New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Generate CSV Organisational Chart Data From AD #6377

Merged
merged 4 commits into from Apr 7, 2016

Conversation

Projects
None yet
7 participants
@stufus
Contributor

stufus commented Dec 21, 2015

Overview

This PR is for a module which can be used to aid the generation of an organisational chart based on information contained in Active Directory. The module itself uses ADSI to retrieve key information from AD (manager, title, description etc) fields and then present it in a CSV file in the form:

cn,description,title,phone,department,division,e-mail,company,reports_to

The reports_to field is the only one which is generated; everything else is taken directly from AD. The 'manager' field contains the DN of the manager assigned to that user, and this module simply uses a regular expression to obtain the CN field of the manager.

This can then be imported into tools like Microsoft Visio (using the organisational chart wizard) and it will construct a visual org chart from the information there. Although visio supports the ability to generate Org charts if it is on a domain joined machine, but there does not seem to be a way of doing this remotely (e.g. during a red teaming exercise).

This should not be confused with security groups and AD managed groups; this is purely an internal organisational hierarchy representation but could be very useful for situational awareness or in order to construct a more plausible or targeted internal phishing exercise.

Options

Option Value
ACTIVE_USERS_ONLY This will restrict the search for users to those whose accounts are Active. This would have the effect of excluding disabled accounts (e.g. employees who have resigned).
FILTER Any additional LDAP filtering that is required when searching for users.
WITH_MANAGERS_ONLY If this is TRUE, the module will only include users who have a manger set (internally, this is implemented by adding (manager=*) to the ADSI query filter). This could be useful if not everyone has a manager set, but could mean that the top executive is not included either.
STORE_LOOT Store the results in a CSV file in loot. You'll almost certainly want this set to TRUE.

Demo

For the purposes of this contrived example, the module has been configured to generate the CSV reporting information for everyone with 'IT' somewhere in their common name.

msf post(make_csv_orgchart) > show options

Module options (post/windows/gather/make_csv_orgchart):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   ACTIVE_USERS_ONLY   true             yes       Only include active users (i.e. not disabled ones)
   DOMAIN                               no        The domain to query or distinguished name (e.g. DC=test,DC=com)
   FILTER              cn=*IT*          no        Additional LDAP filter to use when searching for users
   MAX_SEARCH          500              yes       Maximum values to retrieve, 0 for all.
   SESSION             2                yes       The session to run this module on.
   STORE_LOOT          true             yes       Store the organisational chart information in CSV format in loot
   WITH_MANAGERS_ONLY  false            no       Only users with managers

msf post(make_csv_orgchart) > run

Users & Managers
================

 cn                                description                title                                phone  department  division  e-mail                     company  reports_to
 --                                -----------                -----                                -----  ----------  --------  ------                     -------  ----------
 IT Manager                                                   Deputy GOAT IT Director                                           it.manager@goat.stu                 IT Director
 IT Director                                                  Director of Goat IT                                               it.director@goat.stu                
 IT Leader: Badger                                            Team Leader of Blue Team Operations                               it.leader.badger@goat.stu           IT Manager
 IT Leader: Otter                                             Team Leader: Offensive Operations                                 it.leader.otter@goat.stu            IT Manager
 Oswold Otter (IT Team)                                       Consultant                                                        oswold.otter@goat.stu               IT Leader: Otter
 Bertie Badger (IT Security Team)  Default pass is badger123  IT Security Team Deputy                                           bertie.badger@goat.stu              IT Leader: Badger

[*] CSV Organisational Chart Information saved to: /usr/home/s/stuart/.msf4/loot/20151221175733_stufusdev_192.0.2.140_ad.orgchart_189769.txt
[*] Post module execution completed

The contents of the CSV file are shown below:

