Redesigning the Credential Cracking Strategy

If you write auxiliary Metasploit modules, you are no doubt familiar with the venerable report_auth_note() -- this is the function you call in your module to let your database know about all your awesome new credentials. Well, it's been changed. More specifically, the database schema has changed. We now treat cracked credentials with all due deference and get them out of the notes table ghetto, and into a new table all their own, as befitting their stature (as of revision r10034).Why do I say the notes table is a ghetto? Well, notes are great because they're flexible and you can stuff basically anything you want in there. But, that flexibility came with some ugly costs -- all that freewheeling data is really hard to work with outside of Metasploit. Go ahead and do a select data from notes; and you'll see what I mean. Any client has to go and un-base64 it, then parse out all the fields, and even then nothing is really guaranteed. So, while notes are great for, well, internal notes, they're not so great for making useful things like cracked credentials more available to your other pen-testing gear.The schema and API change has made report_auth_note() (now aliased to report_creds()) a little more strict, in order to ensure that you can actually use those hard-earned credentials. The (continue reading...)