modules/post/windows/gather/enum_onedrive.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Registry
  include Msf::Post::Windows::UserProfiles

  SYNC_ENGINES_KEYS = ['LibraryType', 'LastModifiedTime', 'MountPoint', 'UrlNamespace'].freeze
  ONEDRIVE_ACCOUNT_KEYS = ['Business', 'ServiceEndpointUri', 'SPOResourceId', 'UserEmail', 'UserFolder', 'UserName'].freeze
  PERSONAL_ONEDRIVE_KEYS = ['UserEmail', 'UserFolder'].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OneDrive Sync Provider Enumeration Module',
        'Description' => %q{
          This module will identify the Office 365 OneDrive endpoints for both business and personal accounts
          across all users (providing access is permitted). It is useful for identifying document libraries
          that may otherwise not be obvious which could contain sensitive or useful information.
        },
        'License' => MSF_LICENSE,
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Author' => ['Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )
  end

  def display_report(sid, info, sync_used, sync_all, results_table)
    info.each do |key, result|
      next if result['ScopeIdToMountPointPathCache'].nil? || result['ScopeIdToMountPointPathCache'].empty?

      row = []
      print_line
      print_line "  #{key}"
      print_line "  #{'=' * key.length}"
      print_line
      row << sid
      row << key
      ONEDRIVE_ACCOUNT_KEYS.each do |col|
        row << result[col].to_s
        if result['Business'] == '1' || PERSONAL_ONEDRIVE_KEYS.include?(col)
          print_line "    #{col}: #{result[col]}"
        end
      end
      result['ScopeIdToMountPointPathCache'].each do |scopes|
        subrow = row.clone
        print_line
        SYNC_ENGINES_KEYS.each do |sync|
          subrow << scopes[sync].to_s
          print_line "    | #{sync}: #{scopes[sync]}"
        end
        results_table << subrow
      end
    end

    sync_all_list = []
    sync_all.each do |key, _result|
      sync_all_list.push(key)
    end

    diff = sync_all_list - sync_used
    if !(diff.nil? || diff.empty?)
      print_line
      print_line '  ORPHANED'
      print_line '  ========'
      diff.each do |scopeid|
        csvrow = []
        print_line
        # Augment the CSV
        csvrow << sid
        csvrow << ''
        ONEDRIVE_ACCOUNT_KEYS.each do |_od|
          csvrow << ''
        end
        SYNC_ENGINES_KEYS.each do |sync|
          csvrow << sync_all[scopeid][sync]
          print_line "  #{sync}: #{sync_all[scopeid][sync]}"
        end
        results_table << csvrow
      end
    end
  end

  def get_syncengine_data(master, syncengines)
    all_syncengines = {}
    syncengines.each do |sync_provider| # Sync provider names are normally Personal for personal accounts
      # or a hash value that is unique to each business account.
      tmp_sync_provider_info = {}
      SYNC_ENGINES_KEYS.each do |key|
        tmp_sync_provider_info[key] = registry_getvaldata("#{master}\\#{sync_provider}", key).to_s
      end
      all_syncengines[sync_provider] = tmp_sync_provider_info
    end
    all_syncengines
  end

  def get_onedrive_accounts(reg, accounts, syncdata)
    all_oda = {}
    synctargets_used = []
    ret = {}
    reg.each do |ses|
      newses = {}
      scopeids = registry_enumvals("#{accounts}\\#{ses}\\ScopeIdToMountPointPathCache")
      next if scopeids.nil? || scopeids.empty?

