cdolla.cna

############
## CDolla ##
############
## Find targets where you're local admin and list users who logged in within the last 90 days.
## Author: Alyssa (ramen0x3f)
## Last updated: 2018-02-21

## Like Chris King's (raikiasec) CredNinja but less fancy. And in Aggressor. 
## CredNinja: https://github.com/Raikia/CredNinja

#### Usage ####
# 1. To scan a list of targets
## > Select all hosts in the Targets tab, right click, add note "cdolla"
## > From the beacon with the correct token: cdolla [-users]
# 2. To scan a single target
## > cdolla 10.10.10.10 [-users]

#### Notes ####
# > c is an alias for cdolla
# > if -users is specified, will also print users who logged in within last 90 days

global('@exclusions $getusers');
@exclusions = @('All Users', 'Default', 'Default User', 'Public', '.', '..');
$getusers = false; 

sub callback {
	@results = split("\n", $3);
	removeAt(@results, 0);

	if ( size(@results) ) {
		if ( $getusers ) {
			@users = @();
			foreach %r (@results) {
				@x = split("\t", %r);
				if ( @x[0] ismatch 'D' && @x[-1] !in @exclusions) {
					$date = parseDate("MM/dd/yyy HH:mm:ss", @x[2]);
					$ninetydays = ( ticks() - 7776000000 ); 
					if ( $ninetydays < $date ) {
						$diff = (ticks() - $date) / 86400000;
						add(@users, @x[-1] . " (" . $diff . ")");
					}
				}
			}
			blog($1, $2 . "\t" . join(", ", @users));
		}
		else {
			blog($1, $2); 
		}
	}
}

sub cdolla {
	$getusers = false;
	
	if ( $2 ismatch "-users" || $3 ismatch "-users" ) {
		blog($1, "Host:\t\t\tUsers (Last 90 days):");
		blog($1, "------------------------------------------------------");
		$getusers = true; 
	}
	else {
		blog($1, "Host:");
		blog($1, "-------------------------------");
	}

	if ( $2 && $2 !ismatch "-users" ) {
		bls($1, "\\\\" . $2 . "\\C$\\Users", &callback);
		return;
	}

	foreach %t (targets()) {
		if ( "note" in %t && %t['note'] ismatch "cdolla") {
			bls($1, "\\\\" . %t['address'] . "\\C$\\Users", &callback);
		}
	}
}

alias cdolla {
	cdolla($1, $2, $3);
}

alias c {
	cdolla($1, $2, $3);
}