rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

enum_laps -- Rex::Post::Meterpreter::RequestError extapi_adsi_domain_query: Operation failed #5968

Closed nixawk closed 8 years ago

nixawk commented 9 years ago
msf post(enum_laps) > sessions -l

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-XUMIF9WPKIP  192.168.10.108:4444 -> 192.168.10.32:53155 (192.168.10.32)
  6   meterpreter x64/win64  NT AUTHORITY\SYSTEM @ WIN-XUMIF9WPKIP  192.168.10.108:4444 -> 192.168.10.32:53156 (192.168.10.32)
  7   meterpreter x86/win32  PENTEST\debug @ CORELAN-LAB            192.168.10.108:4444 -> 192.168.10.39:2342 (192.168.10.39)
msf post(enum_laps) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo 
Computer        : CORELAN-LAB
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : PENTEST
Logged On Users : 3
Meterpreter     : x86/win32
msf post(enum_laps) > show options 

Module options (post/windows/gather/credentials/enum_laps):

   Name              Current Setting                                Required  Description
   ----              ---------------                                --------  -----------
   DOMAIN            PENTEST.COM                                    no        The domain to query or distinguished name (e.g. DC=test,DC=com)
   FILTER            (&(objectCategory=Computer)(ms-MCS-AdmPwd=*))  yes       Search filter.
   LOCAL_ADMIN_NAME  Administrator                                  yes       The username to store the password against
   MAX_SEARCH        500                                            yes       Maximum values to retrieve, 0 for all.
   SESSION           7                                              yes       The session to run this module on.
   STORE_DB          false                                          yes       Store file in loot.
   STORE_LOOT        true                                           yes       Store file in loot.

msf post(enum_laps) > run

[-] Post failed: Rex::Post::Meterpreter::RequestError extapi_adsi_domain_query: Operation failed: 2147950651
[-] Call stack:
[-]   /opt/metasploit-framework/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb:49:in `domain_query'
[-]   /opt/metasploit-framework/lib/msf/core/post/windows/ldap.rb:126:in `query'
[-]   /opt/metasploit-framework/modules/post/windows/gather/credentials/enum_laps.rb:53:in `run'
nixawk commented 9 years ago

The same issue occurs on enum_ad_computers, and so on.

msf post(enum_ad_computers) > show options 

Module options (post/windows/gather/enum_ad_computers):

   Name        Current Setting                                                                       Required  Description
   ----        ---------------                                                                       --------  -----------
   DOMAIN      PENTEST.COM                                                                           no        The domain to query or distinguished name (e.g. DC=test,DC=com)
   FIELDS      dNSHostName,distinguishedName,description,operatingSystem,operatingSystemServicePack  yes       FIELDS to retrieve.
   FILTER      (&(objectCategory=computer)(operatingSystem=*server*))                                yes       Search filter.
   MAX_SEARCH  500                                                                                   yes       Maximum values to retrieve, 0 for all.
   SESSION     7                                                                                     yes       The session to run this module on.
   STORE_DB    false                                                                                 yes       Store file in DB (performance hit resolving IPs).
   STORE_LOOT  false                                                                                 yes       Store file in loot.

msf post(enum_ad_computers) > run

[-] Post failed: Rex::Post::Meterpreter::RequestError extapi_adsi_domain_query: Operation failed: 2147950651
[-] Call stack:
[-]   /opt/metasploit-framework/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb:49:in `domain_query'
[-]   /opt/metasploit-framework/lib/msf/core/post/windows/ldap.rb:126:in `query'
[-]   /opt/metasploit-framework/modules/post/windows/gather/enum_ad_computers.rb:63:in `run'
[*] Post module execution completed
bcook-r7 commented 9 years ago

I believe this error code maps to ERROR_DS_LOCAL_ERROR, "A local error has occurred.", which is unfortunately not a lot to go on. Could you describe your environment a little more?

nixawk commented 9 years ago

A Windows Domain Controller is installed. Please read the installation tutorial; I've selected "Windows Server 2008" for the forest function level.

meterpreter > sysinfo 
Computer        : WIN-XUMIF9WPKIP
OS              : Windows 2008 (Build 6001, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : PENTEST
Logged On Users : 2
Meterpreter     : x64/win64

Domain Users

C:\Windows\system32>net user /domain
net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            debug                    Guest                    
asm                      ruby                     krbtgt                   
python                   
The command completed with one or more errors.

debug's Computer

meterpreter > sysinfo 
Computer        : CORELAN-LAB
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : PENTEST
Logged On Users : 3
Meterpreter     : x86/win32
bcook-r7 commented 8 years ago

We should reproduce #5950 also so we are sure to have the same environment. This feels related perhaps to how the VMs are setup.

jvazquez-r7 commented 8 years ago

I just did a fast test here, since I just deployed a 2008 domain controller with "Windows Server 2008" for the forest function level. And the enum_ad_computers module is working correctly for me with a session on the DC:

msf exploit(handler) > run

[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 172.16.158.222
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.222:51141) at 2015-09-21 11:22:44 -0500

meterpreter > getuid
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                  Connection
  --  ----                   -----------                  ----------
  1   meterpreter x86/win32  DEMO\juan @ WIN-K87LF45HPDK  172.16.158.1:4444 -> 172.16.158.222:51141 (172.16.158.222)
> use post/windows/gather/enum_ad_computers
msf post(enum_ad_computers) > show options

Module options (post/windows/gather/enum_ad_computers):

   Name        Current Setting                                                                       Required  Description
   ----        ---------------                                                                       --------  -----------
   DOMAIN                                                                                            no        The domain to query or distinguished name (e.g. DC=test,DC=com)
   FIELDS      dNSHostName,distinguishedName,description,operatingSystem,operatingSystemServicePack  yes       FIELDS to retrieve.
   FILTER      (&(objectCategory=computer)(operatingSystem=*server*))                                yes       Search filter.
   MAX_SEARCH  500                                                                                   yes       Maximum values to retrieve, 0 for all.
   SESSION                                                                                           yes       The session to run this module on.
   STORE_DB    false                                                                                 yes       Store file in DB (performance hit resolving IPs).
   STORE_LOOT  false                                                                                 yes       Store file in loot.

msf post(enum_ad_computers) > set DOMAIN DC=demo,DC=local
DOMAIN => DC=demo,DC=local
msf post(enum_ad_computers) > set SESSION 1
SESSION => 1
msf post(enum_ad_computers) > run

Domain Computers
================

 dNSHostName                 distinguishedName                                          description  operatingSystem                  operatingSystemServicePack
 -----------                 -----------------                                          -----------  ---------------                  --------------------------
 WIN-K87LF45HPDK.demo.local  CN=WIN-K87LF45HPDK,OU=Domain Controllers,DC=demo,DC=local               Windows Server 2008 R2 Standard

[*] Post module execution completed

Then I've tried to join an XP client into the domain, and it joined successfully. But when I try to run the module on a session from the client machine, this is what I get:

msf post(enum_ad_computers) > run

[-] Post failed: Rex::Post::Meterpreter::RequestError extapi_adsi_domain_query: Operation failed: 2147950650
[-] Call stack:
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb:49:in `domain_query'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/lib/msf/core/post/windows/ldap.rb:126:in `query'
[-]   /Users/jvazquez/Projects/Code/metasploit-framework/modules/post/windows/gather/enum_ad_computers.rb:63:in `run'
[*] Post module execution completed

And I think it is expected really, since extapi_adsi_domain_query will use ADSI APIs not available on the session host, as far as I can tell. According to the Windows documentation, they are available on Windows Vista and later for Windows clients. For example, ADsOpenObject: https://msdn.microsoft.com/en-us/library/aa772238(v=vs.85).aspx

jvazquez-r7 commented 8 years ago

@all3g do you mind sharing with us whether the modules work with sessions from the DC (which is a Win2008 server if I'm not wrong), or from sessions on a Windows 7 client?

jvazquez-r7 commented 8 years ago

That said, normally modules using the LDAP mixin are handling ::Rex::Post::Meterpreter::RequestError when calling query. But three modules are forgetting to do it: enum_laps, enum_ad_bitlocker and enum_ad_computers.

The PR #5993 fixes these three modules to handle exceptions, so only an error shows up instead of an unhandled exception.
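As an added example, not code from this issue or from metasploit-framework, the Ruby below shows why the "Operation failed: 2147950651" value reads as ERROR_DS_LOCAL_ERROR (it is HRESULT 0x8007203B wrapping Win32 error 8251) and the rescue around the LDAP mixin's query that PR #5993 adds to the three modules. The RequestError class and run_query are hypothetical stand-ins so the snippet runs outside msfconsole; the two error names come from winerror.h (8250 is the code the XP client session reports above).

```ruby
# Stand-in for Rex::Post::Meterpreter::RequestError (hypothetical; defined here
# only so the example runs without the framework loaded).
class RequestError < StandardError
  attr_reader :code
  def initialize(method, code)
    @code = code
    super("#{method}: Operation failed: #{code}")
  end
end

# Constructed subset of winerror.h: the two Directory Service codes in the thread.
WIN32_ERRORS = {
  8250 => 'ERROR_DS_SERVER_DOWN (The server is not operational.)',
  8251 => 'ERROR_DS_LOCAL_ERROR (A local error has occurred.)'
}.freeze

# An HRESULT whose facility is FACILITY_WIN32 (7) carries a Win32 error in its
# low 16 bits: 2147950651 == 0x8007203B, low word 0x203B == 8251.
def decode_hresult(value)
  hr = value & 0xFFFFFFFF
  return nil unless (hr & 0x80000000) != 0 && ((hr >> 16) & 0x7FF) == 7

  code = hr & 0xFFFF
  { hex: format('0x%08X', hr), win32: code,
    name: WIN32_ERRORS.fetch(code, 'unknown Win32 error') }
end

# Pulls the trailing decimal code out of the Meterpreter error message.
def code_from_message(msg)
  m = msg.match(/Operation failed:\s*(\d+)/)
  m && m[1].to_i
end

# Simulates a post module's run() calling the mixin's query. Without the rescue
# the RequestError propagates and msfconsole prints a call stack, as in the
# issue; with it the module reports a readable error instead.
def run_query(query_proc)
  query_proc.call
rescue RequestError => e
  info = decode_hresult(code_from_message(e.message))
  detail = info ? "#{info[:hex]} -> Win32 #{info[:win32]} #{info[:name]}" : e.message
  { error: "Query failed: #{detail}" } # stands in for print_error(...)
end

if __FILE__ == $0
  failing = -> { raise RequestError.new('extapi_adsi_domain_query', 2147950651) }
  puts run_query(failing)[:error]
end
```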