New script: smb-enum-groups.nse

Hey,

I just finished writing a script called smb-enum-groups.nse. It's currently in my nmap-exp branch:
svn://svn.insecure.org/nmap-exp/ron/nmap-smb

Here's an example output run anonymously against a fairly default Windows 2000 machine:

Host script results:
| smb-enum-groups:
| | Builtin\Administrators (RID: 544): Administrator, ron
| | Builtin\Guests (RID: 546): Guest
| | Builtin\Replicator (RID: 552): <empty>
| | Builtin\Power Users (RID: 547): <empty>
| | Builtin\Users (RID: 545): ron
|_ |_ Builtin\Backup Operators (RID: 551): <empty>

And here it is run against a somewhat default Windows 2003 install (with a user account, not in the Administrators group):

nmap -p445 -d --script=smb-enum-groups --script-args=smbuser=test,smbpass=test 172.16.212.129
[...]
| smb-enum-groups:
| | WINDOWS2003\HelpServicesGroup (RID: 1003): SUPPORT_388945a0
| | WINDOWS2003\IIS_WPG (RID: 1002): IWAM_WINDOWS2003
| | WINDOWS2003\TelnetClients (RID: 1005): <empty>
| | Builtin\Print Operators (RID: 550): <empty>
| | Builtin\Replicator (RID: 552): <empty>
| | Builtin\Network Configuration Operators (RID: 556): <empty>
| | Builtin\Performance Monitor Users (RID: 558): <empty>
| | Builtin\Users (RID: 545): ron, ASPNET, test
| | Builtin\Power Users (RID: 547): <empty>
| | Builtin\Backup Operators (RID: 551): <empty>
| | Builtin\Remote Desktop Users (RID: 555): <empty>
| | Builtin\Administrators (RID: 544): Administrator, ron
| | Builtin\Performance Log Users (RID: 559): <empty>
| | Builtin\Guests (RID: 546): Guest, IUSR_WINDOWS2003
|_ |_ Builtin\Distributed COM Users (RID: 562): <empty>

Unfortunately, anonymous and guest can't run SAMR functions against Windows XP and higher, so a user account is required.

I haven't tested it significantly yet, though I'll give it a try at work against a few machines. I'm reasonably confident that it'll hold its weight fairly well. I'd like to move this (and the 'output' patch I posted about before) back into the trunk in the next few days, if nobody minds.

I'd love to hear comments on this! The output formatting isn't my favourite, so I'm happy to take suggestions on how I can make it nicer. :)

Ron

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
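
An added example, not part of the post above or of the Nmap code base: a small Python audit helper that parses output in the format shown in the message and lists members of privileged local groups that are not on an allow-list. The sample text is constructed from lines in the post; the function names, the allow-list and the choice of RIDs treated as privileged are assumptions.

```python
import re

# Constructed sample: a few lines taken from the Windows 2003 output in the post.
SAMPLE = r"""
| smb-enum-groups:
| | WINDOWS2003\IIS_WPG (RID: 1002): IWAM_WINDOWS2003
| | Builtin\Users (RID: 545): ron, ASPNET, test
| | Builtin\Power Users (RID: 547): <empty>
| | Builtin\Administrators (RID: 544): Administrator, ron
|_ |_ Builtin\Distributed COM Users (RID: 562): <empty>
"""

# One group per line: <domain>\<group> (RID: <n>): <members, or "<empty>">
LINE = re.compile(
    r"^[|_ ]*(?P<domain>[^\\|]+)\\(?P<group>.+?) \(RID: (?P<rid>\d+)\): (?P<members>.*)$"
)

# Assumption: RIDs reviewed as privileged here (all three appear in the post).
PRIVILEGED_RIDS = {544, 547, 551}  # Administrators, Power Users, Backup Operators


def parse_groups(text):
    """Return a list of dicts, one per group line; other lines are skipped."""
    groups = []
    for line in text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue
        raw = m.group("members").strip()
        members = [] if raw == "<empty>" else [x.strip() for x in raw.split(",") if x.strip()]
        groups.append({
            "name": m.group("domain").strip() + "\\" + m.group("group"),
            "rid": int(m.group("rid")),
            "members": members,
        })
    return groups


def unexpected_privileged(groups, allowed):
    """List (group, rid, member) for privileged-group members not in `allowed`."""
    allowed = {a.lower() for a in allowed}
    return [
        (g["name"], g["rid"], member)
        for g in groups if g["rid"] in PRIVILEGED_RIDS
        for member in g["members"] if member.lower() not in allowed
    ]


if __name__ == "__main__":
    for finding in unexpected_privileged(parse_groups(SAMPLE), {"Administrator"}):
        print("review: %s (RID %d) contains %s" % finding)
```

Matching on the RID and not the group name keeps the check working on localized Windows installs, where the built-in groups are renamed but keep the same RIDs.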