Obtains a list of groups from the remote Windows system, as well as a list of the group's users.
This works similarly to
enum.exe with the
The following MSRPC functions in SAMR are used to find a list of groups and the RIDs of their users. Keep in mind that MSRPC refers to groups as "Aliases".
Bind: bind to the SAMR service.
Connect4: get a connect_handle.
EnumDomains: get a list of the domains.
LookupDomain: get the RID of the domains.
OpenDomain: get a handle for each domain.
EnumDomainAliases: get the list of groups in the domain.
OpenAlias: get a handle to each group.
GetMembersInAlias: get the RIDs of the members in the groups.
Close: close the alias handle.
Close: close the domain handle.
Close: close the connect handle.
Once the RIDs have been termined, the
Bind: bind to the LSA service.
OpenPolicy2: get a policy handle.
LookupSids2: convert SIDs to usernames.
I (Ron Bowes) originally looked into the possibility of using the SAMR function
to convert RIDs to usernames, but the function seemed to return a fault no matter what I tried. Since
enum.exe also switches to LSA to convert RIDs to usernames, I figured they had the same issue and I do
the same thing.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
randomseed, smbbasic, smbport, smbsignSee the documentation for the smb library.
unittest.runSee the documentation for the unittest library.
nmap --script smb-enum-users.nse -p445 <host> sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
Host script results: | smb-enum-groups: | | WINDOWS2003\HelpServicesGroup: SUPPORT_388945a0 | | WINDOWS2003\IIS_WPG: SYSTEM, SERVICE, NETWORK SERVICE, IWAM_WINDOWS2003 | | WINDOWS2003\TelnetClients: <empty> | | Builtin\Print Operators: <empty> | | Builtin\Replicator: <empty> | | Builtin\Network Configuration Operators: <empty> | | Builtin\Performance Monitor Users: <empty> | | Builtin\Users: INTERACTIVE, Authenticated Users, ron, ASPNET, test | | Builtin\Power Users: <empty> | | Builtin\Backup Operators: <empty> | | Builtin\Remote Desktop Users: <empty> | | Builtin\Administrators: Administrator, ron, test | | Builtin\Performance Log Users: NETWORK SERVICE | | Builtin\Guests: Guest, IUSR_WINDOWS2003 |_ |_ Builtin\Distributed COM Users: <empty>
Author: Ron Bowes
License: Same as Nmap--See http://nmap.org/book/man-legal.html