def __bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal,
found, proc_id, proc_count, wordlists,
custom_wordlist):
count = 0
rotator = 0
wordlist = Wordlist(wordlists, proc_id, getattr(proc_count, "value", 0),
custom_wordlist)
try:
for word in wordlist:
if found.value:
break
current = __functions__[hash_regex](password=word,
uppercase=False,
**kwargs)
count += 1
if not isinstance(word, basestring):
continue
if suffix:
word = word + suffix
try:
if hash_ == current:
if hash_regex == HASH.ORACLE_OLD: #only for cosmetic purposes
word = word.upper()
retVal.put((user, hash_, word))
clearConsoleLine()
infoMsg = "\r[%s] [INFO] cracked password '%s'" % (
time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user '%s'\n" % user
else:
infoMsg += " for hash '%s'\n" % hash_
dataToStdout(infoMsg, True)
found.value = True
elif (
proc_id == 0 or getattr(proc_count, "value", 0) == 1
) and count % HASH_MOD_ITEM_DISPLAY == 0 or hash_regex == HASH.ORACLE_OLD or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
rotator += 1
if rotator >= len(ROTATING_CHARS):
rotator = 0
status = 'current status: %s... %s' % (
word.ljust(5)[:5], ROTATING_CHARS[rotator])
if not user.startswith(DUMMY_USER_PREFIX):
status += ' (user: %s)' % user
dataToStdout("\r[%s] [INFO] %s" %
(time.strftime("%X"), status))
except KeyboardInterrupt:
raise
except (UnicodeEncodeError, UnicodeDecodeError):
pass # ignore possible encoding problems caused by some words in custom dictionaries
except Exception, ex:
print ex
warnMsg = "there was a problem while hashing entry: %s. " % repr(
word)
warnMsg += "Please report by e-mail to %s" % ML
logger.critical(warnMsg)
except KeyboardInterrupt:
pass
finally:
if hasattr(proc_count, 'value'):
proc_count.value -= 1
def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id,
proc_count, wordlists, custom_wordlist, api):
if IS_WIN:
coloramainit()
count = 0
rotator = 0
hashes = set([item[0][1] for item in attack_info])
wordlist = Wordlist(wordlists, proc_id, getattr(proc_count, "value", 0),
custom_wordlist)
try:
for word in wordlist:
if not attack_info:
break
if not isinstance(word, basestring):
continue
if suffix:
word = word + suffix
try:
current = __functions__[hash_regex](password=word,
uppercase=False)
count += 1
if current in hashes:
for item in attack_info[:]:
((user, hash_), _) = item
if hash_ == current:
retVal.put((user, hash_, word))
clearConsoleLine()
infoMsg = "\r[%s] [INFO] cracked password '%s'" % (
time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user '%s'\n" % user
else:
infoMsg += " for hash '%s'\n" % hash_
dataToStdout(infoMsg, True)
attack_info.remove(item)
elif (
proc_id == 0 or getattr(proc_count, "value", 0) == 1
) and count % HASH_MOD_ITEM_DISPLAY == 0 or hash_regex == HASH.ORACLE_OLD or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
rotator += 1
if rotator >= len(ROTATING_CHARS):
rotator = 0
status = 'current status: %s... %s' % (
word.ljust(5)[:5], ROTATING_CHARS[rotator])
if not api:
dataToStdout("\r[%s] [INFO] %s" %
(time.strftime("%X"), status))
except KeyboardInterrupt:
raise
except (UnicodeEncodeError, UnicodeDecodeError):
pass # ignore possible encoding problems caused by some words in custom dictionaries
except Exception, e:
warnMsg = "there was a problem while hashing entry: %s (%s). " % (
repr(word), e)
warnMsg += "Please report by e-mail to '%s'" % DEV_EMAIL_ADDRESS
logger.critical(warnMsg)
except KeyboardInterrupt:
pass
finally:
if hasattr(proc_count, "value"):
with proc_count.get_lock():
proc_count.value -= 1
def _bruteProcessVariantA(attack_info, hash_regex, suffix, retVal, proc_id,
proc_count, wordlists, custom_wordlist, api):
if IS_WIN:
coloramainit()
count = 0
rotator = 0
hashes = set([item[0][1] for item in attack_info])
wordlist = Wordlist(wordlists, proc_id, getattr(proc_count, "value", 0),
custom_wordlist)
try:
for word in wordlist:
if not attack_info:
break
if not isinstance(word, basestring):
continue
if suffix:
word = word + suffix
try:
current = __functions__[hash_regex](password=word,
uppercase=False)
count += 1
if current in hashes:
for item in attack_info[:]:
((user, hash_), _) = item
if hash_ == current:
retVal.put((user, hash_, word))
clearConsoleLine()
infoMsg = u"\r[%s] [INFO] 破解密码'%s'" % (
time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += u" 对于用户'%s'\n" % user