      ONEDRIVE_ACCOUNT_KEYS.each do |key|
        newses[key] = registry_getvaldata("#{accounts}\\#{ses}", key).to_s
      end

      newses['ScopeIdToMountPointPathCache'] = []
      scopeids.each do |sid|
        target = syncdata[sid]
        if newses['Business'] != '1'
          target = syncdata['Personal']
          synctargets_used.push('Personal')
        else
          synctargets_used.push(sid)
        end
        newses['ScopeIdToMountPointPathCache'].push(target)
      end
      all_oda[ses] = newses
    end
    ret['oda'] = all_oda
    ret['synctargets_used'] = synctargets_used
    ret
  end

  def run
    # Obtain all user hives
    userhives = load_missing_hives
    got_results = false

    # Prepare the results table
    results_table = Rex::Text::Table.new(
      'Header' => 'OneDrive Sync Information',
      'Indent' => 1,
      'SortIndex' => -1,
      'Columns' => ['SID', 'Name'] + ONEDRIVE_ACCOUNT_KEYS + SYNC_ENGINES_KEYS
    )

    if userhives.nil? || userhives.empty?
      fail_with(Failure::UnexpectedReply, 'Unable to load the missing hives needed to enumerate the target!')
    end
    # Loop through each of the hives
    userhives.each do |hive|
      next if hive['HKU'].nil?

      print_status("Looking for OneDrive sync information for #{hive['SID']}")
      master_key = "#{hive['HKU']}\\Software\\SyncEngines\\Providers\\OneDrive"
      saved_syncengines = registry_enumkeys(master_key)
      if saved_syncengines.nil? || saved_syncengines.empty?
        print_error("(#{hive['HKU']}) No OneDrive accounts found.")
        next
      end

      # Obtain the sync endpoints from the above subkey
      all_syncengines = get_syncengine_data(master_key, saved_syncengines)

      str_onedrive_accounts = "#{hive['HKU']}\\Software\\Microsoft\\OneDrive\\Accounts"
      reg_onedrive_accounts = registry_enumkeys(str_onedrive_accounts)
      if reg_onedrive_accounts.nil? || reg_onedrive_accounts.empty?
        print_error("(#{hive['HKU']}) No OneDrive accounts found.")
        next
      end

      result = get_onedrive_accounts(reg_onedrive_accounts, str_onedrive_accounts, all_syncengines)

      if result['oda'].nil? || result['oda'].empty?
        print_error("(#{hive['HKU']}) No OneDrive accounts found.")
        next
      end

      got_results = true
      print_good("OneDrive sync information for #{hive['SID']}")
      display_report(hive['SID'], result['oda'], result['synctargets_used'], all_syncengines, results_table)
    end

    print_line

    if got_results
      stored_path = store_loot('onedrive.syncinformation', 'text/csv', session, results_table.to_csv, 'onedrive_syncinformation.csv', 'OneDrive sync endpoints')
      print_good("OneDrive sync information saved to #{stored_path} in CSV format.")
    end

    # Clean up
    unload_our_hives(userhives)
  end
end
Using my putty module as a template 2021-01-07 17:42:28 +00:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Post`
			`include Msf::Post::Windows::Priv`
			`include Msf::Post::Common`
			`include Msf::Post::File`
			`include Msf::Post::Windows::Registry`
Obtain the initial endpoint mapping 2021-01-07 18:19:53 +00:00			`include Msf::Post::Windows::UserProfiles`
Using my putty module as a template 2021-01-07 17:42:28 +00:00
rubocop 2021-01-07 21:02:04 +00:00			`SYNC_ENGINES_KEYS = ['LibraryType', 'LastModifiedTime', 'MountPoint', 'UrlNamespace'].freeze`
			`ONEDRIVE_ACCOUNT_KEYS = ['Business', 'ServiceEndpointUri', 'SPOResourceId', 'UserEmail', 'UserFolder', 'UserName'].freeze`
			`PERSONAL_ONEDRIVE_KEYS = ['UserEmail', 'UserFolder'].freeze`
Using my putty module as a template 2021-01-07 17:42:28 +00:00
			`def initialize(info = {})`
rubocop 2021-01-07 21:02:04 +00:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'OneDrive Sync Provider Enumeration Module',`
			`'Description' => %q{`
			`This module will identify the Office 365 OneDrive endpoints for both business and personal accounts`
			`across all users (providing access is permitted). It is useful for identifying document libraries`
			`that may otherwise not be obvious which could contain sensitive or useful information.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Platform' => ['win'],`
			`'SessionTypes' => ['meterpreter'],`
Add missing module notes for stability reliability and side effects 2023-02-03 18:12:53 +00:00			`'Author' => ['Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>'],`
			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'SideEffects' => [IOC_IN_LOGS],`
			`'Reliability' => []`
			`}`
rubocop 2021-01-07 21:02:04 +00:00			`)`
			`)`
Using my putty module as a template 2021-01-07 17:42:28 +00:00			`end`

Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`def display_report(sid, info, sync_used, sync_all, results_table)`
Tidied up, presenting results 2021-01-07 19:24:56 +00:00			`info.each do \|key, result\|`
rubocop 2021-01-07 21:02:04 +00:00			`next if result['ScopeIdToMountPointPathCache'].nil? \|\| result['ScopeIdToMountPointPathCache'].empty?`

Tidied up business/personal discriminator 2021-01-07 19:34:11 +00:00			`row = []`
fixed bug with multiple teamsites & improved formatting 2021-01-07 20:32:53 +00:00			`print_line`
Tidied up, presenting results 2021-01-07 19:24:56 +00:00			`print_line " #{key}"`
rubocop 2021-01-07 21:02:04 +00:00			`print_line " #{'=' * key.length}"`
Tidied up, presenting results 2021-01-07 19:24:56 +00:00			`print_line`
save results into csv loot 2021-01-07 20:00:42 +00:00			`row << sid`
			`row << key`
Tidied up business/personal discriminator 2021-01-07 19:34:11 +00:00			`ONEDRIVE_ACCOUNT_KEYS.each do \|col\|`
save results into csv loot 2021-01-07 20:00:42 +00:00			`row << result[col].to_s`
rubocop 2021-01-07 21:02:04 +00:00			`if result['Business'] == '1' \|\| PERSONAL_ONEDRIVE_KEYS.include?(col)`
			`print_line " #{col}: #{result[col]}"`
Tidied up business/personal discriminator 2021-01-07 19:34:11 +00:00			`end`
Tidied up, presenting results 2021-01-07 19:24:56 +00:00			`end`
rubocop 2021-01-07 21:02:04 +00:00			`result['ScopeIdToMountPointPathCache'].each do \|scopes\|`
save results into csv loot 2021-01-07 20:00:42 +00:00			`subrow = row.clone`
Tidied up, presenting results 2021-01-07 19:24:56 +00:00			`print_line`
			`SYNC_ENGINES_KEYS.each do \|sync\|`
save results into csv loot 2021-01-07 20:00:42 +00:00			`subrow << scopes[sync].to_s`
rubocop 2021-01-07 21:02:04 +00:00			`print_line " \| #{sync}: #{scopes[sync]}"`
Tidied up, presenting results 2021-01-07 19:24:56 +00:00			`end`
save results into csv loot 2021-01-07 20:00:42 +00:00			`results_table << subrow`
Using my putty module as a template 2021-01-07 17:42:28 +00:00			`end`
			`end`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00
			`sync_all_list = []`
rubocop 2021-01-08 14:32:18 +00:00			`sync_all.each do \|key, _result\|`
			`sync_all_list.push(key)`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`end`

			`diff = sync_all_list - sync_used`
rubocop 2021-01-08 14:32:18 +00:00			`if !(diff.nil? \|\| diff.empty?)`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`print_line`
rubocop 2021-01-08 14:32:18 +00:00			`print_line ' ORPHANED'`
			`print_line ' ========'`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`diff.each do \|scopeid\|`
			`csvrow = []`
			`print_line`
			`# Augment the CSV`
			`csvrow << sid`
rubocop 2021-01-08 14:32:18 +00:00			`csvrow << ''`
			`ONEDRIVE_ACCOUNT_KEYS.each do \|_od\|`
			`csvrow << ''`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`end`
			`SYNC_ENGINES_KEYS.each do \|sync\|`
			`csvrow << sync_all[scopeid][sync]`
			`print_line " #{sync}: #{sync_all[scopeid][sync]}"`
			`end`
			`results_table << csvrow`
			`end`
			`end`
Using my putty module as a template 2021-01-07 17:42:28 +00:00			`end`

