diff --git a/rpc-protocol/enumeration.md b/rpc-protocol/enumeration.md new file mode 100644 index 0000000..cf0a932 --- /dev/null +++ b/rpc-protocol/enumeration.md 
@@ -0,0 +1,144 @@ +# Enumeration Operations + +## Enumerate Domain Users +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-users + +SMB 192.168.1.100 445 DC01 [+] Found 25 domain user(s) +SMB 192.168.1.100 445 DC01 RID Username BadPW PW Last Set PW Can Change Description +SMB 192.168.1.100 445 DC01 500 Administrator 0 2021-08-31 00:51:58 2021-09-01 03:51:58 Built-in account for administering... +SMB 192.168.1.100 445 DC01 501 Guest 0 Never Never Built-in account for guest access... +SMB 192.168.1.100 445 DC01 502 krbtgt 0 2021-08-30 15:23:18 2021-08-31 15:23:18 Key Distribution Center Service... +``` + + + +## Enumerate Groups +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-groups + +SMB 192.168.1.100 445 DC01 [+] Domain Groups (15) +SMB 192.168.1.100 445 DC01 RID Group Members Description +SMB 192.168.1.100 445 DC01 512 Domain Admins 3 Designated administrators of the domain +SMB 192.168.1.100 445 DC01 513 Domain Users 45 All domain users +SMB 192.168.1.100 445 DC01 514 Domain Guests 0 All domain guests + +SMB 192.168.1.100 445 DC01 [+] Builtin/Local Groups (20) +SMB 192.168.1.100 445 DC01 RID Group Members Description +SMB 192.168.1.100 445 DC01 544 Administrators 4 Administrators have complete and unrestricted access +SMB 192.168.1.100 445 DC01 545 Users 2 Users are prevented from making accidental changes +SMB 192.168.1.100 445 DC01 546 Guests 1 Guests have the same access as members of the Users group +``` + + + +## Query User Information +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-user Administrator + +SMB 192.168.1.100 445 DC01 User Name: Administrator +SMB 192.168.1.100 445 DC01 Full Name: +SMB 192.168.1.100 445 DC01 Home Directory: +SMB 192.168.1.100 445 DC01 Description: Built-in account for administering the computer/domain +SMB 192.168.1.100 445 DC01 User RID: 0x1f4 +SMB 192.168.1.100 445 DC01 Primary Group RID: 0x201 +SMB 192.168.1.100 445 DC01 Account Flags: 0x210 +``` + +## Query User Groups +```bash +nxc 
smb 192.168.1.100 -u username -p password --rpc-user-groups Administrator + +SMB 192.168.1.100 445 DC01 [+] Groups for user Administrator (3 groups) +SMB 192.168.1.100 445 DC01 RID ATTR Name +SMB 192.168.1.100 445 DC01 -------- ------ ------------------------------ +SMB 192.168.1.100 445 DC01 512 7 Domain Admins +SMB 192.168.1.100 445 DC01 513 7 Domain Users +SMB 192.168.1.100 445 DC01 520 7 Group Policy Creator Owners +``` + +## Query Group Information +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-group "Domain Admins" + +SMB 192.168.1.100 445 DC01 [+] Group: Domain Admins +SMB 192.168.1.100 445 DC01 Description: Designated administrators of the domain +SMB 192.168.1.100 445 DC01 Attributes: 7 +SMB 192.168.1.100 445 DC01 Member Count: 3 +SMB 192.168.1.100 445 DC01 Members: Administrator, IT-Admin, backup +``` + +## Query Domain Information +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-dom-info + +SMB 192.168.1.100 445 DC01 Domain: CONTOSO +SMB 192.168.1.100 445 DC01 Server: DC01 +SMB 192.168.1.100 445 DC01 Comment: Primary Domain Controller +SMB 192.168.1.100 445 DC01 Domain SID: S-1-5-21-1234567890-1234567890-1234567890 +``` + +## Query Password Policy +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-pass-pol + +SMB 192.168.1.100 445 DC01 Min Password Length: 7 +SMB 192.168.1.100 445 DC01 Password History: 24 +SMB 