else:
infoMsg += u" 对于哈希 '%s'\n" % hash_
dataToStdout(infoMsg, True)
attack_info.remove(item)
elif (
proc_id == 0 or getattr(proc_count, "value", 0) == 1
) and count % HASH_MOD_ITEM_DISPLAY == 0 or hash_regex == HASH.ORACLE_OLD or hash_regex == HASH.CRYPT_GENERIC and IS_WIN:
rotator += 1
if rotator >= len(ROTATING_CHARS):
rotator = 0
status = u'当前状态: %s... %s' % (word.ljust(5)[:5],
ROTATING_CHARS[rotator])
if not api:
dataToStdout("\r[%s] [INFO] %s" %
(time.strftime("%X"), status))
except KeyboardInterrupt:
raise
except (UnicodeEncodeError, UnicodeDecodeError):
pass # 忽略自定义词典中由某些单词引起的可能的编码问题
except Exception, e:
warnMsg = u"哈希输入时出现问题: %s (%s). " % (repr(word), e)
warnMsg += u"请通过电子邮件报告'*****@*****.**'"
logger.critical(warnMsg)
except KeyboardInterrupt:
pass
finally:
if hasattr(proc_count, "value"):
with proc_count.get_lock():
proc_count.value -= 1
def _bruteProcessVariantB(user, hash_, kwargs, hash_regex, suffix, retVal,
found, proc_id, proc_count, wordlists,
custom_wordlist, api):
if IS_WIN:
coloramainit()
count = 0
rotator = 0
wordlist = Wordlist(wordlists, proc_id, getattr(proc_count, "value", 0),
custom_wordlist)
try:
for word in wordlist:
if found.value:
break
current = __functions__[hash_regex](password=word,
uppercase=False,
**kwargs)
count += 1
if not isinstance(word, basestring):
continue
if suffix:
word = word + suffix
try:
if hash_ == current:
if hash_regex == HASH.ORACLE_OLD: # only for cosmetic purposes
word = word.upper()
retVal.put((user, hash_, word))
clearConsoleLine()
infoMsg = u"\r[%s] [INFO] 破解密码 '%s'" % (
time.strftime("%X"), word)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += u" 对于用户 '%s'\n" % user
else:
infoMsg += u" 对于哈希 '%s'\n" % hash_
dataToStdout(infoMsg, True)
found.value = True
elif (proc_id == 0 or getattr(proc_count, "value", 0)
== 1) and count % HASH_MOD_ITEM_DISPLAY == 0:
rotator += 1
if rotator >= len(ROTATING_CHARS):
rotator = 0
status = u'当前状态: %s... %s' % (word.ljust(5)[:5],
ROTATING_CHARS[rotator])
if user and not user.startswith(DUMMY_USER_PREFIX):
status += ' (user: %s)' % user
if not api:
dataToStdout("\r[%s] [INFO] %s" %
(time.strftime("%X"), status))
except KeyboardInterrupt:
raise
except (UnicodeEncodeError, UnicodeDecodeError):
pass # ignore possible encoding problems caused by some words in custom dictionaries
except Exception, e:
warnMsg = u"哈希输入时出现问题:: %s (%s). " % (repr(word), e)
warnMsg += u"请通过电子邮件报告'*****@*****.**'"
logger.critical(warnMsg)
except KeyboardInterrupt:
pass
finally:
if hasattr(proc_count, "value"):
with proc_count.get_lock():
proc_count.value -= 1
def dictionaryAttack(attack_dict):
suffix_list = [""]
hash_regexes = []
results = []
resumes = []
processException = False
user_hash = []
for (_, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
regex = hashRecognition(hash_)
if regex and regex not in hash_regexes:
hash_regexes.append(regex)
infoMsg = "using hash method '%s'" % __functions__[
regex].func_name
logger.info(infoMsg)
for hash_regex in hash_regexes:
keys = set()
attack_info = []
for (user, hashes) in attack_dict.items():
for hash_ in hashes:
if not hash_:
continue
hash_ = hash_.split()[0]
if re.match(hash_regex, hash_):
item = None
if hash_regex not in (HASH.CRYPT_GENERIC, HASH.WORDPRESS):
hash_ = hash_.lower()
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD,
HASH.MD5_GENERIC, HASH.SHA1_GENERIC):
item = [(user, hash_), {}]
elif hash_regex in (HASH.ORACLE_OLD, HASH.POSTGRES):
item = [(user, hash_), {'username': user}]
elif hash_regex in (HASH.ORACLE):
item = [(user, hash_), {'salt': hash_[-20:]}]
elif hash_regex in (HASH.MSSQL, HASH.MSSQL_OLD):
item = [(user, hash_), {'salt': hash_[6:14]}]
elif hash_regex in (HASH.CRYPT_GENERIC):
item = [(user, hash_), {'salt': hash_[0:2]}]
elif hash_regex in (HASH.WORDPRESS):
item = [(user, hash_), {
'salt': hash_[4:12],
'count': 1 << ITOA64.index(hash_[3]),
'prefix': hash_[:12]
}]
if item and hash_ not in keys:
resumed = hashDBRetrieve(hash_)
if not resumed:
attack_info.append(item)
user_hash.append(item[0])
else:
infoMsg = "resuming password '%s' for hash '%s'" % (
resumed, hash_)
if user and not user.startswith(DUMMY_USER_PREFIX):
infoMsg += " for user '%s'" % user
logger.info(infoMsg)
resumes.append((user, hash_, resumed))
keys.add(hash_)
if not attack_info:
continue
if not kb.wordlist:
