Use the cred API correctly

bug/bundler_fix
wchen-r7 2015-07-20 18:40:48 -05:00
parent 99c29052c7
commit 1e17ac4ec7
1 changed files with 46 additions and 27 deletions


@ -21,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'SMB Domain User Enumeration',
'Version' => '$Revision $',
'Description' => 'Determine what domain users are logged into a remote system via a DCERPC to NetWkstaUserEnum.',
'Author' =>
[
@ -46,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
idx += 4
val_actual = resp[idx,4].unpack("V")[0]
idx += 4
value = resp[idx,val_actual*2]
value = resp[idx,val_actual*2]
idx += val_actual * 2
idx += val_actual % 2 * 2 # alignment
@ -54,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
return value,idx
end
def parse_NetWkstaEnumUsersInfo(resp)
def parse_net_wksta_enum_users_info(resp)
accounts = [ Hash.new() ]
idx = 20
@ -72,10 +71,10 @@ class Metasploit3 < Msf::Auxiliary
1.upto(count) do
# wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> ID1 max count
account_name,idx = parse_value(resp, idx)
logon_domain,idx = parse_value(resp, idx)
other_domains,idx = parse_value(resp, idx)
logon_server,idx = parse_value(resp, idx)
account_name,idx = parse_value(resp, idx)
logon_domain,idx = parse_value(resp, idx)
other_domains,idx = parse_value(resp, idx)
logon_server,idx = parse_value(resp, idx)
accounts << {
:account_name => account_name,
@ -96,6 +95,35 @@ class Metasploit3 < Msf::Auxiliary
@smbdirect || datastore['SMBDirect']
end
def store_username(username, res, ip, rport)
service_data = {
address: ip,
port: rport,
service_name: 'smb',
protocol: 'tcp',
workspace_id: myworkspace_id,
proof: res
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: username
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
status: Metasploit::Model::Login::Status::UNTRIED
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
def run_host(ip)
[[139, false], [445, true]].each do |info|
@ -115,22 +143,22 @@ class Metasploit3 < Msf::Auxiliary
begin
dcerpc_bind(handle)
stub =
NDR.uwstring("\\\\" + ip) + # Server Name
NDR.long(1) + # Level
NDR.long(1) + # Ctr
NDR.long(rand(0xffffffff)) + # ref id
NDR.long(0) + # entries read
NDR.long(0) + # null ptr to user0
NDR.uwstring("\\\\" + ip) + # Server Name
NDR.long(1) + # Level
NDR.long(1) + # Ctr
NDR.long(rand(0xffffffff)) + # ref id
NDR.long(0) + # entries read
NDR.long(0) + # null ptr to user0
NDR.long(0xffffffff) + # Prefmaxlen
NDR.long(rand(0xffffffff)) + # ref id
NDR.long(0) # null ptr to resume handle
NDR.long(0xffffffff) + # Prefmaxlen
NDR.long(rand(0xffffffff)) + # ref id
NDR.long(0) # null ptr to resume handle
dcerpc.call(2,stub)
resp = dcerpc.last_response ? dcerpc.last_response.stub_data : nil
accounts = parse_NetWkstaEnumUsersInfo(resp)
accounts = parse_net_wksta_enum_users_info(resp)
accounts.shift
if datastore['VERBOSE']
@ -154,16 +182,7 @@ class Metasploit3 < Msf::Auxiliary
end
print_good("#{ip} - Found user: #{comp_user}")
credential_core = create_credential(
origin_type: :service,
address: ip,
port: rport,
service_name: 'smb',
protocol: 'tcp',
module_fullname: self.fullname,
workspace_id: myworkspace.id,
username: comp_user
)
store_username(comp_user, resp, ip, rport)
end
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
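Review bot: The new `store_username` method has no documentation, and the `proof:` it records is the raw DCERPC stub handed over from `run_host` as `resp` — the same binary blob for every account enumerated from that one response, which is not obvious from the call site `store_username(comp_user, resp, ip, rport)`. A short YARD header would make that explicit, e.g. `# Records an enumerated domain username as an UNTRIED credential/login pair.` followed by `# @param res [String] raw NetWkstaEnumUsers response stub kept as proof`, plus `@param` lines for `username`, `ip` and `rport`. Because `proof: res` lives inside `service_data`, it is also merged into the hash passed to `create_credential`, which presumably only needs the service fields; if that helper does not accept a `proof` key, `proof: res` belongs in `login_data` only. A non-UTF-8 stub may also be awkward in a text proof column, so consider storing a hex-encoded form such as `res.unpack('H*').first` — hedged, since the column type is not visible here.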