metasploit-credential 6.0.23 → 6.0.24

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 70002be99f916bdcdb0fe202a8e2684de0cb336ed301cf849724e59955ab88f9
-  data.tar.gz: 7d9a5389806443237dd2889caf1acd92a836eab7331eb9ebe97cd591f975c70d
+  metadata.gz: 4b9e7598b0e2092c89cf53906e4f4a1095d8ab1a0db16909c7b6dfdb34f36126
+  data.tar.gz: 05d85b467d16961cd74ddca8d91b9a556917796d063e9220790ebbab5a8fdebf
 SHA512:
-  metadata.gz: 772f4d254bbb3faa24f218705f605c0273fe450769315da209567518f52d3f318ea55927a21be482df43584224152624934a4ef1174e8fdc29b35a0707067397
-  data.tar.gz: ec6628b22248b6fa058ad75a1c1336e1d804596e0ecdaa95a53877ca0abebbe528fca9caf2b257367847d3ad6e5a1ddbd98d1e42fd736e743bb29448bc89ccc1
+  metadata.gz: 29e2ef10c016b40770b87a09b91102717c8e65e47592c3774953f804ed95558020aef18abc8556218f413802afbd56798d2f5253e109b5e618de5b35cdaf0f0f
+  data.tar.gz: 9b66948b98ed071ddfe1942e73f5454ae9c9f718b352028e344aec532fa9b27f730f62024dde594174f5176d8f6dd3bb54f10649b0f90da148d13f20c8a73804

data/lib/metasploit/credential/creation.rb

@@ -39,20 +39,43 @@ module Metasploit::Credential::Creation
     old_realm_id = nil
 
     retry_transaction do
-      private  = Metasploit::Credential::Password.where(data: password).first_or_create!
-      public   = Metasploit::Credential::Public.where(username: username).first_or_create!
       old_core = Metasploit::Credential::Core.find(core_id)
       old_realm_id = old_core.realm.id if old_core.realm
+      if username.blank? && old_core.public
+        username = old_core.public.username
+      end
+      private  = Metasploit::Credential::Password.where(data: password).first_or_create!
+      public   = Metasploit::Credential::Public.where(username: username).first_or_create!
     end
 
     core = nil
 
     retry_transaction do
-      core = Metasploit::Credential::Core.where(public_id: public.id, private_id: private.id, realm_id: old_realm_id, workspace_id: old_core.workspace_id).first_or_initialize
-      if core.origin_id.nil?
-        origin      = Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: core_id).first_or_create!
-        core.origin = origin
+      # Create the CrackedPassword origin for this specific originating
+      # core first, then look up a Core that is already tied to it.
+      # This prevents two different hashes that crack to the same
+      # password from collapsing into a single Core where only the
+      # first origin link is recorded.
+      origin = Metasploit::Credential::Origin::CrackedPassword.where(metasploit_credential_core_id: core_id).first_or_create!
+
+      core = Metasploit::Credential::Core.find_by(
+        origin_type: 'Metasploit::Credential::Origin::CrackedPassword',
+        origin_id: origin.id
+      )
+
+      unless core
+        core = Metasploit::Credential::Core.where(
+          public_id: public.id,
+          private_id: private.id,
+          realm_id: old_realm_id,
+          workspace_id: old_core.workspace_id
+        ).first_or_initialize
+
+        if core.origin_id.nil?
+          core.origin = origin
+        end
       end
+
       if opts[:task_id]
         core.tasks << Mdm::Task.find(opts[:task_id])
       end
@@ -136,6 +159,17 @@ module Metasploit::Credential::Creation
     end
 
     if opts.has_key?(:username)
+      # When cracking a hash, the caller may not know the username
+      # (e.g. krb5tgs / krb5asrep).  Fall back to the originating
+      # core's public so each cracked hash gets a distinct Core
+      # instead of all of them collapsing into a single BlankUsername
+      # Core where only the first origin link is recorded.
+      if opts[:username].blank? && opts[:origin_type] == :cracked_password && opts[:originating_core_id]
+        originating_core = Metasploit::Credential::Core.find_by(id: opts[:originating_core_id])
+        if originating_core&.public
+          opts = opts.merge(username: originating_core.public.username)
+        end
+      end
       core_opts[:public] = create_credential_public(opts)
     end
 
