Path: blob/master/modules/post/windows/gather/enum_dirperms.rb
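##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post module for a Windows Meterpreter session: walks one or more directories
# and prints, per directory, the result of check_dir_perms for an impersonation
# token (presumably a string such as R, W or RW; the helper comes from
# Msf::Post::Windows::Accounts and is not shown in this file).
#
# Reading the output as a defender: a directory taken from %PATH% that reports
# W or RW for a non-administrative token is an ACL misconfiguration worth
# fixing, either by tightening the ACL or by removing the entry from PATH.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Accounts

  # Registers the module metadata and its three options (PATH, FILTER, DEPTH).
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Directory Permissions Enumeration',
        'Description' => %q{
          This module enumerates directories and lists the permissions set
          on found directories. Please note: if the PATH option isn't specified,
          then the module will start enumerate whatever is in the target machine's
          %PATH% variable.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => [
          'Kx499',
          'Ben Campbell',
          'sinn3r'
        ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_stat
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('PATH', [ false, 'Directory to begin search from', '']),
        OptEnum.new('FILTER', [ false, 'Filter to limit results by', 'NA', [ 'NA', 'R', 'W', 'RW' ]]),
        # The help text used the letter "O"; the value the user has to enter is the digit 0.
        OptInt.new('DEPTH', [ true, 'Depth to drill down into subdirs, 0 = no limit', 0]),
      ]
    )
  end

  # Recursively prints the permissions of the subdirectories of +dpath+.
  #
  # @param perm_filter [String, nil] 'R', 'W' or 'RW' to print only matching
  #   directories; nil (FILTER=NA) prints every directory that has a result
  # @param dpath [String] directory whose children are listed
  # @param maxdepth [Integer] levels left to descend; a negative value never
  #   reaches zero, so it means "no limit"
  # @param token impersonation token passed through to check_dir_perms
  # @return [void]
  def enum_subdirs(perm_filter, dpath, maxdepth, token)
    # Depth budget used up: stop before issuing another remote directory listing.
    return if maxdepth.zero?

    begin
      dirs = session.fs.dir.foreach(dpath)
    rescue Rex::Post::Meterpreter::RequestError
      # Sometimes we cannot see the dir
      return
    end

    dirs.each do |entry|
      next if ['.', '..'].include?(entry)

      realpath = dpath + '\\' + entry
      begin
        next unless session.fs.file.stat(realpath).directory?
      rescue Rex::Post::Meterpreter::RequestError
        # An entry that cannot be stat'ed (access denied, removed meanwhile)
        # is skipped instead of aborting the whole walk.
        next
      end

      perm = check_dir_perms(realpath, token)
      print_status(perm + "\t" + realpath) if report_perm?(perm, perm_filter)
      enum_subdirs(perm_filter, realpath, maxdepth - 1, token)
    end
  end

  # Resolves the list of start directories.
  #
  # @return [Array<String>] the PATH option as a single element when it is set;
  #   otherwise the entries of the remote %PATH% variable; an empty array when
  #   %PATH% could not be read or expanded to nothing
  def get_paths
    configured = datastore['PATH']
    return [configured] if configured && !configured.empty?

    begin
      env_path = cmd_exec('cmd.exe', '/c echo %PATH%')
    rescue Rex::Post::Meterpreter::RequestError => e
      vprint_error(e.message)
      return []
    end
    print_status("Option 'PATH' isn't specified. Using system %PATH%")
    # split already returns a one-element array when there is no ';'.
    # An empty reply yields [], which run reports as an error.
    env_path.to_s.split(';')
  end

  # Obtains the impersonation token used for every permission check.
  #
  # @return the value of get_imperstoken, or nil when it raised
  def get_token
    print_status('Getting impersonation token...')
    begin
      get_imperstoken
    rescue ::Exception => e
      # Failure due to timeout, access denied, etc.
      # NOTE(review): ::Exception also swallows interrupts and exit requests.
      # It is kept because timeouts are expected here and the framework's
      # timeout error may not descend from StandardError. Confirm before
      # narrowing the rescue.
      vprint_error("Error #{e.message} while using get_imperstoken()")
      vprint_error(e.backtrace)
      nil
    end
  end

  # Checks each start directory, prints its permissions and then walks its
  # subdirectories.
  #
  # @param perm_filter [String, nil] see enum_subdirs
  # @param token impersonation token passed through to check_dir_perms
  # @param depth [Integer] depth budget handed to enum_subdirs
  # @param paths [Array<String>] start directories
  # @return [void]
  def enum_perms(perm_filter, token, depth, paths)
    paths.each do |path|
      # Strip first so a whitespace-only %PATH% entry is skipped as well.
      dir = path.strip
      next if dir.empty?

      print_status("Checking directory permissions from: #{dir}")

      perm = check_dir_perms(dir, token)
      # No result for the start directory: its subtree is not walked either.
      next if perm.nil?

      # Show the permission of the parent directory
      print_status(perm + "\t" + dir) if report_perm?(perm, perm_filter)

      # Walk every subdirectory within the depth budget
      enum_subdirs(perm_filter, dir, depth, token)
    end
  end

  # Module entry point: reads the options, resolves the start directories,
  # obtains a token and starts the enumeration.
  #
  # @return [void]
  def run
    perm_filter = datastore['FILTER']
    perm_filter = nil if perm_filter == 'NA'

    paths = get_paths
    if paths.empty?
      print_error('Unable to get the path')
      return
    end

    # DEPTH 0 (or below) means "no limit", which enum_subdirs encodes as a
    # negative depth. An unlimited walk costs one remote stat call per
    # directory entry, so set DEPTH on large volumes.
    depth = datastore['DEPTH'] > 0 ? datastore['DEPTH'] : -1

    token = get_token

    if token
      print_status("Got token: #{token}...")
      enum_perms(perm_filter, token, depth, paths)
    else
      print_error('Getting impersonation token failed')
    end
  end

  private

  # Decides whether a directory's result is printed.
  #
  # A nil filter (FILTER=NA) means "no filtering". The previous condition
  # required a non-nil filter, so the default configuration printed no
  # permissions at all.
  #
  # @param perm [String, nil] result of check_dir_perms
  # @param perm_filter [String, nil] requested filter
  # @return [Boolean]
  def report_perm?(perm, perm_filter)
    return false if perm.nil?

    perm_filter.nil? || perm.include?(perm_filter)
  end
end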