$ cat /usr/home/s/stuart/.msf4/loot/20151221175733_stufusdev_192.0.2.140_ad.orgchart_189769.txt
cn,description,title,phone,department,division,e-mail,company,reports_to
"IT Manager","","Deputy GOAT IT Director","","","","it.manager@goat.stu","","IT Director"
"IT Director","","Director of Goat IT","","","","it.director@goat.stu","",""
"IT Leader: Badger","","Team Leader of Blue Team Operations","","","","it.leader.badger@goat.stu","","IT Manager"
"IT Leader: Otter","","Team Leader: Offensive Operations","","","","it.leader.otter@goat.stu","","IT Manager"
"Oswold Otter (IT Team)","","Consultant","","","","oswold.otter@goat.stu","","IT Leader: Otter"
"Bertie Badger (IT Security Team)","Default pass is badger123","IT Security Team Deputy","","","","bertie.badger@goat.stu","","IT Leader: Badger"

When this was imported into Visio with default options set, it produced the following organisational chart:

screenshot_orgchart

Further Work

This can be extended in a number of ways, including:

  1. Performing the graphical rendering of the organisational chart in ruby to avoid dependencies on 3rd party tools.
  2. Being more intelligent in the retrieval of the CSV information; e.g. deriving the top executive and following the chain to avoid ancillary accounts.
  3. Retrieving more useful fields and exporting in more formats.
@nixawk

This comment has been minimized.

Contributor

nixawk commented Dec 23, 2015

Good.

@vysec

This comment has been minimized.

Contributor

vysec commented Dec 23, 2015

wow nice work!

@stufus

This comment has been minimized.

Contributor

stufus commented Dec 23, 2015

@all3g, @vysec thanks both :)

@bcook-r7 bcook-r7 self-assigned this Mar 6, 2016

@bcook-r7

This comment has been minimized.

Contributor

bcook-r7 commented Apr 6, 2016

This is also a good candidate for converting the PR to generate a module knowledge base.

@bcook-r7 bcook-r7 assigned wchen-r7 and unassigned bcook-r7 Apr 6, 2016

@wchen-r7

This comment has been minimized.

Contributor

wchen-r7 commented Apr 7, 2016

Works for me. I'll port the doc now.

msf post(make_csv_orgchart) > run

Users & Managers
================

 cn                    description                                                                              title  phone  department  division  e-mail              company  reports_to
 --                    -----------                                                                              -----  -----  ----------  --------  ------              -------  ----------
 Administrator         Built-in account for administering the computer/domain                                                                                                    
 IUSR_SINN3R-QIXN9TA2  Built-in account for anonymous access to Internet Information Services                                                                                    
 IWAM_SINN3R-QIXN9TA2  Built-in account for Internet Information Services to start out of process applications                                                                   
 ASPNET                Account used for running the ASP.NET worker process (aspnet_wp.exe)                                                                                       
 sinn3r                                                                                                                                             sinn3r@test.sinn3r           

[*] CSV Organisational Chart Information saved to: /Users/wchen/.msf4/loot/20160407170434_default_192.168.1.109_ad.orgchart_578191.txt
[*] Post module execution completed
msf post(make_csv_orgchart) >
@vysec

This comment has been minimized.

Contributor

vysec commented Apr 7, 2016

Next step, mine internet for photographs to fill the avatar square? :)

wchen-r7 added a commit to wchen-r7/metasploit-framework that referenced this pull request Apr 7, 2016

@wchen-r7 wchen-r7 merged commit 751a070 into rapid7:master Apr 7, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

wchen-r7 added a commit that referenced this pull request Apr 7, 2016

@Meatballs1

This comment has been minimized.

Contributor

Meatballs1 commented Apr 8, 2016

You dont need to mine the internet, AD will store pictures itself. Should pull those down! :D

@Meatballs1

This comment has been minimized.

Contributor

Meatballs1 commented Apr 8, 2016

thumbnailPhoto

@vysec

This comment has been minimized.

Contributor

vysec commented Apr 8, 2016

Sounds too good to be true that.

@stufus

This comment has been minimized.

Contributor

stufus commented Apr 12, 2016

@wchen-r7 Thanks for merging :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment