Module: Msf::Post::Windows::UserProfiles

Includes:
Accounts, Registry
Defined in:
lib/msf/core/post/windows/user_profiles.rb

Constant Summary

Constants included from Accounts

Accounts::DOMAIN_CONTROLLER_INFO, Accounts::GUID

Instance Method Summary

Methods included from Accounts

#delete_user, #get_domain, #resolve_sid

Methods included from Registry

#registry_createkey, #registry_deletekey, #registry_deleteval, #registry_enumkeys, #registry_enumvals, #registry_getvaldata, #registry_getvalinfo, #registry_loadkey, #registry_setvaldata, #registry_unloadkey

Methods included from CliParse

#win_parse_error, #win_parse_results

Instance Method Details

#grab_user_profiles ⇒ Object

Load the registry hive for each user on the machine and parse out the user profile information. Next, unload the hives we loaded and return the user profiles.


# File 'lib/msf/core/post/windows/user_profiles.rb', line 18

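# Load the registry hive of every user profile on the machine, parse the
# profile information out of each one, and unload the hives this call
# loaded itself.
#
# The unload now runs in an +ensure+ block: if +parse_profiles+ raises,
# the hives mounted by +load_missing_hives+ would otherwise stay attached
# under HKU, which is a leaked resource and a visible change left behind
# on the target.
#
# @return [Array<Hash>] one profile hash per hive, as built by +parse_profile+
def grab_user_profiles
  hives = load_missing_hives
  begin
    parse_profiles(hives)
  ensure
    # Only hives flagged 'OURS' are unloaded; pre-existing ones are left alone.
    unload_our_hives(hives)
  end
end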

#load_missing_hives ⇒ Object

Load any user hives that are not already loaded.


# File 'lib/msf/core/post/windows/user_profiles.rb', line 74

# Load any user hive that is not already mounted under HKU.
#
# Every hive hash from +read_profile_list+ is returned, whether or not it
# was loaded here; the 'OURS' key records whether this call mounted it, so
# that +unload_our_hives+ only detaches what we attached.
#
# @return [Array<Hash>] the hive hashes, each with an 'OURS' boolean added
def load_missing_hives
  read_profile_list.each_with_object([]) do |hive, hives|
    hive['OURS'] = false
    hives << hive
    # Already mounted under HKU by someone else: nothing to load, nothing to own.
    next unless hive['LOADED'] == false

    unless session.fs.file.exists?(hive['DAT'])
      print_error("Error loading USER #{hive['SID']}: Profile doesn't exist or cannot be accessed")
      next
    end

    # registry_loadkey needs sufficient privilege; a false result is reported but not fatal.
    hive['OURS'] = registry_loadkey(hive['HKU'], hive['DAT'])
    print_error("Error loading USER #{hive['SID']}: Hive could not be loaded, are you Admin?") unless hive['OURS']
  end
end

#loaded_hives ⇒ Object

Return a list of loaded registry hives.


# File 'lib/msf/core/post/windows/user_profiles.rb', line 114

# Return the user hives currently mounted under HKU.
#
# Only keys carrying a domain/local-account SID prefix ("S-1-5-21") are
# kept, and the companion "_Classes" keys are dropped so each user appears
# once.
#
# @return [Array<String>] the matching HKU subkey names
def loaded_hives
  registry_enumkeys('HKU').select do |key|
    key.include?("S-1-5-21") && !key.include?("_Classes")
  end
end

#parse_profile(hive) ⇒ Object

Get the user profile information from the hive specified by hive


# File 'lib/msf/core/post/windows/user_profiles.rb', line 50

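# Build the profile hash for a single user hive.
#
# Two fixes over the previous version:
# * 'ProfileDir' may be nil when +read_profile_list+ found no
#   ProfileImagePath; +String#sub+ with a nil replacement raises TypeError,
#   so the replacement is coerced with +to_s+.
# * The replacement is passed as a block. With a string argument +sub+
#   interprets backslash sequences (+\1+, +\\+, ...), so a Windows path such
#   as "C:\Users\1" was silently mangled when spliced into TEMP.
#
# @param hive [Hash] a hive hash from +read_profile_list+ ('SID', 'HKU', 'PROF')
# @return [Hash] profile fields keyed by name: UserName, Domain, SID,
#   ProfileDir, the Shell Folders entries, Temp and Path
def parse_profile(hive)
  shell_folders = "#{hive['HKU']}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
  environment = "#{hive['HKU']}\\Environment"

  # profile key => registry value name under "Shell Folders"
  folder_values = {
    'AppData' => 'AppData',
    'LocalAppData' => 'Local AppData',
    'LocalSettings' => 'Local Settings',
    'Desktop' => 'Desktop',
    'MyDocs' => 'Personal',
    'Favorites' => 'Favorites',
    'History' => 'History',
    'Cookies' => 'Cookies'
  }

  sidinf = resolve_sid(hive['SID'].to_s)
  profile = {}
  profile['UserName'] = sidinf[:name]
  profile['Domain'] = sidinf[:domain]
  profile['SID'] = hive['SID']
  profile['ProfileDir'] = hive['PROF']
  folder_values.each do |field, value_name|
    profile[field] = registry_getvaldata(shell_folders, value_name)
  end
  # Block form: the path is inserted verbatim, no backslash escapes are interpreted.
  profile['Temp'] = registry_getvaldata(environment, 'TEMP').to_s.sub('%USERPROFILE%') { profile['ProfileDir'].to_s }
  profile['Path'] = registry_getvaldata(environment, 'PATH')

  profile
end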

#parse_profiles(hives) ⇒ Object

Return a list of user profiles, one parsed from each of the hives in hives.


# File 'lib/msf/core/post/windows/user_profiles.rb', line 38

# Parse every hive in +hives+ into a profile hash.
#
# @param hives [Array<Hash>] hive hashes as produced by +read_profile_list+
# @return [Array<Hash>] the result of +parse_profile+ for each hive, in order
def parse_profiles(hives)
  hives.map { |hive| parse_profile(hive) }
end

#read_profile_list ⇒ Object

Read HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to get a list of user profiles on the machine.


# File 'lib/msf/core/post/windows/user_profiles.rb', line 95

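# Enumerate HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and
# describe each user profile found there.
#
# +loaded_hives+ (an enumeration of HKU) is now called once before the loop
# rather than once per profile; the result does not depend on the loop
# variable, so this only removes repeated registry round-trips.
#
# @return [Array<Hash>] one hash per "S-1-5-21" profile key with
#   'SID', 'HKU' ("HKU\<SID>"), 'PROF' (expanded ProfileImagePath, or nil
#   when the value is absent), 'DAT' (path to NTUSER.DAT) and 'LOADED'
def read_profile_list
  profile_list = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
  already_loaded = loaded_hives
  registry_enumkeys(profile_list).each_with_object([]) do |profkey, hives|
    # Well-known SIDs (S-1-5-18 etc.) are service accounts, not user profiles.
    next unless profkey.include?("S-1-5-21")

    hive = {}
    hive['SID'] = profkey
    hive['HKU'] = "HKU\\#{profkey}"
    hive['PROF'] = registry_getvaldata("#{profile_list}\\#{profkey}", 'ProfileImagePath')
    # ProfileImagePath usually holds environment variables (%SystemDrive%), expand them.
    hive['PROF'] = session.fs.file.expand_path(hive['PROF']) if hive['PROF']
    hive['DAT'] = "#{hive['PROF']}\\NTUSER.DAT"
    hive['LOADED'] = already_loaded.include?(profkey)
    hives << hive
  end
end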

#unload_our_hives(hives) ⇒ Object

Unload any hives we loaded.


# File 'lib/msf/core/post/windows/user_profiles.rb', line 28

# Unload only the hives this module mounted itself (those with 'OURS' == true),
# leaving hives that were already loaded on the machine untouched.
#
# @param hives [Array<Hash>] hive hashes as returned by +load_missing_hives+
# @return [Array<Hash>] +hives+, unchanged
def unload_our_hives(hives)
  ours = hives.select { |hive| hive['OURS'] == true }
  ours.each { |hive| registry_unloadkey(hive['HKU']) }
  hives
end