rex 2.0.8 → 2.0.9

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb

@@ -26,9 +26,12 @@ class Console::CommandDispatcher::Extapi::Adsi
   #
   def commands
     {
-      "adsi_user_enum"     => "Enumerate all users on the specified domain.",
-      "adsi_computer_enum" => "Enumerate all computers on the specified domain.",
-      "adsi_domain_query"  => "Enumerate all objects on the specified domain that match a filter."
+      'adsi_user_enum'              => 'Enumerate all users on the specified domain.',
+      'adsi_group_enum'             => 'Enumerate all groups on the specified domain.',
+      'adsi_nested_group_user_enum' => 'Recursively enumerate users who are effectively members of the group specified.',
+      'adsi_computer_enum'          => 'Enumerate all computers on the specified domain.',
+      'adsi_dc_enum'                => 'Enumerate all domain controllers on the specified domain.',
+      'adsi_domain_query'           => 'Enumerate all objects on the specified domain that match a filter.'
     }
   end
 
@@ -36,46 +39,127 @@ class Console::CommandDispatcher::Extapi::Adsi
   # Name for this dispatcher
   #
   def name
-    "Extapi: ADSI Management"
+    'Extapi: ADSI Management'
+  end
+
+  #
+  # Options for the adsi_nested_group_user_enum command.
+  #
+  @@adsi_nested_group_user_enum_opts = Rex::Parser::Arguments.new(
+    '-h' => [false, 'Help banner'],
+    '-o' => [true,  'Path to output file.'],
+    '-m' => [true,  'Maximum results to return.'],
+    '-p' => [true,  'Result set page size.']
+  )
+
+  def adsi_nested_group_user_enum_usage
+    print_line('USAGE:')
+    print_line(' adsi_nested_group_user_enum <domain> <Group DN> [-h] [-m maxresults] [-p pagesize] [-o file]')
+    print_line
+    print_line('DESCRIPTION:')
+    print_line(' Enumerate the users who are members of the named group, taking nested groups into account.')
+    print_line(' For example, specifying the "Domain Admins" group DN will list all users who are effectively')
+    print_line(' members of the Domain Admins group, even if they are in practice members of intermediary groups.')
+    print_line
+    print_line('EXAMPLE:')
+    print_line(' The example below will list all members of the "Domain Admins" group on the STUFUS domain:')
+    print_line('  adsi_nested_group_user_enum STUFUS "CN=Domain Admins,CN=Users,DC=mwrinfosecurity,DC=com"')
+    print_line(@@adsi_nested_group_user_enum_opts.usage)
+  end
+
+  #
+  # Enumerate domain groups.
+  #
+  def cmd_adsi_nested_group_user_enum(*args)
+    args.unshift('-h') if args.length == 0
+    if args.include?('-h') || args.length < 2
+      adsi_nested_group_user_enum_usage
+      return true
+    end
+
+    domain = args.shift
+    groupdn = args.shift
+    # This OID (canonical name = LDAP_MATCHING_RULE_IN_CHAIN) will recursively search each 'memberof' parent
+    # https://support.microsoft.com/en-us/kb/275523 for more information -stufus
+    filter = "(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=#{groupdn}))"
+    fields = ['samaccountname', 'name', 'distinguishedname', 'description', 'comment']
+    args = [domain, filter] + fields + args
+    return cmd_adsi_domain_query(*args)
   end
 
   #
   # Options for the adsi_user_enum command.
   #
   @@adsi_user_enum_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-m" => [ true, "Maximum results to return." ],
-    "-p" => [ true, "Result set page size." ]
+    '-h' => [false, 'Help banner.'],
+    '-o' => [true,  'Path to output file.'],
+    '-m' => [true,  'Maximum results to return.'],
+    '-p' => [true,  'Result set page size.']
   )
 
   def adsi_user_enum_usage
-    print(
-      "\nUsage: adsi_user_enum <domain> [-h] [-m maxresults] [-p pagesize]\n\n" +
-      "Enumerate the users on the target domain.\n\n" +
-      "Enumeration returns information such as the user name, SAM account name, locked\n" +
-      "status, desc, and comment.\n" +
-      @@adsi_user_enum_opts.usage)
+    print_line('USAGE:')
+    print_line(' adsi_user_enum <domain> [-h] [-m maxresults] [-p pagesize] [-o file]')
+    print_line
+    print_line('DESCRIPTION:')
+    print_line(' Enumerate all users on the target domain.')
+    print_line(' Enumeration returns information such as the user name, SAM account name, status, comments etc')
+    print_line(@@adsi_user_enum_opts.usage)
   end
 
