Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: How to get the list of domain admins
From: Marco Ivaldi <raptor () mediaservice net>
Date: Tue, 22 Jul 2008 11:39:51 +0200 (ora solare Europa occidentale)

Shankar,

On Fri, 18 Jul 2008, Shankar Arjunan wrote:

Hi all,

Can anyone tell me how to get list of users who are having domain admin rights in a domain. I vaguely remember using it through command line utility net use or net localgroup ..

If you've got a UNIX-like platform handy, you may want to give Samba-TNG's powerful rpcclient a try (see http://wiki.samba-tng.org/doku.php/start):

fnord:~# /usr/local/samba/bin/rpcclient -U % -S x.x.x.x # null session
Server: \\x.x.x.x: User:           Domain:
Connection:     OK
[x.x.x.x]$ enumgroups
SAM Enumerate Groups
Group RID:      200  Group Name: Domain Admins
Group RID:      201  Group Name: Domain Users
Group RID:      202  Group Name: Domain Guests
Group RID:      229  Group Name: Domain Computers
[x.x.x.x]$ samgroupmem "Domain Admins"
SAM Query Group: Domain Admins
From: FNORD To: \\x.x.x.x Domain: MEDIASERVICE SID: xxx
        Members:
        -------
        Administrator (User) (0x3e8)

Here's a script to automate such an attack, among other useful features:

http://0xdeadbeef.info/code/samba-hax0r

Usage example:

fnord:~# samba-hax0r -m info -h x.x.x.x -t groups

samba-hax0r v0.1 - Multi-purpose SMB/CIFS network attack tool
Copyright (c) 2005-2007 Marco Ivaldi <raptor () 0xdeadbeef info>

--------------------------------
Host:   x.x.x.x
Domain: MEDIASERVICE
SID:    xxx

Group RID:      200  Group Name: Domain Admins
Group RID:      201  Group Name: Domain Users
Group RID:      202  Group Name: Domain Guests
Group RID:      229  Group Name: Domain Computers
--------------------------------
1 host(s) scanned.

fnord:~# samba-hax0r -m info -h x.x.x.x -t groupmem -a "Domain Admins"

samba-hax0r v0.1 - Multi-purpose SMB/CIFS network attack tool
Copyright (c) 2005-2007 Marco Ivaldi <raptor () 0xdeadbeef info>

--------------------------------
Host:   x.x.x.x
Domain: MEDIASERVICE
SID:    xxx

Members:
-------
Administrator (User) (0x3e8)

--------------------------------
1 host(s) scanned.

Hope this helps,

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]