while not kb.wordlist:
# the slowest of all methods hence smaller default dict
if hash_regex in (HASH.ORACLE_OLD, HASH.WORDPRESS):
dictPaths = [paths.SMALL_DICT]
else:
dictPaths = [paths.WORDLIST]
message = "what dictionary do you want to use?\n"
message += "[1] default dictionary file '%s' (press Enter)\n" % dictPaths[
0]
message += "[2] custom dictionary file\n"
message += "[3] file with list of dictionary files"
choice = readInput(message, default="1")
try:
if choice == "2":
message = "what's the custom dictionary's location?\n"
dictPaths = [readInput(message)]
logger.info("using custom dictionary")
elif choice == "3":
message = "what's the list file location?\n"
listPath = readInput(message)
checkFile(listPath)
dictPaths = getFileItems(listPath)
logger.info("using custom list of dictionaries")
else:
logger.info("using default dictionary")
for dictPath in dictPaths:
checkFile(dictPath)
kb.wordlist = Wordlist(dictPaths)
if _multiprocessing:
kb.wordlist.lock = _multiprocessing.Lock()
except sqlmapFilePathException, msg:
warnMsg = "there was a problem while loading dictionaries"
warnMsg += " ('%s')" % msg
logger.critical(warnMsg)
message = "do you want to use common password suffixes? (slow!) [y/N] "
test = readInput(message, default="N")
if test[0] in ("y", "Y"):
suffix_list += COMMON_PASSWORD_SUFFIXES
infoMsg = "starting dictionary-based cracking (%s)" % __functions__[
hash_regex].func_name
logger.info(infoMsg)
for item in attack_info:
((user, _), _) = item
if user and not user.startswith(DUMMY_USER_PREFIX):
kb.wordlist.append(normalizeUnicode(user))
if hash_regex in (HASH.MYSQL, HASH.MYSQL_OLD, HASH.MD5_GENERIC,
HASH.SHA1_GENERIC):
for suffix in suffix_list:
if len(attack_info) == len(results) or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
kb.wordlist.rewind()
retVal = None
processes = []
try:
if _multiprocessing and not IS_WIN:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
retVal = _multiprocessing.Queue()
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(
target=__bruteProcessVariantA,
args=(attack_info, hash_regex, kb.wordlist,
suffix, retVal, i, count))
processes.append(p)
for p in processes:
p.start()
for p in processes:
p.join()
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
retVal = Queue()
__bruteProcessVariantA(attack_info, hash_regex,
kb.wordlist, suffix, retVal, 0,
1)
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
process.terminate()
process.join()
finally:
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
_, hash_, word = item = retVal.get(block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
else:
for ((user, hash_), kwargs) in attack_info:
if processException:
break
count = 0
found = False
for suffix in suffix_list:
if found or processException:
break
if suffix:
clearConsoleLine()
infoMsg = "using suffix '%s'" % suffix
logger.info(infoMsg)
kb.wordlist.rewind()
retVal = None
processes = []
try:
if _multiprocessing and not IS_WIN:
if _multiprocessing.cpu_count() > 1:
infoMsg = "starting %d processes " % _multiprocessing.cpu_count(
)
singleTimeLogMessage(infoMsg)
retVal = _multiprocessing.Queue()
found_ = _multiprocessing.Value('i', False)
count = _multiprocessing.Value(
'i', _multiprocessing.cpu_count())
for i in xrange(_multiprocessing.cpu_count()):
p = _multiprocessing.Process(
target=__bruteProcessVariantB,
args=(user, hash_, kwargs, hash_regex,
kb.wordlist, suffix, retVal, found_,
i, count))
processes.append(p)
for p in processes:
p.start()
for p in processes:
p.join()
found = found_.value != 0
else:
warnMsg = "multiprocessing hash cracking is currently "
warnMsg += "not supported on this platform"
singleTimeWarnMessage(warnMsg)
class Value():
pass
retVal = Queue()
found_ = Value()
found_.value = False
__bruteProcessVariantB(user, hash_, kwargs,
hash_regex, kb.wordlist,
suffix, retVal, found_, 0,
1)
found = found_.value
except KeyboardInterrupt:
print
processException = True
warnMsg = "user aborted during dictionary-based attack phase (Ctrl+C was pressed)"
logger.warn(warnMsg)
for process in processes:
process.terminate()
process.join()
finally:
if retVal:
conf.hashDB.beginTransaction()
while not retVal.empty():
_, hash_, word = item = retVal.get(block=False)
hashDBWrite(hash_, word)
results.append(item)
conf.hashDB.endTransaction()
clearConsoleLine()