   #
   # Enumerate domain users.
   #
   def cmd_adsi_user_enum(*args)
-    args.unshift("-h") if args.length == 0
-    if args.include?("-h")
+    args.unshift('-h') if args.length == 0
+    if args.include?('-h')
       adsi_user_enum_usage
       return true
     end
 
     domain = args.shift
-    filter = "(objectClass=user)"
-    fields = [
-      "samaccountname",
-      "name",
-      "distinguishedname",
-      "description",
-      "comment"
-      ]
+    filter = '(objectClass=user)'
+    fields = ['samaccountname', 'name', 'distinguishedname', 'description', 'comment']
+    args = [domain, filter] + fields + args
+    return cmd_adsi_domain_query(*args)
+  end
+
+  #
+  # Options for the adsi_group_enum command.
+  #
+  @@adsi_group_enum_opts = Rex::Parser::Arguments.new(
+    '-h' => [false, 'Help banner.'],
+    '-o' => [true,  'Path to output file.'],
+    '-m' => [true,  'Maximum results to return.'],
+    '-p' => [true,  'Result set page size.']
+  )
+
+  def adsi_group_enum_usage
+    print_line('USAGE:')
+    print_line(' adsi_nested_group_user_enum <domain> [-h] [-m maxresults] [-p pagesize] [-o file]')
+    print_line
+    print_line('DESCRIPTION:')
+    print_line(' Enumerate all groups on the target domain.')
+    print_line
+    print_line('EXAMPLE:')
+    print_line(' The example below will list all groups on the STUFUS domain.')
+    print_line('  adsi_group_enum STUFUS')
+    print_line(@@adsi_group_enum_opts.usage)
+  end
+
+  #
+  # Enumerate domain groups.
+  #
+  def cmd_adsi_group_enum(*args)
+    args.unshift('-h') if args.length == 0
+    if args.include?('-h')
+      adsi_group_enum_usage
+      return true
+    end
+
+    domain = args.shift
+    filter = '(objectClass=group)'
+    fields = ['name', 'distinguishedname', 'description',]
     args = [domain, filter] + fields + args
     return cmd_adsi_domain_query(*args)
   end
@@ -84,37 +168,74 @@ class Console::CommandDispatcher::Extapi::Adsi
   # Options for the adsi_computer_enum command.
   #
   @@adsi_computer_enum_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-m" => [ true, "Maximum results to return." ],
-    "-p" => [ true, "Result set page size." ]
+    '-h' => [false, 'Help banner.'],
+    '-o' => [true,  'Path to output file.'],
+    '-m' => [true,  'Maximum results to return.'],
+    '-p' => [true,  'Result set page size.']
   )
 
   def adsi_computer_enum_usage
-    print(
-      "\nUsage: adsi_computer_enum <domain> [-h] [-m maxresults] [-p pagesize]\n\n" +
-      "Enumerate the computers on the target domain.\n\n" +
-      "Enumeration returns information such as the computer name, desc, and comment.\n" +
-      @@adsi_computer_enum_opts.usage)
+    print_line('USAGE:')
+    print_line(' adsi_computer_enum <domain> [-h] [-m maxresults] [-p pagesize] [-o file]')
+    print_line
+    print_line('DESCRIPTION:')
+    print_line(' Enumerate all computers on the target domain.')
+    print_line(@@adsi_computer_enum_opts.usage)
   end
 
