metasploit-framework/modules/post/windows/gather/ntds_location.rb


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/priv'
require 'msf/core/post/common'
require 'msf/core/post/windows/registry'
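class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Priv
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Registry

  # Registry key/value under which the Directory Service records the on-disk
  # location of the Active Directory database (NTDS.DIT).
  NTDS_PARAMS_KEY = 'HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters'
  NTDS_DB_VALUE   = 'DSA Database file'

  def initialize(info = {})
    super(update_info(info,
      'Name'         => "NTDS.DIT Location Module",
      'Description'  => %q{
        This module will find the location of the NTDS.DIT file (from the registry), check that it exists
        and display it on the screen. Useful if you wish to manually acquire the file using ntdsutil or vss.
      },
      'License'      => MSF_LICENSE,
      'Platform'     => ['win'],
      'SessionTypes' => ['meterpreter'],
      'Author'       => ['Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>']
    ))
  end

  # Look up the NTDS.DIT path in the registry, check that it can be reached from
  # this session and print the path together with basic stat() metadata.
  #
  # Prints an error and returns early when the registry value is missing or
  # empty (host is not a domain controller, or the key could not be read), or
  # when the reported file cannot be stat()ed.
  def run
    # registry_getvaldata returns nil when the value is absent. The original
    # guard tested `unless ntds` AFTER calling .to_s, but nil.to_s is "" which
    # is truthy in Ruby, so the guard could never fire and a missing value fell
    # through to a misleading "file does not exist at ''" error. Test for an
    # empty string instead so both nil and blank values take the error path.
    ntds = registry_getvaldata(NTDS_PARAMS_KEY, NTDS_DB_VALUE).to_s
    if ntds.empty?
      print_error("Unable to find the NTDS.DIT location.")
      return
    end

    # The NTDS directory is normally readable only by SYSTEM/Administrators, so
    # a failed stat() from a low-privilege session does not prove the file is
    # absent. Warn rather than abort so the reported path is still shown.
    # NOTE(review): is_admin? is expected from Msf::Post::Windows::Priv (mixed
    # in above) — confirm it is present in the target framework version.
    unless is_admin?
      print_warning("Session does not appear to have administrative privileges; NTDS.DIT may exist but be inaccessible.")
    end

    unless file?(ntds)
      print_error("NTDS.DIT is reportedly located at '#{ntds}' but the file does not appear to exist or is not accessible from this session")
      return
    end

    st = client.fs.file.stat(ntds)
    print_good("NTDS.DIT is located at: #{ntds}")
    # Interpolation already calls to_s; no need for explicit conversions.
    print_line(" Size: #{st.size} bytes")
    print_line(" Created: #{st.ctime}")
    print_line(" Modified: #{st.mtime}")
    print_line(" Accessed: #{st.atime}")
  end
end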