modules/post/windows/gather/enum_computers.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Windows::Accounts
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Enumerate Computers',
        'Description' => %q{
          This module will enumerate computers included in the primary Active Directory domain.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Joshua Abraham <jabra[at]rapid7.com>'],
        'Platform' => [ 'win'],
        'SessionTypes' => %w[meterpreter powershell shell],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_net_resolve_host
            ]
          }
        }
      )
    )
  end

  def run
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    domain = get_domain_name

    fail_with(Failure::Unknown, 'Could not retrieve domain name. Is the host part of a domain?') unless domain

    netbios_domain_name = domain.split('.').first.upcase

    hostname_list = get_domain_computers

    if hostname_list.empty?
      print_error('No computers found')
      return
    end

    list_computers(netbios_domain_name, hostname_list)
  end

  # Takes the host name and makes use of nslookup to resolve the IP
  #
  # @param [String] host Hostname
  # @return [String] ip The resolved IP
  def resolve_host(host)
    vprint_status("Looking up IP for #{host}")
    return host if Rex::Socket.dotted_ip?(host)

    ip = []
    data = cmd_exec("nslookup #{host}")
    if data =~ /Name/
      # Remove unnecessary data and get the section with the addresses
      returned_data = data.split(/Name:/)[1]
      # check each element of the array to see if they are IP
      returned_data.gsub(/\r\n\t |\r\n|Aliases:|Addresses:|Address:/, ' ').split(' ').each do |e|
        if Rex::Socket.dotted_ip?(e)
          ip << e
        end
      end
    end

    if ip.blank?
      'Not resolvable'
    else
      ip.join(', ')
    end
  end

  def get_domain_computers
    computer_list = []
    divisor = "-------------------------------------------------------------------------------\r\n"
    net_view_response = cmd_exec('net view')
    unless net_view_response.include?(divisor)
      print_error("The net view command failed with: #{net_view_response}")
      return []
    end

    raw_list = net_view_response.split(divisor)[1]
    raw_list.sub!(/The command completed successfully\./, '')
    raw_list.gsub!(/\\\\/, '')
    raw_list.split(' ').each do |m|
      computer_list << m
    end

    computer_list
  end

  def list_computers(domain, hosts)
    tbl = Rex::Text::Table.new(
      'Header' => 'List of identified Hosts.',
      'Indent' => 1,
      'Columns' =>
        [
          'Domain',
          'Hostname',
          'IPs',
        ]
    )
    hosts.each do |hostname|
      hostip = resolve_host(hostname)
      tbl << [domain, hostname, hostip]
    end

    print_line("\n#{tbl}\n")

    report_note(
      host: session,
      type: 'domain.hosts',
      data: tbl.to_csv
    )
  end
end
Add feature #5912 2011-11-10 03:13:57 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add feature #5912 2011-11-10 03:13:57 -06:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Post`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`include Msf::Post::File`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00			`include Msf::Post::Windows::Accounts`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`include Msf::Post::Windows::Registry`
Add feature #5912 2011-11-10 03:13:57 -06:00
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Windows Gather Enumerate Computers',`
			`'Description' => %q{`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00			`This module will enumerate computers included in the primary Active Directory domain.`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`},`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'License' => MSF_LICENSE,`
			`'Author' => [ 'Joshua Abraham <jabra[at]rapid7.com>'],`
			`'Platform' => [ 'win'],`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00			`'SessionTypes' => %w[meterpreter powershell shell],`
			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'Reliability' => [],`
			`'SideEffects' => []`
			`},`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`stdapi_net_resolve_host`
			`]`
			`}`
			`}`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`)`
			`)`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`end`
Add feature #5912 2011-11-10 03:13:57 -06:00
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`def run`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00			`hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']`
			`print_status("Running module against #{hostname} (#{session.session_host})")`

			`domain = get_domain_name`

			`fail_with(Failure::Unknown, 'Could not retrieve domain name. Is the host part of a domain?') unless domain`

			`netbios_domain_name = domain.split('.').first.upcase`

			`hostname_list = get_domain_computers`

			`if hostname_list.empty?`
			`print_error('No computers found')`
			`return`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`end`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00
			`list_computers(netbios_domain_name, hostname_list)`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`end`
Add feature #5912 2011-11-10 03:13:57 -06:00
Removes Meterpreter logic 2023-10-02 16:21:12 +01:00			`# Takes the host name and makes use of nslookup to resolve the IP`
Removes mixin 2023-09-21 13:44:39 +01:00			`#`
			`# @param [String] host Hostname`
			`# @return [String] ip The resolved IP`
			`def resolve_host(host)`
			`vprint_status("Looking up IP for #{host}")`
			`return host if Rex::Socket.dotted_ip?(host)`

			`ip = []`
Removes Meterpreter logic 2023-10-02 16:21:12 +01:00			`data = cmd_exec("nslookup #{host}")`
			`if data =~ /Name/`
			`# Remove unnecessary data and get the section with the addresses`
			`returned_data = data.split(/Name:/)[1]`
			`# check each element of the array to see if they are IP`
			`returned_data.gsub(/\r\n\t \|\r\n\|Aliases:\|Addresses:\|Address:/, ' ').split(' ').each do \|e\|`
			`if Rex::Socket.dotted_ip?(e)`
			`ip << e`
Removes mixin 2023-09-21 13:44:39 +01:00			`end`
			`end`
			`end`

			`if ip.blank?`
			`'Not resolvable'`
			`else`
			`ip.join(', ')`
			`end`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`end`
Add feature #5912 2011-11-10 03:13:57 -06:00
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`def get_domain_computers`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`computer_list = []`
Addresses PR feedback 2023-10-12 10:59:29 +01:00			`divisor = "-------------------------------------------------------------------------------\r\n"`
			`net_view_response = cmd_exec('net view')`
			`unless net_view_response.include?(divisor)`
			`print_error("The net view command failed with: #{net_view_response}")`
			`return []`
			`end`
Add feature #5912 2011-11-10 03:13:57 -06:00
Addresses PR feedback 2023-10-12 10:59:29 +01:00			`raw_list = net_view_response.split(divisor)[1]`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00			`raw_list.sub!(/The command completed successfully\./, '')`
			`raw_list.gsub!(/\\\\/, '')`
			`raw_list.split(' ').each do \|m\|`
			`computer_list << m`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`end`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00
			`computer_list`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`end`
Add feature #5912 2011-11-10 03:13:57 -06:00
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`def list_computers(domain, hosts)`
replace old rex::ui::text::table refs 2016-08-10 13:30:09 -05:00			`tbl = Rex::Text::Table.new(`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00			`'Header' => 'List of identified Hosts.',`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'Indent' => 1,`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`'Columns' =>`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00			`[`
			`'Domain',`
			`'Hostname',`
			`'IPs',`
			`]`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`)`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`hosts.each do \|hostname\|`
Removes mixin 2023-09-21 13:44:39 +01:00			`hostip = resolve_host(hostname)`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`tbl << [domain, hostname, hostip]`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`end`
Makes improvement to enum_computers module 2023-09-20 12:11:21 +01:00
			`print_line("\n#{tbl}\n")`
Add feature #5912 2011-11-10 03:13:57 -06:00
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`report_note(`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`host: session,`
			`type: 'domain.hosts',`
			`data: tbl.to_csv`
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`)`
			`end`
Add feature #5912 2011-11-10 03:13:57 -06:00			`end`