   #
   # Enumerate domain computers.
   #
   def cmd_adsi_computer_enum(*args)
-    args.unshift("-h") if args.length == 0
-    if args.include?("-h")
+    args.unshift('-h') if args.length == 0
+    if args.include?('-h')
       adsi_computer_enum_usage
       return true
     end
 
     domain = args.shift
-    filter = "(objectClass=computer)"
-    fields = [
-      "name",
-      "distinguishedname",
-      "description",
-      "comment"
-      ]
+    filter = '(objectClass=computer)'
+    fields = ['name', 'dnshostname', 'distinguishedname', 'operatingsystem',
+              'operatingsystemversion', 'operatingsystemservicepack', 'description',
+              'comment' ]
+    args = [domain, filter] + fields + args
+    return cmd_adsi_domain_query(*args)
+  end
+
+  #
+  # Options for the adsi_dc_enum command.
+  #
+  @@adsi_dc_enum_opts = Rex::Parser::Arguments.new(
+    '-h' => [false, 'Help banner.'],
+    '-o' => [true,  'Path to output file.'],
+    '-m' => [true,  'Maximum results to return.'],
+    '-p' => [true,  'Result set page size.']
+  )
+
+  def adsi_dc_enum_usage
+    print_line('USAGE:')
+    print_line(' adsi_dc_enum <domain> [-h] [-m maxresults] [-p pagesize] [-o file]')
+    print_line
+    print_line('DESCRIPTION:')
+    print_line(' Enumerate the domain controllers on the target domain.')
+    print_line(@@adsi_dc_enum_opts.usage)
+  end
+
+  #
+  # Enumerate domain dcs.
+  #
+  def cmd_adsi_dc_enum(*args)
+    args.unshift('-h') if args.length == 0
+    if args.include?('-h')
+      adsi_dc_enum_usage
+      return true
+    end
+
+    domain = args.shift
+    # This LDAP filter will pull out domain controllers
+    filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
+    fields = ['name', 'dnshostname', 'distinguishedname', 'operatingsystem',
+              'operatingsystemversion', 'operatingsystemservicepack', 'description', 'comment' ]
     args = [domain, filter] + fields + args
     return cmd_adsi_domain_query(*args)
   end
@@ -123,17 +244,19 @@ class Console::CommandDispatcher::Extapi::Adsi
   # Options for the adsi_domain_query command.
   #
   @@adsi_domain_query_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-m" => [ true, "Maximum results to return." ],
-    "-p" => [ true, "Result set page size." ]
+    '-h' => [false, 'Help banner.'],
+    '-o' => [true,  'Path to output file.'],
+    '-m' => [true,  'Maximum results to return.'],
+    '-p' => [true,  'Result set page size.']
   )
 
   def adsi_domain_query_usage
-    print(
-      "\nUsage: adsi_domain_query <domain> <filter> <field 1> [field 2 [field ..]] [-h] [-m maxresults] [-p pagesize]\n\n" +
-      "Enumerate the objects on the target domain.\n\n" +
-      "Enumeration returns the set of fields that are specified.\n" +
-      @@adsi_domain_query_opts.usage)
+    print_line('USAGE:')
+    print_line(' adsi_domain_query <domain> <filter> <field 1> [field 2 [field ..]] [-h] [-m maxresults] [-p pagesize] [-o file]')
+    print_line
+    print_line('DESCRIPTION:')
+    print_line(' Enumerates the objects on the target domain, returning the set of fields that are specified.')
+    print_line(@@adsi_domain_query_opts.usage)
   end
 
   #
@@ -143,22 +266,25 @@ class Console::CommandDispatcher::Extapi::Adsi
     page_size = DEFAULT_PAGE_SIZE
     max_results = DEFAULT_MAX_RESULTS
 
-    args.unshift("-h") if args.length < 3
+    args.unshift('-h') if args.length < 3
+    output_file = nil
 
     @@adsi_domain_query_opts.parse(args) { |opt, idx, val|
       case opt
-      when "-p"
+      when '-p'
         page_size = val.to_i
-      when "-m"
+      when '-o'
+        output_file = val
+      when '-m'
         max_results = val.to_i
-      when "-h"
+      when '-h'
         adsi_domain_query_usage
         return true
       end
     }
 
     # Assume that the flags are passed in at the end. Safe?
-    switch_index = args.index { |a| a.start_with?("-") }
+    switch_index = args.index { |a| a.start_with?('-') }
     if switch_index
       args = args.first(switch_index)
     end
@@ -181,11 +307,16 @@ class Console::CommandDispatcher::Extapi::Adsi
 
     print_line
     print_line(table.to_s)
-
     print_line("Total objects: #{objects[:results].length}")
-
     print_line
 
