diff --git a/scripts/smb-enum-groups.nse b/scripts/smb-enum-groups.nse
index 1547c63eb..8e035aa9c 100644
--- a/scripts/smb-enum-groups.nse
+++ b/scripts/smb-enum-groups.nse
@@ -41,23 +41,90 @@ the same thing.
--
-- @output
-- Host script results:
--- | smb-enum-groups:
--- | | WINDOWS2003\HelpServicesGroup: SUPPORT_388945a0
--- | | WINDOWS2003\IIS_WPG: SYSTEM, SERVICE, NETWORK SERVICE, IWAM_WINDOWS2003
--- | | WINDOWS2003\TelnetClients:
--- | | Builtin\Print Operators:
--- | | Builtin\Replicator:
--- | | Builtin\Network Configuration Operators:
--- | | Builtin\Performance Monitor Users:
--- | | Builtin\Users: INTERACTIVE, Authenticated Users, ron, ASPNET, test
--- | | Builtin\Power Users:
--- | | Builtin\Backup Operators:
--- | | Builtin\Remote Desktop Users:
--- | | Builtin\Administrators: Administrator, ron, test
--- | | Builtin\Performance Log Users: NETWORK SERVICE
--- | | Builtin\Guests: Guest, IUSR_WINDOWS2003
--- |_ |_ Builtin\Distributed COM Users:
------------------------------------------------------------------------
+-- | smb-enum-groups:
+-- | Builtin\Administrators (RID: 544): Administrator, Daniel
+-- | Builtin\Users (RID: 545):
+-- | Builtin\Guests (RID: 546): Guest
+-- | Builtin\Performance Monitor Users (RID: 558):
+-- | Builtin\Performance Log Users (RID: 559): Daniel
+-- | Builtin\Distributed COM Users (RID: 562):
+-- | Builtin\IIS_IUSRS (RID: 568):
+-- | Builtin\Event Log Readers (RID: 573):
+-- | azure\HomeUsers (RID: 1000): Administrator, Daniel, HomeGroupUser$
+-- |_ azure\HelpLibraryUpdaters (RID: 1003):
+--
+-- @xmloutput
+--
+--
+--
+-- S-1-5-21-12345678-1234567890-0987654321-500
+-- S-1-5-21-12345678-1234567890-0987654321-1001
+--
+-- Administrators
+--
+-- Administrator
+-- Daniel
+--
+--
+--
+--
+-- S-1-5-4
+-- S-1-5-11
+--
+-- Users
+--
+--
+--
+--
+-- S-1-5-21-12345678-1234567890-0987654321-501
+--
+-- Guests
+--
+-- Guest
+--
+--
+--
+--
+-- S-1-5-21-12345678-1234567890-0987654321-1001
+--
+-- Performance Log Users
+--
+-- Daniel
+--
+--
+--
+--
+-- Distributed COM Users
+--
+--
+--
+--
+-- S-1-5-17
+--
+-- IIS_IUSRS
+--
+--
+--
+--
+--
+--
+-- S-1-5-21-12345678-1234567890-0987654321-500
+-- S-1-5-21-12345678-1234567890-0987654321-1001
+-- S-1-5-21-12345678-1234567890-0987654321-1002
+--
+-- HomeUsers
+--
+-- Administrator
+-- Daniel
+-- HomeGroupUser$
+--
+--
+--
+--
+-- HelpLibraryUpdaters
+--
+--
+--
author = "Ron Bowes"
copyright = "Ron Bowes"
@@ -70,27 +137,37 @@ hostrule = function(host)
return smb.get_port(host) ~= nil
end
+local empty = {""}
+
action = function(host)
local status, groups = msrpc.samr_enum_groups(host)
if(not(status)) then
return stdnse.format_output(false, "Couldn't enumerate groups: " .. groups)
end
- local response = {}
+ local response = stdnse.output_table()
+ local response_str = {}
- for domain_name, domain_data in pairs(groups) do
+ local domains = stdnse.keys(groups)
+ table.sort(domains)
+ for _, domain_name in ipairs(domains) do
+ local dom_groups = stdnse.output_table()
+ response[domain_name] = dom_groups
+ local domain_data = groups[domain_name]
- for rid, group_data in pairs(domain_data) do
- local members = group_data['members']
- if(#members > 0) then
- members = stdnse.strjoin(", ", group_data['members'])
- else
- members = ""
- end
- table.insert(response, string.format("%s\\%s (RID: %s): %s", domain_name, group_data['name'], rid, members))
+ local rids = stdnse.keys(domain_data)
+ table.sort(rids)
+ for _, rid in ipairs(rids) do
+ local group_data = domain_data[rid]
+ -- TODO: Map SIDs to names, show non-named SIDs
+ table.insert(response_str,
+ string.format("\n %s\\%s (RID: %s): %s", domain_name, group_data.name, rid,
+ table.concat(#group_data.members > 0 and group_data.members or empty, ", "))
+ )
+ dom_groups[string.format("RID %d", rid)] = group_data
end
end
- return stdnse.format_output(true, response)
+ return response, table.concat(response_str)
end
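Review bot: The text line built by `string.format("\n  %s\\%s (RID: %s): %s", domain_name, group_data.name, rid, ...)` lists only `group_data.members`, so a group whose members did not resolve to a name prints as if it were empty — in the new @xmloutput example the Users entry appears to carry two SIDs (S-1-5-4, S-1-5-11) while the normal output shows `Builtin\Users (RID: 545):` with nobody, which a reader will take as "no members". Until the `-- TODO: Map SIDs to names, show non-named SIDs` is done, falling back to the SID list that the structured `response` already carries (or at least appending an unresolved-member count) in the text line would prevent that misread. Separately, the structured key uses `string.format("RID %d", rid)` while the text line formats the same `rid` with `%s`; if the RPC layer ever hands back a non-integer rid the first raises and the second does not, so `"RID %s"` (or an explicit `tonumber` check before the loop) keeps the two paths consistent. Domain, group and member names go from the remote server straight into the text output, so a hostile host can embed newlines to forge extra lines in the report — worth a control-character scrub such as `name:gsub("%c", "?")` before formatting, unless the output layer already does this (I cannot see that from here).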