Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the
The following MSRPC functions in SAMR are used to find a list of groups and the RIDs of their users. Keep in mind that MSRPC refers to groups as "Aliases".
Bind: bind to the SAMR service.
Connect4: get a connect_handle.
EnumDomains: get a list of the domains.
LookupDomain: get the RID of the domains.
OpenDomain: get a handle for each domain.
EnumDomainAliases: get the list of groups in the domain.
OpenAlias: get a handle to each group.
GetMembersInAlias: get the RIDs of the members in the groups.
Close: close the alias handle.
Close: close the domain handle.
Close: close the connect handle.
Once the RIDs have been determined, the
Bind: bind to the LSA service.
OpenPolicy2: get a policy handle.
LookupSids2: convert SIDs to usernames.
I (Ron Bowes) originally looked into the possibility of using the SAMR function to convert RIDs to usernames, but the function seemed to return a fault no matter what I tried. Since enum.exe also switches to LSA to convert RIDs to usernames, I figured they had the same issue and I do the same thing.
randomseed, smbbasic, smbport, smbsign: See the documentation for the smb library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername: See the documentation for the smbauth library.
nmap --script smb-enum-groups.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-groups.nse -p U:137,T:139 <host>
Host script results:
| smb-enum-groups:
|   WINDOWS2003\HelpServicesGroup: SUPPORT_388945a0
|   WINDOWS2003\IIS_WPG: SYSTEM, SERVICE, NETWORK SERVICE, IWAM_WINDOWS2003
|   WINDOWS2003\TelnetClients: <empty>
|   Builtin\Print Operators: <empty>
|   Builtin\Replicator: <empty>
|   Builtin\Network Configuration Operators: <empty>
|   Builtin\Performance Monitor Users: <empty>
|   Builtin\Users: INTERACTIVE, Authenticated Users, ron, ASPNET, test
|   Builtin\Power Users: <empty>
|   Builtin\Backup Operators: <empty>
|   Builtin\Remote Desktop Users: <empty>
|   Builtin\Administrators: Administrator, ron, test
|   Builtin\Performance Log Users: NETWORK SERVICE
|   Builtin\Guests: Guest, IUSR_WINDOWS2003
|_  Builtin\Distributed COM Users: <empty>
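The output above is most useful to a defender when it is turned into data and audited. As an added example (not part of the script or of Nmap), the following Python parses the smb-enum-groups output format into a group-to-members map, treating the script's `<empty>` marker and the `|_` terminator line, and then lists members of privileged built-in groups that are not on an allow-list. The sample text is a trimmed copy of the output shown above, and the PRIVILEGED set is an assumed starting point.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a trimmed copy of the smb-enum-groups output shown above.
SAMPLE_OUTPUT = """\
Host script results:
| smb-enum-groups:
|   WINDOWS2003\\IIS_WPG: SYSTEM, SERVICE, NETWORK SERVICE, IWAM_WINDOWS2003
|   WINDOWS2003\\TelnetClients: <empty>
|   Builtin\\Users: INTERACTIVE, Authenticated Users, ron, ASPNET, test
|   Builtin\\Administrators: Administrator, ron, test
|   Builtin\\Guests: Guest, IUSR_WINDOWS2003
|_  Builtin\\Distributed COM Users: <empty>
"""

# A group line looks like "|   DOMAIN\Group: m1, m2" ("|_" marks the last line);
# the "Host script results:" header and the "| smb-enum-groups:" line do not match.
GROUP_LINE = re.compile(r"^\|[ _]\s+(?P<domain>[^\\]+)\\(?P<group>[^:]+):\s*(?P<members>.*)$")

def parse_groups(output: str) -> Dict[str, List[str]]:
    """Map 'DOMAIN\\Group' to its member list; the script's '<empty>' marker becomes []."""
    groups: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = GROUP_LINE.match(line)
        if not m:
            continue
        key = f"{m.group('domain')}\\{m.group('group').strip()}"
        members = m.group("members").strip()
        groups[key] = [] if members == "<empty>" else [x.strip() for x in members.split(",")]
    return groups

# Built-in groups whose membership is worth reviewing (assumption: a starting list for this example).
PRIVILEGED = {"Builtin\\Administrators", "Builtin\\Backup Operators", "Builtin\\Remote Desktop Users"}

def find_unexpected(groups: Dict[str, List[str]], allowed: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For each privileged group present in the output, list members not on its allow-list."""
    findings: Dict[str, List[str]] = {}
    for group in sorted(PRIVILEGED):
        if group not in groups:
            continue
        extra = sorted(set(groups[group]) - allowed.get(group, set()))
        if extra:
            findings[group] = extra
    return findings

if __name__ == "__main__":
    parsed = parse_groups(SAMPLE_OUTPUT)
    for group, members in parsed.items():
        print(f"{group}: {members}")
    # Only the built-in Administrator account is expected in Administrators on this host.
    print(find_unexpected(parsed, {"Builtin\\Administrators": {"Administrator"}}))
```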
Author: Ron Bowes
License: Same as Nmap--See http://nmap.org/book/man-legal.html