Update 1: No this doesn’t need to be in memory since you control the system but it was a fun challenge
Update 2: The info from the ‘adduser’ payload says ‘Create a new user and add them to local administration group’ – I’m guessing since I ran this on a DC is why I didn’t notice this but it is something to keep in mind when running this script.
Update 3: Here is a powershell way of doing things from a CSV, you can do some passwords in the CSV and keep it for reference too. I think this is the best solution I’ve found to inlude mine: http://unlockpowershell.wordpress.com/2010/10/12/creating-random-users-for-a-domain/
Adding users to a domain that you create for learning, training, or just for testing things out on can be quite tedious. Most of the time I just put a few users to simulate the different ‘levels’ I need for my testing. However that doesn’t really give someone you’re training much to think about, i.e. It’s really easy to identify the ‘interesting’ users when there are only a couple to pick from.
I am certainly not the first one to solve this problem:
- http://www.petri.co.il/create_users_for_testing_purposes.htm
- http://blog.commandlinekungfu.com/2010/07/episode-104-fricken-users.html
- https://twitter.com/#!/Carlos_Perez/status/71373112494661632
These work perfectly and are all really easy. The problem for me is that with some the username is too similar and/or the passwords are the same/similar.
Well, of course I had to do it in Metasploit. (No, not everything has to be in Metasploit, but in this instance it actually helps a lot and you’ll see why in a sec)
Easiest way to get a bunch of random users is to download a list of names, I used this one:
http://packetstormsecurity.org/files/32083/other-names.gz.html
And of course you need passwords too, and there isn’t a better list than the RockYou list. Skull Security has it over here:
http://www.skullsecurity.org/wiki/index.php/Passwords
TL:DR; You can download the Meterpreter script here: addusers.rb
Start off by importing all the names and passwords into arrays we can manipulate easier:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
|
The ‘usercount’ variable will be used for out loop on how many users to create. Next, just to shake things up we create another array of common suffixes:
1 2 3 4 5 6 7 8 9 10 11 12 |
|
Now to loop through the account creation, and since I’m not a big fan of running cmd.exe (staying in memory is one of the staples of Meterpreter) we’ll do it by injecting $usercount amount of the windows/adduser payload into our current process.
For usernames I take a random name and use it’s first letter, and then another random selection for the rest. This makes it look like a first initial + last name username scheme.
For passwords I throw a bit of twist in there I randomly select to have a ‘bad/ok/good’ password and use just a random selection, random selection + a date or number we generated earlier, or a double random selection put together, respectively.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
|
Know what’s great about this? With just a few changed lines you can slam all of the user creation payloads into one binary and have a binary you can run any time you want to gen a bunch of users quickly. (Good to mess with CCDC blue teams too!