Windows Share Enumeration/Hacking from a Linux Host

gat0r
Just Arrived
Joined: 02 Jan 2005
Posts: 0
Location: Belgium

Posted: Sat Mar 26, 2005 6:45 pm    Post subject: Windows Share Enumeration/Hacking from a Linux Host

Hi,
I am trying to do some enumeration/null session hacking from Linux against a Windows host.

I am able to set up the null session and use the Windows tools to pull down account information using userinfo/userdump, enum, and sid2user/user2sid from my Windows machine, but now I am trying to do it on Linux.

I am able to connect to the IPC$ share using smbclient but can't get the one and only tool I was able to find, smbdumpusers, to work (I am getting an "ERROR: LSARetrieveUserInfo()" error on one host and "ERROR: SMBNTCreateAndX()" on another). Both Windows boxes have the firewalls turned off and I can create null sessions to each of them from another Windows client. I basically want to get the information I can pull down with getuserinfo and sid2user/user2sid: user accounts, shares, SIDs, so I can find the real administrator account, etc.

If anyone thinks the tools (userinfo, enum, sid2user, etc.) might run in Wine, I am willing to give that a shot, but I am basically trying to find a way to do all the Windows enumeration I usually do with another Windows host on a Linux box (hopefully using only command-line tools).

Can anyone recommend any tutorials, tools, tricks, help, etc. out there?

Thanks!

I'll add a little more info after messing with it some more. The error seems to be because those two Windows hosts are running Windows XP. I tried the program on an NT server and Windows 2000 Advanced Server and was able to pull down some details.

smbdumpuser will give you the SID and username and that's about it.
ex:
500-Administrator
1004-gat0r

Anything out there that can give more detailed info on the Linux side?


Last edited by gat0r on Mon Jan 16, 2006 6:42 pm; edited 1 time in total
DCLXVI
Just Arrived
Joined: 27 Mar 2005
Posts: 4


Posted: Wed Mar 30, 2005 1:22 am

nbaudit
nbtscan
nmbscan
dcetest
SPIKE

There are plenty of good tools out there for NetBIOS analysis.
gat0r
Just Arrived
Joined: 02 Jan 2005
Posts: 0
Location: Belgium

Posted: Thu Mar 31, 2005 8:21 pm

Thanks, I have found nbtscan but that was only good for finding shares, not really identifying SIDs and whatnot. I should have added that I need them to be command line only as well :(

rpcclient and smbclient from the Samba tools seem to do what I need to do:

whoops@pagefault:/tmp$ rpcclient -U administrator 172.10.1.21
Enter Password:
session setup ok
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
rpcclient $> lookupnames administrator
administrator S-1-5-21-1482476501-1202660629-1957994488-500 (1)
rpcclient $> lookupnames bigdude
S-1-5-21-1482476501-1202660629-1957994488-1010 (1)
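
Added example (not part of any post in this thread, and not Samba's own code): a parser for result lines of the kind shown in the rpcclient session above, splitting each SID into its domain part and RID. It shows why renaming the built-in Administrator account does not hide it, since the RID stays 500. The function names, the `localboss` line with its SID, and the `(User: 1)` format variant are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# SID_NAME_USE codes printed in the trailing "(n)" of each result line.
SID_TYPES = {1: "User", 2: "Group", 3: "Domain", 4: "Alias", 5: "WellKnownGroup"}
# RIDs fixed at install time; they do not change when the account is renamed.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# "name SID (type)"; the "(User: 1)" spelling is an assumed format variant.
LINE_RE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))"
    r"\s+\((?:[\w ]+:\s*)?(?P<type>\d+)\)$"
)

# Constructed sample modelled on the session in the thread, plus one invented
# host ("localboss", made-up domain SID) whose RID-500 account was renamed.
SAMPLE = """\
rpcclient $> lookupnames administrator
administrator S-1-5-21-1482476501-1202660629-1957994488-500 (1)
bigdude S-1-5-21-1482476501-1202660629-1957994488-1010 (1)
localboss S-1-5-21-1111111111-2222222222-3333333333-500 (User: 1)
"""

@dataclass(frozen=True)
class Account:
    name: str
    domain_sid: str   # machine or domain identifier shared by all its accounts
    rid: int          # relative identifier, the last SID component
    sid_type: str
    note: str

def parse_lookupnames(text):
    """Parse result lines; prompts and anything else that does not match are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rid = int(m["rid"])
        note = WELL_KNOWN_RIDS.get(rid) or (
            "created after install" if rid >= 1000 else "reserved RID range")
        accounts.append(Account(m["name"], m["sid"].rsplit("-", 1)[0], rid,
                                SID_TYPES.get(int(m["type"]), "Other"), note))
    return accounts

def renamed_builtin_admin(accounts):
    """RID-500 accounts whose name is no longer 'administrator'."""
    return [a for a in accounts
            if a.rid == 500 and a.name.split("\\")[-1].lower() != "administrator"]
```
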