Lucene search
K

Windows Gather Active Directory Users

This module enumerates user accounts in the default Active Domain (AD) directory and stores them in the database. It can also list members of a specified group by performing a recursive/nested search

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::LDAP
  include Msf::Post::Windows::Accounts

  UAC_DISABLED = 0x02
  USER_FIELDS = [
    'sAMAccountName',
    'name',
    'userPrincipalName',
    'userAccountControl',
    'lockoutTime',
    'mail',
    'primarygroupid',
    'description'
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Active Directory Users',
        'Description' => %q{
          This module will enumerate user accounts in the default Active Domain (AD) directory and stores
          them in the database. If GROUP_MEMBER is set to the DN of a group, this will list the members of
          that group by performing a recursive/nested search (i.e. it will list users who are members of
          groups that are members of groups that are members of groups (etc) which eventually include the
          target group DN.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ben Campbell',
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_net_resolve_host
            ]
          }
        }
      )
    )

    register_options([
      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
      OptBool.new('EXCLUDE_LOCKED', [true, 'Exclude in search locked accounts..', false]),
      OptBool.new('EXCLUDE_DISABLED', [true, 'Exclude from search disabled accounts.', false]),
      OptString.new('ADDITIONAL_FIELDS', [false, 'Additional fields to retrieve, comma separated', nil]),
      OptString.new('FILTER', [false, 'Customised LDAP filter', nil]),
      OptString.new('GROUP_MEMBER', [false, 'Recursively list users that are effectve members of the group DN specified.', nil]),
      OptEnum.new('UAC', [
        true, 'Filter on User Account Control Setting.', 'ANY',
        [
          'ANY',
          'NO_PASSWORD',
          'CHANGE_PASSWORD',
          'NEVER_EXPIRES',
          'SMARTCARD_REQUIRED',
          'NEVER_LOGGEDON'
        ]
      ])
    ])
  end

  def run
    @user_fields = USER_FIELDS.dup

    if datastore['ADDITIONAL_FIELDS']
      additional_fields = datastore['ADDITIONAL_FIELDS'].gsub(/\s+/, '').split(',')
      @user_fields.push(*additional_fields)
    end

    max_search = datastore['MAX_SEARCH']

    begin
      q = query(query_filter, max_search, @user_fields)
    rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e
      # Can't bind or in a network w/ limited accounts
      print_error(e.message)
      return
    end

    if q.nil? || q[:results].empty?
      print_status('No results returned.')
    else
      results_table = parse_results(q[:results])
      print_line results_table.to_s

      if datastore['STORE_LOOT']
        stored_path = store_loot('ad.users', 'text/plain', session, results_table.to_csv)
        print_good("Results saved to: #{stored_path}")
      end
    end
  end

  def account_disabled?(uac)
    (uac & UAC_DISABLED) > 0
  end

  def account_locked?(lockout_time)
    lockout_time > 0
  end

  # Takes the results of LDAP query, parses them into a table
  # and records and usernames as {Metasploit::Credential::Core}s in
  # the database.
  #
  # @param results [Array<Array<Hash>>] The LDAP query results to parse
  # @return [Rex::Text::Table] the table containing all the result data
  def parse_results(results)
    domain = datastore['DOMAIN'] || get_domain
    domain_ip = client.net.resolve.resolve_host(domain)[:ip]
    # Results table holds raw string data
    results_table = Rex::Text::Table.new(
      'Header' => 'Domain Users',
      'Indent' => 1,
      'SortIndex' => -1,
      'Columns' => @user_fields
    )

    results.each do |result|
      row = []

      result.each do |field|
        if field.nil?
          row << ''
        else
          row << field[:value]
        end
      end

      username = result[@user_fields.index('sAMAccountName')][:value]
      uac = result[@user_fields.index('userAccountControl')][:value]
      lockout_time = result[@user_fields.index('lockoutTime')][:value]
      store_username(username, uac, lockout_time, domain, domain_ip)

      results_table << row
    end
    results_table
  end

  # Builds the LDAP query 'filter' used to find our User Accounts based on
  # criteria set by user in the Datastore.
  #
  # @return [String] the LDAP query string
  def query_filter
    inner_filter = '(objectCategory=person)(objectClass=user)'
    inner_filter << '(!(lockoutTime>=1))' if datastore['EXCLUDE_LOCKED']
    inner_filter << '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' if datastore['EXCLUDE_DISABLED']
    inner_filter << "(memberof:1.2.840.113556.1.4.1941:=#{datastore['GROUP_MEMBER']})" if datastore['GROUP_MEMBER']
    inner_filter << "(#{datastore['FILTER']})" unless datastore['FILTER'].blank?
    case datastore['UAC']
    when 'ANY'
    when 'NO_PASSWORD'
      inner_filter << '(userAccountControl:1.2.840.113556.1.4.803:=32)'
    when 'CHANGE_PASSWORD'
      inner_filter << '(!sAMAccountType=805306370)(pwdlastset=0)'
    when 'NEVER_EXPIRES'
      inner_filter << '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
    when 'SMARTCARD_REQUIRED'
      inner_filter << '(userAccountControl:1.2.840.113556.1.4.803:=262144)'
    when 'NEVER_LOGGEDON'
      inner_filter << '(|(lastlogon=0)(!lastlogon=*))'
    end
    "(&#{inner_filter})"
  end

  def store_username(username, uac, lockout_time, realm, domain_ip)
    service_data = {
      address: domain_ip,
      port: 445,
      service_name: 'smb',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      username: username,
      realm_value: realm,
      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
    }

    credential_data.merge!(service_data)

    # Create the Metasploit::Credential::Core object
    credential_core = create_credential(credential_data)

    if account_disabled?(uac.to_i)
      status = Metasploit::Model::Login::Status::DISABLED
    elsif account_locked?(lockout_time.to_i)
      status = Metasploit::Model::Login::Status::LOCKED_OUT
    else
      status = Metasploit::Model::Login::Status::UNTRIED
    end

    # Assemble the options hash for creating the Metasploit::Credential::Login object
    login_data = {
      core: credential_core,
      status: status
    }

    login_data[:last_attempted_at] = DateTime.now unless (status == Metasploit::Model::Login::Status::UNTRIED)

    # Merge in the service data and create our Login
    login_data.merge!(service_data)
    create_credential_login(login_data)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation