Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Help with smb-enum-users.nse

From: Abuse 007 <abuse007 () gmail com>
Date: Sun, 2 Sep 2012 04:49:14 +1000
winfo.exe uses NetUserEnum from NETAPI32.DLL. It results in the
EnumDomainUsers operation in SAMR. The other difference is that it's
utilising SMB2, whereas the smb-enum-users script is using SMB rather
than SMB2.

I'm not sure if SMBv2 vs SMB makes much difference. Does NSE and your
scripts support SMBv2?

I'm still researching SAMR/RPC/SMB/NetBIOS etc. I think it maybe
related to the buffer size and number of items requested. I'll do some
further experimenting.

On Fri, Aug 31, 2012 at 12:34 PM, Abuse 007 <abuse007 () gmail com> wrote:

Hi Ron,

It's a client's DC, part of a pentest engagement so the information is
a bit sensitive.

I can try to replicate it in a test environment but it will take some
time for me to set it up.. :(

I've download some material on SMB, RPC, etc., and I'm doing some
research on how it all works, and analysing winfo.exe's behaviour.
I'd appreciate any pointers to what the issue may be or to good
material for research. SMB/CIFS/MSRPC is quite a beast.

Thanks,
Ab

On Fri, Aug 31, 2012 at 8:40 AM, Ron <ron () skullsecurity net> wrote:

Any chance you can send me a pcap of winfo.exe's execution?

I've never had the opportunity to test smb-enum-users.nse against a
domain, it's possible it's only enumerating local users or something
like that, rather than enumerating the domain.

Thanks!

Ron

On 2012-08-30 14:08, Abuse 007 wrote:

Hi All,

With smb-enum-users.nse I get 20 entries via SAMR against a Windows 2008 R2 host that's a DC. If I increase the 
SMAR count I can get up to 100 entries. If I modify the script so that it loops regardless of the return code 
(which is 0), the reply to the second querydisplayinfo request does not contain any additional entries.

I'm confused by this behavour. I thought Windows would be an all or nothing type thing.

A differnet tool, winfo.exe, is able to enumerate a little over 500 accounts. I'm not sure of it's exact technique.

Should the SAMR technique be able to enumerate more users?

Also, the smb-enum-users.nse LSA RID bruteforcing method fails. This is prossibly because no authentication 
credentials have been supplied.

Thanks,
Ab
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: