Nmap: SMB user enumeration
Source: https://nmap.org/nsedoc/scripts/smb-enum-users.html
File smb-enum-users
Script types: hostrule
Categories: auth, intrusive
Download: http://nmap.org/svn/scripts/smb-enum-users.nse
User Summary
Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.
A penetration tester who is examining servers may wish to determine the purpose of a server. By getting a list of who has access to it, the tester might get a better idea (if financial people have accounts, it probably relates to financial information). Additionally, knowing which accounts exist on a system (or on multiple systems) allows the pen-tester to build a dictionary of possible usernames for bruteforces, such as an SMB bruteforce or a Telnet bruteforce. These accounts may be helpful for other purposes, such as using the accounts in Web applications on this or other servers.
From a pen-tester's perspective, retrieving the list of users on any given server creates endless possibilities.
Users are enumerated in two different ways: using SAMR enumeration or LSA bruteforcing. By default, both are used, but they have specific advantages and disadvantages. Using both is a great default, but in certain circumstances it may be best to give preference to one.
Advantages of using SAMR enumeration:
- Stealthier: requires one packet per user account, whereas LSA uses at least 10 packets while SAMR uses half that. Additionally, LSA makes a lot of noise in the Windows event log (LSA enumeration is the only script I (Ron Bowes) have been called on by the administrator of a box I was testing against).
- More information is returned (more than just the username).
- Every account will be found, since they're being enumerated with a function that's designed to enumerate users.
Advantages of using LSA bruteforcing:
- More accounts are returned (system accounts, groups, and aliases are returned, not just users).
- Requires a lower-level account to run on Windows XP and higher: a 'guest' account can be used, whereas SAMR enumeration requires a 'user' account. This is especially useful when only guest access is allowed, or when an account has a blank password (which effectively gives it guest access).
Example Usage
nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
Script Output
Host script results:
| smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:
| smb-enum-users:
| | RON-WIN2K-TEST\Administrator (RID: 500)
| | | Description: Built-in account for administering the computer/domain
| | |_ Flags: Password does not expire, Normal user account
| | RON-WIN2K-TEST\Guest (RID: 501)
| | | Description: Built-in account for guest access to the computer/domain
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
| | | Full name: Internet Guest Account
| | | Description: Built-in account for anonymous access to Internet Information Services
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
| | | Full name: Launch IIS Process Account
| | | Description: Built-in account for Internet Information Services to start out of process applications
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\test1234 (RID: 1005)
| | |_ Flags: Normal user account
| | RON-WIN2K-TEST\TsInternetUser (RID: 1000)
| | | Full name: TsInternetUser
| | | Description: This user account is used by Terminal Services.
|_ |_ |_ Flags: Password not required, Password does not expire, Normal user account
Another example
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-14 20:40 WIB
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.0.80
Host is up (0.0018s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 36:66:33:66:32:39 (Unknown)

Host script results:
| smb-enum-users:
|   WIKI\onno (RID: 1000)
|     Full name: onno
|     Description:
|     Flags: Normal user account
|   WIKI\tamu (RID: 1001)
|     Full name:
|     Description:
|     Flags: Normal user account
|   WIKI\tamu1 (RID: 1002)
|     Full name:
|     Description:
|     Flags: Normal user account
|   WIKI\tamu2 (RID: 1003)
|     Full name:
|     Description:
|_    Flags: Normal user account

Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds
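The per-account output format shown in both script output blocks above is easy to post-process for the administrative use the summary mentions (seeing who has an account on a server). The following Python is an added example, not part of the Nmap project or of this page: it parses a "Host script results" block of smb-enum-users into records and flags accounts an administrator should review, such as those carrying the "Password not required" flag or built-in Administrator/Guest (RID 500/501) accounts that are still enabled. The sample block is constructed from the page's format with made-up values, and the "Account disabled" flag string is assumed to be the name smb.lua emits for a disabled account.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an smb-enum-users block in the per-account format shown
# on this page. Domain, names and descriptions are made up for the demo.
SAMPLE_OUTPUT = """\
Host script results:
| smb-enum-users:
|   WIKI\\Administrator (RID: 500)
|     Full name:
|     Description: Built-in account for administering the computer/domain
|     Flags:       Password does not expire, Normal user account
|   WIKI\\Guest (RID: 501)
|     Full name:
|     Description: Built-in account for guest access to the computer/domain
|     Flags:       Password not required, Password does not expire, Normal user account
|   WIKI\\onno (RID: 1000)
|     Full name:   onno
|     Description:
|_    Flags:       Normal user account
"""

# "DOMAIN\name (RID: n)" header line of one account.
ACCOUNT_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>.+?) \(RID: (?P<rid>\d+)\)$")
# The three per-account fields the script prints (value may be empty).
FIELD_RE = re.compile(r"^(Full name|Description|Flags):\s*(.*)$")
# A script header such as "smb-enum-users:" (no value after the colon).
SCRIPT_RE = re.compile(r"^(?P<script>[\w-]+):\s*$")


@dataclass
class SmbAccount:
    domain: str
    name: str
    rid: int
    full_name: str = ""
    description: str = ""
    flags: list = field(default_factory=list)


def parse_smb_enum_users(text):
    """Parse the smb-enum-users block of an Nmap host script result."""
    accounts = []
    in_block = False
    for raw in text.splitlines():
        # Strip Nmap's tree prefix ("| ", "|_ ") and the indentation.
        line = re.sub(r"^\|_?\s*", "", raw).rstrip()
        m = ACCOUNT_RE.match(line)
        if m and in_block:
            accounts.append(SmbAccount(m["domain"], m["name"], int(m["rid"])))
            continue
        m = FIELD_RE.match(line)
        if m and in_block and accounts:
            key, value = m.group(1), m.group(2).strip()
            if key == "Full name":
                accounts[-1].full_name = value
            elif key == "Description":
                accounts[-1].description = value
            else:
                accounts[-1].flags = [f.strip() for f in value.split(",") if f.strip()]
            continue
        m = SCRIPT_RE.match(line)
        if m:
            # Another script's block starts here; only stay inside ours.
            in_block = m["script"] == "smb-enum-users"
    return accounts


def flag_weak_accounts(accounts):
    """Return (DOMAIN\\name, [reasons]) for accounts worth an admin's review."""
    findings = []
    for a in accounts:
        reasons = []
        if "Password not required" in a.flags:
            reasons.append("password not required")
        # Assumed flag name for a disabled account (see lead-in).
        if a.rid in (500, 501) and "Account disabled" not in a.flags:
            reasons.append("built-in account (RID %d) enabled" % a.rid)
        if reasons:
            findings.append((f"{a.domain}\\{a.name}", reasons))
    return findings


if __name__ == "__main__":
    found = parse_smb_enum_users(SAMPLE_OUTPUT)
    print(f"{len(found)} accounts enumerated")
    for account, reasons in flag_weak_accounts(found):
        print(f"{account}: {'; '.join(reasons)}")
```

Feed it the text of a real scan (for example, the saved normal output of nmap -oN) to get the same review list for a live host; the regexes depend only on the header and field layout shown in the output above.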