Meatballs
commit
d2e1fdbbc3
|
|
@ -7,24 +7,23 @@ require 'msf/core'
|
||||||
require 'rex'
|
require 'rex'
|
||||||
|
|
||||||
class Metasploit3 < Msf::Post
|
class Metasploit3 < Msf::Post
|
||||||
|
def initialize(info = {})
|
||||||
def initialize(info={})
|
super(update_info(info,
|
||||||
super( update_info( info,
|
'Name' => 'Windows Gather Enumerate Domain Group',
|
||||||
'Name' => 'Windows Gather Enumerate Domain Group',
|
'Description' => %q( This module extracts user accounts from specified group
|
||||||
'Description' => %q{ This module extracts user accounts from specified group
|
and stores the results in the loot. It will also verify if session
|
||||||
and stores the results in the loot. It will also verify if session
|
account is in the group. Data is stored in loot in a format that
|
||||||
account is in the group. Data is stored in loot in a format that
|
is compatible with the token_hunter plugin. This module should be
|
||||||
is compatible with the token_hunter plugin. This module should be
|
run over as session with domain credentials.),
|
||||||
run over as session with domain credentials.},
|
'License' => MSF_LICENSE,
|
||||||
'License' => MSF_LICENSE,
|
'Author' =>
|
||||||
'Author' =>
|
[
|
||||||
[
|
'Carlos Perez <carlos_perez[at]darkoperator.com>',
|
||||||
'Carlos Perez <carlos_perez[at]darkoperator.com>',
|
'Stephen Haywood <haywoodsb[at]gmail.com>'
|
||||||
'Stephen Haywood <haywoodsb[at]gmail.com>'
|
],
|
||||||
],
|
'Platform' => [ 'win' ],
|
||||||
'Platform' => [ 'win' ],
|
'SessionTypes' => [ 'meterpreter' ]
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
))
|
||||||
))
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('GROUP', [true, 'Domain Group to enumerate', nil])
|
OptString.new('GROUP', [true, 'Domain Group to enumerate', nil])
|
||||||
|
|
@ -38,18 +37,16 @@ class Metasploit3 < Msf::Post
|
||||||
cur_domain, cur_user = client.sys.config.getuid.split("\\")
|
cur_domain, cur_user = client.sys.config.getuid.split("\\")
|
||||||
ltype = "domain.group.members"
|
ltype = "domain.group.members"
|
||||||
ctype = "text/plain"
|
ctype = "text/plain"
|
||||||
domain = ""
|
|
||||||
|
|
||||||
# Get Data
|
# Get Data
|
||||||
usr_res = run_cmd("net groups \"#{datastore['GROUP']}\" /domain")
|
usr_res = cmd_exec("net groups \"#{datastore['GROUP']}\" /domain")
|
||||||
dom_res = run_cmd("net config workstation")
|
|
||||||
|
|
||||||
# Parse Returned data
|
# Parse Returned data
|
||||||
members = get_members(usr_res.split("\n"))
|
members = get_members(usr_res.split("\n"))
|
||||||
domain = get_domain(dom_res.split("\n"))
|
domain = get_env("USERDOMAIN")
|
||||||
|
|
||||||
# Show results if we have any, Error if we don't
|
# Show results if we have any, Error if we don't
|
||||||
if ! members.empty?
|
if !members.empty?
|
||||||
|
|
||||||
print_status("Found users in #{datastore['GROUP']}")
|
print_status("Found users in #{datastore['GROUP']}")
|
||||||
|
|
||||||
|
|
@ -61,9 +58,9 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
# Is our current user a member of this domain and group
|
# Is our current user a member of this domain and group
|
||||||
if is_member(cur_domain, cur_user, domain, members)
|
if is_member(cur_domain, cur_user, domain, members)
|
||||||
print_status("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!!")
|
print_good("Current sessions running as #{cur_domain}\\#{cur_user} is a member of #{datastore['GROUP']}!")
|
||||||
else
|
else
|
||||||
print_error("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}")
|
print_status("Current session running as #{cur_domain}\\#{cur_user} is not a member of #{datastore['GROUP']}")
|
||||||
end
|
end
|
||||||
|
|
||||||
# Store the captured data in the loot.
|
# Store the captured data in the loot.
|
||||||
|
|
@ -72,7 +69,6 @@ class Metasploit3 < Msf::Post
|
||||||
else
|
else
|
||||||
print_error("No members found for #{datastore['GROUP']}")
|
print_error("No members found for #{datastore['GROUP']}")
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_members(results)
|
def get_members(results)
|
||||||
|
|
@ -90,41 +86,21 @@ class Metasploit3 < Msf::Post
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
return members
|
members
|
||||||
end
|
|
||||||
|
|
||||||
def get_domain(results)
|
|
||||||
domain = ''
|
|
||||||
|
|
||||||
results.each do |line|
|
|
||||||
if line =~ /Workstation domain \s+(.*)/ then domain = $1.strip end
|
|
||||||
end
|
|
||||||
|
|
||||||
return domain
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def is_member(cur_dom, cur_user, dom, users)
|
def is_member(cur_dom, cur_user, dom, users)
|
||||||
|
|
||||||
member = false
|
member = false
|
||||||
|
|
||||||
if cur_dom == dom
|
if cur_dom == dom
|
||||||
users.each do |u|
|
users.each do |u|
|
||||||
if u.downcase == cur_user.downcase then member = true end
|
if u.downcase == cur_user.downcase
|
||||||
|
member = true
|
||||||
|
break
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
return member
|
member
|
||||||
end
|
end
|
||||||
def run_cmd(cmd)
|
|
||||||
process = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
|
|
||||||
res = ""
|
|
||||||
while (d = process.channel.read)
|
|
||||||
break if d == ""
|
|
||||||
res << d
|
|
||||||
end
|
|
||||||
process.channel.close
|
|
||||||
process.close
|
|
||||||
return res
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue