Merge remote-tracking branch 'upstream/staging/electro-release' into staging/electro-release

Author: limhoff-r7

.yardopts

@@ -3,6 +3,8 @@
 --exclude \.ut\.rb/
 --exclude \.ts\.rb/
 --files CONTRIBUTING.md,COPYING,HACKING,LICENSE
+app/**/*.rb
 lib/msf/**/*.rb
+lib/metasploit/**/*.rb
 lib/rex/**/*.rb
 plugins/**/*.rb

Gemfile

@@ -7,9 +7,9 @@ group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
   # Metasploit::Credential database models
-  gem 'metasploit-credential', '~> 0.7.8'
+  gem 'metasploit-credential', '>= 0.7.10.pre.core.pre.search', '< 0.8'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '>= 0.18.0', '< 0.19'
+  gem 'metasploit_data_models', '~> 0.19'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end

Gemfile.lock

@@ -41,6 +41,8 @@ GEM
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.3)
+    arel-helpers (2.0.0)
+      activerecord (>= 3.1.0, < 5)
     bcrypt (3.1.7)
     builder (3.0.4)
     coderay (1.1.0)
@@ -58,18 +60,19 @@ GEM
     json (1.8.1)
     metasploit-concern (0.1.1)
       activesupport (~> 3.0, >= 3.0.0)
-    metasploit-credential (0.7.8)
+    metasploit-credential (0.7.10.pre.core.pre.search)
       metasploit-concern (~> 0.1.0)
       metasploit-model (>= 0.25.6)
-      metasploit_data_models (>= 0.18.0.pre.compatibility, < 0.19)
+      metasploit_data_models (~> 0.19)
       pg
       rubyntlm
       rubyzip (~> 1.1)
     metasploit-model (0.25.6)
       activesupport
-    metasploit_data_models (0.18.0)
+    metasploit_data_models (0.19.0)
       activerecord (>= 3.2.13, < 4.0.0)
       activesupport
+      arel-helpers
       metasploit-concern (~> 0.1.0)
       metasploit-model (>= 0.25.1, < 0.26)
       pg
@@ -156,9 +159,9 @@ DEPENDENCIES
   factory_girl (>= 4.1.0)
   factory_girl_rails
   fivemat (= 1.2.1)
-  metasploit-credential (~> 0.7.8)
+  metasploit-credential (>= 0.7.10.pre.core.pre.search, < 0.8)
   metasploit-framework!
-  metasploit_data_models (>= 0.18.0, < 0.19)
+  metasploit_data_models (~> 0.19)
   network_interface (~> 0.0.1)
   pcaprub
   pg (>= 0.11)

lib/metasploit/framework/community_string_collection.rb

@@ -0,0 +1,74 @@
+require 'metasploit/framework/credential'
+
+module Metasploit
+  module Framework
+
+    # This class is responsible for taking datastore options from the snmp_login module
+    # and yielding appropriate {Metasploit::Framework::Credential}s to the {Metasploit::Framework::LoginScanner::SNMP}.
+    # This one has to be different from {credentialCollection} as it will only have a {Metasploit::Framework::Credential#public}
+    # It may be slightly confusing that the attribues are called password and pass_file, because this is what the legacy
+    # module used. However, community Strings are now considered more to be public credentials than private ones.
+    class CommunityStringCollection
+      # @!attribute pass_file
+      #   Path to a file containing passwords, one per line
+      #   @return [String]
+      attr_accessor :pass_file
+
+      # @!attribute password
+      #   @return [String]
+      attr_accessor :password
+
+      # @!attribute prepended_creds
+      #   List of credentials to be tried before any others
+      #
+      #   @see #prepend_cred
+      #   @return [Array<Credential>]
+      attr_accessor :prepended_creds
+
+      # @option opts [String] :pass_file See {#pass_file}
+      # @option opts [String] :password See {#password}
+      # @option opts [Array<Credential>] :prepended_creds ([]) See {#prepended_creds}
+      def initialize(opts = {})
+        opts.each do |attribute, value|
+          public_send("#{attribute}=", value)
+        end
+        self.prepended_creds ||= []
+      end
+
+      # Combines all the provided credential sources into a stream of {Credential}
+      # objects, yielding them one at a time
+      #
+      # @yieldparam credential [Metasploit::Framework::Credential]
+      # @return [void]
+      def each
+        begin
+          if pass_file.present?
+            pass_fd = File.open(pass_file, 'r:binary')
+            pass_fd.each_line do |line|
+              line.chomp!
+              yield Metasploit::Framework::Credential.new(public: line, paired: false)
+            end
+          end
+
+          if password.present?
+            yield Metasploit::Framework::Credential.new(public: password, paired: false)
+          end
+
+        ensure
+          pass_fd.close if pass_fd && !pass_fd.closed?
+        end
+      end
+
+      # Add {Credential credentials} that will be yielded by {#each}
+      #
+      # @see prepended_creds
+      # @param cred [Credential]
+      # @return [self]
+      def prepend_cred(cred)
+        prepended_creds.unshift cred
+        self
+      end
+
+    end
+  end
+end

lib/metasploit/framework/credential.rb

@@ -78,7 +78,9 @@ def to_s
       end
 
       def ==(other)
-        other.public == self.public && other.private == self.private && other.realm == self.realm
+        other.respond_to?(:public) && other.public == self.public &&
+        other.respond_to?(:private) && other.private == self.private &&
+        other.respond_to?(:realm) && other.realm == self.realm
       end
 
       def to_credential

lib/metasploit/framework/jtr/cracker.rb

@@ -119,6 +119,8 @@ def crack_command
 
           if config.present?
             cmd << ( "--config=" + config )
+          else
+            cmd << ( "--config=" + john_config_file )
           end
 
           if pot.present?
@@ -162,6 +164,13 @@ def each_cracked_password
           end
         end
 
