Got asked to help remotely locate local admins on boxes on a network.
rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]
rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]
Now you would think that doing a querygroup would give you the right output, but actually you get a:
rpcclient $> querygroup 0x220
result was NT_STATUS_NO_SUCH_GROUP
Honestly I have no idea why this doesn't work, it *should*. If anyone knows why it doesn't I know more than one person who would like to know.
Anyway it takes one more step but you can do it this way:
rpcclient $> queryaliasmem
Usage: queryaliasmem builtin|domain rid [access mask]
rpcclient $> queryaliasmem builtin 0x220
sid:[S-1-5-21-1214440339-1383384898-839522115-500]
sid:[S-1-5-21-1214440339-1383384898-839522115-1003]
sid:[S-1-5-21-2392188729-2485841371-4291725810-512]
Then you can look up who those SIDs belong to
rpcclient $> lookupsids
Usage: lookupsids [sid1 [sid2 [...]]]
rpcclient $> lookupsids S-1-5-21-1214440339- 1383384898-839522115-500
S-1-5-21-1214440339-1383384898-839522115-500 PC\Administrator (1)
rpcclient $> lookupsids
S-1-5-21-1214440339-1383384898-839522115-1003
S-1-5-21-1214440339-1383384898-839522115-1003 PC\user (1)
rpcclient $> lookupsids
S-1-5-21-2392188729-2485841371-4291725810-512 rpc_api_pipe: Remote machine 192.168.242.128 pipe \lsarpc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds result was NT_STATUS_IO_TIMEOUT
Not sure about the 512 (its a MS built-in account I think) but the 1003 was the user I added to the local admins group.
Wednesday, June 30, 2010
Subscribe to:
Post Comments (Atom)
4 comments:
I don't think that this will show non-Administrator accounts that have cloned fixed/variable ("F"/"V") values in the registry.
You would have to inspect the registry and look for cloned F/V values of current Administrator accounts in all of the other accounts.
Hi, I have a question, Is it possible to enter NTLM / LM Password Hash instead of Alpha numeric password in RPC Client and then login in remote machine ?
not without patching an smbclient or winexe client. foofus had one, not sure if it still works or not.
http://www.foofus.net/~jmk/passhash.html
however, the standard pentest tools, core,canvas,metasploit will take a hash.
An alternative way to list group members from Linux is to use "/usr/bin/net" (part of the package samba-common-bin on Ubuntu).
$ net rpc group members administrators -I 10.0.0.1 -Uuser%pass
FOO\Administrator
FOO\Enterprise Admins
FOO\Domain Admins
enum4linux will list group members for you (it's a wrapper around rpcclient and other tools).
http://labs.portcullis.co.uk/application/enum4linux/
Post a Comment