192.168.1.100 445 DC01 Maximum Password Age: 42 days +SMB 192.168.1.100 445 DC01 Password Complexity: Enabled +``` + +## Enumerate Domain Trusts +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-trusts + +SMB 192.168.1.100 445 DC01 [+] Found 2 domain trust(s) +SMB 192.168.1.100 445 DC01 CHILD.CONTOSO.LOCAL (external, forest: CHILD.CONTOSO.LOCAL) +SMB 192.168.1.100 445 DC01 PARTNER.COM (external, forest: PARTNER.COM) +``` + +## Enumerate Shares +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-shares + +SMB 192.168.1.100 445 DC01 [+] Found 6 share(s) +SMB 192.168.1.100 445 DC01 Share 
Type Perms Remark Path +SMB 192.168.1.100 445 DC01 ---------------------------------------------------------------------------------------------------- +SMB 192.168.1.100 445 DC01 ADMIN$ Disk READ,WRITE Remote Admin C:\Windows +SMB 192.168.1.100 445 DC01 C$ Disk READ,WRITE Default share C:\ +SMB 192.168.1.100 445 DC01 IPC$ IPC Remote IPC +SMB 192.168.1.100 445 DC01 NETLOGON Disk READ Logon server share C:\Windows\SYSVOL\sysvol\contoso.local\SCRIPTS +SMB 192.168.1.100 445 DC01 SYSVOL Disk READ Logon server share C:\Windows\SYSVOL\sysvol +``` + + + +## Enumerate Sessions +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-sessions + +SMB 192.168.1.100 445 DC01 [+] Found 5 session(s) +SMB 192.168.1.100 445 DC01 user:Administrator from:192.168.1.50 time:2h15m idle:5m +SMB 192.168.1.100 445 DC01 user:jdoe from:192.168.1.120 time:4h idle:30m +``` + +## Enumerate Server Info +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-server-info + +SMB 192.168.1.100 445 DC01 Server Information: +SMB 192.168.1.100 445 DC01 Server Name: DC01 +SMB 192.168.1.100 445 DC01 Server Domain: CONTOSO +SMB 192.168.1.100 445 DC01 Server OS: Windows Server 2019 Standard +SMB 192.168.1.100 445 DC01 Server OS Build: 17763 +``` + +## RID Brute Force +```bash +nxc smb 192.168.1.100 -u username -p password --rid-brute 1000 + +SMB 192.168.1.100 445 DC01 [+] Found 35 accounts via RID cycling: +SMB 192.168.1.100 445 DC01 500: Administrator (Built-in account for administering the computer/domain) +SMB 192.168.1.100 445 DC01 501: Guest (Built-in account for guest access to the computer/domain) +SMB 192.168.1.100 445 DC01 502: krbtgt (Key Distribution Center Service Account) +``` \ No newline at end of file diff --git a/rpc-protocol/group-management.md b/rpc-protocol/group-management.md new file mode 100644 index 0000000..cbc9e08 --- /dev/null +++ b/rpc-protocol/group-management.md 
@@ -0,0 +1,72 @@ +# Group Management + +## Create Group +```bash +nxc smb 192.168.1.100 -u admin -p password --create-group "IT Support" + +SMB 192.168.1.100 445 DC01 [*] Creating group (createdomgroup IT Support) +SMB 192.168.1.100 445 DC01 [+] Created group IT Support with RID 0x450 +``` + +## Delete Group +```bash +nxc smb 192.168.1.100 -u admin -p password --delete-group "Old Team" + +SMB 192.168.1.100 445 DC01 [*] Deleting group (deletedomgroup Old Team) +SMB 192.168.1.100 445 DC01 [+] Deleted group Old Team +``` + +## Add User to Group +```bash +nxc smb 192.168.1.100 -u admin -p password --add-to-group "john.doe:IT Support" + +SMB 192.168.1.100 445 DC01 [*] Adding john.doe to group IT Support +SMB 192.168.1.100 445 DC01 [+] Added john.doe to IT Support +``` + +## Remove User from Group +```bash +nxc smb 192.168.1.100 -u admin -p password --remove-from-group "john.doe:IT Support" + +SMB 192.168.1.100 445 DC01 [*] Removing john.doe from group IT Support +SMB 192.168.1.100 445 DC01 [+] Removed john.doe from IT