+        # This method returns the path to a default john.conf file.
+        #
+        # @return [String] the path to the default john.conf file
+        def john_config_file
+          ::File.join( ::Msf::Config.data_directory, "john", "confs", "john.conf" )
+        end
+
         # This method returns the path to a default john.pot file.
         #
         # @return [String] the path to the default john.pot file
@@ -189,6 +198,8 @@ def show_command
 
           if config
             cmd << "--config=#{config}"
+          else
+            cmd << ( "--config=" + john_config_file )
           end
 
           cmd << hash_path
@@ -199,11 +210,11 @@ def show_command
         # This method tries to identify the correct version of the pre-shipped
         # JtR binaries to use based on the platform.
         #
-        # @return [NilClass] if the correct bianry could not be determined
+        # @return [NilClass] if the correct binary could not be determined
         # @return [String] the path to the selected binary
         def select_shipped_binary
           cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
-          runpath = nil
+          run_path = nil
           if File.directory?(cpuinfo_base)
             data = nil
 
@@ -215,11 +226,11 @@ def select_shipped_binary
                 end
                 case data
                   when /sse2/
-                    run_path ||= "run.win32.sse2/john.exe"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.win32.sse2", "john.exe")
                   when /mmx/
-                    run_path ||= "run.win32.mmx/john.exe"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.win32.mmx", "john.exe")
                   else
-                    run_path ||= "run.win32.any/john.exe"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.win32.any", "john.exe")
                 end
               when /x86_64-linux/
                 fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
@@ -229,9 +240,9 @@ def select_shipped_binary
                 end
                 case data
                   when /mmx/
-                    run_path ||= "run.linux.x64.mmx/john"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x64.mmx", "john")
                   else
-                    run_path ||= "run.linux.x86.any/john"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.any", "john")
                 end
               when /i[\d]86-linux/
                 fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
@@ -241,15 +252,15 @@ def select_shipped_binary
                 end
                 case data
                   when /sse2/
-                    run_path ||= "run.linux.x86.sse2/john"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.sse2", "john")
                   when /mmx/
-                    run_path ||= "run.linux.x86.mmx/john"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.mmx", "john")
                   else
-                    run_path ||= "run.linux.x86.any/john"
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.any", "john")
                 end
             end
           end
-          runpath
+          run_path
         end
 
 

lib/metasploit/framework/login_scanner/http.rb

@@ -96,6 +96,8 @@ def set_sane_defaults
           self.connection_timeout ||= 20
           self.max_send_size = 0 if self.max_send_size.nil?
           self.send_delay = 0 if self.send_delay.nil?
+          self.uri = '/' if self.uri.blank?
+          self.method = 'GET' if self.method.blank?
 
           # Note that this doesn't cover the case where ssl is unset and
           # port is something other than a default. In that situtation,

lib/metasploit/framework/login_scanner/mysql.rb

@@ -78,7 +78,7 @@ def attempt_login(credential)
         # This method sets the sane defaults for things
         # like timeouts and TCP evasion options
         def set_sane_defaults
-          self.connection_timeout || 30
+          self.connection_timeout ||= 30
           self.port               ||= DEFAULT_PORT
           self.max_send_size      ||= 0
           self.send_delay         ||= 0

lib/msf/core/auxiliary/jtr.rb

@@ -41,6 +41,12 @@ def initialize(info = {})
 
   end
 
+  # @param pwd [String] Password recovered from cracking an LM hash
+  # @param hash [String] NTLM hash for this password
+  # @return [String] `pwd` converted to the correct case to match the
+  #   given NTLM hash
+  # @return [nil] if no case matches the NT hash. This can happen when
+  #   `pwd` came from a john run that only cracked half of the LM hash
   def john_lm_upper_to_ntlm(pwd, hash)
     pwd  = pwd.upcase
     hash = hash.upcase

modules/auxiliary/analyze/jtr_crack_fast.rb

@@ -30,7 +30,7 @@ def initialize
   def run
     cracker = new_john_cracker
 
-    #generate our wordlist and close the file handle
+    # generate our wordlist and close the file handle
     wordlist = wordlist_file
     wordlist.close
     print_status "Wordlist file written out to #{wordlist.path}"
@@ -53,10 +53,10 @@ def run
       end
 
       if format == 'lm'
-        print_status "Cracking #{format} hashes in incremental mode (LanMan)..."
+        print_status "Cracking #{format} hashes in incremental mode (All4)..."
         cracker_instance.rules = nil
         cracker_instance.wordlist = nil
-        cracker_instance.incremental = 'LanMan'
+        cracker_instance.incremental = 'All4'
         cracker_instance.crack do |line|
           print_status line.chomp
         end
@@ -98,6 +98,12 @@ def run
             end
           end
           password = john_lm_upper_to_ntlm(password, nt_hash)
+          # password can be nil if the hash is broken (i.e., the NT and
+          # LM sides don't actually match) or if john was only able to
+          # crack one half of the LM hash. In the latter case, we'll
+          # have a line like:
+          #  username:???????WORD:...:...:::
+          next if password.nil?
         end
 
         print_good "#{username}:#{password}:#{core_id}"