Nmap Development mailing list archives
Re: Help with smb-enum-users.nse
From: Abuse 007 <abuse007 () gmail com>
Date: Fri, 31 Aug 2012 12:34:46 +1000
Hi Ron,

It's a client's DC, part of a pentest engagement so the information is a bit sensitive. I can try to replicate it in a test environment but it will take some time for me to set it up. :(

I've downloaded some material on SMB, RPC, etc., and I'm doing some research on how it all works, and analysing winfo.exe's behaviour. I'd appreciate any pointers to what the issue may be or to good material for research. SMB/CIFS/MSRPC is quite a beast.

Thanks,
Ab

On Fri, Aug 31, 2012 at 8:40 AM, Ron <ron () skullsecurity net> wrote:
> Any chance you can send me a pcap of winfo.exe's execution? I've never had the opportunity to test smb-enum-users.nse against a domain, it's possible it's only enumerating local users or something like that, rather than enumerating the domain.
>
> Thanks!
> Ron
>
> On 2012-08-30 14:08, Abuse 007 wrote:
>> Hi All,
>>
>> With smb-enum-users.nse I get 20 entries via SAMR against a Windows 2008 R2 host that's a DC. If I increase the SAMR count I can get up to 100 entries. If I modify the script so that it loops regardless of the return code (which is 0), the reply to the second querydisplayinfo request does not contain any additional entries.
>>
>> I'm confused by this behaviour. I thought Windows would be an all or nothing type thing.
>>
>> A different tool, winfo.exe, is able to enumerate a little over 500 accounts. I'm not sure of its exact technique.
>>
>> Should the SAMR technique be able to enumerate more users?
>>
>> Also, the smb-enum-users.nse LSA RID bruteforcing method fails. This is possibly because no authentication credentials have been supplied.
>>
>> Thanks,
>> Ab
>> _______________________________________________
>> Sent through the nmap-dev mailing list
>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>> Archived at http://seclists.org/nmap-dev/