+    if output_file
+      ::File.open(output_file, 'w') do |f|
+        f.write("#{table.to_s}\n")
+        f.write("\nTotal objects: #{objects[:results].length}\n")
+      end
+    end
+
     return true
   end
 
@@ -210,7 +341,7 @@ protected
         # for UI level stuff, rendering raw as hex is really the only option
         values << Rex::Text.to_hex(v[:value], '')
       when :array
-        val = "#{to_table_row(v[:value]).join(", ")}"
+        val = "#{to_table_row(v[:value]).join(', ')}"
 
         # we'll truncate the output of the array because it could be excessive if we
         # don't. Users who want the detail of this stuff should probably script it.
@@ -224,7 +355,7 @@ protected
       when :path
         values << "Vol: #{v[:volume]}, Path: #{v[:path]}, Type: #{v[:vol_type]}"
       when :unknown
-        values << "(unknown)"
+        values << '(unknown)'
       end
     end
 

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb

@@ -26,7 +26,7 @@ class Console::CommandDispatcher::Kiwi
   # Name for this dispatcher
   #
   def name
-    "Kiwi"
+    'Kiwi'
   end
 
   #
@@ -46,10 +46,9 @@ class Console::CommandDispatcher::Kiwi
     print_line("  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */")
     print_line
 
-    if (client.platform =~ /x86/) and (client.sys.config.sysinfo['Architecture'] =~ /x64/)
-
+    if client.platform =~ /x86/ and client.sys.config.sysinfo['Architecture'] =~ /x64/
       print_line
-      print_warning "Loaded x86 Kiwi on an x64 architecture."
+      print_warning('Loaded x86 Kiwi on an x64 architecture.')
     end
   end
 
@@ -58,19 +57,19 @@ class Console::CommandDispatcher::Kiwi
   #
   def commands
     {
-      "creds_wdigest"         => "Retrieve WDigest creds",
-      "creds_msv"             => "Retrieve LM/NTLM creds (hashes)",
-      "creds_livessp"         => "Retrieve LiveSSP creds",
-      "creds_ssp"             => "Retrieve SSP creds",
-      "creds_tspkg"           => "Retrieve TsPkg creds",
-      "creds_kerberos"        => "Retrieve Kerberos creds",
-      "creds_all"             => "Retrieve all credentials",
-      "golden_ticket_create"  => "Create a golden kerberos ticket",
-      "kerberos_ticket_use"   => "Use a kerberos ticket",
-      "kerberos_ticket_purge" => "Purge any in-use kerberos tickets",
-      "kerberos_ticket_list"  => "List all kerberos tickets",
-      "lsa_dump"              => "Dump LSA secrets",
-      "wifi_list"             => "List wifi profiles/creds"
+      'creds_wdigest'         => 'Retrieve WDigest creds',
+      'creds_msv'             => 'Retrieve LM/NTLM creds (hashes)',
+      'creds_livessp'         => 'Retrieve LiveSSP creds',
+      'creds_ssp'             => 'Retrieve SSP creds',
+      'creds_tspkg'           => 'Retrieve TsPkg creds',
+      'creds_kerberos'        => 'Retrieve Kerberos creds',
+      'creds_all'             => 'Retrieve all credentials',
+      'golden_ticket_create'  => 'Create a golden kerberos ticket',
+      'kerberos_ticket_use'   => 'Use a kerberos ticket',
+      'kerberos_ticket_purge' => 'Purge any in-use kerberos tickets',
+      'kerberos_ticket_list'  => 'List all kerberos tickets',
+      'lsa_dump'              => 'Dump LSA secrets',
+      'wifi_list'             => 'List wifi profiles/creds'
     }
   end
 
@@ -80,7 +79,7 @@ class Console::CommandDispatcher::Kiwi
   def cmd_lsa_dump(*args)
     check_privs
 
-    print_status("Dumping LSA secrets")
+    print_status('Dumping LSA secrets')
     lsa = client.kiwi.lsa_dump
 
