SMB SID User Enumeration

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
class MetasploitModule < Msf::Auxiliary  
  
# Exploit mixins should be called first  
include Msf::Exploit::Remote::MsLsad  
include Msf::Exploit::Remote::MsLsat  
include Msf::Exploit::Remote::DCERPC  
  
# Scanner mixin should be near last  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
include Msf::OptionalSession::SMB  
  
def initialize  
super(  
'Name' => 'SMB SID User Enumeration (LookupSid)',  
'Description' => 'Determine what users exist via brute force SID lookups.  
This module can enumerate both local and domain accounts by setting  
ACTION to either LOCAL or DOMAIN',  
'Author' => 'hdm',  
'License' => MSF_LICENSE,  
'DefaultOptions' =>  
{  
# Samba doesn't like this option, so we disable so we are compatible with  
# both Windows and Samba for enumeration.  
'DCERPC::fake_bind_multi' => false  
},  
'Actions' =>  
[  
['LOCAL', { 'Description' => 'Enumerate local accounts' } ],  
['DOMAIN', { 'Description' => 'Enumerate domain accounts' } ]  
],  
'DefaultAction' => 'LOCAL',  
)  
  
register_options(  
[  
OptInt.new('MinRID', [ false, "Starting RID to check", 500 ]),  
OptInt.new('MaxRID', [ false, "Maximum RID to check", 4000 ])  
]  
)  
end  
  
def rport  
@rport  
end  
  
def smb_direct  
@smb_direct  
end  
  
def connect(*args, **kwargs)  
super(*args, **kwargs, direct: @smb_direct)  
end  
  
def run_session  
smb_services = [{ port: self.simple.peerport, direct: self.simple.direct }]  
smb_services.map { |smb_service| run_service(smb_service[:port], smb_service[:direct]) }  
end  
  
def run_rhost  
if datastore['RPORT'].blank? || datastore['RPORT'] == 0  
smb_services = [  
{ port: 445, direct: true },  
{ port: 139, direct: false }  
]  
else  
smb_services = [  
{ port: datastore['RPORT'], direct: datastore['SMBDirect'] }  
]  
end  
  
smb_services.map { |smb_service| run_service(smb_service[:port], smb_service[:direct]) }  
end  
  
def run_service(port, direct)  
@rport = port  
@smb_direct = direct  
  
ipc_tree = connect_ipc  
lsarpc_pipe = connect_lsarpc(ipc_tree)  
endpoint = RubySMB::Dcerpc::Lsarpc.freeze  
policy_handle = open_policy2(endpoint::SECURITY_IMPERSONATION, endpoint::SECURITY_CONTEXT_CONTINUOUS_UPDATES, endpoint::MAXIMUM_ALLOWED)  
  
account_policy = query_information_policy(policy_handle, endpoint::POLICY_ACCOUNT_DOMAIN_INFORMATION)  
primary_policy = query_information_policy(policy_handle, endpoint::POLICY_PRIMARY_DOMAIN_INFORMATION)  
  
info = {  
local: {  
name: primary_policy[:policy_information][:name].encode('ASCII-8BIT'),  
sid: primary_policy[:policy_information][:sid].to_s.encode('ASCII-8BIT')  
},  
domain: {  
name: account_policy[:policy_information][:domain_name].encode('ASCII-8BIT'),  
sid: account_policy[:policy_information][:domain_sid].to_s.encode('ASCII-8BIT')  
}  
}  
  
# Store the domain information  
report_note(  
:host => self.simple.peerhost,  
:proto => 'tcp',  
:port => self.simple.peerport,  
:type => 'smb.domain.lookupsid',  
:data => info[:domain]  
)  
  
pipe_info = "PIPE(#{lsarpc_pipe.name})"  
local_info = "LOCAL(#{info[:local][:name]} - #{info[:local][:sid]})"  
domain_info = "DOMAIN(#{info[:domain][:name]} - #{info[:domain][:sid]})"  
all_info = "#{pipe_info} #{local_info} #{domain_info}"  
print_status(all_info)  
  
target_sid = case action.name.upcase  
when 'LOCAL'  
info[:local][:sid] == 'null' ? info[:domain][:sid] : info[:local][:sid]  
when 'DOMAIN'  
# Fallthrough to the host SID if no domain SID was returned  
if info[:domain][:sid] == 'null'  
print_error 'No domain SID identified, falling back to the local SID...'  
info[:local][:sid]  
else  
info[:domain][:sid]  
end  
end  
  
min_rid = datastore['MinRID']  
max_rid = datastore['MaxRID']  
  
output = []  
  
# Brute force through a common RID range  
min_rid.upto(max_rid) do |rid|  
print "%bld%blu[*]%clr Trying RID #{rid} / #{max_rid}\r"  
begin  
sid = "#{target_sid}-#{rid}"  
sids = lookup_sids(policy_handle, sid, endpoint::LSAP_LOOKUP_WKSTA)  
sids.each do |sid|  
output << [ map_security_principal_to_string(sid[:type]), sid[:name], rid ]  
end  
rescue RubySMB::Dcerpc::Error::LsarpcError => e  
# Ignore unmapped RIDs  
unless e.message.match?(/STATUS_NONE_MAPPED/) || e.message.match?(/STATUS_SOME_MAPPED/)  
wlog e  
end  
end  
end  
  
output  
  
rescue Msf::Exploit::Remote::SMB::Client::Ipc::SmbIpcAuthenticationError => e  
print_warning e.message  
nil  
rescue ::Timeout::Error  
rescue ::Exception => e  
print_error("Error: #{e.class} #{e}")  
ensure  
close_policy(policy_handle)  
disconnect_lsarpc  
disconnect_ipc(ipc_tree)  
end  
  
def format_results(results)  
sids_table = Rex::Text::Table.new(  
'Indent' => 4,  
'Header' => "SMB Lookup SIDs Output",  
'Columns' =>  
[  
'Type',  
'Name',  
'RID'  
],  
'SortIndex' => 2, # Sort by RID  
)  
  
# Each result contains 0 or more arrays containing: SID Type, Name, RID  
results.compact.each do |result_set|  
result_set.each { |result| sids_table << result }  
end  
  
sids_table  
end  
  
# Fingerprint a single host  
def run_host(_ip)  
if session  
self.simple = session.simple_client  
results = run_session  
else  
results = run_rhost  
end  
  
results_table = format_results(results)  
results_table.rows = results_table.rows.uniq # Remove potentially duplicate entries from port 139 & 445  
  
print_line  
print_line results_table.to_s  
end  
end  
`