metasploit-framework/modules/post/windows/gather/enum_ad_computers.rb

345 lines
10 KiB
Ruby
Raw Normal View History

2012-12-17 14:07:35 +00:00
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'rex'
2012-12-19 09:06:58 +00:00
require 'msf/core'
require 'msf/core/auxiliary/report'
2012-12-17 14:07:35 +00:00
class Metasploit3 < Msf::Post
2012-12-19 09:06:58 +00:00
include Msf::Auxiliary::Report
2012-12-17 14:07:35 +00:00
def initialize(info={})
super( update_info( info,
2013-02-10 17:12:51 +00:00
'Name' => 'Windows Gather Active Directory Computers',
2013-02-11 23:27:03 +00:00
'Description' => %Q{
2012-12-20 16:29:21 +00:00
This module will enumerate computers in the default AD directory.
2013-01-19 23:23:45 +00:00
2013-02-10 17:11:46 +00:00
Optional Attributes to use in ATTRIBS:
2013-01-19 23:23:45 +00:00
objectClass, cn, description, distinguishedName, instanceType, whenCreated,
whenChanged, uSNCreated, uSNChanged, name, objectGUID,
userAccountControl, badPwdCount, codePage, countryCode,
badPasswordTime, lastLogoff, lastLogon, localPolicyFlags,
pwdLastSet, primaryGroupID, objectSid, accountExpires,
logonCount, sAMAccountName, sAMAccountType, operatingSystem,
operatingSystemVersion, operatingSystemServicePack, serverReferenceBL,
dNSHostName, rIDSetPreferences, servicePrincipalName, objectCategory,
netbootSCPBL, isCriticalSystemObject, frsComputerReferenceBL,
lastLogonTimestamp, msDS-SupportedEncryptionTypes
2013-02-11 23:27:03 +00:00
ActiveDirectory has a MAX_SEARCH limit of 1000 by default. Split search up
if you hit that limit.
Possible filters:
(objectClass=computer) # All Computers
(primaryGroupID=516) # All Domain Controllers
(&(objectCategory=computer)(operatingSystem=*server*)) # All Servers
No reason this can't enumerate users/groups with the right filters and attribs.
2012-12-17 14:07:35 +00:00
},
'License' => MSF_LICENSE,
2012-12-19 09:06:58 +00:00
'Author' => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
'Platform' => [ 'win' ],
2013-02-11 23:27:03 +00:00
'SessionTypes' => [ 'meterpreter' ],
'References' =>
[
['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],
]
2012-12-17 14:07:35 +00:00
))
2012-12-20 16:34:10 +00:00
2012-12-20 16:29:21 +00:00
register_options([
2013-02-11 23:27:03 +00:00
OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 50]),
OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
OptBool.new('STORE_DB', [true, 'Store file in DB (performance hit resolving IPs).', true]),
OptString.new('ATTRIBS', [true, 'Attributes to retrieve.', 'dNSHostName,distinguishedName,description,operatingSystem,operatingSystemServicePack']),
OptString.new('FILTER', [true, 'Search filter.', '(&(objectCategory=computer)(operatingSystem=*server*))'])
2012-12-20 16:29:21 +00:00
], self.class)
2012-12-17 14:07:35 +00:00
end
2012-12-19 09:06:58 +00:00
def run
print_status("Connecting to default LDAP server")
2013-02-11 23:27:03 +00:00
session_handle = bind_default_ldap_server(datastore['MAX_SEARCH'])
2012-12-20 16:34:10 +00:00
2013-01-20 00:19:17 +00:00
return false unless session_handle
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
print_status("Querying default naming context")
2013-01-20 00:19:17 +00:00
query_result = query_ldap(session_handle, "", 0, "(objectClass=computer)", ["defaultNamingContext"])
first_entry_attributes = query_result[0]['attributes']
defaultNamingContext = first_entry_attributes[0]['values'] # Value from First Attribute of First Entry
2012-12-19 09:06:58 +00:00
print_status("Default Naming Context #{defaultNamingContext}")
2012-12-20 16:34:10 +00:00
2012-12-20 16:29:21 +00:00
attributes = datastore['ATTRIBS'].split(',')
2012-12-20 16:34:10 +00:00
2013-02-11 23:27:03 +00:00
search_filter = datastore['FILTER']
print_status("Querying #{search_filter} - Please wait...")
