Penetration Testing: Re: NT Domain Enumeration from Unix

Re: NT Domain Enumeration from Unix

From: Syzop <syz_at_dds.nl>
Date: Thu, 08 Nov 2001 20:38:29 +0100

Chad Gough wrote:

> Does anyone have any tools/scripts to enumerate user/group information
> from a Windows Domain Controller. Additionally, I'm looking for
> something to enumerate machine accounts from resource domains.

Samba-TNG (www.samba-tng.org) has some nice tools to do such things...

$ ./rpcclient \\\\SOMESERVER -U someuser
load_client_codepage: filename /usr/local/samba/lib/codepages/codepage.850 does not exist.
load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
Enter Password:
Server: \\SOMESERVER: User: someuser Domain:
Connection: session setup ok
Domain=[DOMAIN] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
OK
[someuser_at_SOMESERVER]$ help
help
lsaquery lsaenumdomains lookupsids lookupnames createsecret
setsecret lsashowsd querysecret enumprivs privinfo
lsaenumsids trustinfo time brsinfo wksinfo
who srvinfo srvsessions srvshares srvshareinfo
srvsharedel srvtransports srvconnections srvfiles eventlog
lookupdomain samlookuprids samlookupnames enumusers addgroupmem
addaliasmem delgroupmem delaliasmem creategroup createalias
createuser deluser delgroup delalias ntpass
samquerysec samuserset2 samuserset samuser samgroup
samalias samaliasmem samgroupmem samtest enumaliases
enumdomains enumgroups dominfo dispinfo svcenum
svcinfo svcstart svcset svcstop svcunk3
svcgetsec regenum regdeletekey regcreatekey shutdown
abortshutdown regqueryval regquerykey regdeleteval regcreateval
reggetsec regtestsec ntlogin domlist domtrust
samsync at spoolenum spoolenumdatas spooljobs
spoolopen spoolgetdata spoolgetprinter spoolenumprinterdrivers spoolgetprinterdriver
spoolgetprinterdriverdir dfsenum dfsadd dfsremove set
use quit q exit bye
help ?
[someuser_at_SOMESERVER]$ enumusers
enumusers
SAM Enumerate Users
User RID: 1f4 User Name: admin
User RID: 7b4 User Name: SOMEBOX$
User RID: 5fb User Name: SOMEBOX2$
[etc]

(You probably don't need a login/pass btw because of the NULL pipe stuff).

    Syzop.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Nov 08 2001
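The post above shows Samba-TNG's rpcclient listing SAM accounts by RID, with machine accounts recognisable by the trailing "$". The script below is an added example, not code from the original message or from the Samba project: it uses the current Samba rpcclient (whose "enumdomusers" prints lines of the form "user:[NAME] rid:[0xHEX]") and a small parser that separates user accounts from computer accounts and converts the hex RIDs to decimal. The target name "SOMESERVER", the null-session login ("-U '' -N") and the sample output are assumptions/constructed input so the parser can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Samba): enumerate domain
# accounts over MS-RPC with modern Samba rpcclient and split machine accounts
# (names ending in '$') from user accounts, printing decimal RIDs.
set -eu

# Constructed sample of `rpcclient -c enumdomusers` output, in the format current
# Samba prints. Embedded so the parser can be run and checked offline.
SAMPLE_OUTPUT='user:[admin] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[SOMEBOX$] rid:[0x7b4]
user:[SOMEBOX2$] rid:[0x5fb]'

# Usage: parse_accounts users|machines  < rpcclient-output
# Prints "decimal_rid<TAB>name" lines sorted by RID. Lines that do not match the
# rpcclient pattern (errors, banners) are skipped.
parse_accounts() {
    local mode=$1 line name rid_hex
    while IFS= read -r line; do
        case $line in
            "user:["*"] rid:[0x"*"]") ;;
            *) continue ;;
        esac
        name=${line#user:\[}; name=${name%%\]*}
        rid_hex=${line##*rid:\[0x}; rid_hex=${rid_hex%\]}
        case $mode in
            machines) [ "${name%\$}" != "$name" ] || continue ;;  # keep only NAME$
            users)    [ "${name%\$}" = "$name" ]  || continue ;;  # drop NAME$
            *) echo "unknown mode: $mode" >&2; return 2 ;;
        esac
        printf '%d\t%s\n' "$((0x$rid_hex))" "$name"
    done | sort -n
}

# Live enumeration against a real DC (assumed target name; needs Samba's
# rpcclient on PATH). -U '' -N attempts a null session, which the original post
# notes is often enough on NT4-era controllers.
enum_live() {
    local server=$1 mode=$2
    rpcclient -U '' -N "//$server" -c enumdomusers | parse_accounts "$mode"
}

# Offline demonstration on the constructed sample.
demo() {
    echo "User accounts:";    printf '%s\n' "$SAMPLE_OUTPUT" | parse_accounts users
    echo "Machine accounts:"; printf '%s\n' "$SAMPLE_OUTPUT" | parse_accounts machines
}

demo
```

Against a live server, replace the demo call with e.g. `enum_live SOMESERVER machines`; if the null session is refused, add credentials with `-U 'DOMAIN\user'` and drop `-N`. RID 500 (0x1f4) is always the built-in administrator regardless of its name, which is why the parser keeps RIDs alongside names.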
