Nmap: enumeration smb user


Source: https://nmap.org/nsedoc/scripts/smb-enum-users.html

File smb-enum-users

Script types: hostrule
Categories: auth, intrusive
Download: http://nmap.org/svn/scripts/smb-enum-users.nse

User Summary

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

A penetration tester who is examining servers may wish to determine the purpose of a server. By getting a list of who has access to it, the tester might get a better idea (if financial people have accounts, it probably relates to financial information). Additionally, knowing which accounts exist on a system (or on multiple systems) allows the pen-tester to build a dictionary of possible usernames for bruteforces, such as an SMB bruteforce or a Telnet bruteforce. These accounts may be helpful for other purposes, such as using the accounts in Web applications on this or other servers.

From a pen-tester's perspective, retrieving the list of users on any given server creates endless possibilities.

Users are enumerated in two different ways: using SAMR enumeration or LSA bruteforcing. By default, both are used, but they have specific advantages and disadvantages. Using both is a great default, but in certain circumstances it may be best to give preference to one.

Advantages of using SAMR enumeration:

   Stealthier (requires one packet/user account, whereas LSA uses at least 10 packets while SAMR uses half that; additionally, LSA makes a lot of noise in the Windows event log (LSA enumeration is the only script I (Ron Bowes) have been called on by the administrator of a box I was testing against)).
   More information is returned (more than just the username).
   Every account will be found, since they're being enumerated with a function that's designed to enumerate users.

Advantages of using LSA bruteforcing:

   More accounts are returned (system accounts, groups, and aliases are returned, not just users).
   Requires a lower-level account to run on Windows XP and higher (a 'guest' account can be used, whereas SAMR enumeration requires a 'user' account; especially useful when only guest access is allowed, or when an account has a blank password (which effectively gives it guest access)).

Example Usage

nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

Script Output

Host script results:
|  smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:
|  smb-enum-users:
|  |  RON-WIN2K-TEST\Administrator (RID: 500)
|  |  |  Description: Built-in account for administering the computer/domain
|  |  |_ Flags:       Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\Guest (RID: 501)
|  |  |  Description: Built-in account for guest access to the computer/domain
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  |  Full name:   Internet Guest Account
|  |  |  Description: Built-in account for anonymous access to Internet Information Services
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  |  Full name:   Launch IIS Process Account
|  |  |  Description: Built-in account for Internet Information Services to start out of process applications
|  |  |_ Flags:       Password not required, Password does not expire, Normal user account
|  |  RON-WIN2K-TEST\test1234 (RID: 1005)
|  |  |_ Flags:       Normal user account
|  |  RON-WIN2K-TEST\TsInternetUser (RID: 1000)
|  |  |  Full name:   TsInternetUser
|  |  |  Description: This user account is used by Terminal Services.
|_ |_ |_ Flags:       Password not required, Password does not expire, Normal user account 

Another example

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-14 20:40 WIB
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for
Host is up (0.0018s latency).
445/tcp open  microsoft-ds
MAC Address: 36:66:33:66:32:39 (Unknown)

Host script results:
| smb-enum-users: 
|   WIKI\onno (RID: 1000)
|     Full name:   onno
|     Description: 
|     Flags:       Normal user account
|   WIKI\tamu (RID: 1001)
|     Full name:   
|     Description: 
|     Flags:       Normal user account
|   WIKI\tamu1 (RID: 1002)
|     Full name:   
|     Description: 
|     Flags:       Normal user account
|   WIKI\tamu2 (RID: 1003)
|     Full name:   
|     Description: 
|_    Flags:       Normal user account 

Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
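
For the administration use mentioned in the summary, the verbose output can be parsed and checked for accounts carrying weak password flags. The following is an added example, not part of the Nmap script or the original page; the sample output, the account names in it, and the function names `parse_accounts` and `audit` are constructed for illustration.

```python
import re

# Constructed sample in the same layout as the verbose output shown above.
SAMPLE = r"""Host script results:
| smb-enum-users:
|   LAB\Administrator (RID: 500)
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   LAB\Guest (RID: 501)
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Password not required, Password does not expire, Normal user account
|   LAB\svc_backup (RID: 1005)
|     Full name:
|     Description:
|_    Flags:       Normal user account
"""

ACCOUNT = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>.+) \(RID: (?P<rid>\d+)\)$")
FIELD = re.compile(r"^(?P<key>Full name|Description|Flags):\s*(?P<value>.*)$")
RISKY = ("Password not required", "Password does not expire")

def parse_accounts(text):
    """Return one dict per account found in smb-enum-users verbose output."""
    accounts = []
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop Nmap's tree-drawing prefix
        m = ACCOUNT.match(line)
        if m:
            accounts.append({"domain": m["domain"], "user": m["user"],
                             "rid": int(m["rid"]), "flags": []})
            continue
        m = FIELD.match(line)
        if m and accounts:  # fields belong to the most recent account header
            if m["key"] == "Flags":
                accounts[-1]["flags"] = [f.strip() for f in m["value"].split(",") if f.strip()]
            else:
                accounts[-1][m["key"].lower().replace(" ", "_")] = m["value"]
    return accounts

def audit(accounts):
    """Map 'DOMAIN\\user' to the weak password flags that account carries."""
    findings = {}
    for a in accounts:
        hits = [f for f in a["flags"] if f in RISKY]
        if hits:
            findings[f'{a["domain"]}\\{a["user"]}'] = hits
    return findings
```

The same parser accepts the older nested layout (`|  |  |_ Flags: ...`), because only the leading tree characters differ between the two formats.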