metasploit-framework/modules/post/windows/gather/enum_ad_computers.rb

##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'rex'
require 'msf/core'
require 'msf/core/auxiliary/report'

class Metasploit3 < Msf::Post

	include Msf::Auxiliary::Report

	def initialize(info={})
		super( update_info( info,
				'Name'	       => 'Windows Gather Active Directory Computers',
				'Description'  => %Q{
						This module will enumerate computers in the default AD directory.

						Optional Attributes to use in ATTRIBS:
						objectClass, cn, description, distinguishedName, instanceType, whenCreated,
						whenChanged, uSNCreated, uSNChanged, name, objectGUID,
						userAccountControl, badPwdCount, codePage, countryCode,
						badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,
						pwdLastSet, primaryGroupID, objectSid, accountExpires,
						logonCount, sAMAccountName, sAMAccountType, operatingSystem,
						operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,
						dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory,
						netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,
						lastLogonTimestamp, msDS-SupportedEncryptionTypes

						ActiveDirectory has a MAX_SEARCH limit of 1000 by default. Split search up
						if you hit that limit.

						Possible filters:
						(objectClass=computer) # All Computers
						(primaryGroupID=516)  # All Domain Controllers
						(&(objectCategory=computer)(operatingSystem=*server*)) # All Servers

						No reason this can't enumerate users/groups with the right filters and attribs.
				},
				'License'      => MSF_LICENSE,
				'Author'       => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
				'Platform'     => [ 'win' ],
				'SessionTypes' => [ 'meterpreter' ],
				'References'	=>
				[
					['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],
				]
			))

		register_options([
			OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 50]),
			OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
			OptBool.new('STORE_DB', [true, 'Store file in DB (performance hit resolving IPs).', true]),
			OptString.new('ATTRIBS', [true, 'Attributes to retrieve.', 'dNSHostName,distinguishedName,description,operatingSystem,operatingSystemServicePack']),
			OptString.new('FILTER', [true, 'Search filter.', '(&(objectCategory=computer)(operatingSystem=*server*))'])
		], self.class)
	end

	def run
		print_status("Connecting to default LDAP server")
		session_handle = bind_default_ldap_server(datastore['MAX_SEARCH'])

		return false unless session_handle

		print_status("Querying default naming context")

		query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])
		first_entry_attributes = query_result[0]['attributes']
		defaultNamingContext = first_entry_attributes[0]['values'] # Value from First Attribute of First Entry

		print_status("Default Naming Context #{defaultNamingContext}")

		attributes = datastore['ATTRIBS'].gsub(/\s+/,"").split(',')

		search_filter = datastore['FILTER']
		print_status("Querying #{search_filter} - Please wait...")
		results = query_ldap(session_handle, defaultNamingContext, 2, search_filter, attributes)

		print_status("Unbinding from LDAP service.")
		wldap32.ldap_unbind(session_handle)

		if results.nil? or results.empty?
			return
		end

		results_table = Rex::Ui::Text::Table.new(
				'Header'     => "#{defaultNamingContext} Domain Computers",
				'Indent'     => 1,
				'SortIndex'  => -1,
				'Columns'    => attributes
			)

		results.each do |result|
			row = []

			report = {}
			result['attributes'].each do |attr|
				if attr['values'].nil?
					row << ""
				else
					row << attr['values']

					# Only perform these actions if the database is connected and we want
					# to store in the DB.
					if db and datastore['STORE_DB']
						case attr['name']
						when 'dNSHostName'
							dns = attr['values']
							ip = resolve_hostname(dns)
							report.merge!( {:name => dns, :host => ip } )
						when 'operatingSystem'
							os = attr['values']
							index = os.index(/windows/i)
							unless index.nil?
								name = 'Microsoft Windows'
								flavour = os[index..-1]
								report.merge!( {:os_name => name, :os_flavor => flavour} )
							else
								# Incase there are non-windows domain computers?!
								report.merge!( {:os_name => os } )
							end
						when 'distinguishedName'
							if attr['values'] =~ /Domain Controllers/i
								report.merge!( {:purpose => "DC"} )
							end
						when 'operatingSystemServicePack'
							report.merge!( {:os_sp => attr['values']} )
						when 'description'
							report.merge!( {:info => attr['values']} )
						end
					end
				end
			end

			vprint_good("Database report: #{report.inspect}")
			if report.include? :host
				report_host(report)
			end

			results_table << row

		end

		print_line results_table.to_s
		if datastore['STORE_LOOT']
			stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv)
			print_status("Results saved to: #{stored_path}")
		end
	end

	# This really needs migrating to a meterpreter function
	def resolve_hostname(hostname)
		if client.platform =~ /^x64/
			size = 64
			addrinfoinmem = 32
		else
			size = 32
			addrinfoinmem = 24
		end

		begin
			vprint_status("Looking up IP for #{hostname}")
			result = client.railgun.ws2_32.getaddrinfo(hostname, nil, nil, 4 )
			if result['GetLastError'] == 11001
				return nil
			end
			addrinfo = client.railgun.memread( result['ppResult'], size )
			ai_addr_pointer = addrinfo[addrinfoinmem,4].unpack('L').first
			sockaddr = client.railgun.memread( ai_addr_pointer, size/2 )
			ip = sockaddr[4,4].unpack('N').first
			hostip = Rex::Socket.addr_itoa(ip)

