Merge pull request #2 from Meatballs1/pr2107

Spacing and bugfixes

Author: staaldraad

lib/msf/core/post/windows/netapi.rb

@@ -11,6 +11,17 @@ module NetAPI
 	SV_TYPE_DOMAIN_BAKCTRL = 10
 	SV_TYPE_DOMAIN_CTRL = 4
 
+	ERROR_ACCESS_DENIED = 5
+	ERROR_NOT_ENOUGH_MEMORY = 8
+	ERROR_INVALID_PARAMETER = 87
+	ERROR_INVALID_LEVEL = 124
+	ERROR_MORE_DATA = 234
+	ERROR_NO_BROWSER_SERVERS_FOUND = 6118
+
+	NERR_ClientNameNotFound = 2312
+	NERR_InvalidComputer = 2351
+	NERR_UserNotFound = 2221
+
 	def UnicodeByteStringToAscii(str)
 		length = (str.index "\0\0\0") + 1
 		Rex::Text.to_ascii(str[0..length])
@@ -23,6 +34,8 @@ def netapi_buffer_free(ptr)
 	end
 
 	def net_server_enum(server_type=SV_TYPE_ALL, domain=nil)
+		hosts = []
+
 		result = client.railgun.netapi32.NetServerEnum(
 				nil,    # servername
 				100,    # level (100/101)
@@ -36,38 +49,22 @@ def net_server_enum(server_type=SV_TYPE_ALL, domain=nil)
 		)
 
 		case result['return']
-			when 5
-				vprint_error("Access Denied when trying to enum hosts.")
-				return nil
-			when 6118
-				vprint_error("No Browser servers found.")
-				return nil
-			when 50
-				vprint_error("Request not supported.")
-				return nil
-			when 2184
-				vprint_error("Service not installed.")
-				return nil
 			when 0
-				vprint_status("Success.")
-			when 87
-				vprint_error ("Invalid parameter.")
+				hosts = read_server_structs(result['bufptr'], result['totalentries'])
+			when ERROR_NO_BROWSER_SERVERS_FOUND
+				print_error("ERROR_NO_BROWSER_SERVERS_FOUND")
+				return nil
+			when ERROR_MORE_DATA
+				vprint_error("ERROR_MORE_DATA")
 				return nil
-			else
-				if result['return'] != 234
-					vprint_status("Unaccounted for error code: #{result['return']}")
-					return nil
-				end
 		end
 
-		hosts = read_server_structs(result['bufptr'], result['totalentries'])
-
 		netapi_buffer_free(result['bufptr'])
 
 		return hosts
 	end
 
-	def read_server_structs(start_ptr, count)
+	def read_server_structs(start_ptr, count, domain, server_type)
 		base = 0
 		struct_size = 8
 		hosts = []
@@ -85,21 +82,26 @@ def read_server_structs(start_ptr, count)
 		return hosts
 	end
 
-	def getSessions(hostname, username)
+	def net_session_enum(hostname, username)
+		sessions = []
+
 		result = client.railgun.netapi32.NetSessionEnum(
-				hostname,
-				nil,
-				username,
-				10,
-				4,
-				MAX_PREFERRED_LENGTH,
-				4,
-				4,
-				nil
+				hostname,   # servername
+				nil,        # UncClientName
+				username,   # username
+				10,         # level
+				4,          # bufptr
+				MAX_PREFERRED_LENGTH, # prefmaxlen
+				4,          # entriesread
+				4,          # totalentries
+				nil         # resume_handle
 		)
 
 		case result['return']
-			when 5
+			when 0
+				vprint_error("#{hostname} Session identified")
+				sessions = read_session_structs(result['bufptr'], result['totalentries'], hostname)
+			when ERROR_ACCESS_DENIED
 				vprint_error("#{hostname} Access denied...")
 				return nil
 			when 53
@@ -108,19 +110,15 @@ def getSessions(hostname, username)
 			when 123
 				vprint_error("Invalid host: #{hostname}")
 				return nil
-			when 0
-				vprint_status("#{hostname} Session identified")
-			when 2221 #username not found
+			when NERR_UserNotFound
 				return nil
+			when ERROR_MORE_DATA
+				vprint_error("#{hostname} ERROR_MORE_DATA")
 			else
-				if result['return'] != 234
-					vprint_error("Unaccounted for error code: #{result['return']}")
-					return nil
-				end
+				vprint_error("Unaccounted for error code: #{result['return']}")
+				return nil
 		end
 