     # the format of this data doesn't really lend itself nicely to
@@ -142,24 +141,24 @@ class Console::CommandDispatcher::Kiwi
   # Valid options for the golden ticket creation functionality.
   #
   @@golden_ticket_create_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-u" => [ true,  "Name of the user to create the ticket for" ],
-    "-i" => [ true,  "ID of the user to associate the ticket with" ],
-    "-g" => [ true,  "Comma-separated list of group identifiers to include (eg: 501,502)" ],
-    "-d" => [ true,  "Name of the target domain (FQDN)" ],
-    "-k" => [ true,  "krbtgt domain user NTLM hash" ],
-    "-t" => [ true,  "Local path of the file to store the ticket in" ],
-    "-s" => [ true,  "SID of the domain" ]
+    '-h' => [ false, 'Help banner' ],
+    '-u' => [ true,  'Name of the user to create the ticket for' ],
+    '-i' => [ true,  'ID of the user to associate the ticket with' ],
+    '-g' => [ true,  'Comma-separated list of group identifiers to include (eg: 501,502)' ],
+    '-d' => [ true,  'Name of the target domain (FQDN)' ],
+    '-k' => [ true,  'krbtgt domain user NTLM hash' ],
+    '-t' => [ true,  'Local path of the file to store the ticket in' ],
+    '-s' => [ true,  'SID of the domain' ]
   )
 
   #
   # Output the usage for the ticket listing functionality.
   #
   def golden_ticket_create_usage
-    print(
-      "\nUsage: golden_ticket_create [-h] -u <user> -d <domain> -k <krbtgt_ntlm> -s <sid> -t <path> [-i <id>] [-g <groups>]\n\n" +
-      "Create a golden kerberos ticket that expires in 10 years time.\n\n" +
-      @@golden_ticket_create_opts.usage)
+    print_line('Usage: golden_ticket_create [options]')
+    print_line
+    print_line('Create a golden kerberos ticket that expires in 10 years time.')
+    print_line(@@golden_ticket_create_opts.usage)
   end
 
   #
@@ -181,19 +180,19 @@ class Console::CommandDispatcher::Kiwi
 
     @@golden_ticket_create_opts.parse(args) { |opt, idx, val|
       case opt
-      when "-u"
+      when '-u'
         user = val
-      when "-d"
+      when '-d'
         domain = val
-      when "-k"
+      when '-k'
         tgt = val
-      when "-t"
+      when '-t'
         target = val
-      when "-i"
+      when '-i'
         id = val.to_i
-      when "-g"
+      when '-g'
         group_ids = val.split(',').map { |g| g.to_i }.to_a
-      when "-s"
+      when '-s'
         sid = val
       end
     }
@@ -207,7 +206,7 @@ class Console::CommandDispatcher::Kiwi
     ticket = client.kiwi.golden_ticket_create(user, domain, sid, tgt, id, group_ids)
 
     ::File.open( target, 'wb' ) do |f|
-      f.write ticket
+      f.write(ticket)
     end
 
     print_good("Golden Kerberos ticket written to #{target}")
@@ -217,26 +216,26 @@ class Console::CommandDispatcher::Kiwi
   # Valid options for the ticket listing functionality.
   #
   @@kerberos_ticket_list_opts = Rex::Parser::Arguments.new(
-    "-h" => [ false, "Help banner" ],
-    "-e" => [ false, "Export Kerberos tickets to disk" ],
-    "-p" => [ true,  "Path to export Kerberos tickets to" ]
+    '-h' => [ false, 'Help banner' ],
+    '-e' => [ false, 'Export Kerberos tickets to disk' ],
+    '-p' => [ true,  'Path to export Kerberos tickets to' ]
   )
 
   #
   # Output the usage for the ticket listing functionality.
   #
   def kerberos_ticket_list_usage
-    print(
-      "\nUsage: kerberos_ticket_list [-h] [-e <true|false>] [-p <path>]\n\n" +
-      "List all the available Kerberos tickets.\n\n" +
-      @@kerberos_ticket_list_opts.usage)
+    print_line('Usage: kerberos_ticket_list [options]')
+    print_line
+    print_line('List all the available Kerberos tickets.')
+    print_line(@@kerberos_ticket_list_opts.usage)
   end
 
   #
   # Invoke the kerberos ticket listing functionality on the target machine.
   #
   def cmd_kerberos_ticket_list(*args)
-    if args.include?("-h")
+    if args.include?('-h')
       kerberos_ticket_list_usage
       return
     end
@@ -244,13 +243,13 @@ class Console::CommandDispatcher::Kiwi
     # default to not exporting
     export = false
     # default to the current folder for dumping tickets
-    export_path = "."
+    export_path = '.'
 