@@ -256,7 +290,20 @@ module Metasploit::Credential::Creation
 
     core = nil
     retry_transaction do
-      core = Metasploit::Credential::Core.where(private_id: private_id, public_id: public_id, realm_id: realm_id, workspace_id: workspace_id).first_or_initialize
+      # When the origin is a CrackedPassword, look up by origin first
+      # so that each originating hash gets its own cracked Core.
+      # Without this, two different hashes that crack to the same
+      # password (and share public/realm/workspace) resolve to a
+      # single Core and only the first origin link is recorded.
+      if origin.is_a?(Metasploit::Credential::Origin::CrackedPassword)
+        core = Metasploit::Credential::Core.find_by(
+          origin_type: origin.class.to_s,
+          origin_id: origin.id
+        )
+      end
+
+      core ||= Metasploit::Credential::Core.where(private_id: private_id, public_id: public_id, realm_id: realm_id, workspace_id: workspace_id).first_or_initialize
+
       if core.origin_id.nil?
         core.origin = origin
       end

data/lib/metasploit/credential/version.rb

@@ -3,7 +3,7 @@
 module Metasploit
   module Credential
     # VERSION is managed by GemRelease
-    VERSION = '6.0.23'
+    VERSION = '6.0.24'
 
     # @return [String]
     #

data/spec/dummy/tmp/local_secret.txt

@@ -1 +1 @@
-56490bc7875b183426ab7522d696039f2b53b6a80d12149270b35d9f4566a35fdb2f3877591cdf0397c3278c5a27dc96f45a74737c441d6d4c966d32b93a201a
+a40adeaa65852477620cc75a2031e3330751540828be89231cc907bc82edda8d4d9f438dcf88844adc06d119dd172b75ceca305d75b355c4e8cb7532a6e7114a

data/spec/lib/metasploit/credential/creation_spec.rb

@@ -209,6 +209,48 @@ RSpec.describe Metasploit::Credential::Creation do
         expect( Metasploit::Credential::PostgresMD5.count ).to eq(1)
       end
     end
+
+    context 'when origin is cracked_password and username is blank' do
+      let(:named_public) { FactoryBot.create(:metasploit_credential_username) }
+      let(:hash_private) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:manual_origin) { FactoryBot.create(:metasploit_credential_origin_manual) }
+
+      let!(:originating_core) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: named_public, private: hash_private,
+                          workspace: workspace, origin: manual_origin)
+      end
+
+      let(:credential_data) {{
+        workspace_id: workspace.id,
+        origin_type: :cracked_password,
+        originating_core_id: originating_core.id,
+        username: '',
+        private_data: 'cracked_pw',
+        private_type: :password
+      }}
+
+      it 'falls back to the originating core public username instead of creating a BlankUsername' do
+        core = test_object.create_credential(credential_data)
+        expect(core.public.username).to eq(named_public.username)
+        expect(core.public).not_to be_a(Metasploit::Credential::BlankUsername)
+      end
+
+      it 'creates distinct Cores when two different hashes crack to the same password with blank usernames' do
+        hash_private2 = FactoryBot.create(:metasploit_credential_nonreplayable_hash)
+        named_public2 = FactoryBot.create(:metasploit_credential_username)
+        originating_core2 = FactoryBot.create(:metasploit_credential_core,
+                                              public: named_public2, private: hash_private2,
+                                              workspace: workspace, origin: manual_origin)
+
+        core1 = test_object.create_credential(credential_data)
+        core2 = test_object.create_credential(credential_data.merge(originating_core_id: originating_core2.id))
+
+        expect(core1.id).not_to eq(core2.id)
+        expect(core1.public.username).to eq(named_public.username)
+        expect(core2.public.username).to eq(named_public2.username)
+      end
+    end
   end
 
   context '#create_credential_and_login' do
@@ -463,6 +505,223 @@ RSpec.describe Metasploit::Credential::Creation do
 
