metasploit-framework/modules/post/windows/gather/enum_logged_on_users.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/windows/accounts'

class Metasploit3 < Msf::Post

	include Msf::Post::Windows::Registry
	include Msf::Post::Windows::Accounts

	def initialize(info={})
		super( update_info( info,
				'Name'          => 'Windows Gather Logged On User Enumeration (Registry)',
				'Description'   => %q{ This module will enumerate current and recently logged on Windows users},
				'License'       => MSF_LICENSE,
				'Author'        => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
				'Version'       => '$Revision$',
				'Platform'      => [ 'windows' ],
				'SessionTypes'  => [ 'meterpreter' ]
			))
		register_options(
			[
				OptBool.new('CURRENT', [ true, 'Enumerate currently logged on users', true]),
				OptBool.new('RECENT' , [ true, 'Enumerate Recently logged on users' , true])
			], self.class)

	end


	def ls_logged
		sids = []
		sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
		tbl = Rex::Ui::Text::Table.new(
			'Header'  => "Recently Logged Users",
			'Indent'  => 1,
			'Columns' =>
			[
				"SID",
				"Profile Path"
			])
		sids.flatten.map do |sid|
			profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")
			tbl << [sid,profile_path]
		end
		print_line("\n" + tbl.to_s + "\n")
		store_loot("host.users.recent", "text/plain", session, tbl.to_s, "recent_users.txt", "Recent Users")		
	end


	def ls_current
		key_base, username = "",""
		tbl = Rex::Ui::Text::Table.new(
			'Header'  => "Current Logged Users",
			'Indent'  => 1,
			'Columns' =>
			[
				"SID",
				"User"
			])
		registry_enumkeys("HKU").each do |maybe_sid|
			# There is junk like .DEFAULT we want to avoid
			if maybe_sid =~ /^S(?:-\d+){2,}$/
				info = resolve_sid(maybe_sid)

				if !info.nil? && info[:type] == :user
					username = info[:domain] << '\\' << info[:name]

					tbl << [maybe_sid,username]
				end
			end
		end

		print_line("\n" + tbl.to_s + "\n")
		store_loot("host.users.active", "text/plain", session, tbl.to_s, "active_users.txt", "Active Users")		
	end

	def run
		print_status("Running against session #{datastore['SESSION']}")

		if datastore['CURRENT']
			ls_current
		end

		if datastore['RECENT']
			ls_logged
		end

	end
end
fix header comments git-svn-id: file:///home/svn/framework3/trunk@11560 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 18:29:56 +00:00			`##`
			`# $Id$`
			`##`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00
fix header comments git-svn-id: file:///home/svn/framework3/trunk@11560 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 18:29:56 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
fix header comments git-svn-id: file:///home/svn/framework3/trunk@11560 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 18:29:56 +00:00			`# http://metasploit.com/framework/`
			`##`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00
			`require 'msf/core'`
			`require 'rex'`
Update windows/registry mixin path for module import git-svn-id: file:///home/svn/framework3/trunk@11551 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 00:11:43 +00:00			`require 'msf/core/post/windows/registry'`
Fixes #3531, Use new accounts mixin to resolve SID->Account Names git-svn-id: file:///home/svn/framework3/trunk@11630 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-24 17:25:52 +00:00			`require 'msf/core/post/windows/accounts'`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00
			`class Metasploit3 < Msf::Post`

Change Post Mixin for Windows platform in its own separate class and minor fixes on modules and scripts git-svn-id: file:///home/svn/framework3/trunk@12990 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-21 00:38:04 +00:00			`include Msf::Post::Windows::Registry`
			`include Msf::Post::Windows::Accounts`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00
			`def initialize(info={})`
			`super( update_info( info,`
Post module title changes for consistency git-svn-id: file:///home/svn/framework3/trunk@12455 4d416f70-5f16-0410-b530-b9f4589650da 2011-04-27 16:25:15 +00:00			`'Name' => 'Windows Gather Logged On User Enumeration (Registry)',`
Cosmetic cleanup of post modules git-svn-id: file:///home/svn/framework3/trunk@11830 4d416f70-5f16-0410-b530-b9f4589650da 2011-02-26 02:47:40 +00:00			`'Description' => %q{ This module will enumerate current and recently logged on Windows users},`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`'License' => MSF_LICENSE,`
			`'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],`
			`'Version' => '$Revision$',`
			`'Platform' => [ 'windows' ],`
			`'SessionTypes' => [ 'meterpreter' ]`
			`))`
			`register_options(`
			`[`
			`OptBool.new('CURRENT', [ true, 'Enumerate currently logged on users', true]),`
			`OptBool.new('RECENT' , [ true, 'Enumerate Recently logged on users' , true])`
			`], self.class)`

			`end`


			`def ls_logged`
Keywords and formatting git-svn-id: file:///home/svn/framework3/trunk@11548 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 22:30:40 +00:00			`sids = []`
			`sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList")`
			`tbl = Rex::Ui::Text::Table.new(`
Fixes #3531, Use new accounts mixin to resolve SID->Account Names git-svn-id: file:///home/svn/framework3/trunk@11630 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-24 17:25:52 +00:00			`'Header' => "Recently Logged Users",`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`'Indent' => 1,`
			`'Columns' =>`
removed spaces git-svn-id: file:///home/svn/framework3/trunk@11566 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 23:25:00 +00:00			`[`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`"SID",`
			`"Profile Path"`
			`])`
Fixes #3531, Use new accounts mixin to resolve SID->Account Names git-svn-id: file:///home/svn/framework3/trunk@11630 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-24 17:25:52 +00:00			`sids.flatten.map do \|sid\|`
See #3531, Apply fix from Chao Mu git-svn-id: file:///home/svn/framework3/trunk@11649 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-26 15:55:35 +00:00			`profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")`
			`tbl << [sid,profile_path]`
fixed indenting git-svn-id: file:///home/svn/framework3/trunk@11557 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 17:33:46 +00:00			`end`
			`print_line("\n" + tbl.to_s + "\n")`
Store enumerated data as loot git-svn-id: file:///home/svn/framework3/trunk@11826 4d416f70-5f16-0410-b530-b9f4589650da 2011-02-25 21:48:03 +00:00			`store_loot("host.users.recent", "text/plain", session, tbl.to_s, "recent_users.txt", "Recent Users")`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`end`

Fixes #3531, Use new accounts mixin to resolve SID->Account Names git-svn-id: file:///home/svn/framework3/trunk@11630 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-24 17:25:52 +00:00
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`def ls_current`
Keywords and formatting git-svn-id: file:///home/svn/framework3/trunk@11548 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 22:30:40 +00:00			`key_base, username = "",""`
			`tbl = Rex::Ui::Text::Table.new(`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`'Header' => "Current Logged Users",`
			`'Indent' => 1,`
			`'Columns' =>`
removed spaces git-svn-id: file:///home/svn/framework3/trunk@11566 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 23:25:00 +00:00			`[`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`"SID",`
			`"User"`
			`])`
Fixes #3531, Use new accounts mixin to resolve SID->Account Names git-svn-id: file:///home/svn/framework3/trunk@11630 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-24 17:25:52 +00:00			`registry_enumkeys("HKU").each do \|maybe_sid\|`
			`# There is junk like .DEFAULT we want to avoid`
			`if maybe_sid =~ /^S(?:-\d+){2,}$/`
			`info = resolve_sid(maybe_sid)`

			`if !info.nil? && info[:type] == :user`
			`username = info[:domain] << '\\' << info[:name]`

			`tbl << [maybe_sid,username]`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`end`
			`end`
fixed indenting git-svn-id: file:///home/svn/framework3/trunk@11557 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 17:33:46 +00:00			`end`
Fixes #3531, Use new accounts mixin to resolve SID->Account Names git-svn-id: file:///home/svn/framework3/trunk@11630 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-24 17:25:52 +00:00
fixed indenting git-svn-id: file:///home/svn/framework3/trunk@11557 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-12 17:33:46 +00:00			`print_line("\n" + tbl.to_s + "\n")`
Store enumerated data as loot git-svn-id: file:///home/svn/framework3/trunk@11826 4d416f70-5f16-0410-b530-b9f4589650da 2011-02-25 21:48:03 +00:00			`store_loot("host.users.active", "text/plain", session, tbl.to_s, "active_users.txt", "Active Users")`
migrated enum logged on users script to module git-svn-id: file:///home/svn/framework3/trunk@11540 4d416f70-5f16-0410-b530-b9f4589650da 2011-01-11 02:02:11 +00:00			`end`

			`def run`
			`print_status("Running against session #{datastore['SESSION']}")`

			`if datastore['CURRENT']`
			`ls_current`
			`end`

			`if datastore['RECENT']`
			`ls_logged`
			`end`

			`end`
			`end`