d2e1fdbbc3
|
@ -7,24 +7,23 @@ require 'msf/core'
|
|||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'Windows Gather Enumerate Domain Group',
|
||||
'Description' => %q{ This module extracts user accounts from specified group
|
||||
and stores the results in the loot. It will also verify if session
|
||||
account is in the group. Data is stored in loot in a format that
|
||||
is compatible with the token_hunter plugin. This module should be
|
||||
run over as session with domain credentials.},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Carlos Perez <carlos_perez[at]darkoperator.com>',
|
||||
'Stephen Haywood <haywoodsb[at]gmail.com>'
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
))
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Windows Gather Enumerate Domain Group',
|
||||
'Description' => %q( This module extracts user accounts from specified group
|
||||
and stores the results in the loot. It will also verify if session
|
||||
account is in the group. Data is stored in loot in a format that
|
||||
is compatible with the token_hunter plugin. This module should be
|
||||
run over as session with domain credentials.),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Carlos Perez <carlos_perez[at]darkoperator.com>',
|
||||
'Stephen Haywood <haywoodsb[at]gmail.com>'
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('GROUP', [true, 'Domain Group to enumerate', nil])
|
||||
|
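Review bot: The module Description on the new side still reads `run over as session with domain credentials`, a typo the commit carries over while reformatting the block; it should read `run over a session with domain credentials`. The switch from `%q{}` to `%q()` is safe here because the description text contains no parentheses, but any later edit that adds one inside the string will need to keep them balanced or the literal ends early. The `initialize` method is complete within this hunk, while the `register_options` call it contains continues past the hunk's last line.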
@ -38,18 +37,16 @@ class Metasploit3 < Msf::Post
|
|||
cur_domain, cur_user = client.sys.config.getuid.split("\\")
|
||||
ltype = "domain.group.members"
|
||||
ctype = "text/plain"
|
||||
domain = ""
|
||||
|
||||
# Get Data
|
||||
usr_res = run_cmd("net groups \"#{datastore['GROUP']}\" /domain")
|
||||
dom_res = run_cmd("net config workstation")
|
||||
usr_res = cmd_exec("net groups \"#{datastore['GROUP']}\" /domain")
|
||||
|
||||
# Parse Returned data
|
||||
members = get_members(usr_res.split("\n"))
|
||||
domain = get_domain(dom_res.split("\n"))
|
||||
domain = get_env("USERDOMAIN")
|
||||
|
||||
# Show results if we have any, Error if we don't
|
||||
if ! members.empty?
|
||||
if !members.empty?
|
||||
|
||||
print_status("Found users in #{datastore['GROUP']}")
|
||||
|
||||
|
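Review bot: The new `cmd_exec("net groups \"#{datastore['GROUP']}\" /domain")` line interpolates the GROUP option straight into a cmd.exe command line, so a value containing a double quote or `&` breaks out of the quoting and runs as a separate command on the target; the replaced run_cmd line had the same shape, but this is the line the module now relies on. GROUP is operator-supplied rather than attacker-supplied, so the exposure is operator error rather than remote exploitation, yet a guard such as `return print_error('GROUP contains shell metacharacters') if datastore['GROUP'] =~ /["&|<>]/` before the call would stop a stray character from executing something unintended on the host. Separately, `domain = get_env("USERDOMAIN")` yields the logon domain of the session account rather than the workstation's domain that `net config workstation` reported; if the session runs as a local account that value is presumably the host name, and the `is_member` comparison further down may then hinge on the user name alone, which is worth confirming against a local-account session. The enclosing `run` method starts before this hunk.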
@ -61,9 +58,9 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
# Is our current user a member of this domain and group
|
||||
if is_member(cur_domain, cur_user, domain, members)
|
||||
print_status("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!!")
|
||||
print_good("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!")
|
||||
else
|
||||
print_error("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}")
|
||||
print_status("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}")
|
||||
end
|
||||
|
||||
# Store the captured data in the loot.
|
||||
|
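Review bot: The two messages in the new `print_good`/`print_status` pair disagree on wording: the member branch says `Current sessions running as …` while the non-member branch says `Current session running as …`, and the comment above them uses the singular. Changing the first to `print_good("Current session running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!")` keeps the two lines parallel. Demoting the non-member case from `print_error` to `print_status` reads correctly, since not being a member is a finding rather than a failure. The enclosing `run` method starts before this hunk and continues after it.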
@ -72,7 +69,6 @@ class Metasploit3 < Msf::Post
|
|||
else
|
||||
print_error("No members found for #{datastore['GROUP']}")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def get_members(results)
|
||||
|
@ -90,41 +86,21 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
end
|
||||
|
||||
return members
|
||||
end
|
||||
|
||||
def get_domain(results)
|
||||
domain = ''
|
||||
|
||||
results.each do |line|
|
||||
if line =~ /Workstation domain \s+(.*)/ then domain = $1.strip end
|
||||
end
|
||||
|
||||
return domain
|
||||
members
|
||||
end
|
||||
|
||||
def is_member(cur_dom, cur_user, dom, users)
|
||||
|
||||
member = false
|
||||
|
||||
if cur_dom == dom
|
||||
users.each do |u|
|
||||
if u.downcase == cur_user.downcase then member = true end
|
||||
if u.downcase == cur_user.downcase
|
||||
member = true
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
return member
|
||||
member
|
||||
end
|
||||
def run_cmd(cmd)
|
||||
process = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
||||
res = ""
|
||||
while (d = process.channel.read)
|
||||
break if d == ""
|
||||
res << d
|
||||
end
|
||||
process.channel.close
|
||||
process.close
|
||||
return res
|
||||
end
|
||||
|
||||
end
|
||||
|
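Review bot: In the restyled `is_member`, the domain check `if cur_dom == dom` is case-sensitive while the user comparison inside it lower-cases both sides; Windows domain names are not case-sensitive, so a session whose getuid prefix and USERDOMAIN value differ only in case would be reported as a non-member. Comparing with `if cur_dom.downcase == dom.downcase` keeps both halves of the test consistent, and the inner loop can then collapse to `member = users.any? { |u| u.downcase == cur_user.downcase }`, which also makes the added `break` unnecessary. `is_member` lies entirely within this hunk; `get_members` starts before it, and its bare `members` implicit return is fine.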