Penetration Testing mailing list archives
Re: How to get the list of domain admins
From: Marco Ivaldi <raptor () mediaservice net>
Date: Tue, 22 Jul 2008 11:39:51 +0200 (ora solare Europa occidentale)
Shankar,

On Fri, 18 Jul 2008, Shankar Arjunan wrote:
> Hi all, Can anyone tell me how to get list of users who are having domain admin rights in a domain. I vaguely remember using it through command line utility net use or net localgroup ..
If you've got a UNIX-like platform handy, you may want to give Samba-TNG's powerful rpcclient a try (see http://wiki.samba-tng.org/doku.php/start):

fnord:~# /usr/local/samba/bin/rpcclient -U % -S x.x.x.x # null session
Server: \\x.x.x.x: User: Domain:
Connection: OK
[x.x.x.x]$ enumgroups
SAM Enumerate Groups
Group RID: 200 Group Name: Domain Admins
Group RID: 201 Group Name: Domain Users
Group RID: 202 Group Name: Domain Guests
Group RID: 229 Group Name: Domain Computers
[x.x.x.x]$ samgroupmem "Domain Admins"
SAM Query Group: Domain Admins
From: FNORD To: \\x.x.x.x Domain: MEDIASERVICE SID: xxx
Members:
-------
Administrator (User) (0x3e8)

Here's a script to automate such an attack, among other useful features:

http://0xdeadbeef.info/code/samba-hax0r

Usage example:

fnord:~# samba-hax0r -m info -h x.x.x.x -t groups
samba-hax0r v0.1 - Multi-purpose SMB/CIFS network attack tool
Copyright (c) 2005-2007 Marco Ivaldi <raptor () 0xdeadbeef info>
--------------------------------
Host: x.x.x.x Domain: MEDIASERVICE SID: xxx
Group RID: 200 Group Name: Domain Admins
Group RID: 201 Group Name: Domain Users
Group RID: 202 Group Name: Domain Guests
Group RID: 229 Group Name: Domain Computers
--------------------------------
1 host(s) scanned.

fnord:~# samba-hax0r -m info -h x.x.x.x -t groupmem -a "Domain Admins"
samba-hax0r v0.1 - Multi-purpose SMB/CIFS network attack tool
Copyright (c) 2005-2007 Marco Ivaldi <raptor () 0xdeadbeef info>
--------------------------------
Host: x.x.x.x Domain: MEDIASERVICE SID: xxx
Members:
-------
Administrator (User) (0x3e8)
--------------------------------
1 host(s) scanned.

Hope this helps,

--
Marco Ivaldi, OPST
Red Team Coordinator
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
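
Added example (not part of the original post, and not code from samba-hax0r or Samba-TNG): a defender-side audit that parses saved enumgroups / samgroupmem output in the layout quoted above and compares the Domain Admins members against an approved list. The sample text, the svc-backup and da-alice accounts, and all function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the enumgroups / samgroupmem output quoted above.
SAMPLE_GROUPS = """\
SAM Enumerate Groups
Group RID: 200 Group Name: Domain Admins
Group RID: 201 Group Name: Domain Users
"""
SAMPLE_MEMBERS = """\
SAM Query Group: Domain Admins
Members:
-------
Administrator (User) (0x3e8)
svc-backup (User) (0x45a)
"""

GROUP_RE = re.compile(r"Group RID:\s*([0-9A-Fa-f]+)\s+Group Name:\s*(.+?)\s*$")
MEMBER_RE = re.compile(r"^\s*(.+?)\s+\((\w+)\)\s+\((0x[0-9A-Fa-f]+)\)\s*$")

def parse_groups(text):
    """Return {group name: RID string exactly as printed} from enumgroups output."""
    return {m.group(2): m.group(1) for m in map(GROUP_RE.search, text.splitlines()) if m}

def parse_members(text):
    """Return [(name, type, rid)] from the lines that follow the 'Members:' header."""
    members, in_list = [], False
    for line in text.splitlines():
        if line.strip() == "Members:":
            in_list = True
            continue
        m = MEMBER_RE.match(line) if in_list else None
        if m:  # the '-------' ruler and blank lines do not match and are skipped
            members.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return members

def audit(members, approved):
    """Case-insensitive diff of actual members against the approved account list."""
    approved_l = {a.lower() for a in approved}
    seen = {name.lower() for name, _, _ in members}
    unexpected = sorted(n for n, _, _ in members if n.lower() not in approved_l)
    missing = sorted(a for a in approved if a.lower() not in seen)
    return unexpected, missing

if __name__ == "__main__":
    members = parse_members(SAMPLE_MEMBERS)
    unexpected, missing = audit(members, {"Administrator", "da-alice"})  # hypothetical approved list
    print("unexpected Domain Admins:", unexpected)
    print("approved but absent:", missing)
```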