Penetration Testing mailing list archives

Re: How to get the list of domain admins


From: Marco Ivaldi <raptor () mediaservice net>
Date: Tue, 22 Jul 2008 11:39:51 +0200 (Western European Standard Time)

Shankar,

On Fri, 18 Jul 2008, Shankar Arjunan wrote:

> Hi all,
>
> Can anyone tell me how to get list of users who are having domain admin rights in a domain. I vaguely remember using it through command line utility net use or net localgroup ...

If you've got a UNIX-like platform handy, you may want to give Samba-TNG's powerful rpcclient a try (see http://wiki.samba-tng.org/doku.php/start):

fnord:~# /usr/local/samba/bin/rpcclient -U % -S x.x.x.x # null session
Server: \\x.x.x.x: User:           Domain:
Connection:     OK
[x.x.x.x]$ enumgroups
SAM Enumerate Groups
Group RID:      200  Group Name: Domain Admins
Group RID:      201  Group Name: Domain Users
Group RID:      202  Group Name: Domain Guests
Group RID:      229  Group Name: Domain Computers
[x.x.x.x]$ samgroupmem "Domain Admins"
SAM Query Group: Domain Admins
From: FNORD To: \\x.x.x.x Domain: MEDIASERVICE SID: xxx
        Members:
        -------
        Administrator (User) (0x3e8)

Here's a script to automate such an attack, among other useful features:

http://0xdeadbeef.info/code/samba-hax0r

Usage example:

fnord:~# samba-hax0r -m info -h x.x.x.x -t groups

samba-hax0r v0.1 - Multi-purpose SMB/CIFS network attack tool
Copyright (c) 2005-2007 Marco Ivaldi <raptor () 0xdeadbeef info>

--------------------------------
Host:   x.x.x.x
Domain: MEDIASERVICE
SID:    xxx

Group RID:      200  Group Name: Domain Admins
Group RID:      201  Group Name: Domain Users
Group RID:      202  Group Name: Domain Guests
Group RID:      229  Group Name: Domain Computers
--------------------------------
1 host(s) scanned.

fnord:~# samba-hax0r -m info -h x.x.x.x -t groupmem -a "Domain Admins"

samba-hax0r v0.1 - Multi-purpose SMB/CIFS network attack tool
Copyright (c) 2005-2007 Marco Ivaldi <raptor () 0xdeadbeef info>

--------------------------------
Host:   x.x.x.x
Domain: MEDIASERVICE
SID:    xxx

Members:
-------
Administrator (User) (0x3e8)

--------------------------------
1 host(s) scanned.

Hope this helps,

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
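Editor's note (added example, not part of Marco's post and not the samba-hax0r tool): the rpcclient that ships with current Samba does not have Samba-TNG's one-shot "samgroupmem". The same enumeration takes three RPC calls (enumdomgroups to map the group name to a RID, querygroupmem to list member RIDs, queryuser to resolve each RID to a name), and the script below chains them. The rpc(), group_rid(), member_rids(), user_name() and enum_group_members() names are this example's own, and the sample output it is exercised on is constructed to mirror the real rpcclient line format rather than captured from any host. Expect the null session (-U '' -N) to be refused by most domain controllers built in the last fifteen years, which is why the script also accepts credentials in RPC_CREDS.

```shell
#!/bin/sh
# Enumerate the members of a domain group over SMB/MS-RPC with current
# Samba's rpcclient (not the Samba-TNG build shown in the post).
# Three calls replace Samba-TNG's samgroupmem:
#   enumdomgroups  -> group name to RID
#   querygroupmem  -> group RID to member RIDs
#   queryuser      -> member RID to account name
# The parsers read stdin, so they run offline on the constructed sample
# output below; only enum_group_members() talks to a live host.

# Run one rpcclient command as a null session (-U '' -N) unless RPC_CREDS
# holds "user%pass" or "DOMAIN\\user%pass".
rpc() {
    host=$1; cmd=$2
    if [ -n "${RPC_CREDS:-}" ]; then
        rpcclient -U "$RPC_CREDS" "$host" -c "$cmd"
    else
        rpcclient -U '' -N "$host" -c "$cmd"
    fi
}

# enumdomgroups output on stdin -> hex RID of the named group.
# Real line format:  group:[Domain Admins] rid:[0x200]
group_rid() {
    name=$1
    sed -n "s/^group:\[$name\] rid:\[\(0x[0-9a-f]*\)\]\$/\1/p"
}

# querygroupmem output on stdin -> member RIDs, one per line.
# Real line format:  <tab>rid:[0x1f4] attr:[0x7]
member_rids() {
    sed -n 's/^[[:space:]]*rid:\[\(0x[0-9a-f]*\)\].*$/\1/p'
}

# queryuser output on stdin -> the account name.
# Real line format:  <tab>User Name   :<tab>Administrator
user_name() {
    sed -n 's/^[[:space:]]*User Name[[:space:]]*:[[:space:]]*//p'
}

# Live driver: print the members of group $2 held by domain controller $1.
enum_group_members() {
    host=$1; group=$2
    rid=$(rpc "$host" enumdomgroups | group_rid "$group")
    [ -n "$rid" ] || { echo "group '$group' not found on $host" >&2; return 1; }
    rpc "$host" "querygroupmem $rid" | member_rids | while read -r mrid; do
        rpc "$host" "queryuser $mrid" | user_name
    done
}

# Constructed sample output (example's own, not captured from a real host)
# in the line format current rpcclient emits. Well-known RIDs: 0x200 = 512
# Domain Admins, 0x1f4 = 500 Administrator.
SAMPLE_GROUPS='group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]'
SAMPLE_MEMBERS=$(printf '\trid:[0x1f4] attr:[0x7]\n\trid:[0x3e8] attr:[0x7]\n')
SAMPLE_USER=$(printf '\tUser Name   :\tAdministrator\n\tFull Name   :\t\n\tDescription :\tBuilt-in account for administering the computer/domain\n')

# Offline walk-through of the three parsing steps on the sample data.
demo() {
    rid=$(printf '%s\n' "$SAMPLE_GROUPS" | group_rid "Domain Admins")
    printf 'Domain Admins RID: %s\n' "$rid"
    printf '%s\n' "$SAMPLE_MEMBERS" | member_rids
    printf '%s\n' "$SAMPLE_USER" | user_name
}

# Usage against a live DC (uncomment):
#   enum_group_members x.x.x.x "Domain Admins"
#   RPC_CREDS='CORP\user%pass' enum_group_members x.x.x.x "Domain Admins"
```

The group name is matched literally inside the sed pattern, so quote it exactly as the DC reports it ("Domain Admins", "Enterprise Admins"); querygroupmem only lists direct members, so nested groups need the same three steps run again on each member RID that turns out to be a group.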

