
add action option for domain user enum #1387

Merged
merged 3 commits into from Jan 25, 2013

Conversation

mubix
Contributor

@mubix mubix commented Jan 25, 2013

Enables the module to look up domain users as well.
Thought this would be best done by using actions.

@mubix
Contributor Author

mubix commented Jan 25, 2013

hmm, should probably change the description around a bit to make the updated functionality more obvious

@mubix
Contributor Author

mubix commented Jan 25, 2013

Use case (domain):

msf  auxiliary(smb_lookupsid) > show options

Module options (auxiliary/scanner/smb/smb_lookupsid):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   MaxRID     4000             no        Maximum RID to check
   RHOSTS                      yes       The target address range or CIDR identifier
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf  auxiliary(smb_lookupsid) > set RHOSTS 172.16.10.129
RHOSTS => 172.16.10.129
msf  auxiliary(smb_lookupsid) > set SMBUser jdoe
SMBUser => jdoe
msf  auxiliary(smb_lookupsid) > set SMBPass ASDqwe123
SMBPass => ASDqwe123
msf  auxiliary(smb_lookupsid) > set SMBDomain PROJECTMENTOR
SMBDomain => PROJECTMENTOR
msf  auxiliary(smb_lookupsid) > show actions

Auxiliary actions:

   Name    Description
   ----    -----------
   DOMAIN  Enumerate domain accounts
   LOCAL   Enumerate local accounts


msf  auxiliary(smb_lookupsid) > set ACTION DOMAIN
ACTION => DOMAIN
msf  auxiliary(smb_lookupsid) > run
[*] Reloading module...

[*] 172.16.10.129 PIPE(LSARPC) LOCAL(WIN7X86 - 5-21-66675746-3432570871-2039696144) DOMAIN(PROJECTMENTOR - 5-21-3825330677-773554443-1603823854)
[*] 172.16.10.129 USER=Administrator RID=500
[*] 172.16.10.129 USER=Guest RID=501
[*] 172.16.10.129 USER=krbtgt RID=502
[*] 172.16.10.129 GROUP=Domain Admins RID=512
[*] 172.16.10.129 GROUP=Domain Users RID=513
[*] 172.16.10.129 GROUP=Domain Guests RID=514
[*] 172.16.10.129 GROUP=Domain Computers RID=515
[*] 172.16.10.129 GROUP=Domain Controllers RID=516
[*] 172.16.10.129 TYPE=4 NAME=Cert Publishers rid=517
[*] 172.16.10.129 GROUP=Schema Admins RID=518
[*] 172.16.10.129 GROUP=Enterprise Admins RID=519
[*] 172.16.10.129 GROUP=Group Policy Creator Owners RID=520
[*] 172.16.10.129 GROUP=Read-only Domain Controllers RID=521
[*] 172.16.10.129 TYPE=4 NAME=RAS and IAS Servers rid=553
[*] 172.16.10.129 TYPE=4 NAME=Allowed RODC Password Replication Group rid=571
[*] 172.16.10.129 TYPE=4 NAME=Denied RODC Password Replication Group rid=572
[*] 172.16.10.129 USER=user RID=1000
[*] 172.16.10.129 USER=DC1$ RID=1001
[*] 172.16.10.129 TYPE=4 NAME=DnsAdmins rid=1102
[*] 172.16.10.129 GROUP=DnsUpdateProxy RID=1103
[*] 172.16.10.129 USER=jdoe RID=1104
[*] 172.16.10.129 USER=WIN7X86$ RID=1105
[*] 172.16.10.129 USER=WIN7X64$ RID=1106
[*] 172.16.10.129 USER=XPSP3$ RID=1107
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf  auxiliary(smb_lookupsid) > 

@mubix
Contributor Author

mubix commented Jan 25, 2013

And local:

msf  auxiliary(smb_lookupsid) > set ACTION LOCAL
ACTION => LOCAL
msf  auxiliary(smb_lookupsid) > run

[*] 172.16.10.129 PIPE(LSARPC) LOCAL(WIN7X86 - 5-21-66675746-3432570871-2039696144) DOMAIN(PROJECTMENTOR - 5-21-3825330677-773554443-1603823854)
[*] 172.16.10.129 USER=Administrator RID=500
[*] 172.16.10.129 USER=Guest RID=501
[*] 172.16.10.129 GROUP=None RID=513
[*] 172.16.10.129 USER=user RID=1000
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed

@jvazquez-r7
Contributor

Looks good, tested successfully against a domain controller (same host_sid and domain_sid here)

msf  auxiliary(smb_lookupsid) > run

[*] 192.168.1.141 PIPE(LSARPC) LOCAL(MSF - 5-21-1053798420-2132824579-2427655443) DOMAIN(MSF - 5-21-1053798420-2132824579-2427655443)
[*] 192.168.1.141 USER=Administrator RID=500
[*] 192.168.1.141 USER=Guest RID=501
[*] 192.168.1.141 USER=krbtgt RID=502
[*] 192.168.1.141 GROUP=Domain Admins RID=512
[*] 192.168.1.141 GROUP=Domain Users RID=513
[*] 192.168.1.141 GROUP=Domain Guests RID=514
[*] 192.168.1.141 GROUP=Domain Computers RID=515
[*] 192.168.1.141 GROUP=Domain Controllers RID=516
[*] 192.168.1.141 TYPE=4 NAME=Cert Publishers rid=517
[*] 192.168.1.141 GROUP=Schema Admins RID=518
[*] 192.168.1.141 GROUP=Enterprise Admins RID=519
[*] 192.168.1.141 GROUP=Group Policy Creator Owners RID=520
[*] 192.168.1.141 TYPE=4 NAME=RAS and IAS Servers rid=553
[*] 192.168.1.141 TYPE=4 NAME=HelpServicesGroup rid=1000
[*] 192.168.1.141 USER=SUPPORT_388945a0 RID=1001
[*] 192.168.1.141 TYPE=4 NAME=TelnetClients rid=1002
[*] 192.168.1.141 USER=ASPNET RID=1003
[*] 192.168.1.141 TYPE=4 NAME=DHCP Users rid=1004
[*] 192.168.1.141 TYPE=4 NAME=DHCP Administrators rid=1005
[*] 192.168.1.141 USER=JUAN-6ED9DB6CA8$ RID=1006
[*] 192.168.1.141 TYPE=4 NAME=DnsAdmins rid=1107
[*] 192.168.1.141 GROUP=DnsUpdateProxy RID=1108
[*] 192.168.1.141 USER=tmsf RID=1114
[*] 192.168.1.141 MSF [Administrator, Guest, krbtgt, SUPPORT_388945a0, ASPNET, JUAN-6ED9DB6CA8$, tmsf ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
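The three runs above (mubix's DOMAIN and LOCAL runs, and this domain-controller run where the host SID and domain SID coincide) print one line per resolved RID. The Ruby below is an added example, not the smb_lookupsid module's code and not part of this pull request: it parses that console output back into full SIDs and flags the accounts a reviewer would want to look at first. The line regexes, the well-known-RID table (a subset of the MS-DTYP list) and the `review_candidates` criteria are this example's own assumptions; the sample input is copied from the transcripts in the comments above.

```ruby
# Added example: parse smb_lookupsid console output (format as printed in the
# comments above) into full SIDs and flag accounts worth reviewing.
# Not part of the Metasploit module or of this pull request.

# RIDs with a fixed meaning in a domain's S-1-5-21-<authority> namespace
# (subset of the MS-DTYP well-known RIDs). 500/501 also apply to a local SAM.
WELL_KNOWN_RIDS = {
  500 => 'Administrator (built-in)',
  501 => 'Guest (built-in)',
  502 => 'krbtgt (KDC service account)',
  512 => 'Domain Admins',
  513 => 'Domain Users',
  514 => 'Domain Guests',
  515 => 'Domain Computers',
  516 => 'Domain Controllers',
  518 => 'Schema Admins',
  519 => 'Enterprise Admins',
  520 => 'Group Policy Creator Owners'
}.freeze

# SID_NAME_USE values; the module prints "TYPE=<n>" for types it has no label
# for (TYPE=4 is SID_NAME_ALIAS, i.e. a domain-local group).
SID_NAME_USE = { 1 => :user, 2 => :group, 3 => :domain, 4 => :alias, 5 => :well_known_group }.freeze

# Line shapes taken from the transcripts above (assumed stable for this example).
HEADER_RE  = /\A\[\*\] (?<host>\S+) PIPE\(\w+\) LOCAL\((?<lname>\S+) - (?<lsid>[\d-]+)\) DOMAIN\((?<dname>\S+) - (?<dsid>[\d-]+)\)\z/
LABELED_RE = /\A\[\*\] \S+ (?<kind>USER|GROUP)=(?<name>.+) RID=(?<rid>\d+)\z/
TYPED_RE   = /\A\[\*\] \S+ TYPE=(?<type>\d+) NAME=(?<name>.+) rid=(?<rid>\d+)\z/

# Privileged well-known RIDs this example singles out for review.
RID_OF_INTEREST = [500, 502, 512, 518, 519, 520].freeze

def add_account(result, name, rid, kind)
  # Only 500/501 keep their meaning in a local SAM; e.g. RID 513 is "None" there.
  known = (result[:action] == 'DOMAIN' || rid <= 501) ? WELL_KNOWN_RIDS[rid] : nil
  result[:accounts] << { name: name, rid: rid, kind: kind,
                         sid: "#{result[:authority_sid]}-#{rid}", well_known: known }
end

# Returns a hash describing one host's run, or nil if no header line was seen.
def parse_lookupsid(output, action)
  result = nil
  output.each_line do |raw|
    line = raw.strip
    if (m = HEADER_RE.match(line))
      name, sid = action == 'DOMAIN' ? [m[:dname], m[:dsid]] : [m[:lname], m[:lsid]]
      result = {
        host: m[:host], action: action, authority: name,
        authority_sid: "S-1-#{sid}",           # the module prints SIDs without "S-1-"
        same_authority: m[:lsid] == m[:dsid],  # true on a domain controller
        accounts: []
      }
    elsif result && (m = LABELED_RE.match(line))
      add_account(result, m[:name], m[:rid].to_i, m[:kind] == 'USER' ? :user : :group)
    elsif result && (m = TYPED_RE.match(line))
      add_account(result, m[:name], m[:rid].to_i, SID_NAME_USE.fetch(m[:type].to_i, :unknown))
    end
  end
  result
end

# Privileged well-known principals plus machine accounts (trailing '$'),
# which are easy to mistake for user accounts in a flat listing.
def review_candidates(result)
  result[:accounts].select { |a| RID_OF_INTEREST.include?(a[:rid]) || a[:name].end_with?('$') }
end

# Sample input copied from the DOMAIN and LOCAL transcripts above.
SAMPLE_DOMAIN_OUTPUT = <<~OUT
  [*] 172.16.10.129 PIPE(LSARPC) LOCAL(WIN7X86 - 5-21-66675746-3432570871-2039696144) DOMAIN(PROJECTMENTOR - 5-21-3825330677-773554443-1603823854)
  [*] 172.16.10.129 USER=Administrator RID=500
  [*] 172.16.10.129 USER=krbtgt RID=502
  [*] 172.16.10.129 GROUP=Domain Admins RID=512
  [*] 172.16.10.129 TYPE=4 NAME=Cert Publishers rid=517
  [*] 172.16.10.129 USER=DC1$ RID=1001
  [*] 172.16.10.129 USER=jdoe RID=1104
  ^C[*] Caught interrupt from the console...
  [*] Auxiliary module execution completed
OUT

SAMPLE_LOCAL_OUTPUT = <<~OUT
  [*] 172.16.10.129 PIPE(LSARPC) LOCAL(WIN7X86 - 5-21-66675746-3432570871-2039696144) DOMAIN(PROJECTMENTOR - 5-21-3825330677-773554443-1603823854)
  [*] 172.16.10.129 USER=Administrator RID=500
  [*] 172.16.10.129 USER=Guest RID=501
  [*] 172.16.10.129 GROUP=None RID=513
  [*] 172.16.10.129 USER=user RID=1000
OUT

if $PROGRAM_NAME == __FILE__
  { 'DOMAIN' => SAMPLE_DOMAIN_OUTPUT, 'LOCAL' => SAMPLE_LOCAL_OUTPUT }.each do |action, out|
    r = parse_lookupsid(out, action)
    puts "#{action}: #{r[:authority]} #{r[:authority_sid]} (same authority: #{r[:same_authority]})"
    r[:accounts].each { |a| puts "  #{a[:sid]}  #{a[:kind]}  #{a[:name]}  #{a[:well_known]}" }
    puts "  review: #{review_candidates(r).map { |a| a[:name] }.join(', ')}"
  end
end
```

The `same_authority` flag is what distinguishes the two situations shown in this thread: on the Windows 7 member the LOCAL and DOMAIN actions walk two different SID authorities, while on the domain controller both SIDs are the same and the two actions enumerate the same account database.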

@jvazquez-r7 jvazquez-r7 merged commit a204f6f into rapid7:master Jan 25, 2013
@mubix mubix deleted the lookupsid_actions branch January 25, 2013 12:42