rubocop 2021-01-07 21:02:04 +00:00			`def get_syncengine_data(master, syncengines)`
Obtain the initial endpoint mapping 2021-01-07 18:19:53 +00:00			`all_syncengines = {}`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`syncengines.each do \|sync_provider\| # Sync provider names are normally Personal for personal accounts`
Run rubocop 2021-01-28 15:56:48 +00:00			`# or a hash value that is unique to each business account.`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`tmp_sync_provider_info = {}`
Obtain the initial endpoint mapping 2021-01-07 18:19:53 +00:00			`SYNC_ENGINES_KEYS.each do \|key\|`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`tmp_sync_provider_info[key] = registry_getvaldata("#{master}\\#{sync_provider}", key).to_s`
Obtain the initial endpoint mapping 2021-01-07 18:19:53 +00:00			`end`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`all_syncengines[sync_provider] = tmp_sync_provider_info`
Obtain the initial endpoint mapping 2021-01-07 18:19:53 +00:00			`end`
			`all_syncengines`
			`end`

rubocop 2021-01-07 21:02:04 +00:00			`def get_onedrive_accounts(reg, accounts, syncdata)`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`all_oda = {}`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`synctargets_used = []`
			`ret = {}`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`reg.each do \|ses\|`
			`newses = {}`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`scopeids = registry_enumvals("#{accounts}\\#{ses}\\ScopeIdToMountPointPathCache")`
			`next if scopeids.nil? \|\| scopeids.empty?`

Obtains information correctly 2021-01-07 18:54:30 +00:00			`ONEDRIVE_ACCOUNT_KEYS.each do \|key\|`
			`newses[key] = registry_getvaldata("#{accounts}\\#{ses}", key).to_s`
fixed bug with multiple teamsites & improved formatting 2021-01-07 20:32:53 +00:00			`end`
rubocop 2021-01-07 21:02:04 +00:00
			`newses['ScopeIdToMountPointPathCache'] = []`
fixed bug with multiple teamsites & improved formatting 2021-01-07 20:32:53 +00:00			`scopeids.each do \|sid\|`
			`target = syncdata[sid]`
rubocop 2021-01-07 21:02:04 +00:00			`if newses['Business'] != '1'`
			`target = syncdata['Personal']`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`synctargets_used.push('Personal')`
			`else`
			`synctargets_used.push(sid)`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`end`
rubocop 2021-01-07 21:02:04 +00:00			`newses['ScopeIdToMountPointPathCache'].push(target)`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`end`
			`all_oda[ses] = newses`
			`end`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`ret['oda'] = all_oda`
			`ret['synctargets_used'] = synctargets_used`
			`ret`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`end`

Using my putty module as a template 2021-01-07 17:42:28 +00:00			`def run`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`# Obtain all user hives`
rubocop 2021-01-07 21:02:04 +00:00			`userhives = load_missing_hives`
Add in documentation updates and improve some areas of the module to remove false statements and clean up output and code styling 2021-01-29 10:17:48 -06:00			`got_results = false`
Obtains information correctly 2021-01-07 18:54:30 +00:00
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`# Prepare the results table`
			`results_table = Rex::Text::Table.new(`
			`'Header' => 'OneDrive Sync Information',`
			`'Indent' => 1,`
			`'SortIndex' => -1,`
			`'Columns' => ['SID', 'Name'] + ONEDRIVE_ACCOUNT_KEYS + SYNC_ENGINES_KEYS`
			`)`

Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`if userhives.nil? \|\| userhives.empty?`
Run rubocop 2021-01-28 15:56:48 +00:00			`fail_with(Failure::UnexpectedReply, 'Unable to load the missing hives needed to enumerate the target!')`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`end`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`# Loop through each of the hives`
			`userhives.each do \|hive\|`
rubocop 2021-01-07 21:02:04 +00:00			`next if hive['HKU'].nil?`
Tidied up, presenting results 2021-01-07 19:24:56 +00:00
			`print_status("Looking for OneDrive sync information for #{hive['SID']}")`
Obtains information correctly 2021-01-07 18:54:30 +00:00			`master_key = "#{hive['HKU']}\\Software\\SyncEngines\\Providers\\OneDrive"`
			`saved_syncengines = registry_enumkeys(master_key)`
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00			`if saved_syncengines.nil? \|\| saved_syncengines.empty?`
Add in documentation updates and improve some areas of the module to remove false statements and clean up output and code styling 2021-01-29 10:17:48 -06:00			`print_error("(#{hive['HKU']}) No OneDrive accounts found.")`
Run rubocop 2021-01-28 15:56:48 +00:00			`next`
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00			`end`
Run rubocop 2021-01-28 15:56:48 +00:00
Obtains information correctly 2021-01-07 18:54:30 +00:00			`# Obtain the sync endpoints from the above subkey`
			`all_syncengines = get_syncengine_data(master_key, saved_syncengines)`

			`str_onedrive_accounts = "#{hive['HKU']}\\Software\\Microsoft\\OneDrive\\Accounts"`
			`reg_onedrive_accounts = registry_enumkeys(str_onedrive_accounts)`
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00			`if reg_onedrive_accounts.nil? \|\| reg_onedrive_accounts.empty?`
Add in documentation updates and improve some areas of the module to remove false statements and clean up output and code styling 2021-01-29 10:17:48 -06:00			`print_error("(#{hive['HKU']}) No OneDrive accounts found.")`
Run rubocop 2021-01-28 15:56:48 +00:00			`next`
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00			`end`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`result = get_onedrive_accounts(reg_onedrive_accounts, str_onedrive_accounts, all_syncengines)`
Obtains information correctly 2021-01-07 18:54:30 +00:00
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00			`if result['oda'].nil? \|\| result['oda'].empty?`
Add in documentation updates and improve some areas of the module to remove false statements and clean up output and code styling 2021-01-29 10:17:48 -06:00			`print_error("(#{hive['HKU']}) No OneDrive accounts found.")`
Run rubocop 2021-01-28 15:56:48 +00:00			`next`
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00			`end`
fixed bug with multiple teamsites & improved formatting 2021-01-07 20:32:53 +00:00
Add in documentation updates and improve some areas of the module to remove false statements and clean up output and code styling 2021-01-29 10:17:48 -06:00			`got_results = true`
Add in first round of fixes for review comments 2021-01-27 16:54:24 -06:00			`print_good("OneDrive sync information for #{hive['SID']}")`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`display_report(hive['SID'], result['oda'], result['synctargets_used'], all_syncengines, results_table)`
Using my putty module as a template 2021-01-07 17:42:28 +00:00			`end`
Obtains information correctly 2021-01-07 18:54:30 +00:00
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00			`print_line`
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00
Add in documentation updates and improve some areas of the module to remove false statements and clean up output and code styling 2021-01-29 10:17:48 -06:00			`if got_results`
Added more verbose account checks as per gwilcox's request 2021-01-28 15:54:06 +00:00			`stored_path = store_loot('onedrive.syncinformation', 'text/csv', session, results_table.to_csv, 'onedrive_syncinformation.csv', 'OneDrive sync endpoints')`
			`print_good("OneDrive sync information saved to #{stored_path} in CSV format.")`
			`end`
Added checks for orphaned accounts and fixed a bug around CSV generation 2021-01-08 14:31:31 +00:00
Obtains information correctly 2021-01-07 18:54:30 +00:00			`# Clean up`
			`unload_our_hives(userhives)`
Using my putty module as a template 2021-01-07 17:42:28 +00:00			`end`
			`end`