GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/enum_domain_users.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
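# Post module that reports which users hold sessions on which Windows hosts.
#
# It runs inside an existing Meterpreter session and relies on helpers from
# the included Msf::Post mixins (get_domain, net_server_enum,
# net_session_enum), none of which are defined in this file.
#
# NOTE(review): every host queried receives a remote session-enumeration
# request from the machine the Meterpreter session lives on, so the
# domain-wide mode (USER set, HOST unset) touches every host returned by
# net_server_enum. One workstation asking many hosts for their session tables
# in a short window is a signal defenders can alert on.
class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::NetAPI
  include Msf::Post::Windows::Accounts

  # Registers module metadata and the two optional targeting options.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Enumerate Active Domain Users',
        # A stray trailing quote was removed from the end of this text.
        'Description' => %q{
          This module will enumerate computers included in the primary Domain and attempt
          to list all locations the targeted user has sessions on. If the HOST option is specified
          the module will target only that host. If the HOST is specified and USER is set to nil, all users
          logged into that host will be returned.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Etienne Stalmans <etienne[at]sensepost.com>',
          'Ben Campbell'
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ]
      )
    )
    register_options(
      [
        OptString.new('USER', [false, 'Target User for NetSessionEnum']),
        OptString.new('HOST', [false, 'Target a specific host']),
      ]
    )
  end

  # Enumerates sessions according to the HOST / USER options and prints them.
  #
  # * HOST set: query only that host, filtered by USER when USER is set.
  # * Only USER set: query every host returned by net_server_enum for the
  #   machine's domain.
  # * Neither set: fail with Failure::BadConfig.
  #
  # Fails with Failure::Unknown when the machine has no domain (domain-wide
  # mode) or when no session entry is found.
  def run
    sessions = []
    user = datastore['USER']
    host = datastore['HOST']

    if host
      if user
        print_status("Attempting to identify #{user} on #{host}...")
      else
        print_status("Attempting to get all logged in users on #{host}...")
      end
      sessions = net_session_enum(host, user)
    elsif user
      # Domain must be NETBIOS style rather than DNS style
      domain = get_domain
      fail_with(Failure::Unknown, 'Machine is not part of a domain.') if domain.blank?

      domain = domain.split('.').first.upcase
      print_status("Using domain: #{domain}")
      print_status('Getting list of domain hosts...')

      hosts = net_server_enum(SV_TYPE_ALL, domain)

      if hosts
        print_status("#{hosts.count} host(s) found")

        # The block parameter no longer shadows the outer `host` local. A
        # host that yields no result contributes nothing instead of a nil
        # placeholder.
        sessions = hosts.flat_map { |server| net_session_enum(server[:name], user) || [] }
      end
    else
      fail_with(Failure::BadConfig, 'Invalid options, either HOST or USER must be specified.')
    end

    # Drop nil entries before counting. Previously they inflated the
    # "session(s) identified" total and could suppress the "No sessions found"
    # failure even though nothing was printed.
    sessions = (sessions || []).compact

    fail_with(Failure::Unknown, 'No sessions found') if sessions.empty?

    print_status("#{sessions.count} session(s) identified")

    sessions.each do |s|
      print_good("#{s[:username]} logged in at #{s[:hostname]} and has been idle for #{s[:idletime]} seconds")
    end
  end
end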