Re: NT Domain Enumeration from Unix

From: Syzop (syzat_private)
Date: Thu Nov 08 2001 - 11:38:29 PST


    Chad Gough wrote:
    
    > Does anyone have any tools/scripts to enumerate user/group information
    > from a Windows Domain Controller.  Additionally, I'm looking for
    > something to enumerate machine accounts from resource domains.
    
    Samba-TNG (www.samba-tng.org) has some nice tools to do such things...
    
    $ ./rpcclient \\\\SOMESERVER -U someuser
    load_client_codepage: filename /usr/local/samba/lib/codepages/codepage.850 does not exist.
    load_unicode_map: filename /usr/local/samba/lib/codepages/unicode_map.850 does not exist.
    added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
    Enter Password:
    Server: \\SOMESERVER:     User:   someuser     Domain:
    Connection:     session setup ok
    Domain=[DOMAIN] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
    OK
    [someuser@SOMESERVER]$ help
    help
    lsaquery       lsaenumdomains lookupsids     lookupnames    createsecret
    setsecret      lsashowsd      querysecret    enumprivs      privinfo
    lsaenumsids    trustinfo      time           brsinfo        wksinfo
    who            srvinfo        srvsessions    srvshares      srvshareinfo
    srvsharedel    srvtransports  srvconnections srvfiles       eventlog
    lookupdomain   samlookuprids  samlookupnames enumusers      addgroupmem
    addaliasmem    delgroupmem    delaliasmem    creategroup    createalias
    createuser     deluser        delgroup       delalias       ntpass
    samquerysec    samuserset2    samuserset     samuser        samgroup
    samalias       samaliasmem    samgroupmem    samtest        enumaliases
    enumdomains    enumgroups     dominfo        dispinfo       svcenum
    svcinfo        svcstart       svcset         svcstop        svcunk3
    svcgetsec      regenum        regdeletekey   regcreatekey   shutdown
    abortshutdown  regqueryval    regquerykey    regdeleteval   regcreateval
    reggetsec      regtestsec     ntlogin        domlist        domtrust
    samsync        at             spoolenum      spoolenumdatas spooljobs
    spoolopen      spoolgetdata   spoolgetprinter spoolenumprinterdrivers spoolgetprinterdriver
    spoolgetprinterdriverdir dfsenum        dfsadd         dfsremove      set
    use            quit           q              exit           bye
    help           ?
    [someuser@SOMESERVER]$ enumusers
    enumusers
    SAM Enumerate Users
    User RID:      1f4  User Name: admin
    User RID:      7b4  User Name: SOMEBOX$
    User RID:      5fb  User Name: SOMEBOX2$
    [etc]
    
    (You probably don't need a login/pass btw because of the NULL pipe stuff).
    
        Syzop.
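As an added example (not part of Syzop's post or of Samba-TNG), the shell snippet below does the post-processing a pentester usually wants after the enumeration above: it parses the SAM user listing into "decimal RID, name, kind" records, separates machine accounts (names ending in `$`, which is what the resource-domain question asks for) from ordinary users, and flags the well-known RIDs 500 and 501 so a renamed built-in Administrator (here "admin", RID 0x1f4) is still recognised. It goes slightly beyond the post by also accepting the `user:[name] rid:[0x...]` lines printed by current Samba `rpcclient -c enumdomusers`. `SAMPLE_OUTPUT` is constructed from the transcript above, and `SOMESERVER`, `svc-backup` and the function names are placeholders I chose.

```shell
#!/bin/sh
# Added example, not from the original post. Parses SAM user enumeration
# output (Samba-TNG "enumusers" format shown in the post, and the
# "user:[name] rid:[0x...]" format of current Samba rpcclient) into
# "<decimal_rid> <name> <kind>" records. SAMPLE_OUTPUT is constructed.

SAMPLE_OUTPUT='SAM Enumerate Users
User RID:      1f4  User Name: admin
User RID:      7b4  User Name: SOMEBOX$
User RID:      5fb  User Name: SOMEBOX2$
user:[Guest] rid:[0x1f5]
user:[svc-backup] rid:[0x451]'

# Null-session enumeration with current Samba rpcclient. Needs a reachable
# host, so the parser below does not call it. -N skips the password prompt
# and -U '' sends an anonymous (NULL) session setup.
enum_users_null_session() {
  rpcclient -N -U '' "//$1" -c 'enumdomusers'
}

# Normalise both output formats to "<hex_rid> <name>".
extract_rid_name() {
  printf '%s\n' "$1" | awk '
    /^User RID:/ { print $3, $6 }
    /^user:\[/ {
      name = $0; sub(/^user:\[/, "", name); sub(/\].*/, "", name)
      rid  = $0; sub(/.*rid:\[0x/, "", rid); sub(/\].*/, "", rid)
      print rid, name
    }'
}

# Emit "<decimal_rid> <name> <kind>". kind is "machine" for trailing-$
# computer accounts, "user" otherwise, and the well-known RIDs 500/501
# are reported as built-in Administrator/Guest whatever their name is.
classify_accounts() {
  extract_rid_name "$1" | while read -r hexrid name; do
    rid=$((0x$hexrid))
    case "$name" in
      *\$) kind=machine ;;
      *)   kind=user ;;
    esac
    [ "$rid" -eq 500 ] && kind=builtin-administrator
    [ "$rid" -eq 501 ] && kind=builtin-guest
    printf '%d %s %s\n' "$rid" "$name" "$kind"
  done
}

# Just the machine accounts (resource-domain enumeration).
machine_accounts() {
  classify_accounts "$1" | awk '$3 == "machine" { print $2 }'
}

classify_accounts "$SAMPLE_OUTPUT"
```

Run it against live output with `classify_accounts "$(enum_users_null_session SOMESERVER)"`; the RID column is the thing to key on when correlating accounts across tools, since names can be renamed but RIDs cannot.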
    