metasploit-framework
Msf::Post::Windows::Accounts: Add domain_controller? method
Adds a Msf::Post::Windows::Accounts.domain_controller? method and removes is_dc? methods from several modules in favor of using the new method.
Msf::Post::Windows::Accounts seemed like the best place to put this. We don't have an existing generic Msf::Post::Windows::System mixin like we do for other platforms.
Despite retrieving values from the Registry, Msf::Post::Windows::Registry is not the right place for this method. Msf::Post::Windows::Accounts makes heavy use of Railgun. This PR imports Msf::Post::Windows::Registry in Msf::Post::Windows::Accounts as a dependency. I'm not super keen on this, but on the other hand, this mixin will also be necessary if modifying other methods in Msf::Post::Windows::Registry to support non-Meterpreter sessions.
A method to determine whether the target host is a domain controller is useful, as evidenced by three modules which implemented this manually. Additionally, there are other modules which likely could or would have used this functionality if it was available.
For example, some modules attempt to access various NTDS related Registry keys blindly, and bail out with a generic error message if the keys don't exist. Checking first whether the host was a DC would allow a more intuitive error message. (These two example modules are not updated in this PR).
https://github.com/rapid7/metasploit-framework/blob/015ccfe62a1e12771eaf2750e1bc755227e27d0b/modules/post/windows/gather/ntds_location.rb#L37-L41
https://github.com/rapid7/metasploit-framework/blob/015ccfe62a1e12771eaf2750e1bc755227e27d0b/modules/post/windows/gather/credentials/domain_hashdump.rb#L105-L115
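An added Ruby sketch, not the PR's own code, of the role check and the "check for a DC first, then read the NTDS keys" flow the description argues for. The ProductType/LanmanNT heuristic, the FakeRegistry stand-in and the constructed registry contents are assumptions; the PR text does not say which key the real method reads.

```ruby
# Added illustration (not from the PR): a registry-driven domain controller
# check shaped like a mixin helper, with registry access abstracted behind a
# `reg` object so it runs offline against the constructed hashes below.
module HostRole
  PRODUCT_OPTIONS = 'HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions'
  NTDS_PARAMETERS = 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

  # Windows records its role in ProductType: WinNT (workstation),
  # ServerNT (member or standalone server), LanmanNT (domain controller).
  # Assumption: the helper keys off this value. A nil read (e.g. a session
  # type that cannot query the registry) is treated as "not a DC".
  def self.domain_controller?(reg)
    product_type = reg.getvaldata(PRODUCT_OPTIONS, 'ProductType')
    return false if product_type.nil?

    product_type.to_s.casecmp('LanmanNT').zero?
  end

  # Model of the flow the description suggests: a non-DC gets an intuitive
  # error instead of a blind failure on a missing NTDS key.
  def self.ntds_location(reg)
    return [:error, 'Host is not a domain controller'] unless domain_controller?(reg)

    path = reg.getvaldata(NTDS_PARAMETERS, 'DSA Database file')
    return [:error, 'NTDS Parameters key missing on a domain controller'] if path.nil?

    [:ok, path]
  end
end

# Minimal stand-in for a registry mixin; the data is constructed, not captured.
class FakeRegistry
  def initialize(values)
    @values = values
  end

  def getvaldata(key, name)
    @values.dig(key, name)
  end
end

DC_HOST = FakeRegistry.new(
  HostRole::PRODUCT_OPTIONS => { 'ProductType' => 'LanmanNT' },
  HostRole::NTDS_PARAMETERS => { 'DSA Database file' => 'C:\Windows\NTDS\ntds.dit' }
)
MEMBER_SERVER = FakeRegistry.new(
  HostRole::PRODUCT_OPTIONS => { 'ProductType' => 'ServerNT' }
)

if __FILE__ == $PROGRAM_NAME
  p HostRole.ntds_location(DC_HOST)
  p HostRole.ntds_location(MEMBER_SERVER)
end
```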
How about the method in domain_hashdump here. Should that be consolidated too? It looks like it is also using a registry based lookup in addition to checking if the file is present.
That module requires the registry lookup to determine the NTDS path which is later accessed directly. Using the new domain_controller? method would be in addition to the existing code, rather than a replacement.
Thanks @bcoles! It looks good to me. I tested the 5 modules and verified the Domain Controller is detected correctly. I'll go ahead and land it.
Example output
post/windows/gather/credentials/domain_hashdump
msf6 post(windows/gather/credentials/domain_hashdump) > run verbose=true rhost=10.0.0.34 session=1
[*] Session has Admin privs
[*] Session is on a Domain Controller
[*] Pre-conditions met, attempting to copy NTDS.dit
[*] Using NTDSUTIL method
[*] NTDS database copied to C:\Windows\Temp\inQOWaLTi\Active Directory\ntds.dit
[*] NTDS File Size: 33554432 bytes
[*] Repairing NTDS database after copy...
[*]
Initiating REPAIR mode...
Database: C:\Windows\Temp\inQOWaLTi\Active Directory\ntds.dit
Temp. Database: TEMPREPAIR5332.EDB
Checking database integrity.
Scanning Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Integrity check successful.
Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
repair, the database will be rolled back to the state
it was in at the time of that backup.
Operation completed successfully in 5.469 seconds.
[-] Failed to properly parse database: extapi_ntds_parse: Operation failed: 1004
[-] Error 1004 is likely a jet database error because the ntds database is not in the regular format
[*] Deleting backup of NTDS.dit at C:\Windows\Temp\inQOWaLTi\Active Directory\ntds.dit
[*] Post module execution completed
modules/post/windows/gather/enum_domain_tokens
msf6 post(windows/gather/enum_domain_tokens) > run verbose=true session=2
[*] Running module against DC02
[*] Checking for Domain group and user tokens
Impersonation Tokens with Domain Context
========================================
Token Type Account Type Name Domain Admin
---------- ------------ ---- ------------
Delegation Group MYLAB\Schema Admins false
Delegation Group MYLAB\Denied RODC Password Replication Group false
Delegation Group MYLAB\Domain Admins false
Delegation Group MYLAB\Domain Users false
Delegation Group MYLAB\Enterprise Admins false
Delegation Group MYLAB\Group Policy Creator Owners false
Delegation Group MYLAB\Netmon Users false
Delegation User MYLAB\administrator false
[*] Checking for processes running under domain user
Processes under Domain Context
==============================
Name PID Arch User Domain Admin
---- --- ---- ---- ------------
ApplicationFrameHost.exe 6048 x64 MYLAB\administrator false
RuntimeBroker.exe 5796 x64 MYLAB\administrator false
RuntimeBroker.exe 6320 x64 MYLAB\administrator false
RuntimeBroker.exe 3848 x64 MYLAB\administrator false
SearchUI.exe 540 x64 MYLAB\administrator false
ShellExperienceHost.exe 3500 x64 MYLAB\administrator false
ctfmon.exe 5440 x64 MYLAB\administrator false
dllhost.exe 1476 x64 MYLAB\administrator false
explorer.exe 5464 x64 MYLAB\administrator false
jucheck.exe 3100 x86 MYLAB\administrator false
jusched.exe 6688 x86 MYLAB\administrator false
payload_meterpreter_reverse_tcp_x64.exe 2476 x64 MYLAB\administrator false
procexp64.exe 5052 x64 MYLAB\administrator false
sihost.exe 6008 x64 MYLAB\administrator false
smartscreen.exe 6448 x64 MYLAB\administrator false
svchost.exe 1564 x64 MYLAB\administrator false
svchost.exe 1428 x64 MYLAB\administrator false
taskhostw.exe 1996 x64 MYLAB\administrator false
vmtoolsd.exe 6532 x64 MYLAB\administrator false
[*] Post module execution completed
modules/post/windows/gather/ntds_grabber
msf6 post(windows/gather/ntds_grabber) > run verbose=true session=2
[+] Running as SYSTEM
[+] Running on a domain controller
[+] PowerShell is installed.
[+] The meterpreter is the same architecture as the OS!
[+] EXECUTING:
powershell.exe -EncodedCommand 7wC7AL8AIwBDAG8AbQBwAGwAZQB0AGUAIABzAGMAcgBpAHAAdAAgAGMAcgBlAGEAdABlAGQAIABiAHkAIABLAG8AZQBuACAAUgBpAGUA
...
modules/post/windows/gather/ntds_location
msf6 post(windows/gather/ntds_location) > run verbose=true session=2
NTDS.DIT is located at: C:\Windows\NTDS\ntds.dit
Size: 20971520 bytes
Created: 2021-10-06 17:59:51 +0200
Modified: 2022-08-23 20:11:26 +0200
Accessed: 2022-08-23 20:11:26 +0200
[*] Post module execution completed
modules/post/windows/gather/smart_hashdump
msf6 post(windows/gather/smart_hashdump) > run verbose=true session=2
[*] Running module against DC02
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /home/msfuser/.msf4/loot/20220823200112_default_10.0.0.34_windows.hashes_175178.txt
[+] Host is a Domain Controller
[*] Dumping password hashes...
<redacted>
[*] Post module execution completed
Release Notes
This adds a Msf::Post::Windows::Accounts.domain_controller? method and removes is_dc? methods from several modules in favor of using the new method.