile):
Name Current Setting Required Description
---- --------------- -------- -----------
DeleteTempFiles true no Delete temporary wordlist and hash files
OptimizeKernel true no Utilize Optimized Kernels in Hashcat
ShowCommand true no Print the cracker command being used
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the analyze/crack_mobile module can do:
msf6 auxiliary(analyze/crack_mobile) > show actions
Auxiliary actions:
Name Description
---- -----------
hashcat Use Hashcat
Evasion Options
Here is the full list of possible evasion options supported by the analyze/crack_mobile auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(analyze/crack_mobile) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
This module cannot run without a database connected. Use db_connect to connect to a database.
Here is a relevant code snippet related to the "This module cannot run without a database connected. Use db_connect to connect to a database." error message:
# hashes is a reference list used by hashcat only
cracker.hash_path, hashes = hash_file(hashes_regex)

wordlist = wordlist_file
unless wordlist
  print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
  return
end

wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"
No applicable hashes in database to crack
Here is a relevant code snippet related to the "No applicable hashes in database to crack" error message:
      wrote_hash = true
    end
    hashlist.close
    unless wrote_hash # check if we wrote anything and bail early if we didn't
      hashlist.delete
      fail_with Failure::NotFound, 'No applicable hashes in database to crack'
    end
    print_status "Hashes Written out to #{hashlist.path}"
    return hashlist.path, hashes
  end
end
Related Pull Requests
- #14669 Merged Pull Request: ensure selected cracker is available and viable
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #12593 Merged Pull Request: fixes for android hashdump
- #12497 Merged Pull Request: Android hashdumper
See Also
Check also the following modules related to this module:
- auxiliary/analyze/crack_aix
- auxiliary/analyze/crack_databases
- auxiliary/analyze/crack_linux
- auxiliary/analyze/crack_osx
- auxiliary/analyze/crack_webapps
- auxiliary/analyze/crack_windows
- auxiliary/analyze/apply_pot
- auxiliary/analyze/modbus_zip
- auxiliary/scanner/http/wp_mobileedition_file_read
- auxiliary/scanner/http/wp_mobile_pack_info_disclosure
- exploit/apple_ios/email/mobilemail_libtiff
- exploit/linux/http/mobileiron_core_log4shell
- exploit/linux/http/mobileiron_mdm_hessian_rce
- exploit/multi/http/mobilecartly_upload_exec
- exploit/unix/webapp/wp_mobile_detector_upload_execute
- exploit/windows/misc/mobile_mouse_rce
- exploit/unix/webapp/actualanalyzer_ant_cookie_exec
- exploit/windows/misc/manageengine_eventlog_analyzer_rce
- exploit/windows/oracle/client_system_analyzer_upload
Authors
- h00die
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.