Module: Msf::Exploit::Remote::MsLsad

Includes:
SMB::Client::Ipc
Defined in:
lib/msf/core/exploit/remote/ms_lsad.rb

Defined Under Namespace

Classes: MsLsadAuthenticationError, MsLsadConnectionError, MsLsadError, MsLsadUnexpectedReplyError

Constant Summary

LSA_UUID =
'12345778-1234-abcd-ef00-0123456789ab'.freeze
LSA_VERS =
'0.0'.freeze
LSARPC_ENDPOINT =
RubySMB::Dcerpc::Lsarpc.freeze

Constants included from SMB::Client

SMB::Client::CONST, SMB::Client::DCERPCClient, SMB::Client::DCERPCPacket, SMB::Client::DCERPCResponse, SMB::Client::DCERPCUUID, SMB::Client::NDR, SMB::Client::SIMPLE, SMB::Client::XCEPT

Instance Attribute Summary

Attributes included from SMB::Client

#simple

Attributes included from Tcp

#sock

Class Method Summary

Instance Method Summary

Methods included from SMB::Client::Ipc

connect_ipc, disconnect_ipc

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from SMB::Client::Authenticated

#initialize

Methods included from Kerberos::ServiceAuthenticator::Options

#kerberos_auth_options

Methods included from Kerberos::Ticket::Storage

#initialize, #kerberos_storage_options, #kerberos_ticket_storage, store_ccache

Methods included from SMB::Client

#connect, #domain, #domain_username_split, #initialize, #smb_create, #smb_direct, #smb_enumprinters, #smb_enumprintproviders, #smb_file_exist?, #smb_file_rm, #smb_fingerprint, #smb_fingerprint_windows_lang, #smb_fingerprint_windows_sp, #smb_hostname, #smb_lanman_netshareenumall, #smb_login, #smb_lookup_share_type, #smb_netshareenumall, #smb_netsharegetinfo, #smb_open, #smb_peer_lm, #smb_peer_os, #smb_srvsvc_netshareenumall, #smb_srvsvc_netsharegetinfo, #smbhost, #splitname, #unicode

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #initialize, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Attribute Details

#lsarpc_pipe ⇒ Object (readonly)

The currently connected LSARPC pipe



# File 'lib/msf/core/exploit/remote/ms_lsad.rb', line 23

# The currently connected LSARPC pipe.
#
# Populated by connect_lsarpc through the lsarpc_pipe= writer; nil until a
# pipe has been opened and bound. Every other helper in this mixin
# (open_policy2, query_information_policy, close_policy, disconnect_lsarpc)
# operates on this value.
#
# @return [Object, nil] the pipe opened on the remote IPC tree (concrete
#   RubySMB type not visible here), or nil when not connected
def lsarpc_pipe
  @lsarpc_pipe
end

Class Method Details

.connect_lsarpc(tree) ⇒ Object



# File 'lib/msf/core/exploit/remote/ms_lsad.rb', line 88

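# Opens the \lsarpc named pipe on the given SMB tree and binds it to the
# LSARPC DCERPC endpoint. The bound pipe is stored via lsarpc_pipe= so the
# other helpers in this mixin can use it.
#
# @param tree [Object] an SMB tree (the IPC$ share) that responds to #open_file
# @return [Object] the bound lsarpc pipe (same value as lsarpc_pipe afterwards)
# @raise [MsLsadConnectionError] if the pipe could not be opened
# @raise [MsLsadUnexpectedReplyError] if the open or bind is answered with a
#   DCERPC fault; the original fault is written to the framework log first
def connect_lsarpc(tree)
  vprint_status('Connecting to Local Security Authority (LSA) Remote Protocol')
  self.lsarpc_pipe = tree.open_file(filename: 'lsarpc', write: true, read: true)

  # NOTE(review): this check assumes open_file returns nil rather than raising
  # when the pipe is unavailable -- confirm against the RubySMB tree API.
  raise MsLsadConnectionError, 'Could not open lsarpc pipe on remote SMB server.' unless lsarpc_pipe

  vprint_status('Binding to \\lsarpc...')
  lsarpc_pipe.bind(endpoint: LSARPC_ENDPOINT)
  vprint_good('Bound to \\lsarpc')

  lsarpc_pipe
rescue RubySMB::Dcerpc::Error::FaultError => e
  # Keep the full fault in the log; the caller only gets the status name.
  elog(e.message, error: e)
  raise MsLsadUnexpectedReplyError, "Connection failed (DCERPC fault: #{e.status_name})"
end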

Instance Method Details

#close_policy(policy_handle) ⇒ Object



# File 'lib/msf/core/exploit/remote/ms_lsad.rb', line 72

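# Closes an LSA policy handle via LsarCloseHandle.
#
# A no-op (returns nil) when no pipe is connected or no handle was given, so
# cleanup paths can call it unconditionally.
#
# @param policy_handle [Object, nil] handle to close, typically taken from the
#   open_policy2 response
# @return [Object, nil] the lsar_close_handle response, or nil when skipped
def close_policy(policy_handle)
  return unless lsarpc_pipe && policy_handle

  lsarpc_pipe.lsar_close_handle(policy_handle: policy_handle)
end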

#disconnect_lsarpc ⇒ Object



# File 'lib/msf/core/exploit/remote/ms_lsad.rb', line 78

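# Closes the lsarpc pipe if one is currently connected.
#
# SMB status and transport errors raised while closing are logged with wlog
# and swallowed: the pipe is being torn down anyway, so a failed close must
# not mask whatever the caller was doing. The lsarpc_pipe reference itself is
# left in place.
#
# @return [Object, nil] the result of the pipe's #close, nil when nothing was
#   connected, or the wlog result when the close raised
def disconnect_lsarpc
  lsarpc_pipe.close if lsarpc_pipe&.is_connected?
rescue RubySMB::Error::UnexpectedStatusCode, RubySMB::Error::CommunicationError => e
  # Best-effort cleanup: record the failure, do not propagate it.
  wlog e
end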

#map_security_principal_to_string(security_principal) ⇒ Object



# File 'lib/msf/core/exploit/remote/ms_lsad.rb', line 25

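# Maps a numeric security-principal type (the SID_NAME_USE values returned by
# LSA lookup calls) to a human-readable name.
#
# @param security_principal [Integer] the numeric SID_NAME_USE value
# @return [String] the principal type name, or a fallback string for values
#   outside the known range
def map_security_principal_to_string(security_principal)
  case security_principal
  when 1 then 'User'
  when 2 then 'Group'
  when 3 then 'Domain'
  when 4 then 'Alias'
  when 5 then 'Well-Known Group'
  when 6 then 'Deleted Account'
  when 7 then 'Invalid'
  when 8 then 'Unknown'
  # Was the string '9', which an Integer argument never matched, so computer
  # accounts fell through to the fallback.
  when 9 then 'Computer'
  when 10 then 'Label'
  else 'Unknown - Not a valid Security Principal'
  end
end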

#open_policy2(impersonation_level, security_context_tracking_mode, access_mask) ⇒ Object



# File 'lib/msf/core/exploit/remote/ms_lsad.rb', line 52

# Opens an LSA policy object on the peer host via LsarOpenPolicy2.
#
# The system name is taken from the connected SMB session's peer host; the
# quality-of-service values are passed through to the request unchanged.
#
# @param impersonation_level [Integer] impersonation level for the request's
#   security_quality_of_service
# @param security_context_tracking_mode [Integer] context tracking mode for
#   the request's security_quality_of_service
# @param access_mask [Integer] access mask requested on the policy object
# @return [Object] the lsar_open_policy2 response
def open_policy2(impersonation_level, security_context_tracking_mode, access_mask)
  quality_of_service = {
    impersonation_level: impersonation_level,
    security_context_tracking_mode: security_context_tracking_mode
  }
  attributes = { security_quality_of_service: quality_of_service }

  lsarpc_pipe.lsar_open_policy2(
    system_name: simple.peerhost,
    object_attributes: attributes,
    access_mask: access_mask
  )
end

#query_information_policy(policy_handle, information_class) ⇒ Object



# File 'lib/msf/core/exploit/remote/ms_lsad.rb', line 65

# Queries one information class of an open LSA policy object via
# LsarQueryInformationPolicy.
#
# @param policy_handle [Object] handle to an open policy object, typically
#   taken from the open_policy2 response
# @param information_class [Integer] the information class to query
# @return [Object] the lsar_query_information_policy response
def query_information_policy(policy_handle, information_class)
  request = { policy_handle: policy_handle, information_class: information_class }
  lsarpc_pipe.lsar_query_information_policy(**request)
end