results = query_ldap(session_handle, defaultNamingContext, 2, search_filter, attributes)
2012-12-20 16:34:10 +00:00
2013-01-20 00:19:17 +00:00
print_status("Unbinding from LDAP service.")
wldap32.ldap_unbind(session_handle)
2013-02-10 17:03:32 +00:00
if results.nil? or results.empty?
return
end
2012-12-19 09:06:58 +00:00
results_table = Rex::Ui::Text::Table.new(
2013-02-10 21:42:15 +00:00
'Header' => "#{defaultNamingContext} Domain Computers",
2012-12-19 09:06:58 +00:00
'Indent' => 1,
'SortIndex' => -1,
'Columns' => attributes
)
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
results.each do |result|
row = []
2012-12-20 16:34:10 +00:00
2013-02-10 21:42:15 +00:00
report = {}
2012-12-19 09:06:58 +00:00
result['attributes'].each do |attr|
2012-12-20 16:29:21 +00:00
if attr['values'].nil?
row << ""
else
row << attr['values']
2013-02-10 21:42:15 +00:00
2013-02-11 23:27:03 +00:00
# Only perform these actions if the database is connected and we want
# to store in the DB.
if db and datastore['STORE_DB']
case attr['name']
when 'dNSHostName'
dns = attr['values']
ip = resolve_hostname(dns)
report.merge!( {:name => dns, :host => ip } )
when 'operatingSystem'
os = attr['values']
index = os.index(/windows/i)
unless index.nil?
name = 'Microsoft Windows'
flavour = os[index..-1]
report.merge!( {:os_name => name, :os_flavor => flavour} )
else
# Incase there are non-windows domain computers?!
report.merge!( {:os_name => os } )
end
when 'distinguishedName'
if attr['values'] =~ /Domain Controllers/i
report.merge!( {:purpose => "DC"} )
end
when 'operatingSystemServicePack'
report.merge!( {:os_sp => attr['values']} )
when 'description'
report.merge!( {:info => attr['values']} )
2013-02-10 21:42:15 +00:00
end
end
2012-12-20 16:29:21 +00:00
end
2012-12-19 09:06:58 +00:00
end
2013-02-11 23:27:03 +00:00
vprint_good("Database report: #{report.inspect}")
2013-02-10 21:52:31 +00:00
if report.include? :host
report_host(report)
2013-02-10 21:42:15 +00:00
end
2012-12-19 09:06:58 +00:00
results_table << row
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
end
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
print_line results_table.to_s
2013-02-11 23:27:03 +00:00
if datastore['STORE_LOOT']
2013-01-20 00:19:17 +00:00
stored_path = store_loot('ad.computers', 'text/plain', session, results_table.to_csv)
2012-12-20 16:29:21 +00:00
print_status("Results saved to: #{stored_path}")
end
2012-12-19 09:06:58 +00:00
end
2012-12-20 16:34:10 +00:00
2013-02-11 23:27:03 +00:00
# This really needs migrating to a meterpreter function
2013-02-10 21:42:15 +00:00
def resolve_hostname(hostname)
2013-02-10 21:52:31 +00:00
if client.platform =~ /^x64/
size = 64
addrinfoinmem = 32
else
size = 32
addrinfoinmem = 24
end
begin
vprint_status("Looking up IP for #{hostname}")
result = client.railgun.ws2_32.getaddrinfo(hostname, nil, nil, 4 )
if result['GetLastError'] == 11001
return nil
end
addrinfo = client.railgun.memread( result['ppResult'], size )
ai_addr_pointer = addrinfo[addrinfoinmem,4].unpack('L').first
sockaddr = client.railgun.memread( ai_addr_pointer, size/2 )
ip = sockaddr[4,4].unpack('N').first
hostip = Rex::Socket.addr_itoa(ip)
2013-02-10 21:42:15 +00:00
if hostip =~ /0\.0\.0\.0/
hostip = client.session_host
end
2013-02-10 21:52:31 +00:00
rescue ::Exception => e
print_error(e.to_s)
end
vprint_status("IP for #{hostname}: #{hostip}")
2013-02-10 21:42:15 +00:00
return hostip
end
2012-12-19 09:06:58 +00:00
def wldap32
return client.railgun.wldap32
end
2012-12-20 16:34:10 +00:00
2013-02-11 23:27:03 +00:00
def bind_default_ldap_server(size_limit)
2012-12-19 09:06:58 +00:00
vprint_status ("Initializing LDAP connection.")