			if hostip =~ /0\.0\.0\.0/
				hostip = client.session_host
			end
		rescue ::Exception => e
			print_error(e.to_s)
		end
		vprint_status("IP for #{hostname}: #{hostip}")
		return hostip
	end

	def wldap32
		return client.railgun.wldap32
	end

	def bind_default_ldap_server(size_limit)
		vprint_status ("Initializing LDAP connection.")
		session_handle = wldap32.ldap_sslinitA("\x00\x00\x00\x00", 389, 0)['return']
		vprint_status("LDAP Handle: #{session_handle}")

		if session_handle == 0
			print_error("Unable to connect to LDAP server")
			wldap32.ldap_unbind(session_handle)
			return false
		end

		vprint_status ("Setting Sizelimit Option")
		sl_resp = wldap32.ldap_set_option(session_handle, 0x03, size_limit) #0x03:LDAP_OPT_SIZELIMIT

		vprint_status ("Binding to LDAP server.")
		bind = wldap32.ldap_bind_sA(session_handle, nil, nil, 0x0486)['return'] #LDAP_AUTH_NEGOTIATE 0x0486

		if bind != 0
			print_error("Unable to bind to LDAP server")
			wldap32.ldap_unbind(session_handle)
			return false
		end

		return session_handle
	end

	def get_entry(pEntry)
		return client.railgun.memread(pEntry,41).unpack('LLLLLLLLLSCCC')
	end

	# Get BERElement data structure from LDAPMessage
	def get_ber(msg)
		ber = client.railgun.memread(msg[2],60).unpack('L*')

		# BER Pointer is different between x86 and x64
		if client.platform =~ /x86/
			ber_data = client.railgun.memread(ber[3], ber[0])
		else
			ber_data = client.railgun.memread(ber[4], ber[0])
		end

		return ber_data
	end

	# Search through the BER for our Attr string. Pull the values.
	def get_values_from_ber(ber_data, attr)
		attr_offset = ber_data.index(attr)

		if attr_offset.nil?
			vprint_status("Attribute not found in BER.")
			return nil
		end

		# Value starts after our attribute string
		values_offset = attr_offset + attr.length
		values_start_offset = values_offset + 8
		values_len_offset = values_offset + 5
		curr_len_offset = values_offset + 7

		values_length =  ber_data[values_len_offset].unpack('C')[0]
		values_end_offset = values_start_offset + values_length

		curr_length = ber_data[curr_len_offset].unpack('C')[0]
		curr_start_offset = values_start_offset
		curr_end_offset = curr_start_offset + curr_length

		values = []
		while (curr_end_offset < values_end_offset)
			values << ber_data[curr_start_offset..curr_end_offset]

			break unless ber_data[curr_end_offset] == "\x04"

			curr_len_offset = curr_end_offset + 1
			curr_length = ber_data[curr_len_offset].unpack('C')[0]
			curr_start_offset = curr_end_offset + 2
			curr_end_offset = curr_end_offset + curr_length + 2
		end

		# Strip trailing 0 or \x04 which is used to delimit values
		values.map! {|x| x[0..x.length-2]}

		return values
	end

	def query_ldap(session_handle, base, scope, filter, attributes)
		vprint_status ("Searching LDAP directory.")
		search = wldap32.ldap_search_sA(session_handle, base, scope, filter, nil, 0, 4)
		vprint_status("search: #{search}")

		if search['return'] == 0x04 # LDAP_SIZELIMIT_EXCEEDED - parse out what we found anyway...
			print_error("LDAP_SIZELIMIT_EXCEEDED, parsing what we retrieved, try increasing the MAX_SEARCH value [0:LDAP_NO_LIMIT]")
		elsif search['return'] != 0
			print_error("No results")
			wldap32.ldap_msgfree(search['res'])
			return
		end

		search_count = wldap32.ldap_count_entries(session_handle, search['res'])['return']

		if(search_count == 0)
			print_error("No entries retrieved")
			wldap32.ldap_msgfree(search['res'])
			return
		end

		print_status("Entries retrieved: #{search_count}")

		vprint_status("Retrieving results...")

		pEntries = []
		entry_results = []

		if datastore['MAX_SEARCH'] == 0
			max_search = search_count
		else
			max_search = [datastore['MAX_SEARCH'], search_count].min
		end

		0.upto(max_search - 1) do |i|

			if(i==0)
				pEntries[0] = wldap32.ldap_first_entry(session_handle, search['res'])['return']
			end

			if(pEntries[i] == 0)
				print_error("Failed to get entry.")
				wldap32.ldap_unbind(session_handle)
				wldap32.ldap_msgfree(search['res'])
				return
			end

			vprint_status("Entry #{i}: 0x#{pEntries[i].to_s(16)}")

			entry = get_entry(pEntries[i])

			# Entries are a linked list...
			if client.platform =~ /x86/
				pEntries[i+1] = entry[3]
			else
				pEntries[i+1] = entry[4]
			end

			ber = get_ber(entry)

			attribute_results = []
			attributes.each do |attr|
				vprint_status("Attr: #{attr}")
				value_results = ""

				values = get_values_from_ber(ber, attr)

				values_result = ""
				values_result = values.join(',') unless values.nil?
				vprint_status("Values #{values}")

				attribute_results << {"name" => attr, "values" => values_result}
			end

			entry_results << {"id" => i, "attributes" => attribute_results}
		end

		return entry_results
	end
end