     @@kerberos_ticket_list_opts.parse(args) { |opt, idx, val|
       case opt
-      when "-e"
+      when '-e'
         export = true
-      when "-p"
+      when '-p'
         export_path = val
       end
     }
@@ -261,7 +260,7 @@ class Console::CommandDispatcher::Kiwi
     fields << 'Export Path' if export
 
     table = Rex::Ui::Text::Table.new(
-      'Header'    => "Kerberos Tickets",
+      'Header'    => 'Kerberos Tickets',
       'Indent'    => 0,
       'SortIndex' => 0,
       'Columns'   => fields
@@ -280,7 +279,7 @@ class Console::CommandDispatcher::Kiwi
 
       # write out each ticket to disk if export is enabled.
       if export
-        path = "<no data retrieved>"
+        path = '<no data retrieved>'
         if t[:raw]
           id = "#{values[0]}-#{values[1]}".gsub(/[\\\/\$ ]/, '-')
           file = "kerb-#{id}-#{Rex::Text.rand_text_alpha(8)}.tkt"
@@ -305,7 +304,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_kerberos_ticket_purge(*args)
     client.kiwi.kerberos_ticket_purge
-    print_good("Kerberos tickets purged")
+    print_good('Kerberos tickets purged')
   end
 
   #
@@ -313,7 +312,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_kerberos_ticket_use(*args)
     if args.length != 1
-      print_line("Usage: kerberos_ticket_use ticketpath")
+      print_line('Usage: kerberos_ticket_use ticketpath')
       return
     end
 
@@ -325,25 +324,13 @@ class Console::CommandDispatcher::Kiwi
 
     print_status("Using Kerberos ticket stored in #{target}, #{ticket.length} bytes")
     client.kiwi.kerberos_ticket_use(ticket)
-    print_good("Kerberos ticket applied successfully")
-  end
-
-  def wifi_list_usage
-    print(
-      "\nUsage: wifi_list\n\n" +
-      "List WiFi interfaces, profiles and passwords.\n\n")
+    print_good('Kerberos ticket applied successfully')
   end
 
   #
   # Dump all the wifi profiles/credentials
   #
   def cmd_wifi_list(*args)
-    # if any arguments are specified, then fire up a usage message
-    if args.length > 0
-      wifi_list_usage
-      return
-    end
-
     results = client.kiwi.wifi_list
 
     if results.length > 0
@@ -362,24 +349,39 @@ class Console::CommandDispatcher::Kiwi
           table << [p[:name], p[:auth], p[:key_type], p[:shared_key]]
         end
 
-        print_line table.to_s
-        print_line "State: #{r[:state]}"
+        print_line(table.to_s)
+        print_line("State: #{r[:state]}")
       end
     else
       print_line
-      print_error("No wireless profiles found on the target.")
+      print_error('No wireless profiles found on the target.')
     end
 
     print_line
     return true
   end
 
+  @@creds_opts = Rex::Parser::Arguments.new(
+    '-o' => [ true,  'Write the output to the specified file.' ],
+    '-h' => [ false, 'Help menu.' ]
+  )
+
+  #
+  # Displays information about the various creds commands
+  #
+  def cmd_creds_usage(provider)
+    print_line("Usage: creds_#{provider} [options]")
+    print_line
+    print_line("Dump #{provider} credentials.")
+    print_line(@@creds_opts.usage)
+  end
+
   #
   # Dump all the possible credentials to screen.
   #
   def cmd_creds_all(*args)
     method = Proc.new { client.kiwi.all_pass }
-    scrape_passwords("all", method)
+    scrape_passwords('all', method, args)
   end
 
