Merge pull request #473 from m-1-k-3/pw-cracking
JTR crack multiple hash types
m-1-k-3 authored Feb 7, 2023
2 parents 77bdbe1 + 51be7d0 commit 868e96d
Showing 6 changed files with 70 additions and 12 deletions.
10 changes: 5 additions & 5 deletions helpers/helpers_emba_print.sh
Expand Up @@ -76,12 +76,12 @@ module_log_init()
module_title()
{
local MODULE_TITLE
MODULE_TITLE="$1"
MODULE_TITLE="${1:-}"
local MODULE_TITLE_FORMAT
MODULE_TITLE_FORMAT="[""${BLUE}""+""${NC}""] ""${CYAN}""${BOLD}""$MODULE_TITLE""${NC}""\\n""${BOLD}""=================================================================""${NC}"
echo -e "\\n\\n""$MODULE_TITLE_FORMAT"
echo -e "\\n\\n""$MODULE_TITLE_FORMAT" || true
if [[ "${2:-}" != "no_log" ]] ; then
echo -e "$(format_log "$MODULE_TITLE_FORMAT")" | tee -a "$LOG_FILE" >/dev/null
echo -e "$(format_log "$MODULE_TITLE_FORMAT")" | tee -a "$LOG_FILE" >/dev/null || true
if [[ $LOG_GREP -eq 1 ]] ; then
write_grep_log "$MODULE_TITLE" "MODULE_TITLE"
fi
Expand All @@ -95,8 +95,8 @@ sub_module_title()
SUB_MODULE_TITLE="${1:-}"
local SUB_MODULE_TITLE_FORMAT
SUB_MODULE_TITLE_FORMAT="\\n""${BLUE}""==>""${NC}"" ""${CYAN}""$SUB_MODULE_TITLE""${NC}""\\n-----------------------------------------------------------------"
echo -e "$SUB_MODULE_TITLE_FORMAT"
echo -e "$(format_log "$SUB_MODULE_TITLE_FORMAT")" | tee -a "$LOG_FILE" >/dev/null
echo -e "$SUB_MODULE_TITLE_FORMAT" || true
echo -e "$(format_log "$SUB_MODULE_TITLE_FORMAT")" | tee -a "$LOG_FILE" >/dev/null || true
if [[ $LOG_GREP -eq 1 ]] ; then
SUB_MODULE_COUNT=$((SUB_MODULE_COUNT + 1))
write_grep_log "$SUB_MODULE_TITLE" "SUB_MODULE_TITLE"
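Review bot: The `|| true` appended to the `echo -e "$(format_log …)" | tee -a "$LOG_FILE" >/dev/null` lines in module_title and sub_module_title turns a failed write to the module log (unwritable path, full disk) into a silent no-op, so a run can finish with an empty or truncated log and nothing to indicate it; the console `echo` lines are harmless to guard, but the log write deserves at least a visible warning, e.g. `… | tee -a "$LOG_FILE" >/dev/null || echo "[-] WARNING: could not write to $LOG_FILE" >&2`. Note also that `echo -e` is applied to a string that embeds `$MODULE_TITLE`, so any backslash sequence in a title is interpreted as an escape; titles are module-supplied rather than firmware-derived, so this is a robustness rather than an injection concern. module_title's closing brace and the remainder of sub_module_title lie outside the hunks.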
9 changes: 8 additions & 1 deletion modules/S108_stacs_password_search.sh
Expand Up @@ -32,9 +32,16 @@ S108_stacs_password_search()
local MESSAGE=""

if command -v stacs > /dev/null ; then
stacs --skip-unprocessable --rule-pack "$STACS_RULES_DIR"/credential.json "$FIRMWARE_PATH" > "$STACS_LOG_FILE" || true
stacs --skip-unprocessable --rule-pack "$STACS_RULES_DIR"/credential.json "$FIRMWARE_PATH" 2> "$TMP_DIR"/stacs.err 1> "$STACS_LOG_FILE" || true

if [[ -f "$TMP_DIR"/stacs.err ]]; then
print_ln
print_output "[*] STACS log:"
tee -a "$LOG_FILE" < "$TMP_DIR"/stacs.err
fi

if [[ -f "$STACS_LOG_FILE" && $(jq ".runs[0] .results[] | .message[]" "$STACS_LOG_FILE" | wc -l) -gt 0 ]]; then
print_ln
ELEMENTS_="$(jq ".runs[0] .results[] .message.text" "$STACS_LOG_FILE" | wc -l)"
print_output "[+] Found $ORANGE$ELEMENTS_$GREEN credential areas:"
write_csv_log "Message" "PW_PATH" "PW_HASH" "PW_HASH_real"
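Review bot: The new `if [[ -f "$TMP_DIR"/stacs.err ]]` guard is always true, because the `2> "$TMP_DIR"/stacs.err` redirection on the stacs invocation creates the file even when stacs writes nothing to stderr, so the `[*] STACS log:` header is printed into every report; testing for non-empty content, `if [[ -s "$TMP_DIR"/stacs.err ]]; then`, gives the intended behaviour. The `tee -a "$LOG_FILE" < "$TMP_DIR"/stacs.err` line also copies raw stderr to the console without the indentation or colour handling that print_output applies, which is fine for a debug dump but worth a comment such as `# raw stacs stderr, unformatted on purpose`. S108_stacs_password_search starts before this hunk and continues after it.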
55 changes: 53 additions & 2 deletions modules/S109_jtr_local_pw_cracking.sh
Expand Up @@ -29,7 +29,7 @@ S109_jtr_local_pw_cracking()
local JTR_FINAL_STAT=""
local CRACKED_HASH=""
local CRACKED=0
local JTR_TIMEOUT="60m"
local JTR_TIMEOUT="3600"

# This module waits for S108_stacs_password_search
# check emba.log for S108_stacs_password_search starting
Expand Down Expand Up @@ -69,7 +69,58 @@ S109_jtr_local_pw_cracking()
print_output "[*] Starting jtr with a runtime of $ORANGE$JTR_TIMEOUT$NC on the following data:"
tee -a "$LOG_FILE" < "$LOG_PATH_MODULE"/jtr_hashes.txt
print_ln
timeout --preserve-status --signal SIGINT "$JTR_TIMEOUT" john --progress-every=120 "$LOG_PATH_MODULE"/jtr_hashes.txt | tee -a "$LOG_FILE" || true
john --progress-every=120 "$LOG_PATH_MODULE"/jtr_hashes.txt 2>&1 | tee -a "$LOG_FILE" || true &
PID="$!"
COUNT=0
while [[ "$COUNT" -le "$JTR_TIMEOUT" ]];do
((COUNT+=1))
if ! pgrep john > /dev/null; then
# if no john process is running it means we are finished with cracking passwords
# and we can exit the while loop for waiting
break
fi
sleep 1
done
if [[ "$COUNT" -ge "$JTR_TIMEOUT" ]]; then
# we are running out of time and kill john
kill "$PID" || true
fi

# lets check our log if we can find further hashes
mapfile -t JTR_FORMATS < <(grep "option to force loading hashes of that type instead" "$LOG_FILE" || true)

# if we have further hashes we are processing these now
if [[ "${#JTR_FORMATS[@]}" -gt 0 ]] && [[ "$COUNT" -lt "$JTR_TIMEOUT" ]] ; then
print_ln
print_output "[*] Further password hashes detected:"
for JTR_FORMAT in "${JTR_FORMATS[@]}"; do
JTR_FORMAT="$(echo "$JTR_FORMAT" | cut -d '=' -f2 | awk '{print $1}' | tr -d '"' )"
print_output "$(indent "$(orange "Detected hash type: $JTR_FORMAT")")"
done

for JTR_FORMAT in "${JTR_FORMATS[@]}"; do
print_ln
echo "[*] COUNT: $COUNT"
JTR_FORMAT="$(echo "$JTR_FORMAT" | cut -d '=' -f2 | awk '{print $1}' | tr -d '"' )"
print_output "[*] Testing password hash types $ORANGE$JTR_FORMAT$NC"
john --format="$JTR_FORMAT" --progress-every=120 "$LOG_PATH_MODULE"/jtr_hashes.txt 2>&1 | tee -a "$LOG_FILE" || true &
PID="$!"

while [[ "$COUNT" -le "$JTR_TIMEOUT" ]];do
((COUNT+=1))
if ! pgrep john > /dev/null; then
# if no john process is running it means we are finished with cracking passwords
# and we can exit the while loop for waiting
break
fi
sleep 1
done
if [[ "$COUNT" -ge "$JTR_TIMEOUT" ]]; then
# we are running out of time and kill john
kill "$PID" || true
fi
done
fi
print_ln
NEG_LOG=1

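Review bot: The timeout path at `kill "$PID"` most likely does not stop john: after `john … 2>&1 | tee -a "$LOG_FILE" || true &` the value of `$!` is the PID of the subshell running that backgrounded list, and SIGTERM to that shell is not forwarded to the john child inside its pipeline, so a run that exhausts `JTR_TIMEOUT` keeps cracking in the background while the module moves on, whereas the removed `timeout --preserve-status --signal SIGINT` delivered the signal to john itself and let it save its session. The `pgrep john` polls also match any process on the host whose name contains "john", not only this one, and on the first iteration can race with the just-forked job and leave the loop before john has started. I would keep `timeout` with the remaining wall-clock budget and drop the polling loops, as sketched below; `echo "[*] COUNT: $COUNT"` inside the format loop looks like leftover debug output that bypasses the log and should go or become a `print_output`. S109_jtr_local_pw_cracking starts before this hunk and continues after it.
```shell
local JTR_START="$SECONDS"
local JTR_REMAINING="$JTR_TIMEOUT"
# … unchanged: print_output banner and tee of jtr_hashes.txt …
# timeout signals john directly (SIGINT), so it saves its session and stops when the budget is spent
timeout --preserve-status --signal SIGINT "$JTR_REMAINING" john --progress-every=120 "$LOG_PATH_MODULE"/jtr_hashes.txt 2>&1 | tee -a "$LOG_FILE" || true

# … unchanged: JTR_FORMATS detection and "Further password hashes detected" listing …

for JTR_FORMAT in "${JTR_FORMATS[@]}"; do
  # the initial run and every per-format run share one wall-clock budget
  JTR_REMAINING=$((JTR_TIMEOUT - (SECONDS - JTR_START)))
  [[ "$JTR_REMAINING" -gt 0 ]] || break
  print_ln
  JTR_FORMAT="$(echo "$JTR_FORMAT" | cut -d '=' -f2 | awk '{print $1}' | tr -d '"' )"
  print_output "[*] Testing password hash types $ORANGE$JTR_FORMAT$NC"
  timeout --preserve-status --signal SIGINT "$JTR_REMAINING" john --format="$JTR_FORMAT" --progress-every=120 "$LOG_PATH_MODULE"/jtr_hashes.txt 2>&1 | tee -a "$LOG_FILE" || true
done
```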
2 changes: 1 addition & 1 deletion modules/S12_binary_protection.sh
Expand Up @@ -96,7 +96,7 @@ S12_binary_protection()
FILE=$(print_path "$FILE")

printf "\t%-22.22s %-25.25s %-20.20s %-20.20s %-20.20s %-20.20s %-20.20s %-5.5s %s\n" \
"$RELRO" "$CANARY" "$NX" "$PIE" "$RPATH" "$RUNPATH" "$SYMBOLS" "$FORTIFY" "$FILE" | tee -a "$TMP_DIR"/s12.tmp
"$RELRO" "$CANARY" "$NX" "$PIE" "$RPATH" "$RUNPATH" "$SYMBOLS" "$FORTIFY" "$FILE" | tee -a "$TMP_DIR"/s12.tmp || true
BIN_PROT_COUNTER=$((BIN_PROT_COUNTER+1))
fi
done
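Review bot: With `|| true` on the `printf … | tee -a "$TMP_DIR"/s12.tmp` line, a failed write to s12.tmp is swallowed while `BIN_PROT_COUNTER` on the next line is still incremented, so the counter and the table it describes can silently disagree. If the guard is only there to keep `set -e` from aborting on a transient console write error, it is cheaper to increment only on success: `… | tee -a "$TMP_DIR"/s12.tmp && BIN_PROT_COUNTER=$((BIN_PROT_COUNTER+1)) || true`, or to log a warning in the failure branch. The enclosing loop and S12_binary_protection both extend beyond this hunk.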
4 changes: 2 additions & 2 deletions modules/S15_bootloader_check.sh
Expand Up @@ -253,9 +253,9 @@ check_bootloader()
local OBSD_FILE1=""
local OBSD_FILE2=""
# mapfile -t OBSD_PATH1 < <(mod_path "/usr/mdec/biosboot")
mapfile -t OBSD_PATH1 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/usr/mdec/biosboot")
mapfile -t OBSD_PATH1 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/usr/mdec/biosboot" || true)
# mapfile -t OBSD_PATH2 < <(mod_path "/boot")
mapfile -t OBSD_PATH2 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/boot")
mapfile -t OBSD_PATH2 < <(find "$FIRMWARE_PATH" -xdev -type f -iwholename "/boot" || true)
for OBSD_FILE1 in "${OBSD_PATH1[@]}" ; do
for OBSD_FILE2 in "${OBSD_PATH2[@]}" ; do
if [[ -f "$OBSD_FILE2" ]] && [[ -f "OBSD_FILE2" ]] ; then
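Review bot: The `-iwholename "/usr/mdec/biosboot"` and `-iwholename "/boot"` patterns on the new `find` lines are matched against the full path, which begins with `$FIRMWARE_PATH`, so unless the firmware is extracted at `/` they match nothing and the OpenBSD bootloader check is dead regardless of the added `|| true`; the patterns need a leading wildcard, `-iwholename "*/usr/mdec/biosboot"` and `-iwholename "*/boot"`. The loop condition a few lines below, `[[ -f "$OBSD_FILE2" ]] && [[ -f "OBSD_FILE2" ]]`, tests for a literal file named OBSD_FILE2 on the second operand and is presumably meant to be `[[ -f "$OBSD_FILE1" ]]`. check_bootloader starts before this hunk and continues after it.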
2 changes: 1 addition & 1 deletion modules/S26_kernel_vuln_verifier.sh
Expand Up @@ -245,7 +245,7 @@ S26_kernel_vuln_verifier()
if [[ -d "$LOG_DIR""/firmware" ]]; then
print_output "[*] Identify kernel modules symbols ..."
find "$LOG_DIR/firmware" -name "*.ko" -exec readelf -a {} \; | grep FUNC | sed 's/.*FUNC//' | \
awk '{print $4}' | sed 's/\[\.\.\.\]//' >> "$LOG_PATH_MODULE"/symbols.txt
awk '{print $4}' | sed 's/\[\.\.\.\]//' >> "$LOG_PATH_MODULE"/symbols.txt || true
fi

uniq "$LOG_PATH_MODULE"/symbols.txt > "$LOG_PATH_MODULE"/symbols_uniq.txt
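Review bot: The `|| true` on the symbol-extraction pipeline hides a failing `readelf` on a malformed or hostile `.ko` (firmware content is untrusted input here), so a module that trips readelf is silently absent from symbols.txt; a warning on the failure branch, `… >> "$LOG_PATH_MODULE"/symbols.txt || print_output "[-] readelf failed on at least one kernel module"`, keeps the best-effort behaviour without losing the signal. The `-exec readelf -a {} \;` form also spawns one readelf per module, where `-exec readelf -a {} +` batches them and still feeds the same `grep FUNC` filter. The `uniq` on the context line that follows only drops adjacent duplicates, so the unsorted symbols.txt keeps repeats; `sort -u "$LOG_PATH_MODULE"/symbols.txt > "$LOG_PATH_MODULE"/symbols_uniq.txt` gives a truly unique list. S26_kernel_vuln_verifier starts before this hunk and continues after it.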