GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/enum_domain.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module that reports the Active Directory domain the session host is
# joined to, its NetBIOS short name, and the primary domain controller.
#
# All values come from the compromised host via Msf::Post::Windows::Accounts
# helpers; they are treated as opaque data and only printed or stored through
# report_note / report_host (no command or query is built from them).
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Accounts

  def initialize(info = {})
    details = {
      'Name' => 'Windows Gather Enumerate Domain',
      'Description' => %q{
        This module identifies the primary Active Directory domain name
        and domain controller.
      },
      'License' => MSF_LICENSE,
      'Platform' => ['win'],
      'SessionTypes' => %w[meterpreter shell powershell],
      'Author' => ['Joshua Abraham <jabra[at]rapid7.com>'],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [],
        'SideEffects' => []
      },
      'Compat' => {
        'Meterpreter' => {
          # Only needed when resolve_host has to look up the DC name.
          'Commands' => %w[
            stdapi_net_resolve_host
          ]
        }
      }
    }

    super(update_info(info, details))
  end

  # Resolve a host name through the session's network extension.
  #
  # @param host [String] IP address or host name to resolve
  # @return [String, nil] the address: +host+ itself when it is already a
  #   dotted IP, the resolved address otherwise; nil when the session offers
  #   no +net+ extension or resolution yielded no address
  def resolve_host(host)
    return host if Rex::Socket.dotted_ip?(host)
    # Shell/powershell sessions have no stdapi net extension.
    return nil unless client.respond_to?(:net)

    vprint_status("Resolving host #{host}")
    ip = client.net.resolve.resolve_host(host)[:ip]
    ip.blank? ? nil : ip
  end

  # Entry point: enumerate the domain, then the domain controller.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the domain name or the
  #   domain controller name cannot be retrieved
  def run
    domain = get_domain_name
    unless usable_name?(domain)
      fail_with(Failure::Unknown, 'Could not retrieve domain name. Is the host part of a domain?')
    end

    print_good("Domain FQDN: #{domain}")
    report_note(
      host: session,
      type: 'windows.domain',
      data: { domain: domain },
      update: :unique_data
    )

    # The NetBIOS name is taken as the first DNS label, upper-cased.
    netbios_domain_name = domain.split('.').first.upcase
    print_good("Domain NetBIOS Name: #{netbios_domain_name}")

    domain_controller = get_primary_domain_controller
    unless usable_name?(domain_controller)
      fail_with(Failure::Unknown, 'Could not retrieve domain controller name')
    end

    report_domain_controller(domain, domain_controller)
  end

  private

  # @param value [String, nil]
  # @return [Boolean] true when +value+ is present and not an empty string
  def usable_name?(value)
    value && !value.empty?
  end

  # Print the domain controller and, when its address could be resolved,
  # record it as a host.
  #
  # @param domain [String] the domain FQDN (used in the host info string)
  # @param domain_controller [String] the DC name as returned by the target
  # @return [Object] result of the last print or report call
  def report_domain_controller(domain, domain_controller)
    dc_ip = resolve_host(domain_controller)

    if dc_ip.nil?
      print_good("Domain Controller: #{domain_controller}")
    else
      print_good("Domain Controller: #{domain_controller} (IP: #{dc_ip})")
      report_host({
        host: dc_ip,
        name: domain_controller,
        info: "Domain controller for #{domain}"
      })
    end
  end
end