Generate CSV Organizational Chart Data Using Manager Information - Metasploit
This page contains detailed information about how to use the post/windows/gather/make_csv_orgchart Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Generate CSV Organizational Chart Data Using Manager Information
Module: post/windows/gather/make_csv_orgchart
Source code: modules/post/windows/gather/make_csv_orgchart.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module generates a CSV file containing all users and their managers, which can be imported into Visio to render an organizational chart.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/windows/gather/make_csv_orgchart
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/windows/gather/make_csv_orgchart
msf post(make_csv_orgchart) > show options
... show and set options ...
msf post(make_csv_orgchart) > set SESSION session-id
msf post(make_csv_orgchart) > exploit
If you wish to run the post module against all sessions from the framework, here is how:
1 - Create the following resource script:
<ruby>
# Run the module once for every open session
framework.sessions.each_pair do |sid, session|
  run_single("use post/windows/gather/make_csv_orgchart")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Introduction
This module can be used to aid the generation of an organizational chart based on information contained in Active Directory. The module uses ADSI to retrieve key fields from AD (manager, title, description, etc.) and then presents them in a CSV file in the form:
cn,description,title,phone,department,division,e-mail,company,reports_to
The reports_to field is the only one which is generated; everything else is taken directly from AD. The 'manager' field contains the DN of the manager assigned to that user, and this module simply uses a regular expression to obtain the CN field of the manager.
This can then be imported into tools like Microsoft Visio (using the organizational chart wizard), which will construct a visual org chart from the information there. Visio can generate org charts itself if it is on a domain-joined machine, but there does not seem to be a way of doing this remotely (e.g. during a red teaming exercise).
This should not be confused with security groups and AD managed groups; this is purely an internal organizational hierarchy representation but could be very useful for situational awareness or in order to construct a more plausible or targeted internal phishing exercise.
Options
Option | Description |
---|---|
ACTIVE_USERS_ONLY | This will restrict the search for users to those whose accounts are Active. This would have the effect of excluding disabled accounts (e.g. employees who have resigned). |
FILTER | Any additional LDAP filtering that is required when searching for users. |
WITH_MANAGERS_ONLY | If this is TRUE, the module will only include users who have a manager set (internally, this is implemented by adding (manager=*) to the ADSI query filter). This could be useful if not everyone has a manager set, but could mean that the top executive is not included either. |
STORE_LOOT | Store the results in a CSV file in loot. You'll almost certainly want this set to TRUE. |
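The reports_to derivation described in the introduction and the WITH_MANAGERS_ONLY caveat above, as an added Ruby example that is not the module's own code. The regular expression, the OU=Staff container and the sample records are assumptions constructed for illustration.

```ruby
# Added example: constructed records, not output from a real directory.
# 'manager' holds a distinguished name, as the AD attribute does.
BASE = 'OU=Staff,DC=test,DC=com'.freeze # hypothetical container
SAMPLE = [
  { 'cn' => 'IT Director',      'manager' => nil },
  { 'cn' => 'IT Manager',       'manager' => "CN=IT Director,#{BASE}" },
  { 'cn' => 'IT Leader: Otter', 'manager' => "CN=IT Manager,#{BASE}" },
  { 'cn' => 'Otter, Oswold',    'manager' => "CN=IT Leader: Otter,#{BASE}" },
  { 'cn' => 'Otter, Olive',     'manager' => "CN=Otter\\, Oswold,#{BASE}" }
].freeze

# Pull the CN out of a manager DN. A CN may contain an escaped comma
# ("CN=Otter\, Oswold,OU=..."), so stop only at an unescaped one.
# Hex-pair escapes such as \0A are left untouched.
def manager_cn(dn)
  m = dn.to_s.match(/\ACN=((?:\\.|[^,\\])+)/i)
  m ? m[1].gsub(/\\([^0-9a-fA-F])/, '\1') : ''
end

# Build cn/reports_to rows; with_managers_only mimics adding (manager=*)
# to the search filter, which drops entries that have no manager.
def to_rows(records, with_managers_only: false)
  records = records.reject { |r| r['manager'].to_s.empty? } if with_managers_only
  records.map { |r| { 'cn' => r['cn'], 'reports_to' => manager_cn(r['manager']) } }
end

# Roots have no manager; dangling rows name a manager missing from the export.
def chart_gaps(rows)
  names = rows.map { |r| r['cn'] }
  roots, rest = rows.partition { |r| r['reports_to'].empty? }
  { roots: roots.map { |r| r['cn'] },
    dangling: rest.reject { |r| names.include?(r['reports_to']) }.map { |r| r['cn'] } }
end

if __FILE__ == $PROGRAM_NAME
  puts chart_gaps(to_rows(SAMPLE)).inspect
  puts chart_gaps(to_rows(SAMPLE, with_managers_only: true)).inspect
end
```

With the filter on, the entry at the top of the hierarchy disappears and the row beneath it points at a manager that is no longer in the export.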
Demo
For the purposes of this contrived example, the module has been configured to generate the CSV reporting information for everyone with 'IT' somewhere in their common name.
msf post(make_csv_orgchart) > show options
Module options (post/windows/gather/make_csv_orgchart):
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
ACTIVE_USERS_ONLY   true             yes       Only include active users (i.e. not disabled ones)
DOMAIN                               no        The domain to query or distinguished name (e.g. DC=test,DC=com)
FILTER              cn=*IT*          no        Additional LDAP filter to use when searching for users
MAX_SEARCH          500              yes       Maximum values to retrieve, 0 for all.
SESSION             2                yes       The session to run this module on.
STORE_LOOT          true             yes       Store the organisational chart information in CSV format in loot
WITH_MANAGERS_ONLY  false            no        Only users with managers
msf post(make_csv_orgchart) > run
Users & Managers
================
cn                                description                title                                phone  department  division  e-mail             company  reports_to
--                                -----------                -----                                -----  ----------  --------  ------             -------  ----------
IT Manager                                                   Deputy GOAT IT Director                                           [email protected]           IT Director
IT Director                                                  Director of Goat IT                                               [email protected]
IT Leader: Badger                                            Team Leader of Blue Team Operations                               [email protected]           IT Manager
IT Leader: Otter                                             Team Leader: Offensive Operations                                 [email protected]           IT Manager
Oswold Otter (IT Team)                                       Consultant                                                        [email protected]           IT Leader: Otter
Bertie Badger (IT Security Team)  Default pass is badger123  IT Security Team Deputy                                           [email protected]           IT Leader: Badger
[*] CSV Organisational Chart Information saved to: /usr/home/s/stuart/.msf4/loot/20151221175733_stufusdev_192.0.2.140_ad.orgchart_189769.txt
[*] Post module execution completed
The contents of the CSV file are shown below:
$ cat /usr/home/s/stuart/.msf4/loot/20151221175733_stufusdev_192.0.2.140_ad.orgchart_189769.txt
cn,description,title,phone,department,division,e-mail,company,reports_to
"IT Manager","","Deputy GOAT IT Director","","","","[email protected]","","IT Director"
"IT Director","","Director of Goat IT","","","","[email protected]","",""
"IT Leader: Badger","","Team Leader of Blue Team Operations","","","","[email protected]","","IT Manager"
"IT Leader: Otter","","Team Leader: Offensive Operations","","","","[email protected]","","IT Manager"
"Oswold Otter (IT Team)","","Consultant","","","","[email protected]","","IT Leader: Otter"
"Bertie Badger (IT Security Team)","Default pass is badger123","IT Security Team Deputy","","","","[email protected]","","IT Leader: Badger"
When this was imported into Visio with default options set, it produced the following organisational chart:
Msfconsole Usage
Here is how the windows/gather/make_csv_orgchart post exploitation module looks in the msfconsole:
msf6 > use post/windows/gather/make_csv_orgchart
msf6 post(windows/gather/make_csv_orgchart) > show info
       Name: Generate CSV Organizational Chart Data Using Manager Information
     Module: post/windows/gather/make_csv_orgchart
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Stuart Morgan <[email protected]>

Compatible session types:
  Meterpreter

Basic options:
  Name                Current Setting  Required  Description
  ----                ---------------  --------  -----------
  ACTIVE_USERS_ONLY   true             yes       Only include active users (i.e. not disabled ones)
  DOMAIN                               no        The domain to query or distinguished name (e.g. DC=test,DC=com)
  FILTER                               no        Additional LDAP filter to use when searching for users
  MAX_SEARCH          500              yes       Maximum values to retrieve, 0 for all.
  SESSION                              yes       The session to run this module on.
  STORE_LOOT          true             yes       Store the organizational chart information in CSV format in loot
  WITH_MANAGERS_ONLY  false            yes       Only users with managers

Description:
  This module will generate a CSV file containing all users and their
  managers, which can be imported into Visio which will render it.
Module Options
This is a complete list of options available in the windows/gather/make_csv_orgchart post exploitation module:
msf6 post(windows/gather/make_csv_orgchart) > show options
Module options (post/windows/gather/make_csv_orgchart):
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
ACTIVE_USERS_ONLY   true             yes       Only include active users (i.e. not disabled ones)
DOMAIN                               no        The domain to query or distinguished name (e.g. DC=test,DC=com)
FILTER                               no        Additional LDAP filter to use when searching for users
MAX_SEARCH          500              yes       Maximum values to retrieve, 0 for all.
SESSION                              yes       The session to run this module on.
STORE_LOOT          true             yes       Store the organizational chart information in CSV format in loot
WITH_MANAGERS_ONLY  false            yes       Only users with managers
Advanced Options
Here is a complete list of advanced options supported by the windows/gather/make_csv_orgchart post exploitation module:
msf6 post(windows/gather/make_csv_orgchart) > show advanced
Module advanced options (post/windows/gather/make_csv_orgchart):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
VERBOSE    false            no        Enable detailed status messages
WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the windows/gather/make_csv_orgchart module can do:
msf6 post(windows/gather/make_csv_orgchart) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the windows/gather/make_csv_orgchart post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(windows/gather/make_csv_orgchart) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
No results returned.
Here is a relevant code snippet related to the "No results returned." error message:
    print_error(e.message)
    return
  end

  if q.nil? || q[:results].empty?
    print_status('No results returned.')
  else
    user_fields << 'reports_to'
    results_table = parse_results(q[:results])
    print_line results_table.to_s
    if datastore['STORE_LOOT']
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7200 Merged Pull Request: Rex::Ui::Text cleanup
- #6377 Merged Pull Request: Generate CSV Organisational Chart Data From AD
See Also
Check also the following modules related to this module:
- post/windows/gather/ad_to_sqlite
- post/windows/gather/arp_scanner
- post/windows/gather/avast_memory_dump
- post/windows/gather/bitcoin_jacker
- post/windows/gather/bitlocker_fvek
- post/windows/gather/bloodhound
- post/windows/gather/cachedump
- post/windows/gather/checkvm
- post/windows/gather/dnscache_dump
- post/windows/gather/dumplinks
- post/windows/gather/enum_ad_bitlocker
- post/windows/gather/enum_ad_computers
- post/windows/gather/enum_ad_groups
- post/windows/gather/enum_ad_managedby_groups
- post/windows/gather/enum_ad_service_principal_names
- post/windows/gather/enum_ad_to_wordlist
- post/windows/gather/enum_ad_user_comments
- post/windows/gather/enum_ad_users
- post/windows/gather/enum_applications
- post/windows/gather/enum_artifacts
- post/windows/gather/exchange
- post/windows/gather/file_from_raw_ntfs
- post/windows/gather/get_bookmarks
- post/windows/gather/hashdump
- post/windows/gather/local_admin_search_enum
- post/windows/gather/lsa_secrets
- post/windows/gather/memory_dump
- post/windows/gather/memory_grep
- post/windows/gather/netlm_downgrade
- post/windows/gather/ntds_grabber
- post/windows/gather/ntds_location
- post/windows/gather/outlook
- post/windows/gather/phish_windows_credentials
- post/windows/gather/psreadline_history
- post/windows/gather/resolve_sid
- post/windows/gather/reverse_lookup
- post/windows/gather/screen_spy
- post/windows/gather/smart_hashdump
- post/windows/gather/tcpnetstat
- post/windows/gather/usb_history
- post/windows/gather/win_privs
- post/windows/gather/wmic_command
- post/windows/gather/word_unc_injector
Authors
- Stuart Morgan <stuart.morgan[at]mwrinfosecurity.com>
Version
This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.