2011-10-03 21:05:54 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-10-03 21:05:54 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2013-09-05 18:41:25 +00:00
|
|
|
include Msf::Post::Windows::Priv
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Windows Gather Enumerate Domain",
|
|
|
|
'Description' => %q{
|
|
|
|
This module identifies the primary domain via the registry. The registry value used is:
|
|
|
|
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Platform' => ['win'],
|
|
|
|
'SessionTypes' => ['meterpreter'],
|
|
|
|
'Author' => ['Joshua Abraham <jabra[at]rapid7.com>']
|
|
|
|
))
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def reg_getvaldata(key,valname)
|
|
|
|
value = nil
|
|
|
|
begin
|
|
|
|
root_key, base_key = client.sys.registry.splitkey(key)
|
|
|
|
open_key = client.sys.registry.open_key(root_key, base_key, KEY_READ)
|
|
|
|
v = open_key.query_value(valname)
|
|
|
|
value = v.data
|
|
|
|
open_key.close
|
|
|
|
rescue
|
|
|
|
end
|
|
|
|
return value
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def get_domain()
|
|
|
|
domain = nil
|
|
|
|
begin
|
|
|
|
subkey = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
|
|
|
|
v_name = "DCName"
|
|
|
|
domain = reg_getvaldata(subkey, v_name)
|
|
|
|
rescue
|
|
|
|
print_error("This host is not part of a domain.")
|
|
|
|
end
|
|
|
|
return domain
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-09-24 20:58:04 +00:00
|
|
|
def gethost(hostorip)
|
|
|
|
#check for valid ip and return if it is
|
|
|
|
return hostorip if Rex::Socket.dotted_ip?(hostorip)
|
2011-10-12 23:15:07 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
## get IP for host
|
2013-09-24 20:58:04 +00:00
|
|
|
vprint_status("Looking up IP for #{hostorip}")
|
|
|
|
result = client.net.resolve.resolve_host(hostorip)
|
|
|
|
return result[:ip] if result[:ip]
|
|
|
|
return nil if result[:ip].nil? or result[:ip].empty?
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
domain = get_domain()
|
|
|
|
if not domain.nil? and domain =~ /\./
|
|
|
|
dom_info = domain.split('.')
|
|
|
|
dom_info[0].sub!(/\\\\/,'')
|
|
|
|
report_note(
|
|
|
|
:host => session,
|
|
|
|
:type => 'windows.domain',
|
|
|
|
:data => { :domain => dom_info[1] },
|
|
|
|
:update => :unique_data
|
|
|
|
)
|
|
|
|
print_good("FOUND Domain: #{dom_info[1]}")
|
|
|
|
dc_ip = gethost(dom_info[0])
|
|
|
|
if not dc_ip.nil?
|
|
|
|
print_good("FOUND Domain Controller: #{dom_info[0]} (IP: #{dc_ip})")
|
|
|
|
report_host({
|
|
|
|
:host => dc_ip,
|
|
|
|
:name => dom_info[0],
|
|
|
|
:info => "Domain controller for #{dom_info[1]}"
|
|
|
|
})
|
|
|
|
else
|
|
|
|
print_good("FOUND Domain Controller: #{dom_info[0]}")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
end
|