Password Cracker: Mobile - Metasploit


This page contains detailed information about how to use the auxiliary/analyze/crack_mobile Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Password Cracker: Mobile
Module: auxiliary/analyze/crack_mobile
Source code: modules/auxiliary/analyze/crack_mobile.rb
Disclosure date: -
Last modification time: 2021-01-27 13:50:39 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module uses Hashcat to identify weak passwords that have been acquired from Android systems. These utilize MD5 or SHA1 hashing. Android (Samsung) SHA1 is format 5800 in Hashcat. Android (non-Samsung) SHA1 is format 110 in Hashcat. Android MD5 is format 10. JTR does not support Android hashes at the time of writing.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/analyze/crack_mobile
msf auxiliary(crack_mobile) > show targets
    ... a list of targets ...
msf auxiliary(crack_mobile) > set TARGET target-id
msf auxiliary(crack_mobile) > show options
    ... show and set options ...
msf auxiliary(crack_mobile) > exploit

Knowledge Base


Vulnerable Application


This module attempts to use a password cracker to decode mobile (Android) based password hashes, such as:

  • android-sha1 based passwords
  • android-samsung-sha1 based passwords
  • android-md5 based passwords

Formats:

Common                John     Hashcat
android-md5           n/a      10
android-samsung-sha1  n/a      5800
android-sha1          n/a      110

Sources of hashes can be found here: source
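The two non-Samsung formats in the table above (hashcat 110 and 10) are a plain digest of the password followed by the salt, where the salt is the lowercase hex of the device's 64-bit salt value. The following Python is an added example, not code from the module or from Metasploit, that parses a Metasploit-style "hash:salt" credential, recomputes the digest for a candidate, and walks the four-digit numeric space the module's pin mode covers. It reuses the android-sha1 and android-md5 sample credentials shown in this page's Scenarios section (plaintext 1234) as test input; the Samsung format (hashcat 5800) is an iterated scheme and is deliberately not handled here.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Sample credentials copied from this page's Scenarios section ("MD5, SHA1, SAMSUNG").
# Both were produced from the same salt and the plaintext 1234.
SAMPLE_ANDROID_SHA1 = "9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5"
SAMPLE_ANDROID_MD5 = "1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5"


@dataclass(frozen=True)
class AndroidHash:
    digest: str   # hex digest, normalised to lowercase (hashcat compares hex case-insensitively)
    salt: str     # lowercase hex of the 64-bit salt, no zero padding (Java Long.toHexString)
    kind: str     # "android-sha1" (hashcat 110) or "android-md5" (hashcat 10)


def parse_android_hash(value: str) -> AndroidHash:
    """Split a Metasploit 'hash:salt' string and classify it by digest length."""
    try:
        digest, salt = value.split(":", 1)
    except ValueError:
        raise ValueError("expected 'hash:salt'") from None
    digest = digest.lower()
    salt = salt.lower()
    int(salt, 16)  # reject a salt that is not hex
    if len(digest) == 40:
        kind = "android-sha1"
    elif len(digest) == 32:
        kind = "android-md5"
    else:
        raise ValueError(f"unrecognised digest length {len(digest)}")
    return AndroidHash(digest, salt, kind)


def android_digest(password: str, salt_hex: str, kind: str) -> str:
    """Recompute the non-Samsung Android lockscreen digest: H(password || salt_hex)."""
    data = (password + salt_hex).encode("utf-8")
    algo = hashlib.sha1 if kind == "android-sha1" else hashlib.md5
    return algo(data).hexdigest()


def verify_candidate(h: AndroidHash, candidate: str) -> bool:
    """True when the candidate plaintext reproduces the stored digest."""
    return android_digest(candidate, h.salt, h.kind) == h.digest


def search_numeric_pin(h: AndroidHash, length: int = 4) -> Optional[str]:
    """Walk the 10**length numeric PIN space, the same space as the module's ?d?d?d?d mask.

    Unsalted-iteration-free MD5/SHA1 means the whole 4-digit space costs 10,000 digests,
    which is why the module's pin mode finishes almost instantly.
    """
    for n in range(10 ** length):
        pin = str(n).zfill(length)
        if verify_candidate(h, pin):
            return pin
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_ANDROID_SHA1, SAMPLE_ANDROID_MD5):
        h = parse_android_hash(sample)
        print(h.kind, "->", search_numeric_pin(h))
```

The module's wordlist and incremental passes cover the same check with other candidate sources; what this example makes visible is that the per-candidate cost is a single unsalted-iteration digest, so PIN length, not the hash algorithm, is the only thing limiting the search.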

Verification Steps


  1. Have at least one user with an android-sha1, android-samsung-sha1, or android-md5 password in the database
  2. Start msfconsole
  3. Do: use auxiliary/analyze/crack_mobile
  4. Do: set cracker of choice
  5. Do: run
  6. You should hopefully crack a password.

Actions


hashcat

Use hashcat (default).

Options


MD5

Crack android-md5 based passwords. Default is true

SHA1

Crack android-sha1 (non-samsung) based passwords. Default is true

SAMSUNG

Crack android-samsung-sha1 based passwords. Default is true

CONFIG

The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf

CRACKER_PATH

The absolute path to the cracker executable. Default behavior is to search path.

CUSTOM_WORDLIST

The path to an optional custom wordlist. This file is added to the generated wordlist, which may also include the other USE_* sources such as USE_CREDS, and can have MUTATE or KORELOGIC applied to it.

DeleteTempFiles

This option will prevent deletion of the wordlist and the file containing the hashes. This may be useful for running the hashes through john if they weren't cracked, or for debugging. Default is false.

Fork

This option will set how many forks John the Ripper uses. Default is 1 (no forking).

INCREMENTAL

Run the cracker in incremental mode. Default is true

ITERATION_TIMEOUT

The max-run-time for each iteration of cracking

KORELOGIC

Apply the KoreLogic rules to Wordlist Mode (slower). Default is false.

MUTATE

Apply common mutations to the Wordlist (SLOW). Mutations are:

  • '@' => 'a'
  • '0' => 'o'
  • '3' => 'e'
  • '$' => 's'
  • '7' => 't'
  • '1' => 'l'
  • '5' => 's'

Default is false.

POT

The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which records cracked password hashes. Kali Linux's default location is /root/.john/john.pot. Default is ~/.msf4/john.pot.

SHOWCOMMAND

Show the command being run from the command line, for debugging. Default is false

USE_CREDS

Use existing credential data saved in the database. Default is true.

USE_DB_INFO

Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name, and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is true.

USE_DEFAULT_WORDLIST

Use the default metasploit wordlist in metasploit-framework/data/wordlists/password.lst. Default is true.

USE_HOSTNAMES

Seed the wordlist with hostnames from the workspace. Default is true.

USE_ROOT_WORDS

Use the Common Root Words Wordlist in metasploit-framework/data/wordlists/common_roots.txt. Default is true.

WORDLIST

Run the cracker in dictionary/wordlist mode. Default is true

Scenarios


Sample Data

The following is data which can be used to test integration, including adding entries to a wordlist and pot file to test various aspects of the cracker.

creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1

Hashcat

We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.

msf5 post(android/gather/hashdump) > creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
msf5 post(android/gather/hashdump) > previous
msf5 auxiliary(analyze/crack_mobile) > set showcommand true
showcommand => true
msf5 auxiliary(analyze/crack_mobile) > run

[+] hashcat Version Detected: v5.1.0
[*] Hashes Written out to /tmp/hashes_tmp20191112-9775-19hbg7j
[*] Wordlist file written out to /tmp/jtrtmp20191112-9775-f3q0r1
[*] Checking android-sha1 hashes already cracked...
[*] Cracking android-sha1 hashes in pin mode...
[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191112-9775-19hbg7j ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-sha1 hashes in incremental mode...
[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191112-9775-19hbg7j
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-sha1 hashes in wordlist mode...
[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191112-9775-19hbg7j /tmp/jtrtmp20191112-9775-f3q0r1
nvmlDeviceGetFanSpeed(): Not Supported

[+] Cracked Hashes
==============

 DB ID  Hash Type     Username     Cracked Password  Method
 -----  ---------     --------     ----------------  ------
 98     android-sha1  androidsha1  1234              Pin

[*] Auxiliary module execution completed

MD5, SHA1, SAMSUNG

Create a credential of each type; the passwords are all 1234.

msf5 > creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1
msf5 > creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1
msf5 > creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5
msf5 > use auxiliary/analyze/crack_mobile
msf5 auxiliary(analyze/crack_mobile) > run

[+] hashcat Version Detected: v5.1.0
[*] Hashes Written out to /tmp/hashes_tmp20191113-29506-1xydi7
[*] Wordlist file written out to /tmp/jtrtmp20191113-29506-aq6ph7
[*] Checking android-sha1 hashes already cracked...
[*] Cracking android-sha1 hashes in pin mode...
[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-sha1 hashes in incremental mode...
[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-sha1 hashes in wordlist mode...
[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
nvmlDeviceGetFanSpeed(): Not Supported

[+] Cracked Hashes
==============

 DB ID  Hash Type     Username     Cracked Password  Method
 -----  ---------     --------     ----------------  ------
 127    android-sha1  androidsha1  1234              Pin

[*] Checking android-samsung-sha1 hashes already cracked...
[*] Cracking android-samsung-sha1 hashes in pin mode...
[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-samsung-sha1 hashes in incremental mode...
[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-samsung-sha1 hashes in wordlist mode...
[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
nvmlDeviceGetFanSpeed(): Not Supported

[+] Cracked Hashes
==============

 DB ID  Hash Type             Username     Cracked Password  Method
 -----  ---------             --------     ----------------  ------
 126    android-samsung-sha1  samsungsha1  1234              Pin
 127    android-sha1          androidsha1  1234              Pin

[*] Checking android-md5 hashes already cracked...
[*] Cracking android-md5 hashes in pin mode...
[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-md5 hashes in incremental mode...
[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
nvmlDeviceGetFanSpeed(): Not Supported

[*] Cracking android-md5 hashes in wordlist mode...
[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
nvmlDeviceGetFanSpeed(): Not Supported

[+] Cracked Hashes
==============

 DB ID  Hash Type             Username     Cracked Password  Method
 -----  ---------             --------     ----------------  ------
 126    android-samsung-sha1  samsungsha1  1234              Pin
 127    android-sha1          androidsha1  1234              Pin
 128    android-md5           androidmd5   1234              Pin

[*] Auxiliary module execution completed


Msfconsole Usage


Here is how the analyze/crack_mobile auxiliary module looks in the msfconsole:

msf6 > use auxiliary/analyze/crack_mobile

msf6 auxiliary(analyze/crack_mobile) > show info

       Name: Password Cracker: Mobile
     Module: auxiliary/analyze/crack_mobile
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  h00die

Available actions:
  Name     Description
  ----     -----------
  hashcat  Use Hashcat

Check supported:
  No

Basic options:
  Name                  Current Setting  Required  Description
  ----                  ---------------  --------  -----------
  CONFIG                                 no        The path to a John config file to use instead of the default
  CRACKER_PATH                           no        The absolute path to the cracker executable
  CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
  FORK                  1                no        Forks for John the Ripper to use
  INCREMENTAL           true             no        Run in incremental mode
  ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
  KORELOGIC             false            no        Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
  MD5                   true             no        Include Android-MD5 hashes
  MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
  POT                                    no        The path to a John POT file to use instead of the default
  SAMSUNG               true             no        Include Samsung SHA1 hashes
  SHA1                  true             no        Include Android-SHA1 hashes
  USE_CREDS             true             no        Use existing credential data saved in the database
  USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
  USE_DEFAULT_WORDLIST  true             no        Use the default metasploit wordlist
  USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
  USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist
  WORDLIST              true             no        Run in wordlist mode

Description:
  This module uses Hashcat to identify weak passwords that have been 
  acquired from Android systems. These utilize MD5 or SHA1 hashing. 
  Android (Samsung) SHA1 is format 5800 in Hashcat. Android 
  (non-Samsung) SHA1 is format 110 in Hashcat. Android MD5 is format 
  10. JTR does not support Android hashes at the time of writing.

Module Options


This is a complete list of options available in the analyze/crack_mobile auxiliary module:

msf6 auxiliary(analyze/crack_mobile) > show options

Module options (auxiliary/analyze/crack_mobile):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   CONFIG                                 no        The path to a John config file to use instead of the default
   CRACKER_PATH                           no        The absolute path to the cracker executable
   CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
   FORK                  1                no        Forks for John the Ripper to use
   INCREMENTAL           true             no        Run in incremental mode
   ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
   KORELOGIC             false            no        Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
   MD5                   true             no        Include Android-MD5 hashes
   MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
   POT                                    no        The path to a John POT file to use instead of the default
   SAMSUNG               true             no        Include Samsung SHA1 hashes
   SHA1                  true             no        Include Android-SHA1 hashes
   USE_CREDS             true             no        Use existing credential data saved in the database
   USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
   USE_DEFAULT_WORDLIST  true             no        Use the default metasploit wordlist
   USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
   USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist
   WORDLIST              true             no        Run in wordlist mode

Auxiliary action:

   Name     Description
   ----     -----------
   hashcat  Use Hashcat

Advanced Options


Here is a complete list of advanced options supported by the analyze/crack_mobile auxiliary module:

msf6 auxiliary(analyze/crack_mobile) > show advanced

Module advanced options (auxiliary/analyze/crack_mobile):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DeleteTempFiles  true             no        Delete temporary wordlist and hash files
   OptimizeKernel   true             no        Utilize Optimized Kernels in Hashcat
   ShowCommand      true             no        Print the cracker command being used
   VERBOSE          false            no        Enable detailed status messages
   WORKSPACE                         no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the analyze/crack_mobile module can do:

msf6 auxiliary(analyze/crack_mobile) > show actions

Auxiliary actions:

   Name     Description
   ----     -----------
   hashcat  Use Hashcat

Evasion Options


Here is the full list of possible evasion options supported by the analyze/crack_mobile auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(analyze/crack_mobile) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

This module cannot run without a database connected. Use db_connect to connect to a database.


Here is a relevant code snippet related to the "This module cannot run without a database connected. Use db_connect to connect to a database." error message:

    # hashes is a reference list used by hashcat only
    cracker.hash_path, hashes = hash_file(hashes_regex)

    wordlist = wordlist_file
    unless wordlist
      print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
      return
    end

    wordlist.close
    print_status "Wordlist file written out to #{wordlist.path}"

No applicable hashes in database to crack


Here is a relevant code snippet related to the "No applicable hashes in database to crack" error message:

      wrote_hash = true
    end
    hashlist.close
    unless wrote_hash # check if we wrote anything and bail early if we didn't
      hashlist.delete
      fail_with Failure::NotFound, 'No applicable hashes in database to crack'
    end
    print_status "Hashes Written out to #{hashlist.path}"
    return hashlist.path, hashes
  end
end


See Also


Check also the following modules related to this module:

Authors


  • h00die

Version


This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.
