Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
module Metasploit
2
  module Framework
3
    module NTDS
4
      require 'metasploit/framework/ntds/account'
5
      # This class represent an NTDS parser. It interacts with the Meterpreter Client
6
      # to provide a simple interface for enumerating AD user accounts.
7
      class Parser
8

9
        # The size, in Bytes, of a batch of NTDS accounts
10
        BATCH_SIZE = (Metasploit::Framework::NTDS::Account::ACCOUNT_SIZE * 20)
11

12
        #@return [Rex::Post::Meterpreter::Channels::Pool] The Meterpreter NTDS Parser Channel
13
        attr_accessor :channel
14
        #@return [Msf::Session] The Meterpreter Client
15
        attr_accessor :client
16
        #@return [String] The path to the NTDS.dit file on the remote system
17
        attr_accessor :file_path
18

19
        def initialize(client, file_path='')
20
          raise ArgumentError, "Invalid Filepath" unless file_path.present?
21
          @file_path = file_path
22
          @channel = client.extapi.ntds.parse(file_path)
23
          @client = client
24
        end
25

26
        # Yields a [Metasploit::Framework::NTDS::Account] for each account found
27
        # in the remote NTDS.dit file.
28
        #
29
        # @yield [account]
30
        # @yieldparam account [Metasploit::Framework::NTDS::Account] an AD user account
31
        # @yieldreturn [void] does not return a value
32
         def each_account
33
           raw_batch_data = pull_batch
34
           until raw_batch_data.nil?
35
             batch = raw_batch_data.dup
36
             while batch.present?
37
               raw_data = batch.slice!(0,Metasploit::Framework::NTDS::Account::ACCOUNT_SIZE)
38
               # Make sure our data isn't all Null-bytes
39
               if raw_data.match(/[^\x00]/)
40
                 account = Metasploit::Framework::NTDS::Account.new(raw_data)
41
                 yield account
42
               end
43
             end
44
             raw_batch_data = pull_batch
45
           end
46
           channel.close
47
         end
48

49
        private
50

51
        def pull_batch
52
          if channel.cid.nil?
53
            dlog("NTDS Parser Channel was closed, reopening")
54
            reopen_channel
55
          end
56
          begin
57
            raw_batch_data = channel.read(BATCH_SIZE)
58
          rescue EOFError => e
59
            elog('NTDS Parser: Error pulling batch', error: e)
60
            raw_batch_data = nil
61
          end
62
          raw_batch_data
63
        end
64

65
        def reopen_channel
66
          @channel = client.extapi.ntds.parse(file_path)
67
        end
68

69
      end
70
    end
71
  end
72
end
73

74