     end
 
+    context 'when two different hashes crack to the same password' do
+      let(:public_user1) { FactoryBot.create(:metasploit_credential_username) }
+      let(:public_user2) { FactoryBot.create(:metasploit_credential_username) }
+      let(:hash1) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:hash2) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:manual_origin) { FactoryBot.create(:metasploit_credential_origin_manual) }
+      let(:cracked_password) { 'cracked_same_password' }
+
+      let!(:hash_core1) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: public_user1, private: hash1,
+                          realm: realm, workspace: workspace, origin: manual_origin)
+      end
+
+      let!(:hash_core2) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: public_user2, private: hash2,
+                          realm: realm, workspace: workspace, origin: manual_origin)
+      end
+
+      it 'creates separate Cores for each originating hash' do
+        core1 = test_object.create_cracked_credential(
+          core_id: hash_core1.id,
+          username: public_user1.username,
+          password: cracked_password
+        )
+        core2 = test_object.create_cracked_credential(
+          core_id: hash_core2.id,
+          username: public_user2.username,
+          password: cracked_password
+        )
+
+        expect(core1.id).not_to eq(core2.id)
+      end
+
+      it 'records distinct CrackedPassword origins pointing to each originating core' do
+        core1 = test_object.create_cracked_credential(
+          core_id: hash_core1.id,
+          username: public_user1.username,
+          password: cracked_password
+        )
+        core2 = test_object.create_cracked_credential(
+          core_id: hash_core2.id,
+          username: public_user2.username,
+          password: cracked_password
+        )
+
+        expect(core1.origin).to be_a(Metasploit::Credential::Origin::CrackedPassword)
+        expect(core2.origin).to be_a(Metasploit::Credential::Origin::CrackedPassword)
+        expect(core1.origin.metasploit_credential_core_id).to eq(hash_core1.id)
+        expect(core2.origin.metasploit_credential_core_id).to eq(hash_core2.id)
+      end
+
+      context 'when both hashes share the same username and realm' do
+        let(:shared_public) { FactoryBot.create(:metasploit_credential_username) }
+
+        let!(:hash_core_a) do
+          FactoryBot.create(:metasploit_credential_core,
+                            public: shared_public, private: hash1,
+                            realm: realm, workspace: workspace, origin: manual_origin)
+        end
+
+        let!(:hash_core_b) do
+          FactoryBot.create(:metasploit_credential_core,
+                            public: shared_public, private: hash2,
+                            realm: realm, workspace: workspace, origin: manual_origin)
+        end
+
+        it 'reuses the existing Core but creates distinct CrackedPassword origins for each hash' do
+          core_a = test_object.create_cracked_credential(
+            core_id: hash_core_a.id,
+            username: shared_public.username,
+            password: cracked_password
+          )
+          core_b = test_object.create_cracked_credential(
+            core_id: hash_core_b.id,
+            username: shared_public.username,
+            password: cracked_password
+          )
+
+          # Both resolve to the same Core because public/private/realm/workspace match
+          expect(core_a.id).to eq(core_b.id)
+
+          # But distinct CrackedPassword origins are still recorded for each originating hash
+          origins = Metasploit::Credential::Origin::CrackedPassword.where(
+            metasploit_credential_core_id: [hash_core_a.id, hash_core_b.id]
+          )
+          expect(origins.count).to eq(2)
+        end
+      end
+    end
+
+    context 'when username is blank' do
+      let(:named_public) { FactoryBot.create(:metasploit_credential_username) }
+      let(:hash_private) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:manual_origin) { FactoryBot.create(:metasploit_credential_origin_manual) }
+
+      let!(:originating_core) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: named_public, private: hash_private,
+                          realm: realm, workspace: workspace, origin: manual_origin)
+      end
+
+      it 'falls back to the originating core public username' do
+        core = test_object.create_cracked_credential(
+          core_id: originating_core.id,
+          username: '',
+          password: password
+        )
+
+        expect(core.public.username).to eq(named_public.username)
+      end
+
+      it 'does not create a BlankUsername record for the cracked credential' do
+        blank_count_before = Metasploit::Credential::BlankUsername.count
+        test_object.create_cracked_credential(
+          core_id: originating_core.id,
+          username: '',
+          password: password
+        )
+
+        # The cracked Core should use the originating core's named username,
+        # not create a new BlankUsername
+        cracked_core = Metasploit::Credential::Core.last
+        expect(cracked_core.public).not_to be_a(Metasploit::Credential::BlankUsername)
+        expect(Metasploit::Credential::BlankUsername.count).to eq(blank_count_before)
+      end
+
+      context 'with two different hashes that both have named publics' do
+        let(:named_public2) { FactoryBot.create(:metasploit_credential_username) }
+        let(:hash_private2) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+
+        let!(:originating_core2) do
+          FactoryBot.create(:metasploit_credential_core,
+                            public: named_public2, private: hash_private2,
+                            realm: realm, workspace: workspace, origin: manual_origin)
+        end
+
+        it 'creates separate Cores each with the correct username from their originating core' do
+          core1 = test_object.create_cracked_credential(
+            core_id: originating_core.id,
+            username: '',
+            password: password
+          )
+          core2 = test_object.create_cracked_credential(
+            core_id: originating_core2.id,
+            username: '',
+            password: password
+          )
+
+          expect(core1.id).not_to eq(core2.id)
+          expect(core1.public.username).to eq(named_public.username)
+          expect(core2.public.username).to eq(named_public2.username)
+        end
+      end
+    end
+
+    context 'end-to-end: two different hash types (e.g. krb5tgs and krb5asrep) cracked to the same password' do
+      let(:krb5tgs_public) { Metasploit::Credential::Username.create!(username: 'krb5tgs') }
+      let(:krb5asrep_public) { Metasploit::Credential::Username.create!(username: 'krb5asrep') }
+      let(:krb5tgs_hash) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:krb5asrep_hash) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:manual_origin) { FactoryBot.create(:metasploit_credential_origin_manual) }
+      let(:cracked_pw) { 'hashcat' }
+
+      let!(:krb5tgs_core) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: krb5tgs_public, private: krb5tgs_hash,
+                          workspace: workspace, origin: manual_origin)
+      end
+
+      let!(:krb5asrep_core) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: krb5asrep_public, private: krb5asrep_hash,
+                          workspace: workspace, origin: manual_origin)
+      end
+
+      it 'creates 2 new cracked Cores in addition to the 2 originals' do
+        expect {
+          test_object.create_cracked_credential(core_id: krb5tgs_core.id, username: '', password: cracked_pw)
+          test_object.create_cracked_credential(core_id: krb5asrep_core.id, username: '', password: cracked_pw)
+        }.to change { Metasploit::Credential::Core.count }.by(2)
+      end
+
+      it 'links each cracked Core back to its originating hash via CrackedPassword origin' do
+        cracked1 = test_object.create_cracked_credential(core_id: krb5tgs_core.id, username: '', password: cracked_pw)
+        cracked2 = test_object.create_cracked_credential(core_id: krb5asrep_core.id, username: '', password: cracked_pw)
+
+        expect(cracked1.origin).to be_a(Metasploit::Credential::Origin::CrackedPassword)
+        expect(cracked2.origin).to be_a(Metasploit::Credential::Origin::CrackedPassword)
+        expect(cracked1.origin.metasploit_credential_core_id).to eq(krb5tgs_core.id)
+        expect(cracked2.origin.metasploit_credential_core_id).to eq(krb5asrep_core.id)
+      end
+
+      it 'uses the originating core username for each cracked Core instead of BlankUsername' do
+        cracked1 = test_object.create_cracked_credential(core_id: krb5tgs_core.id, username: '', password: cracked_pw)
+        cracked2 = test_object.create_cracked_credential(core_id: krb5asrep_core.id, username: '', password: cracked_pw)
+
+        expect(cracked1.public.username).to eq('krb5tgs')
+        expect(cracked2.public.username).to eq('krb5asrep')
+      end
+
+      it 'allows looking up the cracked password from each originating hash core' do
+        test_object.create_cracked_credential(core_id: krb5tgs_core.id, username: '', password: cracked_pw)
+        test_object.create_cracked_credential(core_id: krb5asrep_core.id, username: '', password: cracked_pw)
+
+        # Simulate the lookup that creds display does: find cracked Cores by their CrackedPassword origin
+        cracked_cores = Metasploit::Credential::Core.where(origin_type: 'Metasploit::Credential::Origin::CrackedPassword')
+        cracked_by_originating_id = cracked_cores.each_with_object({}) do |core, map|
+          map[core.origin.metasploit_credential_core_id] = core
+        end
+
+        expect(cracked_by_originating_id[krb5tgs_core.id].private.data).to eq(cracked_pw)
+        expect(cracked_by_originating_id[krb5asrep_core.id].private.data).to eq(cracked_pw)
+      end
+    end
+
   end
 
