Nmap Development mailing list archives
Re: Help with smb-enum-users.nse
From: Abuse 007 <abuse007 () gmail com>
Date: Mon, 3 Sep 2012 00:54:47 +1000
From my testing against a Windows Server 2008 R2 SP1 Domain
Controller, an anonymous user can only retrieve the first 100 entries via the SAMR QueryDisplayInfo RPC method. This is basically equivalent to the NetQueryDisplayInformation API, who's documentation on MSDN states: - Remarks If you call this function on a domain controller that is running Active Directory, access is allowed or denied based on the access control list (ACL) for the securable object. The default ACL permits all *authenticated users* and members of the "Pre-Windows 2000 compatible access" group to view the information. <snip> . For information about anonymous access and restricting anonymous access on these platforms, see Security Requirements for the Network Management Functions. <snip> The NetQueryDisplayInformation function only returns information to which the caller has Read access. The caller must have List Contents access to the Domain object, and Enumerate Entire SAM Domain access on the SAM Server object located in the System container. <snip> The number of entries returned by this function depends on the security descriptor located on the root domain object. *The API will return either the first 100 entries* or the entire set of entries in the domain, depending on the access privileges of the user. The ACE used to control this behavior is "SAM-Enumerate-Entire-Domain", and is granted to Authenticated Users by default. Administrators can modify this setting to allow users to enumerate the entire domain. ------- end copy and paste ------- (some emphasis added) The 2008 R2 DC I tested against has HKLM\SYSTEM\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous set to 0x0. Which is the default. This value means that only the first 100 results will be returned, hence the behaviour I observed earlier. Winfo.exe is getting more results by using the SAMR EnumDomainUsers RPC method. With no authentication the LSA RID brute-forcing doesn't work. With a user account it retrieved about 300 odd accounts. 
Tweaking the LSA_GROUPSIZE and LSA_MINEMPTY would probably return more. This pretty much aligns with the comments in msrpc.lua and smb-enum-users.nse, except being able to get the first 100 accounts via SAMR isn't mentioned. In the past I have used smb-enum-users against a Windows Server 2003 Domain Controller and retrieved the all users for the domain (a lot more than a 100). I'm not sure if this is the default behaviour for a Windows Server 2003 Domain Controller or if the settings had been changed, particularly the EveryoneIncludesAnonymous setting. I'm not sure of the differences between SAMR QueryDisplayInfo, QueryDisplayInfo2 and QueryDisplayInfo3, they seem to have the same arguments in/out from reading MS-SAMR I don't see what the difference is, besides being newer/older. Does anyone know? There are probably a few other mechanisms that could be used to enumerate users, different RPC methods, different services, etc. Thanks, Ab On Sun, Sep 2, 2012 at 4:49 AM, Abuse 007 <abuse007 () gmail com> wrote:
winfo.exe uses NetUserEnum from NETAPI32.DLL. It results in the EnumDomainUsers operation in SAMR. The other difference is that it's utilising SMB2, whereas the smb-enum-users script is using SMB rather than SMB2. I'm not sure if SMBv2 vs SMB makes much difference. Do NSE and your scripts support SMBv2?

I'm still researching SAMR/RPC/SMB/NetBIOS etc. I think it may be related to the buffer size and number of items requested. I'll do some further experimenting.

On Fri, Aug 31, 2012 at 12:34 PM, Abuse 007 <abuse007 () gmail com> wrote:

Hi Ron,

It's a client's DC, part of a pentest engagement, so the information is a bit sensitive. I can try to replicate it in a test environment but it will take some time for me to set it up.. :(

I've downloaded some material on SMB, RPC, etc., and I'm doing some research on how it all works, and analysing winfo.exe's behaviour. I'd appreciate any pointers to what the issue may be or to good material for research. SMB/CIFS/MSRPC is quite a beast.

Thanks,
Ab

On Fri, Aug 31, 2012 at 8:40 AM, Ron <ron () skullsecurity net> wrote:

Any chance you can send me a pcap of winfo.exe's execution? I've never had the opportunity to test smb-enum-users.nse against a domain, it's possible it's only enumerating local users or something like that, rather than enumerating the domain.

Thanks!
Ron

On 2012-08-30 14:08, Abuse 007 wrote:

Hi All,

With smb-enum-users.nse I get 20 entries via SAMR against a Windows 2008 R2 host that's a DC. If I increase the SAMR count I can get up to 100 entries. If I modify the script so that it loops regardless of the return code (which is 0), the reply to the second querydisplayinfo request does not contain any additional entries. I'm confused by this behaviour. I thought Windows would be an all or nothing type thing.

A different tool, winfo.exe, is able to enumerate a little over 500 accounts. I'm not sure of its exact technique. Should the SAMR technique be able to enumerate more users?

Also, the smb-enum-users.nse LSA RID bruteforcing method fails. This is possibly because no authentication credentials have been supplied.

Thanks,
Ab

_______________________________________________
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
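The thread's remark that tweaking LSA_GROUPSIZE and LSA_MINEMPTY "would probably return more" rests on how the LSA RID brute-force walk stops: it resolves RIDs in groups and gives up after a run of groups that resolve to nothing, so a gap in the RID space wider than groupsize x minempty hides every account above it. The stand-alone simulation below is an added example, not code from Nmap's smb-enum-users.nse or msrpc.lua; the constant values (20 and 10), the start RIDs and the shape of the walk are assumptions about the script's approach, lookup_sids() stands in for the LsarLookupSids RPC, and the domain is constructed test data. As the thread notes, on the 2008 R2 DC the LSA method only works once credentials are supplied, so these knobs matter only for the authenticated case.

```python
"""RID brute-force walk with the group / empty-run stop heuristic.

Added example, not code from Nmap. It simulates the same shape of walk the
LSA method in smb-enum-users uses so that the effect of LSA_GROUPSIZE and
LSA_MINEMPTY on a sparse RID space can be seen offline. Constant values,
start RIDs and the walk's details are assumptions; lookup_sids() stands in
for the LSA LookupSids RPC; SAMPLE_DOMAIN is constructed test data.
"""
from typing import Callable, Dict, List, Tuple

LSA_GROUPSIZE = 20       # assumed: RIDs resolved per LookupSids call
LSA_MINEMPTY = 10        # assumed: consecutive empty groups before giving up
WELL_KNOWN_START = 500   # Administrator=500, Guest=501, krbtgt=502
DOMAIN_START = 1000      # first RID handed out to ordinary domain accounts

# Constructed domain: three built-ins, 300 accounts created in one batch, then
# a 400-RID gap (RIDs of deleted accounts are never reused) before 50 newer ones.
SAMPLE_DOMAIN: Dict[int, str] = {500: "Administrator", 501: "Guest", 502: "krbtgt"}
SAMPLE_DOMAIN.update({rid: f"user{rid}" for rid in range(1000, 1300)})
SAMPLE_DOMAIN.update({rid: f"contractor{rid}" for rid in range(1700, 1750)})

Lookup = Callable[[List[int]], Dict[int, str]]


def make_lookup(domain: Dict[int, str]) -> Lookup:
    """Return a stand-in for LSA LookupSids: only RIDs that exist resolve to a name."""
    def lookup_sids(rids: List[int]) -> Dict[int, str]:
        return {rid: domain[rid] for rid in rids if rid in domain}
    return lookup_sids


def rid_walk(lookup: Lookup, groupsize: int = LSA_GROUPSIZE,
             minempty: int = LSA_MINEMPTY, max_rid: int = 1 << 20) -> Tuple[Dict[int, str], int]:
    """Resolve the well-known range once, then walk upward from DOMAIN_START in
    groups of `groupsize`, stopping after `minempty` consecutive groups resolve
    nothing. Returns (accounts found, number of LookupSids calls made)."""
    found = dict(lookup(list(range(WELL_KNOWN_START, WELL_KNOWN_START + groupsize))))
    calls = 1
    empty_run = 0
    rid = DOMAIN_START
    while rid < max_rid and empty_run < minempty:
        batch = lookup(list(range(rid, rid + groupsize)))
        calls += 1
        if batch:
            found.update(batch)
            empty_run = 0
        else:
            empty_run += 1
        rid += groupsize
    return found, calls


def compare_settings(domain: Dict[int, str] = SAMPLE_DOMAIN) -> Dict[str, Tuple[int, int, int]]:
    """Run the walk under a few settings; each value is (found, missed, calls)."""
    lookup = make_lookup(domain)
    settings = {
        "defaults 20/10": (20, 10),   # assumed defaults: stops inside the gap
        "minempty 25":    (20, 25),   # tolerate a longer empty run
        "groupsize 50":   (50, 10),   # cover more RID space per call
    }
    out: Dict[str, Tuple[int, int, int]] = {}
    for name, (gs, me) in settings.items():
        found, calls = rid_walk(lookup, gs, me)
        out[name] = (len(found), len(domain) - len(found), calls)
    return out


if __name__ == "__main__":
    for name, (hit, miss, calls) in compare_settings().items():
        print(f"{name:15s} found={hit:3d} missed={miss:3d} LookupSids calls={calls}")
```

With the assumed defaults the walk finds the 300 contiguous accounts plus the three built-ins and stops 200 RIDs into the gap, missing the 50 newer accounts; raising the empty-run tolerance finds them at the cost of more RPC calls, while a larger group size finds them with the same number of calls, which is why the group size is the cheaper knob to turn first against a real DC.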
Current thread:
- Help with smb-enum-users.nse Abuse 007 (Aug 29)
- Re: Help with smb-enum-users.nse Ron (Aug 30)
- Re: Help with smb-enum-users.nse Abuse 007 (Aug 30)
- Re: Help with smb-enum-users.nse Abuse 007 (Sep 01)
- Re: Help with smb-enum-users.nse Abuse 007 (Sep 02)
- Re: Help with smb-enum-users.nse Abuse 007 (Aug 30)
- Re: Help with smb-enum-users.nse Ron (Aug 30)