session_handle = wldap32.ldap_sslinitA("\x00\x00\x00\x00", 389, 0)['return']
vprint_status("LDAP Handle: #{session_handle}")
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
if session_handle == 0
print_error("Unable to connect to LDAP server")
2013-01-20 00:19:17 +00:00
wldap32.ldap_unbind(session_handle)
return false
2012-12-19 09:06:58 +00:00
end
2012-12-17 14:07:35 +00:00
2013-02-11 23:27:03 +00:00
vprint_status ("Setting Sizelimit Option")
sl_resp = wldap32.ldap_set_option(session_handle, 0x03, size_limit) #0x03:LDAP_OPT_SIZELIMIT
2012-12-19 09:06:58 +00:00
vprint_status ("Binding to LDAP server.")
2013-01-20 00:19:17 +00:00
bind = wldap32.ldap_bind_sA(session_handle, nil, nil, 0x0486)['return'] #LDAP_AUTH_NEGOTIATE 0x0486
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
if bind != 0
print_error("Unable to bind to LDAP server")
2013-01-20 00:19:17 +00:00
wldap32.ldap_unbind(session_handle)
return false
2012-12-20 16:34:10 +00:00
end
2012-12-19 09:06:58 +00:00
return session_handle
end
2012-12-17 14:07:35 +00:00
2013-02-10 17:03:32 +00:00
# Get BERElement data structure from LDAPMessage
def get_ber(pEntry)
msg = client.railgun.memread(pEntry,41).unpack('LLLLLLLLLSCCC')
ber = client.railgun.memread(msg[2],60).unpack('L*')
2013-02-10 17:39:24 +00:00
# BER Pointer is different between x86 and x64
if client.platform =~ /x86/
ber_data = client.railgun.memread(ber[3], ber[0])
else
ber_data = client.railgun.memread(ber[4], ber[0])
end
2013-02-10 17:03:32 +00:00
return ber_data
end
# Search through the BER for our Attr string. Pull the values.
def get_values_from_ber(ber_data, attr)
attr_offset = ber_data.index(attr)
if attr_offset.nil?
vprint_status("Attribute not found in BER.")
return nil
end
# Value starts after our attribute string
values_offset = attr_offset + attr.length
values_start_offset = values_offset + 8
values_len_offset = values_offset + 5
curr_len_offset = values_offset + 7
values_length = ber_data[values_len_offset].unpack('C')[0]
values_end_offset = values_start_offset + values_length
curr_length = ber_data[curr_len_offset].unpack('C')[0]
curr_start_offset = values_start_offset
curr_end_offset = curr_start_offset + curr_length
values = []
while (curr_end_offset < values_end_offset)
values << ber_data[curr_start_offset..curr_end_offset]
break unless ber_data[curr_end_offset] == "\x04"
curr_len_offset = curr_end_offset + 1
curr_length = ber_data[curr_len_offset].unpack('C')[0]
curr_start_offset = curr_end_offset + 2
curr_end_offset = curr_end_offset + curr_length + 2
end
# Strip trailing 0 or \x04 which is used to delimit values
values.map! {|x| x[0..x.length-2]}
return values
end
2012-12-19 09:06:58 +00:00
def query_ldap(session_handle, base, scope, filter, attributes)
vprint_status ("Searching LDAP directory.")
2012-12-20 16:34:10 +00:00
search = wldap32.ldap_search_sA(session_handle, base, scope, filter, nil, 0, 4)
2012-12-17 14:07:35 +00:00
vprint_status("search: #{search}")
2012-12-20 16:34:10 +00:00
2013-02-11 23:27:03 +00:00
if search['return'] == 0x04 # LDAP_SIZELIMIT_EXCEEDED - parse out what we found anyway...
print_error("LDAP_SIZELIMIT_EXCEEDED, parsing what we retrieved, try increasing the MAX_SEARCH value [0:LDAP_NO_LIMIT]")
elsif search['return'] != 0
2012-12-17 14:07:35 +00:00
print_error("No results")
2012-12-17 15:29:04 +00:00
wldap32.ldap_msgfree(search['res'])
2012-12-17 14:07:35 +00:00
return
end
2012-12-19 09:06:58 +00:00
search_count = wldap32.ldap_count_entries(session_handle, search['res'])['return']
2013-01-20 00:19:17 +00:00
if(search_count == 0)
print_error("No entries retrieved")
wldap32.ldap_msgfree(search['res'])
return
end
2012-12-17 15:29:04 +00:00
print_status("Entries retrieved: #{search_count}")
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
vprint_status("Retrieving results...")
2012-12-20 16:34:10 +00:00
2012-12-17 14:07:35 +00:00
entries = {}
2012-12-19 09:06:58 +00:00
entry_results = []
2012-12-20 16:34:10 +00:00
2012-12-20 16:29:21 +00:00
if datastore['MAX_SEARCH'] == 0
max_search = search_count
else
max_search = [datastore['MAX_SEARCH'], search_count].min
end
2012-12-20 16:34:10 +00:00
2013-01-20 00:19:17 +00:00
0.upto(max_search - 1) do |i|
2012-12-20 16:34:10 +00:00
2013-01-20 00:19:17 +00:00
if(i==0)
entries[0] = wldap32.ldap_first_entry(session_handle, search['res'])['return']
2012-12-17 14:07:35 +00:00
else
2012-12-19 09:06:58 +00:00
entries[i] = wldap32.ldap_next_entry(session_handle, entries[i-1])['return']
2012-12-17 14:07:35 +00:00
end
2013-01-20 00:19:17 +00:00
if(entries[i] == 0)
print_error("Failed to get entry.")
wldap32.ldap_unbind(session_handle)
wldap32.ldap_msgfree(search['res'])
return
end
2013-02-10 17:03:32 +00:00
vprint_status("Entry #{i}: 0x#{entries[i].to_s(16)}")
ber = get_ber(entries[i])
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
attribute_results = []
2012-12-17 14:07:35 +00:00
attributes.each do |attr|
2012-12-19 09:06:58 +00:00
vprint_status("Attr: #{attr}")
2013-02-10 17:03:32 +00:00
value_results = ""
2012-12-20 16:34:10 +00:00
2013-02-10 17:03:32 +00:00
values = get_values_from_ber(ber, attr)
2012-12-20 16:34:10 +00:00
2013-02-10 17:03:32 +00:00
values_result = ""
2013-02-11 23:27:03 +00:00
values_result = values.join(',') unless values.nil?
2013-02-10 17:03:32 +00:00
vprint_status("Values #{values}")
2012-12-17 14:07:35 +00:00
2013-02-10 17:03:32 +00:00
attribute_results << {"name" => attr, "values" => values_result}
2012-12-17 14:07:35 +00:00
end
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
entry_results << {"id" => i, "attributes" => attribute_results}
2012-12-17 14:07:35 +00:00
end
2012-12-20 16:34:10 +00:00
2012-12-19 09:06:58 +00:00
return entry_results
2012-12-17 14:07:35 +00:00
end
end
2013-02-10 17:03:32 +00:00