   context '#create_credential_origin_import' do
@@ -981,6 +1240,100 @@ RSpec.describe Metasploit::Credential::Creation do
       expect(core.tasks).to include(task)
     end
 
+    context 'when origin is a CrackedPassword' do
+      let(:manual_origin) { FactoryBot.create(:metasploit_credential_origin_manual) }
+      let(:hash1) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:hash2) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
+      let(:cracked_pw) { FactoryBot.create(:metasploit_credential_password) }
+      let(:pub1) { FactoryBot.create(:metasploit_credential_username) }
+      let(:pub2) { FactoryBot.create(:metasploit_credential_username) }
+      let(:rlm) { FactoryBot.create(:metasploit_credential_realm) }
+      let(:ws) { FactoryBot.create(:mdm_workspace) }
+
+      let!(:hash_core1) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: pub1, private: hash1,
+                          realm: rlm, workspace: ws, origin: manual_origin)
+      end
+
+      let!(:hash_core2) do
+        FactoryBot.create(:metasploit_credential_core,
+                          public: pub2, private: hash2,
+                          realm: rlm, workspace: ws, origin: manual_origin)
+      end
+
+      it 'creates separate Cores when CrackedPassword origins have different publics' do
+        origin1 = Metasploit::Credential::Origin::CrackedPassword.create!(metasploit_credential_core_id: hash_core1.id)
+        origin2 = Metasploit::Credential::Origin::CrackedPassword.create!(metasploit_credential_core_id: hash_core2.id)
+
+        core1 = test_object.create_credential_core(
+          origin: origin1,
+          public: pub1,
+          private: cracked_pw,
+          realm: rlm,
+          workspace_id: ws.id
+        )
+        core2 = test_object.create_credential_core(
+          origin: origin2,
+          public: pub2,
+          private: cracked_pw,
+          realm: rlm,
+          workspace_id: ws.id
+        )
+
+        expect(core1.id).not_to eq(core2.id)
+        expect(core1.origin_id).to eq(origin1.id)
+        expect(core2.origin_id).to eq(origin2.id)
+      end
+
+      it 'returns the existing Core when called again with the same CrackedPassword origin' do
+        origin1 = Metasploit::Credential::Origin::CrackedPassword.create!(metasploit_credential_core_id: hash_core1.id)
+
+        core_first = test_object.create_credential_core(
+          origin: origin1,
+          public: pub1,
+          private: cracked_pw,
+          realm: rlm,
+          workspace_id: ws.id
+        )
+        core_second = test_object.create_credential_core(
+          origin: origin1,
+          public: pub1,
+          private: cracked_pw,
+          realm: rlm,
+          workspace_id: ws.id
+        )
+
+        expect(core_first.id).to eq(core_second.id)
+      end
+
+      it 'looks up by origin before falling back to public/private/realm/workspace' do
+        origin1 = Metasploit::Credential::Origin::CrackedPassword.create!(metasploit_credential_core_id: hash_core1.id)
+
+        core = test_object.create_credential_core(
+          origin: origin1,
+          public: pub1,
+          private: cracked_pw,
+          realm: rlm,
+          workspace_id: ws.id
+        )
+
+        # Calling again with the same origin returns the same core
+        # even though the lookup by origin happens first
+        core_again = test_object.create_credential_core(
+          origin: origin1,
+          public: pub1,
+          private: cracked_pw,
+          realm: rlm,
+          workspace_id: ws.id
+        )
+
+        expect(core.id).to eq(core_again.id)
+        expect(core.origin).to be_a(Metasploit::Credential::Origin::CrackedPassword)
+        expect(core.origin.metasploit_credential_core_id).to eq(hash_core1.id)
+      end
+    end
+
   end
 
   context '#create_credential_login' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-credential
 version: !ruby/object:Gem::Version
-  version: 6.0.23
+  version: 6.0.24
 platform: ruby
 authors:
 - Metasploit Hackers
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-21 00:00:00.000000000 Z
+date: 2026-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: metasploit-concern