Nmap Development mailing list archives

New script: smb-enum-groups.nse


From: Ron <ron () skullsecurity net>
Date: Wed, 11 Nov 2009 20:53:19 -0600

Hey,

I just finished writing a script called smb-enum-groups.nse. It's
currently in my nmap-exp branch:
svn://svn.insecure.org/nmap-exp/ron/nmap-smb

Here's an example output run anonymously against a fairly default
Windows 2000 machine:
Host script results:
|  smb-enum-groups:
|  |  Builtin\Administrators (RID: 544): Administrator, ron
|  |  Builtin\Guests (RID: 546): Guest
|  |  Builtin\Replicator (RID: 552): <empty>
|  |  Builtin\Power Users (RID: 547): <empty>
|  |  Builtin\Users (RID: 545): ron
|_ |_ Builtin\Backup Operators (RID: 551): <empty>


And here it is run against a somewhat default Windows 2003 install (with
a user account, not in the Administrators group):

nmap -p445 -d --script=smb-enum-groups --script-args=smbuser=test,smbpass=test 172.16.212.129
[...]
|  smb-enum-groups:
|  |  WINDOWS2003\HelpServicesGroup (RID: 1003): SUPPORT_388945a0
|  |  WINDOWS2003\IIS_WPG (RID: 1002): IWAM_WINDOWS2003
|  |  WINDOWS2003\TelnetClients (RID: 1005): <empty>
|  |  Builtin\Print Operators (RID: 550): <empty>
|  |  Builtin\Replicator (RID: 552): <empty>
|  |  Builtin\Network Configuration Operators (RID: 556): <empty>
|  |  Builtin\Performance Monitor Users (RID: 558): <empty>
|  |  Builtin\Users (RID: 545): ron, ASPNET, test
|  |  Builtin\Power Users (RID: 547): <empty>
|  |  Builtin\Backup Operators (RID: 551): <empty>
|  |  Builtin\Remote Desktop Users (RID: 555): <empty>
|  |  Builtin\Administrators (RID: 544): Administrator, ron
|  |  Builtin\Performance Log Users (RID: 559): <empty>
|  |  Builtin\Guests (RID: 546): Guest, IUSR_WINDOWS2003
|_ |_ Builtin\Distributed COM Users (RID: 562): <empty>

Unfortunately, anonymous and guest can't run SAMR functions against
Windows XP and higher, so a user account is required.

I haven't tested it significantly yet, though I'll give it a try at work
against a few machines. I'm reasonably confident that it'll hold its
weight fairly well.

I'd like to move this (and the 'output' patch I posted about before)
back into the trunk in the next few days, if nobody minds.

I'd love to hear comments on this! The output formatting isn't my
favourite, so I'm happy to take suggestions on how I can make it nicer. :)

Ron

-- 
Ron Bowes
http://www.skullsecurity.org/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
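Turning the script's output into findings, as an added example that is not part of Ron's post or of Nmap itself: a Python parser for the smb-enum-groups output format shown above (tree prefix, DOMAIN\Group, RID, comma-separated member list or `<empty>`) that extracts each group and flags members of the privileged Builtin aliases (Administrators 544, Power Users 547, Backup Operators 551) beyond what a default install already places there. The sample input is a trimmed, constructed copy of the Windows 2003 run quoted in the post; the regex, the choice of privileged RIDs and the "default member" sets are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: a trimmed copy of the Windows 2003 run quoted
# in the post, not captured from a live host.
SAMPLE_OUTPUT = r"""
|  smb-enum-groups:
|  |  WINDOWS2003\HelpServicesGroup (RID: 1003): SUPPORT_388945a0
|  |  Builtin\Users (RID: 545): ron, ASPNET, test
|  |  Builtin\Power Users (RID: 547): <empty>
|  |  Builtin\Backup Operators (RID: 551): <empty>
|  |  Builtin\Administrators (RID: 544): Administrator, ron
|_ |_ Builtin\Guests (RID: 546): Guest, IUSR_WINDOWS2003
"""

# One group line as the script prints it: two tree-prefix cells, then
# DOMAIN\Group (RID: n): member, member | <empty>   (format assumed from the post)
LINE_RE = re.compile(
    r"^\|[ _] \|[ _] (?P<domain>[^\\]+)\\(?P<group>.+?) \(RID: (?P<rid>\d+)\): (?P<members>.*)$"
)

# Well-known RIDs of privileged Builtin aliases, paired with the member a
# default install already puts in them (editor's assumption; adjust per build).
PRIVILEGED = {
    544: ("Administrators", {"Administrator"}),
    547: ("Power Users", set()),
    551: ("Backup Operators", set()),
}


@dataclass
class Group:
    domain: str
    name: str
    rid: int
    members: List[str]


def parse_groups(text: str) -> List[Group]:
    """Parse smb-enum-groups output lines into Group records, skipping non-group lines."""
    groups = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # script header, blank line, or other host-script output
        raw = m.group("members").strip()
        members = [] if raw == "<empty>" else [x.strip() for x in raw.split(",") if x.strip()]
        groups.append(Group(m.group("domain"), m.group("group"), int(m.group("rid")), members))
    return groups


def unexpected_privileged_members(groups: List[Group]) -> Dict[str, List[str]]:
    """Return members of privileged Builtin aliases that a default install would not have."""
    findings: Dict[str, List[str]] = {}
    for g in groups:
        if g.domain != "Builtin" or g.rid not in PRIVILEGED:
            continue
        _, default_members = PRIVILEGED[g.rid]
        extra = [m for m in g.members if m not in default_members]
        if extra:
            findings[f"{g.domain}\\{g.name}"] = extra
    return findings


if __name__ == "__main__":
    parsed = parse_groups(SAMPLE_OUTPUT)
    for g in parsed:
        print(f"{g.domain}\\{g.name} (RID {g.rid}): {g.members or '<empty>'}")
    print("Findings:", unexpected_privileged_members(parsed))
```

On the sample above the only finding is `ron` in Builtin\Administrators; the empty Power Users and Backup Operators aliases produce nothing. Matching on RID rather than on the localized group name keeps the check stable across language packs and renamed aliases.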

