Finding Domain Names from Discovery
Many times when performing a penetration test against a Windows environment, one of the most critical pieces of information to obtain is the domain name. As part of my discovery process, one of the first things I do inside Metasploit after running an Nmap scan, or a TCP scan through a pivot, is to run the auxiliary module smb_version to get a more accurate fingerprint of these hosts. As part of the information gathered it records:
- OS Type and Name
- Host Name
- Domain/Workgroup
One thing I noticed is that domains and workgroups are both tagged as "domain". The information is saved with the service in the service's info field, so what I did was parse that string for the machine name and the workgroup name, place those in variables so I can work with them for each service, check that the domain is not the same as the computer name and is not one of the two most common workgroup names out there, MSHOME and WORKGROUP, and show the output.
```ruby
<ruby>
# Walk every service recorded as "open" in the current workspace.
# find_all_by_state is the ActiveRecord dynamic finder of the Metasploit
# release this was written for; newer releases use .where(state: "open").
framework.db.workspace.services.find_all_by_state("open").each do |s|
  # Only SMB (445) services whose smb_version info mentions Windows
  next unless s.port == 445 and s.info =~ /windows/i
  # Pull the host name and domain/workgroup out of the info string
  name   = s.info[/\(name:([^)]*)\)/, 1]
  domain = s.info[/\(domain:([^)]*)\)/, 1]
  # Skip entries missing either field (scan(...)[0].join would raise on nil)
  next if name.nil? or domain.nil?
  # Skip the default workgroups and hosts that report their own name as the domain
  if (domain !~ /^(WORKGROUP|MSHOME)$/i) and (domain.upcase != name.upcase)
    print_good("Name: #{name} Address: #{s.host.address} Domain: #{domain}")
    print_good("Info: #{s.info}\n")
  end
end
</ruby>
```
To do all of this I used the resource file you see above; the `<ruby>` and `</ruby>` tags are how a Metasploit resource script embeds Ruby code. I first looked at the services saved in my current workspace, selected all of those with a state of "open", and iterated through each one. For each open service I checked for port 445, the SMB port where the smb_version module saves its information, and checked with a regular expression that the word "windows" was part of the info string. For each service that matched those criteria I extracted the name and the domain with regular expressions and saved them so I could compare them. Finally I check that the workgroup does not match the two common ones I mentioned and that the domain name is not the same as the computer name, as happens on some versions of Windows XP, especially the Home edition, and print the information.
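The same parsing and filtering logic, pulled out of the resource script into plain Ruby so it can be run outside msfconsole and checked against known inputs. This is an added example, not code from the original post: the info strings below are constructed to mimic the "(name:HOST) (domain:DOM)" layout that smb_version produces and that the post's regexes rely on, and the service records are simple hashes standing in for the rows the script reads from the Metasploit database. It also goes one step further than the script by handling a missing name or domain field without raising, and by grouping the surviving hosts by domain.

```ruby
# Added example, not part of the original post. Parses the info string that
# smb_version stores for a port 445 service and decides whether the host
# looks domain-joined. All sample data below is constructed.

# Default workgroup names that do not indicate a real domain.
COMMON_WORKGROUPS = %w[WORKGROUP MSHOME].freeze

# Returns {name:, domain:}, with nil for any field that is absent, instead of
# raising NoMethodError the way scan(...)[0].join does when nothing matched.
def parse_smb_info(info)
  return { name: nil, domain: nil } if info.nil? || info !~ /windows/i
  name   = info[/\(name:([^)]*)\)/, 1]
  domain = info[/\(domain:([^)]*)\)/, 1]
  { name: name, domain: domain }
end

# A host counts as domain-joined when the domain field is present, is not a
# default workgroup, and differs from the host name (a stand-alone XP Home
# box reports its own name as the "domain").
def domain_joined?(name, domain)
  return false if name.nil? || domain.nil? || domain.empty?
  return false if COMMON_WORKGROUPS.include?(domain.upcase)
  domain.casecmp(name) != 0
end

# Groups domain-joined hosts by (upper-cased) domain name. Each record mimics
# the fields the script reads from a service row: port, info, host address.
def domains_from_services(services)
  result = Hash.new { |h, k| h[k] = [] }
  services.each do |svc|
    next unless svc[:port] == 445
    parsed = parse_smb_info(svc[:info])
    next unless domain_joined?(parsed[:name], parsed[:domain])
    result[parsed[:domain].upcase] << { name: parsed[:name], address: svc[:address] }
  end
  result
end

# Constructed sample records (not real scan data). Covers a joined host, an
# XP Home box reporting itself as the domain, a default workgroup, a Samba
# host, a non-445 port, and a second real domain.
SAMPLE_SERVICES = [
  { port: 445, address: "10.0.0.5",  info: "Windows 7 Ultimate 7600 (language: Unknown) (name:WS01) (domain:CORP)" },
  { port: 445, address: "10.0.0.6",  info: "Windows XP Service Pack 3 (language: English) (name:XPHOME) (domain:XPHOME)" },
  { port: 445, address: "10.0.0.7",  info: "Windows 2008 Standard Service Pack 1 (language: English) (name:DC01) (domain:CORP)" },
  { port: 445, address: "10.0.0.8",  info: "Windows XP Service Pack 2 (language: English) (name:LAB) (domain:WORKGROUP)" },
  { port: 445, address: "10.0.0.9",  info: "Unix (Samba 3.0.28a)" },
  { port: 139, address: "10.0.0.10", info: "Windows 7 (name:NOPE) (domain:CORP)" },
  { port: 445, address: "10.0.0.11", info: "Windows Server 2003 (language: English) (name:FILE01) (domain:LEGACY)" },
].freeze

if __FILE__ == $PROGRAM_NAME
  domains_from_services(SAMPLE_SERVICES).each do |domain, hosts|
    puts "Domain: #{domain}"
    hosts.each { |h| puts "  Name: #{h[:name]} Address: #{h[:address]}" }
  end
end
```

Inside a resource script the same two functions can be fed `s.info` and `s.host.address` from the workspace query instead of the constructed hashes; the point of the nil guards is that a Windows host whose info string lacks a name or domain field no longer aborts the whole loop.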
This is a quick and dirty way to enumerate possible domain names and the hosts in them so you can move on to more specific Windows attacks. I hope you found this little excerpt of code useful and that it serves as an example of how one can work with the information stored in Metasploit's database.