109 lines
2.7 KiB
Ruby
109 lines
2.7 KiB
Ruby
##
|
|
# $Id$
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex'
|
|
require 'msf/core/post/windows/registry'
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
include Msf::Post::Registry
|
|
|
|
def initialize(info={})
|
|
super( update_info( info,
|
|
'Name' => 'Enumerate logged on users',
|
|
'Description' => %q{ This module will enumerate current and recent logged on users},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
|
|
'Version' => '$Revision$',
|
|
'Platform' => [ 'windows' ],
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
))
|
|
register_options(
|
|
[
|
|
OptBool.new('CURRENT', [ true, 'Enumerate currently logged on users', true]),
|
|
OptBool.new('RECENT' , [ true, 'Enumerate Recently logged on users' , true])
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
def ls_logged
|
|
sids = []
|
|
sids << registry_enumkeys("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
|
|
tbl = Rex::Ui::Text::Table.new(
|
|
'Header' => "Logged Users",
|
|
'Indent' => 1,
|
|
'Columns' =>
|
|
[
|
|
"SID",
|
|
"Profile Path"
|
|
])
|
|
sids.flatten.each do |sid|
|
|
profile_path = registry_getvaldata("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\#{sid}","ProfileImagePath")
|
|
tbl << [sid,profile_path]
|
|
end
|
|
print_line("\n" + tbl.to_s + "\n")
|
|
end
|
|
|
|
def ls_current
|
|
key_base, username = "",""
|
|
tbl = Rex::Ui::Text::Table.new(
|
|
'Header' => "Current Logged Users",
|
|
'Indent' => 1,
|
|
'Columns' =>
|
|
[
|
|
"SID",
|
|
"User"
|
|
])
|
|
registry_enumkeys("HKU").each do |sid|
|
|
case sid
|
|
when "S-1-5-18"
|
|
username = "SYSTEM"
|
|
tbl << [sid,username]
|
|
when "S-1-5-19"
|
|
username = "Local Service"
|
|
tbl << [sid,username]
|
|
when "S-1-5-20"
|
|
username = "Network Service"
|
|
tbl << [sid,username]
|
|
else
|
|
if sid =~ /S-1-5-21-\d*-\d*-\d*-\d*$/
|
|
key_base = "HKU\\#{sid}"
|
|
os = session.sys.config.sysinfo['OS']
|
|
if os =~ /(Windows 7|2008|Vista)/
|
|
username = registry_getvaldata("#{key_base}\\Volatile Environment","USERNAME")
|
|
elsif os =~ /(2000|NET|XP)/
|
|
appdata_var = registry_getvaldata("#{key_base}\\Volatile Environment","APPDATA")
|
|
username = appdata_var.scan(/^\w\:\D*\\(\D*)\\\D*$/)
|
|
end
|
|
tbl << [sid,username]
|
|
end
|
|
end
|
|
end
|
|
print_line("\n" + tbl.to_s + "\n")
|
|
end
|
|
|
|
|
|
def run
|
|
print_status("Running against session #{datastore['SESSION']}")
|
|
|
|
if datastore['CURRENT']
|
|
ls_current
|
|
end
|
|
|
|
if datastore['RECENT']
|
|
ls_logged
|
|
end
|
|
|
|
end
|
|
end
|