diff --git a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb index e86382a9d8..e8775e681f 100644 --- a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb +++ b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb @@ -21,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'SMB Domain User Enumeration', - 'Version' => '$Revision $', 'Description' => 'Determine what domain users are logged into a remote system via a DCERPC to NetWkstaUserEnum.', 'Author' => [ @@ -46,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary idx += 4 val_actual = resp[idx,4].unpack("V")[0] idx += 4 - value = resp[idx,val_actual*2] + value = resp[idx,val_actual*2] idx += val_actual * 2 idx += val_actual % 2 * 2 # alignment @@ -54,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary return value,idx end - def parse_NetWkstaEnumUsersInfo(resp) + def parse_net_wksta_enum_users_info(resp) accounts = [ Hash.new() ] idx = 20 @@ -72,10 +71,10 @@ class Metasploit3 < Msf::Auxiliary 1.upto(count) do # wkssvc_NetWkstaEnumUsersInfo -> Info -> PtrCt0 -> User() -> Ptr -> ID1 max count - account_name,idx = parse_value(resp, idx) - logon_domain,idx = parse_value(resp, idx) - other_domains,idx = parse_value(resp, idx) - logon_server,idx = parse_value(resp, idx) + account_name,idx = parse_value(resp, idx) + logon_domain,idx = parse_value(resp, idx) + other_domains,idx = parse_value(resp, idx) + logon_server,idx = parse_value(resp, idx) accounts << { :account_name => account_name, @@ -96,6 +95,35 @@ class Metasploit3 < Msf::Auxiliary @smbdirect || datastore['SMBDirect'] end + def store_username(username, res, ip, rport) + service_data = { + address: ip, + port: rport, + service_name: 'smb', + protocol: 'tcp', + workspace_id: myworkspace_id, + proof: res + } + + credential_data = { + origin_type: :service, + module_fullname: fullname, + username: username + } + + credential_data.merge!(service_data) + + credential_core = create_credential(credential_data) + + login_data = { + core: credential_core, + status: Metasploit::Model::Login::Status::UNTRIED + } + + login_data.merge!(service_data) + create_credential_login(login_data) + end + def run_host(ip) [[139, false], [445, true]].each do |info| @@ -115,22 +143,22 @@ class Metasploit3 < Msf::Auxiliary begin dcerpc_bind(handle) stub = - NDR.uwstring("\\\\" + ip) + # Server Name - NDR.long(1) + # Level - NDR.long(1) + # Ctr - NDR.long(rand(0xffffffff)) + # ref id - NDR.long(0) + # entries read - NDR.long(0) + # null ptr to user0 + NDR.uwstring("\\\\" + ip) + # Server Name + NDR.long(1) + # Level + NDR.long(1) + # Ctr + NDR.long(rand(0xffffffff)) + # ref id + NDR.long(0) + # entries read + NDR.long(0) + # null ptr to user0 - NDR.long(0xffffffff) + # Prefmaxlen - NDR.long(rand(0xffffffff)) + # ref id - NDR.long(0) # null ptr to resume handle + NDR.long(0xffffffff) + # Prefmaxlen + NDR.long(rand(0xffffffff)) + # ref id + NDR.long(0) # null ptr to resume handle dcerpc.call(2,stub) resp = dcerpc.last_response ? dcerpc.last_response.stub_data : nil - accounts = parse_NetWkstaEnumUsersInfo(resp) + accounts = parse_net_wksta_enum_users_info(resp) accounts.shift if datastore['VERBOSE'] @@ -154,16 +182,7 @@ class Metasploit3 < Msf::Auxiliary end print_good("#{ip} - Found user: #{comp_user}") - credential_core = create_credential( - origin_type: :service, - address: ip, - port: rport, - service_name: 'smb', - protocol: 'tcp', - module_fullname: self.fullname, - workspace_id: myworkspace.id, - username: comp_user - ) + store_username(comp_user, resp, ip, rport) end rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e