##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Post
  include Msf::Post::Windows::Priv
  include Msf::Auxiliary::Scanner

  # Module metadata. Every key and value is registered exactly as upstream;
  # the Scanner mixin supplies the RHOSTS handling that drives run_host.
  def initialize(info={})
    super(
      'Name' => 'Windows Local Admin Search',
      'Description' => %q{
        This module will identify systems in a given range that the
        supplied domain user (should migrate into a user pid) has administrative
        access to by using the windows api OpenSCManagerA to establishing a handle
        to the remote host.
      },
      'License' => MSF_LICENSE,
      'Version' => '$Revision: 14767 $',
      'Author' => [
        'Brandon McCann "zeknox" <bmccann [at] accuvant.com>',
        'Royce Davis "r3dy" <rdavis [at] accuvant.com>',
        'Thomas McCarthy "smilingracoon" <esmilingraccoon [at] gmail.com>'
      ],
      'Platform' => [ 'windows'],
      'SessionTypes' => [ 'meterpreter' ]
    )
  end

  # Entry point. A SYSTEM token carries no network credentials, so every
  # remote check would fail; refuse in that case and otherwise hand off to
  # the Scanner mixin, which invokes run_host once per target.
  def run()
    return super unless is_system?

    print_error "Running as SYSTEM, module should be run with USER level rights"
    nil
  end

  # Scanner callback: one target address per call.
  def run_host(ip)
    connect(ip)
  end

  # Probe a single host by requesting a Service Control Manager handle with
  # SC_MANAGER_ALL_ACCESS (0xF003F) via railgun. The module treats a non-zero
  # handle as proof of local admin rights for the session's current user.
  #
  # Defender note: each probe is a remote SCM bind, which the target typically
  # records as a network logon (and an SCM access event where that auditing is
  # enabled); a burst of these from one workstation is a useful detection signal.
  def connect(host)
    current_user = client.sys.config.getuid
    advapi = client.railgun.advapi32
    result = advapi.OpenSCManagerA("\\\\#{host}", nil, 0xF003F) # SC_MANAGER_ALL_ACCESS
    handle = result["return"]
    label = "#{host.ljust(16)} #{current_user}"

    if handle == 0
      # handle of zero: the open was refused
      print_error("#{label} - No Local Admin rights")
    else
      print_good("#{label} - Local admin found")
      # release the remote handle before recording the finding
      advapi.CloseServiceHandle(handle)
      db_note(host, current_user)
    end
  end

  # Persist the finding as loot when a database is connected; no-op otherwise.
  def db_note(host, user)
    return unless db

    store_loot(
      "#{user}.localadmin", 'text/plain', session, "#{host}:#{user}",
      'hosts_localadmin.txt', 'Local Admin on Hosts'
    )
  end
end