PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00
Code Issues Projects Releases Wiki Activity
Files
13f8f95a5f8a0bcd478f2331df6928c64a4951a2
nmap/scripts/smb-enum-groups.nse
batrick 610bd0a55b Merge from Dependencies branch (nmap-exp/patrick/dependencies) 
with modifications from [2].

** Short description from [1] **

I have created a patch to NSE that replaces runlevels with a table of
dependencies that clearly outlines what other scripts the script
depends on. The table is of the form:

dependences = {"script1", script2", ...}

Runlevels become an internal representation of the order of scripts
that are generated by the dependencies. Dependencies only enforce
an execution order and not a requirement for execution.

[1] http://seclists.org/nmap-dev/2009/q4/295
[2] http://seclists.org/nmap-dev/2009/q4/446
2009-12-30 02:34:05 +00:00

94 lines
3.4 KiB
Lua
Raw Blame History

description = [[
Obtains a list of groups from the remote Windows system, as well as a list of the group's users.
This works similarly to enum.exe with the /G switch.
The following MSRPC functions in SAMR are used to find a list of groups and the RIDs of their users. Keep
in mind thatMSRPC refers to groups as 'Aliases'.
* <code>Bind</code>: bind to the SAMR service.
* <code>Connect4</code>: get a connect_handle.
* <code>EnumDomains</code>: get a list of the domains.
* <code>LookupDomain</code>: get the RID of the domains.
* <code>OpenDomain</code>: get a handle for each domain.
* <code>EnumDomainAliases</code>: get the list of groups in the domain.
* <code>OpenAlias</code>: get a handle to each group.
* <code>GetMembersInAlias</code>: get the RIDs of the members in the groups.
* <code>Close</code>: close the alias handle.
* <code>Close</code>: close the domain handle.
* <code>Close</code>: close the connect handle.
Once the RIDs have been termined, the
* <code>Bind</code>: bind to the LSA service.
* <code>OpenPolicy2</code>: get a policy handle.
* <code>LookupSids2</code>: convert SIDs to usernames.
I (Ron Bowes) originally looked into the possibility of using the SAMR function <code>LookupRids2</code>
to convert RIDs to usernames, but the function seemed to return a fault no matter what I tried. Since
enum.exe also switches to LSA to convert RIDs to usernames, I figured they had the same issue and I do
the same thing.
]]
---
-- @usage
-- nmap --script smb-enum-users.nse -p445 <host>
-- sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
--
-- @output
-- Host script results:
-- | smb-enum-groups:
-- | | WINDOWS2003\HelpServicesGroup: SUPPORT_388945a0
-- | | WINDOWS2003\IIS_WPG: SYSTEM, SERVICE, NETWORK SERVICE, IWAM_WINDOWS2003
-- | | WINDOWS2003\TelnetClients: <empty>
-- | | Builtin\Print Operators: <empty>
-- | | Builtin\Replicator: <empty>
-- | | Builtin\Network Configuration Operators: <empty>
-- | | Builtin\Performance Monitor Users: <empty>
-- | | Builtin\Users: INTERACTIVE, Authenticated Users, ron, ASPNET, test
-- | | Builtin\Power Users: <empty>
-- | | Builtin\Backup Operators: <empty>
-- | | Builtin\Remote Desktop Users: <empty>
-- | | Builtin\Administrators: Administrator, ron, test
-- | | Builtin\Performance Log Users: NETWORK SERVICE
-- | | Builtin\Guests: Guest, IUSR_WINDOWS2003
-- |_ |_ Builtin\Distributed COM Users: <empty>
-----------------------------------------------------------------------
author = "Ron Bowes"
copyright = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery","intrusive"}
dependencies = {"smb-brute"}
require 'msrpc'
require 'smb'
require 'stdnse'
hostrule = function(host)
return smb.get_port(host) ~= nil
end
action = function(host)
local status, groups = msrpc.samr_enum_groups(host)
if(not(status)) then
return stdnse.format_output(false, "Couldn't enumerate groups: " .. groups)
end
local response = {}
for domain_name, domain_data in pairs(groups) do
for rid, group_data in pairs(domain_data) do
local members = group_data['members']
if(#members > 0) then
members = stdnse.strjoin(", ", group_data['members'])
else
members = "<empty>"
end
table.insert(response, string.format("%s\\%s (RID: %s): %s", domain_name, group_data['name'], rid, members))
end
end
return stdnse.format_output(true, response)
end
Reference in New Issue View Git Blame Copy Permalink