Path: blob/master/modules/auxiliary/admin/dcerpc/samr_account.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'ruby_smb/dcerpc/client'

# Auxiliary module that adds, looks up and deletes user / machine accounts
# over MS-SAMR, dispatching on the selected action.
#
# Defender notes: the module's own metadata declares IOC_IN_LOGS. On domain
# controllers with account-management auditing enabled, account creation and
# deletion are recorded as Security events 4741 / 4743 (computer account
# created / deleted) and 4720 / 4726 (user account created / deleted).
# Setting ms-DS-MachineAccountQuota to 0 removes the default that lets
# standard users add computer accounts (see 'Description' below).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Exploit::Remote::DCERPC
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::MsSamr::Account
  include Msf::OptionalSession::SMB
  include Msf::Exploit::Deprecated

  # Earlier path of this module; presumably consumed by Msf::Exploit::Deprecated
  # so the old name keeps resolving - confirm against the mixin.
  moved_from 'auxiliary/admin/dcerpc/samr_computer'

  # Declares the module metadata (name, description, authors, references,
  # notes and the four actions) and registers RPORT with a default of 445.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SAMR Account Management',
        'Description' => %q{
          Add, lookup and delete user / machine accounts via MS-SAMR. By default
          standard active directory users can add up to 10 new computers to the
          domain (MachineAccountQuota). Administrative privileges however are required
          to delete the created accounts, or to create/delete user accounts.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'JaGoTu', # @jagotu Original Impacket code
          'Spencer McIntyre',
          'smashery'
        ],
        'References' => [
          ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py'],
          ['ATT&CK', Mitre::Attack::Technique::T1136_002_DOMAIN_ACCOUNT]
        ],
        'Notes' => {
          'Reliability' => [],
          'Stability' => [],
          # Declared by the module itself: running it leaves traces in logs.
          'SideEffects' => [ IOC_IN_LOGS ],
          'AKA' => ['samr_computer', 'samr_user']
        },
        'Actions' => [
          [ 'ADD_COMPUTER', { 'Description' => 'Add a computer account' } ],
          [ 'ADD_USER', { 'Description' => 'Add a user account' } ],
          [ 'DELETE_ACCOUNT', { 'Description' => 'Delete a computer or user account' } ],
          [ 'LOOKUP_ACCOUNT', { 'Description' => 'Lookup a computer or user account' } ]
        ],
        'DefaultAction' => 'ADD_COMPUTER'
      )
    )

    register_options([Opt::RPORT(445)])
  end

  # Entry point: calls the action_* method named after the selected action and
  # translates the SAMR / SMB error classes into fail_with failure reasons.
  #
  # The method name is built from action.name, so dispatch is only as narrow as
  # the set of names `action` can return - presumably the 'Actions' declared in
  # initialize; the framework-side validation is not visible in this file.
  def run
    handler = "action_#{action.name.downcase}"
    send(handler)
  rescue MsSamrConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue MsSamrAuthenticationError => e
    fail_with(Failure::NoAccess, e.message)
  rescue MsSamrNotFoundError => e
    fail_with(Failure::NotFound, e.message)
  rescue MsSamrBadConfigError => e
    fail_with(Failure::BadConfig, e.message)
  rescue MsSamrUnexpectedReplyError => e
    fail_with(Failure::UnexpectedReply, e.message)
  rescue MsSamrUnknownError => e
    fail_with(Failure::Unknown, e.message)
  rescue SmbIpcAuthenticationError => e
    # NOTE(review): an authentication error is reported as Failure::Unknown here,
    # while MsSamrAuthenticationError maps to Failure::NoAccess - confirm intended.
    fail_with(Failure::Unknown, e.message)
  end

  # ADD_USER action: requires ACCOUNT_NAME, then calls add_account(:user, ...)
  # (defined outside this file, presumably in the MsSamr::Account mixin).
  def action_add_user
    if datastore['ACCOUNT_NAME'].blank?
      fail_with(Failure::BadConfig, 'This action requires ACCOUNT_NAME to be specified.')
    end

    print_status('Adding user')
    with_ipc_tree { |tree_opts| add_account(:user, tree_opts) }
  end

  # ADD_COMPUTER action (the default): calls add_account(:computer, ...).
  # Unlike the other actions, ACCOUNT_NAME is not checked here.
  def action_add_computer
    print_status('Adding computer')
    with_ipc_tree { |tree_opts| add_account(:computer, tree_opts) }
  end

  # DELETE_ACCOUNT action: requires ACCOUNT_NAME, then calls delete_account.
  def action_delete_account
    if datastore['ACCOUNT_NAME'].blank?
      fail_with(Failure::BadConfig, 'This action requires ACCOUNT_NAME to be specified.')
    end

    with_ipc_tree { |tree_opts| delete_account(tree_opts) }
  end

  # LOOKUP_ACCOUNT action: requires ACCOUNT_NAME, then calls lookup_account.
  def action_lookup_account
    if datastore['ACCOUNT_NAME'].blank?
      fail_with(Failure::BadConfig, 'This action requires ACCOUNT_NAME to be specified.')
    end

    with_ipc_tree { |tree_opts| lookup_account(tree_opts) }
  end

  # Yields an options hash to the block. When a session is present, its SMB
  # client is reused and the hash carries a tree connected to the peer's IPC$
  # share under :tree; without a session the hash is empty. Any tree opened
  # here is disconnected afterwards, including when the block raises.
  #
  # @yieldparam options [Hash] { tree: <IPC$ tree> } with a session, {} otherwise
  # @return [void]
  def with_ipc_tree
    opts = {}
    if session
      print_status("Using existing session #{session.sid}")
      self.simple = session.simple_client
      ipc_share = "\\\\#{session.client.dispatcher.tcp_socket.peerhost}\\IPC$"
      opts[:tree] = simple.client.tree_connect(ipc_share)
    end

    yield opts
  ensure
    ipc_tree = opts[:tree]
    ipc_tree.disconnect! if ipc_tree
  end
end