Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Help with smb-enum-users.nse

From: Abuse 007 <abuse007 () gmail com>
Date: Fri, 31 Aug 2012 12:34:46 +1000
Hi Ron,

It's a client's DC, part of a pentest engagement so the information is
a bit sensitive.

I can try to replicate it in a test environment but it will take some
time for me to set it up.. :(

I've download some material on SMB, RPC, etc., and I'm doing some
research on how it all works, and analysing winfo.exe's behaviour.
I'd appreciate any pointers to what the issue may be or to good
material for research. SMB/CIFS/MSRPC is quite a beast.

Thanks,
Ab

On Fri, Aug 31, 2012 at 8:40 AM, Ron <ron () skullsecurity net> wrote:

Any chance you can send me a pcap of winfo.exe's execution?

I've never had the opportunity to test smb-enum-users.nse against a
domain, it's possible it's only enumerating local users or something
like that, rather than enumerating the domain.

Thanks!

Ron

On 2012-08-30 14:08, Abuse 007 wrote:

Hi All,

With smb-enum-users.nse I get 20 entries via SAMR against a Windows 2008 R2 host that's a DC. If I increase the SMAR 
count I can get up to 100 entries. If I modify the script so that it loops regardless of the return code (which is 
0), the reply to the second querydisplayinfo request does not contain any additional entries.

I'm confused by this behavour. I thought Windows would be an all or nothing type thing.

A differnet tool, winfo.exe, is able to enumerate a little over 500 accounts. I'm not sure of it's exact technique.

Should the SAMR technique be able to enumerate more users?

Also, the smb-enum-users.nse LSA RID bruteforcing method fails. This is prossibly because no authentication 
credentials have been supplied.

Thanks,
Ab
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: