2011-10-03 21:05:54 +00:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-10-03 21:05:54 +00:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Post
|
2022-08-29 15:42:31 +10:00
|
|
|
include Msf::Post::Windows::Accounts
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2020-03-20 14:15:18 +08:00
|
|
|
def initialize(info = {})
|
2021-09-10 12:53:39 +01:00
|
|
|
super(
|
|
|
|
|
update_info(
|
|
|
|
|
info,
|
2022-08-29 15:42:31 +10:00
|
|
|
'Name' => 'Windows Gather Enumerate Domain',
|
2021-09-10 12:53:39 +01:00
|
|
|
'Description' => %q{
|
2022-08-29 15:42:31 +10:00
|
|
|
This module identifies the primary Active Directory domain name
|
|
|
|
|
and domain controller.
|
2021-09-10 12:53:39 +01:00
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Platform' => ['win'],
|
2022-08-29 15:42:31 +10:00
|
|
|
'SessionTypes' => %w[meterpreter shell powershell],
|
2021-10-06 13:43:31 +01:00
|
|
|
'Author' => ['Joshua Abraham <jabra[at]rapid7.com>'],
|
2022-08-29 15:42:31 +10:00
|
|
|
'Notes' => {
|
|
|
|
|
'Stability' => [CRASH_SAFE],
|
|
|
|
|
'Reliability' => [],
|
|
|
|
|
'SideEffects' => []
|
|
|
|
|
},
|
2021-10-06 13:43:31 +01:00
|
|
|
'Compat' => {
|
|
|
|
|
'Meterpreter' => {
|
|
|
|
|
'Commands' => %w[
|
|
|
|
|
stdapi_net_resolve_host
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-09-10 12:53:39 +01:00
|
|
|
)
|
|
|
|
|
)
|
2011-10-12 23:15:07 +00:00
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
|
2022-08-29 15:42:31 +10:00
|
|
|
def resolve_host(host)
|
|
|
|
|
return host if Rex::Socket.dotted_ip?(host)
|
|
|
|
|
|
|
|
|
|
return unless client.respond_to?(:net)
|
|
|
|
|
|
|
|
|
|
vprint_status("Resolving host #{host}")
|
|
|
|
|
|
|
|
|
|
result = client.net.resolve.resolve_host(host)
|
2011-10-12 23:15:07 +00:00
|
|
|
|
2022-08-29 15:42:31 +10:00
|
|
|
return if result[:ip].blank?
|
|
|
|
|
|
|
|
|
|
result[:ip]
|
2011-10-03 21:05:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
2022-08-29 15:42:31 +10:00
|
|
|
domain = get_domain_name
|
|
|
|
|
|
2022-09-08 13:35:22 -05:00
|
|
|
fail_with(Failure::Unknown, 'Could not retrieve domain name. Is the host part of a domain?') unless domain && !domain.empty?
|
2022-08-29 15:42:31 +10:00
|
|
|
|
|
|
|
|
print_good("Domain FQDN: #{domain}")
|
|
|
|
|
|
|
|
|
|
report_note(
|
|
|
|
|
host: session,
|
|
|
|
|
type: 'windows.domain',
|
|
|
|
|
data: { domain: domain },
|
|
|
|
|
update: :unique_data
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
netbios_domain_name = domain.split('.').first.upcase
|
|
|
|
|
|
|
|
|
|
print_good("Domain NetBIOS Name: #{netbios_domain_name}")
|
|
|
|
|
|
|
|
|
|
domain_controller = get_primary_domain_controller
|
|
|
|
|
|
2022-09-08 13:35:22 -05:00
|
|
|
fail_with(Failure::Unknown, 'Could not retrieve domain controller name') unless domain_controller && !domain_controller.empty?
|
2022-08-29 15:42:31 +10:00
|
|
|
|
|
|
|
|
dc_ip = resolve_host(domain_controller)
|
|
|
|
|
if dc_ip.nil?
|
|
|
|
|
print_good("Domain Controller: #{domain_controller}")
|
|
|
|
|
else
|
|
|
|
|
print_good("Domain Controller: #{domain_controller} (IP: #{dc_ip})")
|
|
|
|
|
report_host({
|
|
|
|
|
host: dc_ip,
|
|
|
|
|
name: domain_controller,
|
|
|
|
|
info: "Domain controller for #{domain}"
|
|
|
|
|
})
|
2011-10-12 23:15:07 +00:00
|
|
|
end
|
2011-10-03 21:05:54 +00:00
|
|
|
end
|
|
|
|
|
end
|
