issue with none domain machines fixed and added host resolution and reporting on domain controller using some of Mubix railgun fu

git-svn-id: file:///home/svn/framework3/trunk@13895 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-12 23:15:07 +00:00 · 2011-10-12 23:15:07 +00:00 · ab8b8802b5
parent 4d4b07db40
commit ab8b8802b5
1 changed files with 58 additions and 18 deletions
--- a/modules/post/windows/gather/enum_domain.rb
+++ b/modules/post/windows/gather/enum_domain.rb
@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
 			'Name'          => "Windows Gather Enumerate Domain",
 			'Description'   => %q{
 				This module identifies the primary domain via the registry. The registry value used is:
-				HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName.
+				HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\\DCName.
 				},
 			'License'       => MSF_LICENSE,
 			'Version'       => '$Revision$',
@ -45,28 +45,68 @@ class Metasploit3 < Msf::Post
 	end

 	def get_domain()
-		subkey = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
-		v_name = "DCName"
-		domain = reg_getvaldata(subkey, v_name)
-
-		if domain != nil and domain != ""
-			return domain.split('.')[1].upcase
-		else
-			return ""
+		domain = nil
+		begin
+			subkey = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History"
+			v_name = "DCName"
+			domain = reg_getvaldata(subkey, v_name)
+		rescue
+			print_error("This host is not part of a domain.")
 		end
+		return domain
+	end
+
+	def gethost(hostname)
+		hostip = nil
+		if client.platform =~ /^x64/
+			size = 64
+			addrinfoinmem = 32
+		else
+			size = 32
+			addrinfoinmem = 24
+		end
+
+		## get IP for host
+		begin
+			vprint_status("Looking up IP for #{hostname}")
+			result = client.railgun.ws2_32.getaddrinfo(hostname, nil, nil, 4 )
+			if result['GetLastError'] == 11001
+				return nil
+			end
+			addrinfo = client.railgun.memread( result['ppResult'], size )
+			ai_addr_pointer = addrinfo[addrinfoinmem,4].unpack('L').first
+			sockaddr = client.railgun.memread( ai_addr_pointer, size/2 )
+			ip = sockaddr[4,4].unpack('N').first
+			hostip = Rex::Socket.addr_itoa(ip)
+		rescue ::Exception => e
+			print_error(e)
+		end
+		return hostip
 	end

 	def run
 		domain = get_domain()
-		print_error("domain not found") if domain == ""
-
-		report_note(
-			:host   => session,
-			:type   => 'windows.domain',
-			:data   => { :domain => domain },
-			:update => :unique_data
-		)
-		print_good("FOUND Domain: #{domain}")
+		if not domain.nil?
+			dom_info =  domain.scan(/\\\\(\w*)\.(\S*)/)[0]
+			report_note(
+				:host   => session,
+				:type   => 'windows.domain',
+				:data   => { :domain => dom_info[1] },
+				:update => :unique_data
+			)
+			print_good("FOUND Domain: #{dom_info[1]}")
+			dc_ip = gethost(dom_info[0])
+			if not dc_ip.nil?
+				print_good("FOUND Domain Constroler: #{dom_info[0]} #{dc_ip}")
+				report_host({
+						:host => dc_ip,
+						:name => dom_info[0],
+						:info => "Domain controller for #{dom_info[1]}"
+					})
+			else
+				print_good("FOUND Domain Constroler: #{dom_info[0]}")
+			end
+		end
 	end
 end