Password Cracker: OSX - Metasploit
This page contains detailed information about how to use the auxiliary/analyze/crack_osx Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Password Cracker: OSX
Module: auxiliary/analyze/crack_osx
Source code: modules/auxiliary/analyze/crack_osx.rb
Disclosure date: -
Last modification time: 2021-01-27 13:50:39 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module uses John the Ripper or Hashcat to identify weak passwords that have been acquired from OSX systems. The module will only crack xsha from OSX 10.4-10.6, xsha512 from 10.7, and PBKDF2 from OSX 10.8+.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/analyze/crack_osx
msf auxiliary(crack_osx) > show targets
... a list of targets ...
msf auxiliary(crack_osx) > set TARGET target-id
msf auxiliary(crack_osx) > show options
... show and set options ...
msf auxiliary(crack_osx) > exploit
Knowledge Base
Vulnerable Application
This module attempts to use a password cracker to decode Mac OS X based password hashes, such as:
- XSHA based passwords (10.4-10.6)
- XSHA512 based passwords (10.7)
- PBKDF2-HMAC-SHA512 based passwords (10.8+)
Common | John | Hashcat |
---|---|---|
xsha | xsha | 122 |
xsha512 | xsha512 | 1722 |
pbkdf2-hmac-sha512 | pbkdf2-hmac-sha512 | 7100 |
Sources of hashes can be found here: source, source2
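The format table above, turned into a small classifier (an added example, not code from the module or the original page): it recognises the three hash layouts by shape and reports the John format and Hashcat mode from the table, flagging the single-round legacy formats. The field widths (8 hex characters of salt followed by a SHA-1 or SHA-512 digest, and `$ml$iterations$salt$digest`) and all function names are assumptions of this example; the sample hashes are the ones listed in this page's creds output.

```ruby
# Added example (not Metasploit code): classify OS X password hash strings.
# John format names and Hashcat modes come from the table on this page.
FORMATS = {
  xsha:    { john: 'xsha',               hashcat: 122,  osx: '10.4-10.6' },
  xsha512: { john: 'xsha512',            hashcat: 1722, osx: '10.7' },
  pbkdf2:  { john: 'pbkdf2-hmac-sha512', hashcat: 7100, osx: '10.8+' }
}.freeze

HEX = /\A\h+\z/

# Assemble the result record for a recognised hash.
def describe(kind, salt, digest, iterations)
  FORMATS.fetch(kind).merge(
    kind: kind,
    salt: salt.downcase,
    digest_bytes: digest.length / 2,
    iterations: iterations,
    # xsha and xsha512 are one salted hash round; only $ml$ carries a work factor.
    single_round: iterations == 1
  )
end

# Returns a Hash describing the stored value, or nil when the layout is unknown.
def classify_osx_hash(raw)
  value = raw.to_s.strip
  if value.start_with?('$ml$')
    # Assumed layout: $ml$<iterations>$<salt hex>$<digest hex>
    fields = value.split('$', -1)
    return nil unless fields.length == 5

    iterations, salt, digest = fields[2..4]
    return nil unless iterations.match?(/\A[1-9]\d*\z/)
    return nil unless [salt, digest].all? { |f| f.match?(HEX) && f.length.even? }

    describe(:pbkdf2, salt, digest, iterations.to_i)
  elsif value.match?(HEX)
    # Assumed layout: 8 hex chars of salt, then a SHA-1 (40) or SHA-512 (128) digest.
    case value.length
    when 48  then describe(:xsha, value[0, 8], value[8..-1], 1)
    when 136 then describe(:xsha512, value[0, 8], value[8..-1], 1)
    end
  end
end

# Summarise [user, hash] pairs so single-round legacy hashes stand out in an audit.
def audit_hashes(records)
  records.map do |user, hash|
    info = classify_osx_hash(hash)
    if info.nil?
      { user: user, status: :unrecognised }
    else
      status = info[:single_round] ? :legacy_single_round : :iterated_kdf
      { user: user, status: status, john: info[:john],
        hashcat: info[:hashcat], iterations: info[:iterations] }
    end
  end
end

# Sample hashes as listed in this page's creds output; the last entry is constructed.
SAMPLES = [
  ['xsha_buddahh', '7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422'],
  ['xsha512_hashcat', '648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d'],
  ['pbkdf2_hashcat', '$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222'],
  ['constructed_bad', '7E4F6138BE21EF6A61365A4D3270DAD2']
].freeze

audit_hashes(SAMPLES).each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```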
Verification Steps
- Have at least one user with an xsha, xsha512, or pbkdf2-hmac-sha512 password hash in the database
- Start msfconsole
- Do: use auxiliary/analyze/crack_osx
- Do: set cracker of choice
- Do: run
- You should hopefully crack a password.
Actions
john
Use john the ripper (default).
hashcat
Use hashcat.
Options
CONFIG
The path to a John config file (JtR option: --config). Default is metasploit-framework/data/john.conf
CRACKER_PATH
The absolute path to the cracker executable. Default behavior is to search path.
CUSTOM_WORDLIST
The path to an optional custom wordlist. This file is added to the new wordlist which may include the other USE items like USE_CREDS, and have MUTATE or KORELOGIC applied to it.
DeleteTempFiles
This option will prevent deletion of the wordlist and file containing hashes. This may be useful for running the hashes through john if they weren't cracked, or for debugging. Default is false.
Fork
This option will set how many forks to use on john the ripper. Default is 1 (no forking).
INCREMENTAL
Run the cracker in incremental mode. Default is true
ITERATION_TIMEOUT
The max-run-time for each iteration of cracking.
KORELOGIC
Apply the KoreLogic rules to Wordlist Mode (slower). Default is false.
MUTATE
Apply common mutations to the Wordlist (SLOW). Mutations are:
'@' => 'a'
'0' => 'o'
'3' => 'e'
'$' => 's'
'7' => 't'
'1' => 'l'
'5' => 's'
Default is false.
PBKDF2-HMAC-SHA512
Crack SHA512 hashes. Default is true.
POT
The path to a John POT file (JtR option: --pot) to use instead. The pot file is the data file which records cracked password hashes. Kali Linux's default location is /root/.john/john.pot. Default is ~/.msf4/john.pot.
SHOWCOMMAND
Show the command being run from the command line, for debugging. Default is false
USE_CREDS
Use existing credential data saved in the database. Default is true.
USE_DB_INFO
Use looted database schema info to seed the wordlist. This includes the Database Name, each Table Name, and each Column Name. If the DB is MSSQL, the Instance Name is also used. Default is true.
USE_DEFAULT_WORDLIST
Use the default metasploit wordlist in metasploit-framework/data/wordlists/password.lst. Default is true.
USE_HOSTNAMES
Seed the wordlist with hostnames from the workspace. Default is true.
USE_ROOT_WORDS
Use the Common Root Words Wordlist in metasploit-framework/data/wordlists/common_roots.txt. Default is true.
WORDLIST
Run the cracker in dictionary/wordlist mode. Default is true
XSHA
Crack xsha based hashes. Default is true.
Scenarios
Sample Data
The following is data which can be used to test integration, including adding entries to a wordlist and pot file to test various aspects of the cracker.
creds add user:buddahh hash:7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422 jtr:xsha
creds add user:mama hash:3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA jtr:xsha
creds add user:hashcat hash:1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 jtr:xsha
creds add user:hashcat hash:$ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f9$
echo "" > /root/.msf4/john.pot
echo "3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA:mama" >> /root/.msf4/john.pot
echo "md5be86a79bf20fake2d58d5453c47d4860:password" >> /root/.msf4/john.pot
echo "password" > /tmp/wordlist
echo "buddahh" >> /tmp/wordlist
John the Ripper
We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.
resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
CUSTOM_WORDLIST => /tmp/wordlist
resource (hashes_hashcat.rb)> setg ShowCommand true
ShowCommand => true
resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
USE_DEFAULT_WORDLIST => false
resource (hashes_hashcat.rb)> setg DeleteTempFiles false
DeleteTempFiles => false
resource (hashes_hashcat.rb)> setg USE_CREDS false
USE_CREDS => false
resource (hashes_hashcat.rb)> setg USE_DB_INFO false
USE_DB_INFO => false
resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
USE_HOSTNAMES => false
resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
USE_ROOT_WORDS => false
resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
ITERATION_TIMEOUT => 60
resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_osx
resource (hashes_hashcat.rb)> run
[+] john Version Detected: 1.9.0-jumbo-1 OMP
[*] Hashes Written out to /tmp/hashes_tmp20190531-30487-6zp8aw
[*] Wordlist file written out to /tmp/jtrtmp20190531-30487-7w6deh
[*] Checking xsha hashes already cracked...
[*] Cracking xsha hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
Warning: poor OpenMP scalability for this hash type, consider --fork=8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 16:03) 100.0g/s 819200p/s 819200c/s 819200C/s test3:::..Password1\!99
Use the "--show" option to display all of the cracked passwords reliably
Session completed
[*] Cracking xsha hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[*] Cracking xsha hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[*] Cracking xsha hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=u7NpglLW --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1398 xsha xsha_buddahh buddahh Single
1399 xsha xsha_mama mama Already Cracked/POT
[*] Checking xsha512 hashes already cracked...
[*] Cracking xsha512 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
2g 0:00:00:00 DONE (2019-05-31 16:03) 66.66g/s 568866p/s 1137Kc/s 1137KC/s test3:::..t1900
Use the "--show --format=xsha512" options to display all of the cracked passwords reliably
Session completed
[*] Cracking xsha512 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[*] Cracking xsha512 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[*] Cracking xsha512 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=A5BIrZX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=xsha512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1398 xsha xsha_buddahh buddahh Single
1399 xsha xsha_mama mama Already Cracked/POT
1401 xsha512 xsha512_password password Single
1402 xsha512 xsha512_hashcat hashcat Single
[*] Checking PBKDF2-HMAC-SHA512 hashes already cracked...
[*] Cracking PBKDF2-HMAC-SHA512 hashes in single mode...
[*] Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=single --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:00 DONE (2019-05-31 16:03) 9.090g/s 290.9p/s 290.9c/s 290.9C/s test3:::..Thales
Use the "--show --format=PBKDF2-HMAC-SHA512" options to display all of the cracked passwords reliably
Session completed
[*] Cracking PBKDF2-HMAC-SHA512 hashes in normal mode
[*] Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[*] Cracking PBKDF2-HMAC-SHA512 hashes in incremental mode...
[*] Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --incremental=Digits --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[*] Cracking PBKDF2-HMAC-SHA512 hashes in wordlist mode...
[*] Cracking Command: /usr/sbin/john --session=BdToxfX9 --nolog --config=/root/metasploit-framework/data/jtr/john.conf --pot=/root/.msf4/john.pot --format=PBKDF2-HMAC-SHA512 --wordlist=/tmp/jtrtmp20190531-30487-7w6deh --rules=wordlist --max-run-time=60 /tmp/hashes_tmp20190531-30487-6zp8aw
Using default input encoding: UTF-8
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1398 xsha xsha_buddahh buddahh Single
1399 xsha xsha_mama mama Already Cracked/POT
1401 xsha512 xsha512_password password Single
1402 xsha512 xsha512_hashcat hashcat Single
1403 PBKDF2-HMAC-SHA512 pbkdf2_hashcat hashcat Single
[*] Auxiliary module execution completed
resource (hashes_hashcat.rb)> creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
xsha_buddahh 7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422 Nonreplayable hash xsha
xsha_mama 3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA Nonreplayable hash xsha
xsha_hashcat 1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 Nonreplayable hash xsha
xsha512_password 229499e73f6ff50fbd76fa1a0b11fe10964b51b57ee0bc7ca29a5fdccaf264e132eb682abeb40a3513a1fe26397ddcd1b5d0161e5e3ff308377994f4bed4172efcc25f8a Nonreplayable hash xsha512
xsha512_hashcat 648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d Nonreplayable hash xsha512
pbkdf2_hashcat $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222 Nonreplayable hash PBKDF2-HMAC-SHA512
xsha_mama mama Password
xsha_buddahh buddahh Password
xsha512_password password Password
xsha512_hashcat hashcat Password
pbkdf2_hashcat hashcat Password
[*] Starting persistent handler(s)...
Hashcat
We'll set ITERATION_TIMEOUT 60 for a quick crack, and ShowCommand true for easy debugging.
resource (hashes_hashcat.rb)> setg CUSTOM_WORDLIST /tmp/wordlist
CUSTOM_WORDLIST => /tmp/wordlist
resource (hashes_hashcat.rb)> setg ShowCommand true
ShowCommand => true
resource (hashes_hashcat.rb)> setg USE_DEFAULT_WORDLIST false
USE_DEFAULT_WORDLIST => false
resource (hashes_hashcat.rb)> setg DeleteTempFiles false
DeleteTempFiles => false
resource (hashes_hashcat.rb)> setg USE_CREDS false
USE_CREDS => false
resource (hashes_hashcat.rb)> setg USE_DB_INFO false
USE_DB_INFO => false
resource (hashes_hashcat.rb)> setg USE_HOSTNAMES false
USE_HOSTNAMES => false
resource (hashes_hashcat.rb)> setg USE_ROOT_WORDS false
USE_ROOT_WORDS => false
resource (hashes_hashcat.rb)> setg ITERATION_TIMEOUT 60
ITERATION_TIMEOUT => 60
resource (hashes_hashcat.rb)> use auxiliary/analyze/crack_osx
resource (hashes_hashcat.rb)> set action hashcat
action => hashcat
resource (hashes_hashcat.rb)> run
[+] hashcat Version Detected: v5.1.0
[*] Hashes Written out to /tmp/hashes_tmp20190531-31439-ulynqs
[*] Wordlist file written out to /tmp/jtrtmp20190531-31439-1bcms0z
[*] Checking xsha hashes already cracked...
[*] Cracking xsha hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=YpmTr019 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=122 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking xsha hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=YpmTr019 --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=122 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1421 xsha xsha_buddahh buddahh Wordlist
1422 xsha xsha_mama mama Already Cracked/POT
1423 xsha xsha_hashcat hashcat Wordlist
[*] Checking xsha512 hashes already cracked...
[*] Cracking xsha512 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=HNDjhJcJ --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1722 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking xsha512 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=HNDjhJcJ --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=1722 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1421 xsha xsha_buddahh buddahh Wordlist
1422 xsha xsha_mama mama Already Cracked/POT
1423 xsha xsha_hashcat hashcat Wordlist
1424 xsha512 xsha512_password password Wordlist
1425 xsha512 xsha512_hashcat hashcat Wordlist
[*] Checking PBKDF2-HMAC-SHA512 hashes already cracked...
[*] Cracking PBKDF2-HMAC-SHA512 hashes in incremental mode...
[*] Cracking Command: /usr/bin/hashcat --session=Tnilqjei --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7100 --increment --increment-max=4 --attack-mode=3 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs
nvmlDeviceGetFanSpeed(): Not Supported
[*] Cracking PBKDF2-HMAC-SHA512 hashes in wordlist mode...
[*] Cracking Command: /usr/bin/hashcat --session=Tnilqjei --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=7100 --attack-mode=0 --runtime=60 /tmp/hashes_tmp20190531-31439-ulynqs /tmp/jtrtmp20190531-31439-1bcms0z
nvmlDeviceGetFanSpeed(): Not Supported
[+] Cracked Hashes
==============
DB ID Hash Type Username Cracked Password Method
----- --------- -------- ---------------- ------
1421 xsha xsha_buddahh buddahh Wordlist
1422 xsha xsha_mama mama Already Cracked/POT
1423 xsha xsha_hashcat hashcat Wordlist
1424 xsha512 xsha512_password password Wordlist
1425 xsha512 xsha512_hashcat hashcat Wordlist
1426 PBKDF2-HMAC-SHA512 pbkdf2_hashcat hashcat Wordlist
[*] Auxiliary module execution completed
resource (hashes_hashcat.rb)> creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
xsha_buddahh 7E4F6138BE21EF6A61365A4D3270DAD24A6544EE188ED422 Nonreplayable hash xsha
xsha_mama 3063D72395EB1A92D9BA9B8C2DF4074A081EDD1954E6B2BA Nonreplayable hash xsha
xsha_hashcat 1430823483d07626ef8be3fda2ff056d0dfd818dbfe47683 Nonreplayable hash xsha
xsha512_password 229499e73f6ff50fbd76fa1a0b11fe10964b51b57ee0bc7ca29a5fdccaf264e132eb682abeb40a3513a1fe26397ddcd1b5d0161e5e3ff308377994f4bed4172efcc25f8a Nonreplayable hash xsha512
xsha512_hashcat 648742485c9b0acd786a233b2330197223118111b481abfa0ab8b3e8ede5f014fc7c523991c007db6882680b09962d16fd9c45568260531bdb34804a5e31c22b4cfeb32d Nonreplayable hash xsha512
pbkdf2_hashcat $ml$35460$93a94bd24b5de64d79a5e49fa372827e739f4d7b6975c752c9a0ff1e5cf72e05$752351df64dd2ce9dc9c64a72ad91de6581a15c19176266b44d98919dfa81f0f96cbcb20a1ffb400718c20382030f637892f776627d34e021bad4f81b7de8222 Nonreplayable hash PBKDF2-HMAC-SHA512
xsha_mama mama Password
xsha_hashcat hashcat Password
xsha_buddahh buddahh Password
xsha512_hashcat hashcat Password
xsha512_password password Password
pbkdf2_hashcat hashcat Password
Msfconsole Usage
Here is how the analyze/crack_osx auxiliary module looks in the msfconsole:
msf6 > use auxiliary/analyze/crack_osx
msf6 auxiliary(analyze/crack_osx) > show info
Name: Password Cracker: OSX
Module: auxiliary/analyze/crack_osx
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
h00die
Available actions:
Name Description
---- -----------
hashcat Use Hashcat
john Use John the Ripper
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CRACKER_PATH no The absolute path to the cracker executable
CUSTOM_WORDLIST no The path to an optional custom wordlist
FORK 1 no Forks for John the Ripper to use
INCREMENTAL true no Run in incremental mode
ITERATION_TIMEOUT no The max-run-time for each iteration of cracking
KORELOGIC false no Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
MUTATE false no Apply common mutations to the Wordlist (SLOW)
PBKDF2 true no Include PBKDF2-HMAC-SHA512 hashes from 10.8+
POT no The path to a John POT file to use instead of the default
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist
WORDLIST true no Run in wordlist mode
XSHA true no Include XSHA hashes from 10.4-10.6
XSHA512 true no Include XSHA512 hashes from 10.7
Description:
This module uses John the Ripper or Hashcat to identify weak
passwords that have been acquired from OSX systems. The module will
only crack xsha from OSX 10.4-10.6, xsha512 from 10.7, and PBKDF2
from OSX 10.8+.
Module Options
This is a complete list of options available in the analyze/crack_osx auxiliary module:
msf6 auxiliary(analyze/crack_osx) > show options
Module options (auxiliary/analyze/crack_osx):
Name Current Setting Required Description
---- --------------- -------- -----------
CONFIG no The path to a John config file to use instead of the default
CRACKER_PATH no The absolute path to the cracker executable
CUSTOM_WORDLIST no The path to an optional custom wordlist
FORK 1 no Forks for John the Ripper to use
INCREMENTAL true no Run in incremental mode
ITERATION_TIMEOUT no The max-run-time for each iteration of cracking
KORELOGIC false no Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
MUTATE false no Apply common mutations to the Wordlist (SLOW)
PBKDF2 true no Include PBKDF2-HMAC-SHA512 hashes from 10.8+
POT no The path to a John POT file to use instead of the default
USE_CREDS true no Use existing credential data saved in the database
USE_DB_INFO true no Use looted database schema info to seed the wordlist
USE_DEFAULT_WORDLIST true no Use the default metasploit wordlist
USE_HOSTNAMES true no Seed the wordlist with hostnames from the workspace
USE_ROOT_WORDS true no Use the Common Root Words Wordlist
WORDLIST true no Run in wordlist mode
XSHA true no Include XSHA hashes from 10.4-10.6
XSHA512 true no Include XSHA512 hashes from 10.7
Auxiliary action:
Name Description
---- -----------
john Use John the Ripper
Advanced Options
Here is a complete list of advanced options supported by the analyze/crack_osx auxiliary module:
msf6 auxiliary(analyze/crack_osx) > show advanced
Module advanced options (auxiliary/analyze/crack_osx):
Name Current Setting Required Description
---- --------------- -------- -----------
DeleteTempFiles true no Delete temporary wordlist and hash files
OptimizeKernel true no Utilize Optimized Kernels in Hashcat
ShowCommand true no Print the cracker command being used
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the analyze/crack_osx module can do:
msf6 auxiliary(analyze/crack_osx) > show actions
Auxiliary actions:
Name Description
---- -----------
hashcat Use Hashcat
john Use John the Ripper
Evasion Options
Here is the full list of possible evasion options supported by the analyze/crack_osx auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(analyze/crack_osx) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
This module cannot run without a database connected. Use db_connect to connect to a database.
Here is a relevant code snippet related to the "This module cannot run without a database connected. Use db_connect to connect to a database." error message:
    cracker.hash_path, hashes = hash_file(hashes_regex)

    # generate our wordlist and close the file handle.
    wordlist = wordlist_file
    unless wordlist
      print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
      return
    end

    wordlist.close
    print_status "Wordlist file written out to #{wordlist.path}"
No applicable hashes in database to crack
Here is a relevant code snippet related to the "No applicable hashes in database to crack" error message:
      wrote_hash = true
    end
    hashlist.close
    unless wrote_hash # check if we wrote anything and bail early if we didn't
      hashlist.delete
      fail_with Failure::NotFound, 'No applicable hashes in database to crack'
    end
    print_status "Hashes Written out to #{hashlist.path}"
    return hashlist.path, hashes
  end
end
Related Pull Requests
- #14669 Merged Pull Request: ensure selected cracker is available and viable
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #11695 Merged Pull Request: Password Cracker Overhaul (ie hashcat)
See Also
Check also the following modules related to this module:
- auxiliary/analyze/crack_aix
- auxiliary/analyze/crack_databases
- auxiliary/analyze/crack_linux
- auxiliary/analyze/crack_webapps
- auxiliary/analyze/crack_windows
- auxiliary/scanner/http/wp_mobileedition_file_read
- auxiliary/scanner/http/wp_mobile_pack_info_disclosure
- exploit/apple_ios/email/mobilemail_libtiff
- exploit/linux/http/mobileiron_mdm_hessian_rce
- exploit/multi/http/mobilecartly_upload_exec
- exploit/unix/webapp/wp_mobile_detector_upload_execute
- auxiliary/analyze/crack_mobile
- auxiliary/analyze/apply_pot
- auxiliary/analyze/modbus_zip
- exploit/unix/webapp/actualanalyzer_ant_cookie_exec
- exploit/windows/misc/manageengine_eventlog_analyzer_rce
- exploit/windows/oracle/client_system_analyzer_upload
Authors
- h00die
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.