HOME>>>>>>>>>

File smb-enum-groups

脚本使用类型: hostrule
脚本所属分类: discovery, intrusive
脚本下载地址: http://nmap.org/svn/scripts/smb-enum-groups.nse

User Summary

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

The following MSRPC functions in SAMR are used to find a list of groups and the RIDs of their users. Keep in mind that MSRPC refers to groups as "Aliases".

Once the RIDs have been termined, the

I (Ron Bowes) originally looked into the possibility of using the SAMR function LookupRids2 to convert RIDs to usernames, but the function seemed to return a fault no matter what I tried. Since enum.exe also switches to LSA to convert RIDs to usernames, I figured they had the same issue and I do the same thing.

Script Arguments

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

执行格式 

nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

Script Output 

Host script results:
|  smb-enum-groups:
|  |  WINDOWS2003\HelpServicesGroup: SUPPORT_388945a0
|  |  WINDOWS2003\IIS_WPG: SYSTEM, SERVICE, NETWORK SERVICE, IWAM_WINDOWS2003
|  |  WINDOWS2003\TelnetClients: <empty>
|  |  Builtin\Print Operators: <empty>
|  |  Builtin\Replicator: <empty>
|  |  Builtin\Network Configuration Operators: <empty>
|  |  Builtin\Performance Monitor Users: <empty>
|  |  Builtin\Users: INTERACTIVE, Authenticated Users, ron, ASPNET, test
|  |  Builtin\Power Users: <empty>
|  |  Builtin\Backup Operators: <empty>
|  |  Builtin\Remote Desktop Users: <empty>
|  |  Builtin\Administrators: Administrator, ron, test
|  |  Builtin\Performance Log Users: NETWORK SERVICE
|  |  Builtin\Guests: Guest, IUSR_WINDOWS2003
|_ |_ Builtin\Distributed COM Users: <empty>

Requires

Author: Ron Bowes

License: VER007 整理 http://www.ver007.com