Re: Help with smb-enum-users.nse

[Abuse 007 <abuse007 () gmail com>]

> From my testing against a Windows Server 2008 R2 SP1 Domain
Controller, an anonymous user can only retrieve the first 100 entries
via the SAMR QueryDisplayInfo RPC method.

This is basically equivalent to the NetQueryDisplayInformation API,
who's documentation on MSDN states: -

Remarks
If you call this function on a domain controller that is running
Active Directory, access is allowed or denied based on the access
control list (ACL) for the securable object. The default ACL permits
all *authenticated users* and members of the "Pre-Windows 2000
compatible access" group to view the information. <snip> . For
information about anonymous access and restricting anonymous access on
these platforms, see Security Requirements for the Network Management
Functions. <snip>

The NetQueryDisplayInformation function only returns information to
which the caller has Read access. The caller must have List Contents
access to the Domain object, and Enumerate Entire SAM Domain access on
the SAM Server object located in the System container.

<snip>

The number of entries returned by this function depends on the
security descriptor located on the root domain object. *The API will
return either the first 100 entries* or the entire set of entries in
the domain, depending on the access privileges of the user. The ACE
used to control this behavior is "SAM-Enumerate-Entire-Domain", and is
granted to Authenticated Users by default. Administrators can modify
this setting to allow users to enumerate the entire domain.

------- end copy and paste ------- (some emphasis added)


The 2008 R2 DC I tested against has
HKLM\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous
set to 0x0. Which is the default. This value means that only the first
100 results will be returned, hence the behaviour I observed earlier.

Winfo.exe is getting more results by using the SAMR EnumDomainUsers RPC method.

With no authentication the LSA RID brute-forcing doesn't work. With a
user account it retrieved about 300 odd accounts. Tweaking the
LSA_GROUPSIZE and LSA_MINEMPTY would probably return more.

This pretty much aligns with the comments in msrpc.lua and
smb-enum-users.nse, except being able to get the first 100 accounts
via SAMR isn't mentioned.

In the past I have used smb-enum-users against a Windows Server 2003
Domain Controller and retrieved the all users for the domain (a lot
more than a 100). I'm not sure if this is the default behaviour for a
Windows Server 2003 Domain Controller or if the settings had been
changed, particularly the EveryoneIncludesAnonymous setting.

I'm not sure of the differences between SAMR QueryDisplayInfo,
QueryDisplayInfo2 and QueryDisplayInfo3, they seem to have the same
arguments in/out from reading MS-SAMR I don't see what the difference
is, besides being newer/older. Does anyone know?

There are probably a few other mechanisms that could be used to
enumerate users, different RPC methods, different services, etc.

Thanks,
Ab


On Sun, Sep 2, 2012 at 4:49 AM, Abuse 007 <abuse007 () gmail com> wrote:
> winfo.exe uses NetUserEnum from NETAPI32.DLL. It results in the
> EnumDomainUsers operation in SAMR. The other difference is that it's
> utilising SMB2, whereas the smb-enum-users script is using SMB rather
> than SMB2.
>
> I'm not sure if SMBv2 vs SMB makes much difference. Does NSE and your
> scripts support SMBv2?
>
> I'm still researching SAMR/RPC/SMB/NetBIOS etc. I think it maybe
> related to the buffer size and number of items requested. I'll do some
> further experimenting.
>
> On Fri, Aug 31, 2012 at 12:34 PM, Abuse 007 <abuse007 () gmail com> wrote:
> > Hi Ron,
> >
> > It's a client's DC, part of a pentest engagement so the information is
> > a bit sensitive.
> >
> > I can try to replicate it in a test environment but it will take some
> > time for me to set it up.. :(
> >
> > I've download some material on SMB, RPC, etc., and I'm doing some
> > research on how it all works, and analysing winfo.exe's behaviour.
> > I'd appreciate any pointers to what the issue may be or to good
> > material for research. SMB/CIFS/MSRPC is quite a beast.
> >
> > Thanks,
> > Ab
> >
> > On Fri, Aug 31, 2012 at 8:40 AM, Ron <ron () skullsecurity net> wrote:
> > > Any chance you can send me a pcap of winfo.exe's execution?
> > >
> > > I've never had the opportunity to test smb-enum-users.nse against a
> > > domain, it's possible it's only enumerating local users or something
> > > like that, rather than enumerating the domain.
> > >
> > > Thanks!
> > >
> > > Ron
> > >
> > > On 2012-08-30 14:08, Abuse 007 wrote:
> > > > Hi All,
> > > >
> > > > With smb-enum-users.nse I get 20 entries via SAMR against a Windows 2008 R2 host that's a DC. If I increase the 
> > > > SMAR count I can get up to 100 entries. If I modify the script so that it loops regardless of the return code 
> > > > (which is 0), the reply to the second querydisplayinfo request does not contain any additional entries.
> > > >
> > > > I'm confused by this behavour. I thought Windows would be an all or nothing type thing.
> > > >
> > > > A differnet tool, winfo.exe, is able to enumerate a little over 500 accounts. I'm not sure of it's exact technique.
> > > >
> > > > Should the SAMR technique be able to enumerate more users?
> > > >
> > > > Also, the smb-enum-users.nse LSA RID bruteforcing method fails. This is prossibly because no authentication 
> > > > credentials have been supplied.
> > > >
> > > > Thanks,
> > > > Ab
> > > > _______________________________________________
> > > > Sent through the nmap-dev mailing list
> > > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > > Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/