Penetration Testing mailing list archives
Re: NT Domain Enumeration from Unix
From: Syzop <syz () dds nl>
Date: Thu, 08 Nov 2001 20:38:29 +0100
Chad Gough wrote:
Does anyone have any tools/scripts to enumerate user/group information from a Windows Domain Controller. Additionally, I'm looking for something to enumerate machine accounts from resource domains.
Samba-TNG (www.samba-tng.org) has some nice tools to do such things...
$ ./rpcclient \\\\SOMESERVER -U someuser
load_client_codepage: filename /usr/local/samba/lib/codepages/codepage.850 does not exist.
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
Enter Password:
Server: \\SOMESERVER: User: someuser Domain:
Connection: session setup ok
Domain=[DOMAIN] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
OK
[someuser@SOMESERVER]$ help
help
lsaquery lsaenumdomains lookupsids lookupnames createsecret
setsecret lsashowsd querysecret enumprivs privinfo
lsaenumsids trustinfo time brsinfo wksinfo
who srvinfo srvsessions srvshares srvshareinfo
srvsharedel srvtransports srvconnections srvfiles eventlog
lookupdomain samlookuprids samlookupnames enumusers addgroupmem
addaliasmem delgroupmem delaliasmem creategroup createalias
createuser deluser delgroup delalias ntpass
samquerysec samuserset2 samuserset samuser samgroup
samalias samaliasmem samgroupmem samtest enumaliases
enumdomains enumgroups dominfo dispinfo svcenum
svcinfo svcstart svcset svcstop svcunk3
svcgetsec regenum regdeletekey regcreatekey shutdown
abortshutdown regqueryval regquerykey regdeleteval regcreateval
reggetsec regtestsec ntlogin domlist domtrust
samsync at spoolenum spoolenumdatas spooljobs
spoolopen spoolgetdata spoolgetprinter spoolenumprinterdrivers spoolgetprinterdriver
spoolgetprinterdriverdir dfsenum dfsadd dfsremove set
use quit q exit bye
help ?
[someuser@SOMESERVER]$ enumusers
enumusers
SAM Enumerate Users
User RID: 1f4 User Name: admin
User RID: 7b4 User Name: SOMEBOX$
User RID: 5fb User Name: SOMEBOX2$
[etc]
(You probably don't need a login/pass btw because of the NULL pipe stuff).
Syzop.
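As an added example (not part of Syzop's reply or of Samba-TNG), here is a small parser for the `enumusers` output format shown above, the kind of thing an auditor reviewing such a listing wants: it converts the hex RIDs to decimal, separates machine accounts (names ending in `$`, which answers the second half of the original question) from user accounts, and flags well-known RIDs such as 500 whose default name has been changed. The sample output is constructed to match the lines in the reply.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample of rpcclient "enumusers" output, in the format shown in the reply.
SAMPLE_OUTPUT = """\
SAM Enumerate Users
User RID: 1f4 User Name: admin
User RID: 1f5 User Name: Guest
User RID: 7b4 User Name: SOMEBOX$
User RID: 5fb User Name: SOMEBOX2$
User RID: 3e9 User Name: jdoe
"""

# Well-known RIDs (decimal) present in every NT domain, whatever the account is called.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
DEFAULT_NAMES = {500: "administrator", 501: "guest"}

LINE_RE = re.compile(r"^User RID:\s*([0-9a-fA-F]+)\s+User Name:\s*(\S+)\s*$")


class SamAccount(NamedTuple):
    rid: int
    name: str
    is_machine: bool  # machine (computer) accounts end in '$'
    note: str         # well-known RID description, or '' for ordinary accounts


def parse_enumusers(text: str) -> List[SamAccount]:
    """Parse 'User RID: <hex> User Name: <name>' lines; skip headers and noise."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rid = int(m.group(1), 16)  # rpcclient prints the RID in hexadecimal
        name = m.group(2)
        accounts.append(SamAccount(rid, name, name.endswith("$"), WELL_KNOWN_RIDS.get(rid, "")))
    return accounts


def split_accounts(accounts: List[SamAccount]) -> Tuple[List[SamAccount], List[SamAccount]]:
    """Return (user accounts, machine accounts)."""
    return ([a for a in accounts if not a.is_machine], [a for a in accounts if a.is_machine])


def renamed_well_known(accounts: List[SamAccount]) -> List[SamAccount]:
    """Accounts with a well-known RID whose name no longer matches the default."""
    return [a for a in accounts if a.rid in DEFAULT_NAMES and a.name.lower() != DEFAULT_NAMES[a.rid]]


if __name__ == "__main__":
    accts = parse_enumusers(SAMPLE_OUTPUT)
    users, machines = split_accounts(accts)
    print(f"{len(users)} user accounts, {len(machines)} machine accounts")
    for a in renamed_well_known(accts):
        print(f"RID {a.rid} ({a.note}) is currently named '{a.name}'")
```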