-		sessions = read_session_structs(result['bufptr'], result['totalentries'], hostname)
-
 		netapi_buffer_free(result['bufptr'])
 
 		return sessions

modules/post/windows/gather/enum_domain_users.rb

@@ -14,10 +14,10 @@ def initialize(info={})
 		super( update_info( info,
 			'Name'	       => 'Windows Gather Enumerate Active Domain Users',
 			'Description'  => %q{
-				This module will enumerate computers included in the primary Domain and attempt
-				to list all locations the targeted user has sessions on. If a the HOST option is specified
-				the module will target only that host. If the HOST is specified and USER is set to nil, all users
-				logged into that host will be returned.'
+					This module will enumerate computers included in the primary Domain and attempt
+					to list all locations the targeted user has sessions on. If a the HOST option is specified
+					the module will target only that host. If the HOST is specified and USER is set to nil, all users
+					logged into that host will be returned.'
 				},
 				'License'      => MSF_LICENSE,
 				'Author'       => [ 'Etienne Stalmans <etienne[at]sensepost.com>'],
@@ -32,50 +32,50 @@ def initialize(info={})
 	end
 
 	def run
-	sessions = []
-	user = datastore['USER']
-	host = datastore['HOST']
+		sessions = []
+		user = datastore['USER']
+		host = datastore['HOST']
 
-	if host
-		if user
-			print_status("Attempting to identify #{user} on #{host}...")
-		else
-			print_status("Attempting to get all logged in users on #{host}...")
-		end
-		sessions = getSessions(host, user)
-
-	elsif user
-		domain = getdomain
+		if host
+			if user
+				print_status("Attempting to identify #{user} on #{host}...")
+			else
+				print_status("Attempting to get all logged in users on #{host}...")
+			end
+			sessions = net_session_enum(host, user)
+		elsif user
+			domain = getdomain
 
-		unless domain.empty?
-		print_status ("Using domain: #{domain}")
-		print_status ("Getting list of domain hosts...")
-		hosts = net_server_enum(SV_TYPE_ALL, domain)
+			unless domain.empty?
+				print_status ("Using domain: #{domain}")
+				print_status ("Getting list of domain hosts...")
+			end
 
-		if hosts
-			len = hosts.count
-			print_status("#{len} host(s) found")
+			hosts = net_server_enum(SV_TYPE_ALL, domain)
 
-					hosts.each do |host|
-						sessions << getSessions(host[:name], user)
-					end
+			if hosts
+				len = hosts.count
+				print_status("#{len} host(s) found")
 
-					sessions.flatten!
+				hosts.each do |host|
+					sessions << net_session_enum(host[:name], user)
 				end
 			end
+
+			sessions.flatten!
 		else
-				print_error("Invalid options, either HOST or USER must be specified.")
-				return
+			print_error("Invalid options, either HOST or USER must be specified.")
+			return
 		end
 
-		if sessions.count == 0
+		if sessions.nil? or sessions.count == 0
 			print_error("No sessions found")
 			return
 		else
 			print_status("#{sessions.count} session(s) identified")
 		end
 
-			if sessions and sessions.count > 0
+		if sessions and sessions.count > 0
 			sessions.each do |s|
 				if s
 					print_good("#{s[:username]} logged in at #{s[:hostname]} and has been idle for #{s[:idletime]} seconds")