diff --git a/lib/rex/post/meterpreter/extensions/priv/passwd.rb b/lib/rex/post/meterpreter/extensions/priv/passwd.rb
new file mode 100644
index 0000000000..7977833826
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/priv/passwd.rb
@@ -0,0 +1,61 @@
+#!/usr/bin/ruby
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Priv
+
+###
+#
+# This class wraps a SAM hash entry.
+#
+###
+class SamUser
+
+ #
+ # Initializes the class from a hash string like this:
+ #
+ # Administrator:500:aad3b435b51404eeaadfb435b51404ee:31d6cfe0d16de931b73c59d7e0c089c0:::
+ #
+ def initialize(hash_str)
+ self.user_name, self.user_id, self.lanman, self.ntlm = hash_str.split(/:/)
+
+ self.hash_string = hash_str
+ end
+
+ #
+ # Returns the hash string that was supplied to the constructor.
+ #
+ def to_s
+ hash_string
+ end
+
+ #
+ # The raw hash string that was passed to the class constructor.
+ #
+ attr_reader :hash_string
+ #
+ # The username from the SAM database entry.
+ #
+ attr_reader :user_name
+ #
+ # The user's unique identifier from the SAM database.
+ #
+ attr_reader :user_id
+ #
+ # The LM hash.
+ #
+ attr_reader :lanman
+ #
+ # The NTLM hash.
+ #
+ attr_reader :ntlm
+
+protected
+
+ attr_writer :hash_string, :user_name, :user_id, :lanman, :ntlm # :nodoc:
+
+end
+
+end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index 9ad34c3603..351d660018 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -1,6 +1,7 @@
 #!/usr/bin/ruby
 require 'rex/post/meterpreter/extensions/priv/tlv'
+require 'rex/post/meterpreter/extensions/priv/passwd'
 module Rex
 module Post
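Review bot: `initialize` assigns whatever `hash_str.split(/:/)` yields, so a malformed or truncated entry silently leaves `lanman`/`ntlm` (and possibly `user_id`) as nil instead of failing where the line is parsed; the hunk's own example documents four leading fields. A check right after the split, `raise ArgumentError, 'malformed SAM hash entry' unless ntlm`, reports the bad line at construction rather than as a NoMethodError in a caller, and deliberately keeps the entry's contents out of the error text. Separately, `user_id` is left as the String `"500"` rather than an Integer; either convert it with `Integer(...)` or say on its reader comment that it is kept as text so callers do not compare it numerically.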
@@ -39,7 +40,9 @@ class Priv < Extension
 response = client.send_request(
 Packet.create_request('priv_passwd_get_sam_hashes'))
- response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/)
+ response.get_tlv_value(TLV_TYPE_SAM_HASHES).split(/\n/).map { |hash|
+ SamUser.new(hash)
+ }
 end
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb
new file mode 100644
index 0000000000..b5466797ab
--- /dev/null
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb
@@ -0,0 +1,57 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Privilege escalation extension user interface.
+#
+###
+class Console::CommandDispatcher::Priv
+
+ require 'rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd'
+
+ Klass = Console::CommandDispatcher::Priv
+
+ Dispatchers =
+ [
+ Klass::Passwd,
+ ]
+
+ include Console::CommandDispatcher
+
+ #
+ # Initializes an instance of the priv command interaction.
+ #
+ def initialize(shell)
+ super
+
+ Dispatchers.each { |d|
+ shell.enstack_dispatcher(d)
+ }
+ end
+
+ #
+ # List of supported commands.
+ #
+ def commands
+ {
+ }
+ end
+
+ #
+ # Name for this dispatcher
+ #
+ def name
+ "Privilege Escalation"
+ end
+
+end
+
+end
+end
+end
+end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb
new file mode 100644
index 0000000000..34f91b6756
--- /dev/null
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/passwd.rb
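Review bot: The new `map` keeps the replaced line's assumption that `get_tlv_value(TLV_TYPE_SAM_HASHES)` returns a String; if the TLV is absent from the response (presumably the case when the server-side dump does not succeed) `.split(/\n/)` raises NoMethodError instead of a meaningful error, and whether `get_tlv_value` can return nil here is not visible in the hunk. Splitting the call so the value is checked first makes that case explicit: `hashes = response.get_tlv_value(TLV_TYPE_SAM_HASHES)` / `raise 'no SAM hashes in response' unless hashes` / `hashes.split(/\n/).map { |entry| SamUser.new(entry) }`. As a style point the block parameter `hash` shadows `Object#hash`; `entry` or `line` reads better. The enclosing method (presumably `sam_hashes`, the name the console dispatcher calls) begins before the hunk.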
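Review bot: The `require` of the Passwd sub-dispatcher sits inside the class body with no comment on why it is not at the top of the file next to `require 'rex/post/meterpreter'`; the reason looks to be that passwd.rb defines `Console::CommandDispatcher::Priv::Passwd`, which needs `Console::CommandDispatcher::Priv` to exist first, and `Dispatchers` references `Klass::Passwd` a few lines later. A one-line comment protects it from a well-meant cleanup: `# Required here, after the class opens: the Passwd dispatcher is defined under this class's namespace and Dispatchers below refers to it.` The comment above `name` is the only one in the file without a trailing period; `# Name for this dispatcher.` matches the sibling file.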
@@ -0,0 +1,51 @@
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The password database portion of the privilege escalation extension.
+#
+###
+class Console::CommandDispatcher::Priv::Passwd
+
+ Klass = Console::CommandDispatcher::Priv::Passwd
+
+ include Console::CommandDispatcher
+
+ #
+ # List of supported commands.
+ #
+ def commands
+ {
+ "samdump" => "Dumps the contents of the SAM database"
+ }
+ end
+
+ #
+ # Name for this dispatcher.
+ #
+ def name
+ "Priv: Password database"
+ end
+
+ #
+ # Displays the contents of the SAM database
+ #
+ def cmd_samdump(*args)
+ client.priv.sam_hashes.each { |user|
+ print_line("#{user.to_s}")
+ }
+
+ return true
+ end
+
+end
+
+end
+end
+end
+end
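Review bot: `cmd_samdump` declares `*args` but never reads it, and `print_line("#{user.to_s}")` calls `to_s` inside an interpolation that calls it again; `print_line(user.to_s)` is the same output. The trailing `return true` can be plain `true`, and the `Klass` constant is defined but not referenced anywhere in this file. Any error raised by `client.priv.sam_hashes` (for example a failed request) propagates straight out of the command; whether the dispatcher framework rescues that is not visible here, so if it does not, catching it and reporting it through the dispatcher's error output is worth adding. The method comment `# Displays the contents of the SAM database` is also the only one in the file without a trailing period.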