   #
@@ -387,7 +389,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_wdigest(*args)
     method = Proc.new { client.kiwi.wdigest }
-    scrape_passwords("wdigest", method)
+    scrape_passwords('wdigest', method, args)
   end
 
   #
@@ -395,7 +397,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_msv(*args)
     method = Proc.new { client.kiwi.msv }
-    scrape_passwords("msv", method)
+    scrape_passwords('msv', method, args)
   end
 
   #
@@ -403,7 +405,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_livessp(*args)
     method = Proc.new { client.kiwi.livessp }
-    scrape_passwords("livessp", method)
+    scrape_passwords('livessp', method, args)
   end
 
   #
@@ -411,7 +413,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_ssp(*args)
     method = Proc.new { client.kiwi.ssp }
-    scrape_passwords("ssp", method)
+    scrape_passwords('ssp', method, args)
   end
 
   #
@@ -419,7 +421,7 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_tspkg(*args)
     method = Proc.new { client.kiwi.tspkg }
-    scrape_passwords("tspkg", method)
+    scrape_passwords('tspkg', method, args)
   end
 
   #
@@ -427,22 +429,22 @@ class Console::CommandDispatcher::Kiwi
   #
   def cmd_creds_kerberos(*args)
     method = Proc.new { client.kiwi.kerberos }
-    scrape_passwords("kerberos", method)
+    scrape_passwords('kerberos', method, args)
   end
 
 protected
 
   def check_privs
     if system_check
-      print_good("Running as SYSTEM")
+      print_good('Running as SYSTEM')
     else
-      print_warning("Not running as SYSTEM, execution may fail")
+      print_warning('Not running as SYSTEM, execution may fail')
     end
   end
 
   def system_check
-    unless (client.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
-      print_warning("Not currently running as SYSTEM")
+    unless client.sys.config.is_system?
+      print_warning('Not currently running as SYSTEM')
       return false
     end
 
@@ -459,7 +461,12 @@ protected
   #   Meterpreter that lay in the house that Jack built.
   #
   # @return [void]
-  def scrape_passwords(provider, method)
+  def scrape_passwords(provider, method, args)
+    if args.include?('-h')
+      cmd_creds_usage(provider)
+      return
+    end
+
     check_privs
     print_status("Retrieving #{provider} credentials")
     accounts = method.call
@@ -468,24 +475,40 @@ protected
       'Header'    => "#{provider} credentials",
       'Indent'    => 0,
       'SortIndex' => 0,
-      'Columns'   =>
-      [
-        'Domain', 'User', 'Password', 'Auth Id', 'LM Hash', 'NTLM Hash'
+      'Columns'   => [
+        'Domain', 'User', 'Password', 'LM Hash', 'NTLM Hash'
       ]
     )
 
     accounts.each do |acc|
       table << [
-        acc[:domain] || "",
-        acc[:username] || "",
-        acc[:password] || "",
-        "#{acc[:auth_hi]} ; #{acc[:auth_lo]}",
-        to_hex(acc[:lm] || ""),
-        to_hex(acc[:ntlm] || "")
+        acc[:domain] || '',
+        acc[:username] || '',
+        acc[:password] || '',
+        to_hex(acc[:lm]),
+        to_hex(acc[:ntlm])
       ]
     end
 
-    print_line table.to_s
+    output = table.to_s
+    print_line(output)
+
+    # determine if a target file path was passed in
+    file_index = args.index('-o')
+    unless file_index.nil?
+      if args.length > file_index + 1
+        # try to write the file to disk
+        begin
+          ::File.write(args[file_index + 1], output)
+          print_good("Output written to #{args[file_index + 1]}")
+        rescue
+          print_error("Unable to write to #{args[file_index + 1]}")
+        end
+      else
+        print_error('Missing file path for -o parameter')
+      end
+    end
+
     return true
   end
 
@@ -496,8 +519,7 @@ protected
   # @param (see Rex::Text.to_hex)
   # @return [String] The result of {Rex::Text.to_hex}, strip'd
   def to_hex(value, sep = '')
-    value ||= ""
-    Rex::Text.to_hex(value, sep).strip
+    Rex::Text.to_hex(value || '', sep).strip
   end
 
 end