From 29b03701d1348ca2a49de9de655499cc2b70da70 Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Mon, 24 Jan 2011 17:25:52 +0000
Subject: [PATCH] Fixes #3531, Use new accounts mixin to resolve SID->Account Names
git-svn-id: file:///home/svn/framework3/trunk@11630 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/gather/enum_logged_on_users.rb | 49 +++++++++----------
 1 file changed, 22 insertions(+), 27 deletions(-)
diff --git a/modules/post/windows/gather/enum_logged_on_users.rb b/modules/post/windows/gather/enum_logged_on_users.rb
index dea9fa2f8b..da46fbcb18 100644
--- a/modules/post/windows/gather/enum_logged_on_users.rb
+++ b/modules/post/windows/gather/enum_logged_on_users.rb
@@ -12,10 +12,12 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/windows/registry'
+require 'msf/core/post/windows/accounts'
 class Metasploit3 < Msf::Post
 include Msf::Post::Registry
+include Msf::Post::Accounts
 def initialize(info={})
 super( update_info( info,
@@ -40,20 +42,26 @@ class Metasploit3 < Msf::Post
 sids = []
 sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
 tbl = Rex::Ui::Text::Table.new(
-'Header' => "Logged Users",
+'Header' => "Recently Logged Users",
 'Indent' => 1,
 'Columns' =>
 [
 "SID",
 "Profile Path"
 ])
-sids.flatten.each do |sid|
-profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")
-tbl << [sid,profile_path]
+sids.flatten.map do |sid|
+info = resolve_sid(sid)
+
+if !info.nil? && info[:type] == :user
+profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")
+
+tbl << [sid,profile_path]
+end
 end
 print_line("\n" + tbl.to_s + "\n")
 end
+
 def ls_current
 key_base, username = "",""
 tbl = Rex::Ui::Text::Table.new(
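Review bot: `sids.flatten.map do |sid|` in the ProfileList loop is used only for its effect on `tbl` and the array it builds is thrown away, so `each` — which the removed line used — states the intent and avoids allocating a result nobody reads. Any SID for which `resolve_sid` returns nil, or a type other than `:user`, is now left out of the "Recently Logged Users" table without any message even though its ProfileImagePath value still exists under ProfileList; profiles left behind by since-deleted accounts are a likely case that the old loop listed and this one hides, so consider still listing such SIDs with their profile path, or at least a `print_status` naming the skipped SID. The guard `if !info.nil? && info[:type] == :user` reads more naturally as `if info && info[:type] == :user`; the same form recurs in `ls_current` in the next hunk. The method this loop belongs to begins above the hunk, and `ls_current`, opened on the hunk's last lines, continues past it.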
@@ -64,35 +72,22 @@ class Metasploit3 < Msf::Post
 "SID",
 "User"
 ])
-registry_enumkeys("HKU").each do |sid|
-case sid
-when "S-1-5-18"
-username = "SYSTEM"
-tbl << [sid,username]
-when "S-1-5-19"
-username = "Local Service"
-tbl << [sid,username]
-when "S-1-5-20"
-username = "Network Service"
-tbl << [sid,username]
-else
-if sid =~ /S-1-5-21-\d*-\d*-\d*-\d*$/
-key_base = "HKU\\#{sid}"
-os = session.sys.config.sysinfo['OS']
-if os =~ /(Windows 7|2008|Vista)/
-username = registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME")
-elsif os =~ /(2000|NET|XP)/
-appdata_var = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA")
-username = appdata_var.scan(/^\w\:\D*\\(\D*)\\\D*$/)
-end
-tbl << [sid,username]
+registry_enumkeys("HKU").each do |maybe_sid|
+# There is junk like .DEFAULT we want to avoid
+if maybe_sid =~ /^S(?:-\d+){2,}$/
+info = resolve_sid(maybe_sid)
+
+if !info.nil? && info[:type] == :user
+username = info[:domain] << '\\' << info[:name]
+
+tbl << [maybe_sid,username]
 end
 end
 end
+
 print_line("\n" + tbl.to_s + "\n")
 end
-
 def run
 print_status("Running against session #{datastore['SESSION']}")
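Review bot: `username = info[:domain] << '\\' << info[:name]` appends in place to the string object returned in `info[:domain]` rather than building a new one, so if `resolve_sid` hands back a shared, cached or frozen string the domain value is corrupted for the next caller (or a frozen-string error is raised); `username = "#{info[:domain]}\\#{info[:name]}"` is side-effect free. With the explicit `when "S-1-5-18"`/`"S-1-5-19"`/`"S-1-5-20"` branches removed, those well-known SIDs are only shown if `resolve_sid` reports them as `:user`; if it classifies them differently, the SYSTEM and service hives the old code labelled by hand now vanish from the table silently, so a `print_status` for keys that are skipped would keep that visible. `key_base`, initialised at the top of `ls_current` above this hunk, is no longer read once the removed `key_base = "HKU\\#{sid}"` is gone and can be dropped from that assignment. The `^`/`$` anchors in the SID filter would be stricter as `\A`/`\z`, though registry key names carry no newlines so this is harmless here.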