From e42bbcbcbbde2fc7a0945ee12f7a92019940d362 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Mon, 16 Feb 2015 14:03:15 +0000
Subject: [PATCH 1/6] Enum_ad modules should retrive userPrincipalName as it may differ to the sAMAccountName value.
---
 modules/post/windows/gather/enum_ad_user_comments.rb | 3 +--
 modules/post/windows/gather/enum_ad_users.rb | 12 +++++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/modules/post/windows/gather/enum_ad_user_comments.rb b/modules/post/windows/gather/enum_ad_user_comments.rb
index 8e2dded9e2..22519eae57 100644
--- a/modules/post/windows/gather/enum_ad_user_comments.rb
+++ b/modules/post/windows/gather/enum_ad_user_comments.rb
@@ -31,7 +31,7 @@ class Metasploit3 < Msf::Post
 register_options([
 OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
- OptString.new('FIELDS', [true, 'Fields to retrieve.','sAMAccountName,userAccountControl,comment,description']),
+ OptString.new('FIELDS', [true, 'Fields to retrieve.','userPrincipalName,sAMAccountName,userAccountControl,comment,description']),
 OptString.new('FILTER', [true, 'Search filter.','(&(&(objectCategory=person)(objectClass=user))(|(description=*pass*)(comment=*pass*)))']),
 ], self.class)
 end
@@ -63,7 +63,6 @@ class Metasploit3 < Msf::Post
 q[:results].each do |result|
 row = []
- report = {}
 result.each do |field|
 if field[:value].nil?
 row << ""
diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index 94cbbc526e..808d3bcbce 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -12,7 +12,13 @@ class Metasploit3 < Msf::Post
 include Msf::Post::Windows::Accounts
 UAC_DISABLED = 0x02
- USER_FIELDS = ['sAMAccountName', 'userAccountControl', 'lockoutTime', 'mail', 'primarygroupid', 'description'].freeze
+ USER_FIELDS = ['userPrincipalName',
+ 'sAMAccountName',
+ 'userAccountControl',
+ 'lockoutTime',
+ 'mail',
+ 'primarygroupid',
+ 'description'].freeze
 def initialize(info = {})
 super(update_info(
@@ -108,8 +114,8 @@ class Metasploit3 < Msf::Post
 end
 username = result.first[:value]
- uac = result[1][:value]
- lockout_time = result[2][:value]
+ uac = result[2][:value]
+ lockout_time = result[3][:value]
 store_username(username, uac, lockout_time, domain, domain_ip)
 results_table << row
From 3a894a29de941a303d2b6ef331b2328bbf4a905a Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Mon, 16 Feb 2015 15:02:01 +0000
Subject: [PATCH 2/6] Dont use magic values and use the userPrincipalName as the username
---
 modules/post/windows/gather/enum_ad_users.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index 808d3bcbce..476b6e8129 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -113,9 +113,9 @@ class Metasploit3 < Msf::Post
 end
 end
- username = result.first[:value]
- uac = result[2][:value]
- lockout_time = result[3][:value]
+ username = result[USER_FIELDS.index('userPrincipalName')][:value]
+ uac = result[USER_FIELDS.index('userAccountControl')][:value]
+ lockout_time = result[USER_FIELDS.index('lockoutTime')][:value]
 store_username(username, uac, lockout_time, domain, domain_ip)
 results_table << row
From b77aed1c56f32807481dc5bd31e70a4eba08551d Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Mon, 16 Feb 2015 15:08:09 +0000
Subject: [PATCH 3/6] UPN is optional, should use sAMAccountName
---
 modules/post/windows/gather/enum_ad_users.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index 476b6e8129..9075a60fba 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -12,8 +12,8 @@ class Metasploit3 < Msf::Post
 include Msf::Post::Windows::Accounts
 UAC_DISABLED = 0x02
- USER_FIELDS = ['userPrincipalName',
- 'sAMAccountName',
+ USER_FIELDS = ['sAMAccountName',
+ 'userPrincipalName',
 'userAccountControl',
 'lockoutTime',
 'mail',
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Post
 end
 end
- username = result[USER_FIELDS.index('userPrincipalName')][:value]
+ username = result[USER_FIELDS.index('sAMAccountName')][:value]
 uac = result[USER_FIELDS.index('userAccountControl')][:value]
 lockout_time = result[USER_FIELDS.index('lockoutTime')][:value]
 store_username(username, uac, lockout_time, domain, domain_ip)
From 12f282882966c71a05d335f0e5aed9857a2d3264 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Mon, 16 Feb 2015 15:24:28 +0000
Subject: [PATCH 4/6] Allow additional fields
---
 modules/post/windows/gather/enum_ad_users.rb | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index 9075a60fba..a57a450dba 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
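Review bot: The `username = result[USER_FIELDS.index('sAMAccountName')][:value]` line in the second hunk carries a decision that only the commit message explains, and the previous commit in this series made the opposite choice, so a later reader has no in-code reason not to switch it back to userPrincipalName. A comment above it such as `# sAMAccountName is the mandatory logon name; userPrincipalName is optional in AD, so it is displayed but not used as the stored username` would pin that down, and the same reasoning applies to the USER_FIELDS reorder in the first hunk. The enclosing `run` loop starts and ends outside the hunk.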
@@ -41,6 +41,7 @@ class Metasploit3 < Msf::Post
 OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
 OptBool.new('EXCLUDE_LOCKED', [true, 'Exclude in search locked accounts..', false]),
 OptBool.new('EXCLUDE_DISABLED', [true, 'Exclude from search disabled accounts.', false]),
+ OptString.new('ADDITIONAL_FIELDS', [false, 'Additional fields to retrieve, comma sperated', nil]),
 OptEnum.new('UAC', [true, 'Filter on User Account Control Setting.', 'ANY',
 [
 'ANY',
@@ -54,10 +55,17 @@ class Metasploit3 < Msf::Post
 end
 def run
+ @user_fields = USER_FIELDS.dup
+
+ if datastore['ADDITIONAL_FIELDS']
+ additional_fields = datastore['ADDITIONAL_FIELDS'].gsub(/\s+/,"").split(',')
+ @user_fields.push(*additional_fields)
+ end
+
 max_search = datastore['MAX_SEARCH']
 begin
- q = query(query_filter, max_search, USER_FIELDS)
+ q = query(query_filter, max_search, @user_fields)
 rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e
 # Can't bind or in a network w/ limited accounts
 print_error(e.message)
@@ -99,7 +107,7 @@ class Metasploit3 < Msf::Post
 'Header' => "Domain Users",
 'Indent' => 1,
 'SortIndex' => -1,
- 'Columns' => USER_FIELDS
+ 'Columns' => @user_fields
 )
 results.each do |result|
@@ -113,9 +121,9 @@ class Metasploit3 < Msf::Post
 end
 end
- username = result[USER_FIELDS.index('sAMAccountName')][:value]
- uac = result[USER_FIELDS.index('userAccountControl')][:value]
- lockout_time = result[USER_FIELDS.index('lockoutTime')][:value]
+ username = result[@user_fields.index('sAMAccountName')][:value]
+ uac = result[@user_fields.index('userAccountControl')][:value]
+ lockout_time = result[@user_fields.index('lockoutTime')][:value]
 store_username(username, uac, lockout_time, domain, domain_ip)
 results_table << row
From 6559b43f1ea2dd47c5c2d9241d289795a6b97446 Mon Sep 17 00:00:00 2001
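Review bot: The ADDITIONAL_FIELDS parsing in the `run` hunk keeps empty entries and duplicates: a value like `mail,,title` leaves an empty string in `@user_fields` that is handed to `query` as an attribute name and then appears as a blank column header in the table built in the third hunk, and repeating a default such as `mail` produces two identically named columns. Replacing the two lines with `additional_fields = datastore['ADDITIONAL_FIELDS'].split(',').map(&:strip).reject(&:empty?)` and `@user_fields |= additional_fields` handles both cases while keeping the default fields at their original indices, which the `@user_fields.index` lookups in the last hunk rely on. The `if datastore['ADDITIONAL_FIELDS']` guard is also true for an empty string, which `split` tolerates, but `unless datastore['ADDITIONAL_FIELDS'].to_s.strip.empty?` states the intent. `run` continues past the end of the hunk.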
From: Meatballs
Date: Mon, 16 Feb 2015 15:46:45 +0000
Subject: [PATCH 5/6] EOL Spaces argh
---
 modules/post/windows/gather/enum_ad_users.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index a57a450dba..61f883485e 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -107,7 +107,7 @@ class Metasploit3 < Msf::Post
 'Header' => "Domain Users",
 'Indent' => 1,
 'SortIndex' => -1,
- 'Columns' => @user_fields
+ 'Columns' => @user_fields
 )
 results.each do |result|
From ecefad946e1d7398a0c850a932d3f8766abd91c2 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 17 Feb 2015 14:39:34 +0000
Subject: [PATCH 6/6] Spellingz
---
 modules/post/windows/gather/enum_ad_users.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index 61f883485e..e0cba065b2 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
 OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
 OptBool.new('EXCLUDE_LOCKED', [true, 'Exclude in search locked accounts..', false]),
 OptBool.new('EXCLUDE_DISABLED', [true, 'Exclude from search disabled accounts.', false]),
- OptString.new('ADDITIONAL_FIELDS', [false, 'Additional fields to retrieve, comma sperated', nil]),
+ OptString.new('ADDITIONAL_FIELDS', [false, 'Additional fields to retrieve, comma separated', nil]),
 OptEnum.new('UAC', [true, 'Filter on User Account Control Setting.', 'ANY',
 [
 'ANY',