## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' require 'rex' require 'msf/core/post/windows/registry' class Metasploit3 < Msf::Post include Msf::Post::Registry def initialize(info={}) super( update_info( info, 'Name' => 'Enumerate logged on users', 'Description' => %q{ This module will enumerate current and recent logged on users}, 'License' => MSF_LICENSE, 'Author' => [ 'Carlos Perez '], 'Version' => '$Revision$', 'Platform' => [ 'windows' ], 'SessionTypes' => [ 'meterpreter' ] )) register_options( [ OptBool.new('CURRENT', [ true, 'Enumerate currently logged on users', true]), OptBool.new('RECENT' , [ true, 'Enumerate Recently logged on users' , true]) ], self.class) end def ls_logged sids = [] sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") tbl = Rex::Ui::Text::Table.new( 'Header' => "Logged Users", 'Indent' => 1, 'Columns' => [ "SID", "Profile Path" ]) sids.flatten.each do |sid| profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath") tbl << [sid,profile_path] end print_line("\n" + tbl.to_s + "\n") end def ls_current key_base, username = "","" tbl = Rex::Ui::Text::Table.new( 'Header' => "Current Logged Users", 'Indent' => 1, 'Columns' => [ "SID", "User" ]) registry_enumkeys("HKU").each do |sid| case sid when "S-1-5-18" username = "SYSTEM" tbl << [sid,username] when "S-1-5-19" username = "Local Service" tbl << [sid,username] when "S-1-5-20" username = "Network Service" tbl << [sid,username] else if sid =~ /S-1-5-21-\d*-\d*-\d*-\d*$/ key_base = "HKU\\#{sid}" os = session.sys.config.sysinfo['OS'] if os =~ /(Windows 7|2008|Vista)/ username = registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME") elsif os =~ /(2000|NET|XP)/ appdata_var = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA") username = appdata_var.scan(/^\w\:\D*\\(\D*)\\\D*$/) end tbl << [sid,username] end end end print_line("\n" + tbl.to_s + "\n") end def run print_status("Running against session #{datastore['SESSION']}") if datastore['CURRENT'] ls_current end if datastore['RECENT'] ls_logged end end end