metasploit-framework/modules/post/windows/gather/enum_ad_computers.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex'
require 'msf/core'
require 'msf/core/auxiliary/report'

class Metasploit3 < Msf::Post

  include Msf::Auxiliary::Report
  include Msf::Post::Windows::LDAP

  def initialize(info={})
    super( update_info( info,
        'Name'	       => 'Windows Gather Active Directory Computers',
        'Description'  => %Q{
            This module will enumerate computers in the default AD directory.

            Optional Attributes to use in ATTRIBS:
            objectClass, cn, description, distinguishedName, instanceType, whenCreated,
            whenChanged, uSNCreated, uSNChanged, name, objectGUID,
            userAccountControl, badPwdCount, codePage, countryCode,
            badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,
            pwdLastSet, primaryGroupID, objectSid, accountExpires,
            logonCount, sAMAccountName, sAMAccountType, operatingSystem,
            operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,
            dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory,
            netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,
            lastLogonTimestamp, msDS-SupportedEncryptionTypes

            ActiveDirectory has a MAX_SEARCH limit of 1000 by default. Split search up
            if you hit that limit.

            Possible filters:
            (objectClass=computer) # All Computers
            (primaryGroupID=516)  # All Domain Controllers
            (&(objectCategory=computer)(operatingSystem=*server*)) # All Servers
        },
        'License'      => MSF_LICENSE,
        'Author'       => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
        'Platform'     => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'References'	=>
        [
          ['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],
        ]
      ))

    register_options([
      OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 50]),
      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
      OptBool.new('STORE_DB', [true, 'Store file in DB (performance hit resolving IPs).', true]),
      OptString.new('ATTRIBS', [true, 'Attributes to retrieve.', 'dNSHostName,distinguishedName,description,operatingSystem,operatingSystemServicePack']),
      OptString.new('FILTER', [true, 'Search filter.', '(&(objectCategory=computer)(operatingSystem=*server*))'])
    ], self.class)
  end

  def run
    print_status("Connecting to default LDAP server")
    session_handle = bind_default_ldap_server(datastore['MAX_SEARCH'])

    return false unless session_handle

    print_status("Querying default naming context")

    query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])
    first_entry_attributes = query_result[0]['attributes']
    # Value from First Attribute of First Entry
    defaultNamingContext = first_entry_attributes[0]['values']

    print_status("Default Naming Context #{defaultNamingContext}")

    attributes = datastore['ATTRIBS'].gsub(/\s+/,"").split(',')

    search_filter = datastore['FILTER']
    print_status("Querying #{search_filter} - Please wait...")
    results = query_ldap(session_handle, defaultNamingContext, 2, search_filter, attributes)

    print_status("Unbinding from LDAP service.")
    wldap32.ldap_unbind(session_handle)

    if results.nil? or results.empty?
      return
    end

    # Results table holds raw string data
    results_table = Rex::Ui::Text::Table.new(
        'Header'     => "#{defaultNamingContext} Domain Computers",
        'Indent'     => 1,
        'SortIndex'  => -1,
        'Columns'    => attributes
      )

    # Hostnames holds DNS Names to Resolve
    hostnames = []
    # Reports are collections for easy database insertion
    reports = []
    results.each do |result|
      row = []

      report = {}
      result['attributes'].each do |attr|
        if attr['values'].nil?
          row << ""
        else
          row << attr['values']

          # Only perform these actions if the database is connected and we want
          # to store in the DB.
          if db and datastore['STORE_DB']
            case attr['name']
            when 'dNSHostName'
              dns = attr['values']
              report[:name] = dns
              hostnames << dns
            when 'operatingSystem'
              os = attr['values']
              index = os.index(/windows/i)
              if index
                name = 'Microsoft Windows'
                flavour = os[index..-1]
                report[:os_name] = name
                report[:os_flavor] = flavour
              else
                # Incase there are non-windows domain computers?!
                report[:os_name] = os
              end
            when 'distinguishedName'
              if attr['values'] =~ /Domain Controllers/i
                report[:purpose] = "DC"
              end
            when 'operatingSystemServicePack'
              report[:os_sp] = attr['values']
            when 'description'
              report[:info] = attr['values']
            end
          end
        end
      end

      reports << report
      results_table << row
    end

    if db and datastore['STORE_DB']
      print_status("Resolving IP addresses...")
      ip_results = client.net.resolve.resolve_hosts(hostnames, AF_INET)

      # Merge resolved array with reports
      reports.each do |report|
        ip_results.each do |ip_result|
          if ip_result[:hostname] == report[:name]
            report[:host] = ip_result[:ip]
            vprint_good("Database report: #{report.inspect}")
            report_host(report)
          end
        end
      end
    end

    print_line results_table.to_s
    if datastore['STORE_LOOT']
      stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv)
      print_status("Results saved to: #{stored_path}")
    end
  end

end
Initial working AD_LDAP lookup 2012-12-17 14:07:35 +00:00			`##`
Catch mis-formatted bracket comments. 2013-10-15 19:52:12 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Initial working AD_LDAP lookup 2012-12-17 14:07:35 +00:00			`##`

			`require 'rex'`
Further refactoring 2012-12-19 09:06:58 +00:00			`require 'msf/core'`
			`require 'msf/core/auxiliary/report'`
Initial working AD_LDAP lookup 2012-12-17 14:07:35 +00:00
			`class Metasploit3 < Msf::Post`

Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`include Msf::Auxiliary::Report`
Share the wealth Move LDAP methods to a Post mixin. 2013-11-23 21:42:09 +00:00			`include Msf::Post::Windows::LDAP`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00
			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Windows Gather Active Directory Computers',`
			`'Description' => %Q{`
			`This module will enumerate computers in the default AD directory.`

			`Optional Attributes to use in ATTRIBS:`
			`objectClass, cn, description, distinguishedName, instanceType, whenCreated,`
			`whenChanged, uSNCreated, uSNChanged, name, objectGUID,`
			`userAccountControl, badPwdCount, codePage, countryCode,`
			`badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,`
			`pwdLastSet, primaryGroupID, objectSid, accountExpires,`
			`logonCount, sAMAccountName, sAMAccountType, operatingSystem,`
			`operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,`
			`dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory,`
			`netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,`
			`lastLogonTimestamp, msDS-SupportedEncryptionTypes`

			`ActiveDirectory has a MAX_SEARCH limit of 1000 by default. Split search up`
			`if you hit that limit.`

			`Possible filters:`
			`(objectClass=computer) # All Computers`
			`(primaryGroupID=516) # All Domain Controllers`
			`(&(objectCategory=computer)(operatingSystem=server)) # All Servers`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],`
			`'Platform' => [ 'win' ],`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'References' =>`
			`[`
			`['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],`
			`]`
			`))`

			`register_options([`
			`OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 50]),`
			`OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),`
			`OptBool.new('STORE_DB', [true, 'Store file in DB (performance hit resolving IPs).', true]),`
			`OptString.new('ATTRIBS', [true, 'Attributes to retrieve.', 'dNSHostName,distinguishedName,description,operatingSystem,operatingSystemServicePack']),`
			`OptString.new('FILTER', [true, 'Search filter.', '(&(objectCategory=computer)(operatingSystem=server))'])`
			`], self.class)`
			`end`

			`def run`
			`print_status("Connecting to default LDAP server")`
			`session_handle = bind_default_ldap_server(datastore['MAX_SEARCH'])`

			`return false unless session_handle`

			`print_status("Querying default naming context")`

			`query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])`
			`first_entry_attributes = query_result[0]['attributes']`
Save egypt from eol comments 2013-11-23 22:11:46 +00:00			`# Value from First Attribute of First Entry`
			`defaultNamingContext = first_entry_attributes[0]['values']`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00
			`print_status("Default Naming Context #{defaultNamingContext}")`

			`attributes = datastore['ATTRIBS'].gsub(/\s+/,"").split(',')`

			`search_filter = datastore['FILTER']`
			`print_status("Querying #{search_filter} - Please wait...")`
			`results = query_ldap(session_handle, defaultNamingContext, 2, search_filter, attributes)`

			`print_status("Unbinding from LDAP service.")`
			`wldap32.ldap_unbind(session_handle)`

			`if results.nil? or results.empty?`
			`return`
			`end`

Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`# Results table holds raw string data`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`results_table = Rex::Ui::Text::Table.new(`
			`'Header' => "#{defaultNamingContext} Domain Computers",`
			`'Indent' => 1,`
			`'SortIndex' => -1,`
			`'Columns' => attributes`
			`)`

Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`# Hostnames holds DNS Names to Resolve`
			`hostnames = []`
			`# Reports are collections for easy database insertion`
			`reports = []`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`results.each do \|result\|`
			`row = []`

			`report = {}`
			`result['attributes'].each do \|attr\|`
			`if attr['values'].nil?`
			`row << ""`
			`else`
			`row << attr['values']`

			`# Only perform these actions if the database is connected and we want`
			`# to store in the DB.`
			`if db and datastore['STORE_DB']`
			`case attr['name']`
			`when 'dNSHostName'`
			`dns = attr['values']`
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`report[:name] = dns`
			`hostnames << dns`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`when 'operatingSystem'`
			`os = attr['values']`
			`index = os.index(/windows/i)`
Address @jlee-r7's comments 2013-11-23 19:42:33 +00:00			`if index`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`name = 'Microsoft Windows'`
			`flavour = os[index..-1]`
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`report[:os_name] = name`
			`report[:os_flavor] = flavour`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`else`
			`# Incase there are non-windows domain computers?!`
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`report[:os_name] = os`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`end`
			`when 'distinguishedName'`
			`if attr['values'] =~ /Domain Controllers/i`
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`report[:purpose] = "DC"`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`end`
			`when 'operatingSystemServicePack'`
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`report[:os_sp] = attr['values']`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`when 'description'`
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`report[:info] = attr['values']`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`end`
			`end`
			`end`
			`end`

Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`reports << report`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`results_table << row`
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`end`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00
Use meterp dns lookup 2013-09-24 18:58:09 +00:00			`if db and datastore['STORE_DB']`
			`print_status("Resolving IP addresses...")`
			`ip_results = client.net.resolve.resolve_hosts(hostnames, AF_INET)`

			`# Merge resolved array with reports`
			`reports.each do \|report\|`
			`ip_results.each do \|ip_result\|`
			`if ip_result[:hostname] == report[:name]`
			`report[:host] = ip_result[:ip]`
			`vprint_good("Database report: #{report.inspect}")`
			`report_host(report)`
			`end`
			`end`
			`end`
Retab changes for PR #1473 2013-09-05 21:19:05 +00:00			`end`

			`print_line results_table.to_s`
			`if datastore['STORE_LOOT']`
			`stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv)`
			`print_status("Results saved to: #{stored_path}")`
			`end`
			`end`

Initial working AD_LDAP lookup 2012-12-17 14:07:35 +00:00			`end`
Significant speed improvement 2013-02-10 17:03:32 +00:00