Support +``` + +## Enumerate Groups +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-groups + +SMB 192.168.1.100 445 DC01 [+] Domain Groups (15) +SMB 192.168.1.100 445 DC01 RID Group Members Description +SMB 192.168.1.100 445 DC01 512 Domain Admins 3 Designated administrators of the domain +SMB 192.168.1.100 445 DC01 513 Domain Users 45 All domain users +SMB 192.168.1.100 445 DC01 514 Domain Guests 0 All domain guests + +SMB 192.168.1.100 445 DC01 [+] Builtin/Local Groups (20) +SMB 192.168.1.100 445 DC01 RID Group Members Description +SMB 192.168.1.100 445 DC01 544 Administrators 4 Administrators have complete and unrestricted access +SMB 192.168.1.100 445 DC01 545 Users 2 Users are prevented from making accidental changes +SMB 192.168.1.100 445 DC01 546 Guests 1 Guests have the same access as members of the Users group +``` + +## Query Group Information +```bash +# Query domain group +nxc smb 192.168.1.100 -u username -p password --rpc-group 
"Domain Admins" + +SMB 192.168.1.100 445 DC01 [+] Group: Domain Admins +SMB 192.168.1.100 445 DC01 Description: Designated administrators of the domain +SMB 192.168.1.100 445 DC01 Attributes: 7 +SMB 192.168.1.100 445 DC01 Member Count: 3 +SMB 192.168.1.100 445 DC01 Members: Administrator, IT-Admin, backup + +# Query builtin/local group +nxc smb 192.168.1.100 -u username -p password --rpc-group "Administrators" + +SMB 192.168.1.100 445 DC01 [+] Group: Administrators +SMB 192.168.1.100 445 DC01 Description: Administrators have complete and unrestricted access to the computer/domain +SMB 192.168.1.100 445 DC01 Attributes: 0 +SMB 192.168.1.100 445 DC01 Member Count: 4 +SMB 192.168.1.100 445 DC01 Members: Domain Admins, Administrator, Administrator, SYSTEM +``` + diff --git a/rpc-protocol/lookups.md b/rpc-protocol/lookups.md new file mode 100644 index 0000000..5478e96 --- /dev/null +++ b/rpc-protocol/lookups.md 
@@ -0,0 +1,67 @@ +# Lookup Operations + +## Lookup Names to SIDs +```bash +nxc smb 192.168.1.100 -u username -p password --lookup-names "Administrator,Guest" + +SMB 192.168.1.100 445 DC01 Administrator -> S-1-5-21-xxx-500 (User) +SMB 192.168.1.100 445 DC01 Guest -> S-1-5-21-xxx-501 (User) +``` + +## LSA Lookup Names +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-lookup-names "Administrator,Everyone" + +SMB 192.168.1.100 445 DC01 Administrator -> CONTOSO\Administrator S-1-5-21-xxx-500 (User) +SMB 192.168.1.100 445 DC01 Everyone -> Everyone S-1-1-0 (WellKnown) +``` + +## LSA Lookup SIDs +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-lookup-sids "S-1-5-21-xxx-500,S-1-1-0" + +SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-500 -> CONTOSO\Administrator (User) +SMB 192.168.1.100 445 DC01 S-1-1-0 -> Everyone (WellKnown) +``` + +## Lookup Domain SID +```bash +nxc smb 192.168.1.100 -u username -p password --lookup-domain CONTOSO + +SMB 192.168.1.100 445 DC01 Domain CONTOSO -> SID S-1-5-21-1234567890-1234567890-1234567890 +``` + +## SAM Lookup (Domain) +```bash +nxc smb 192.168.1.100 -u username -p password --sam-lookup domain "Administrator,Domain Admins" + +SMB 192.168.1.100 445 DC01 Administrator S-1-5-21-xxx-500 (User: 1) +SMB 192.168.1.100 445 DC01 Domain Admins S-1-5-21-xxx-512 (Group: 2) +``` + +## SAM Lookup (Builtin) +```bash +nxc smb 192.168.1.100 -u username -p password --sam-lookup builtin "Administrators,Users" + +SMB 192.168.1.100 445 DC01 Administrators S-1-5-32-544 (Alias: 4) +SMB 192.168.1.100 445 DC01 Users S-1-5-32-545 (Alias: 4) +``` + +## Query User Group Membership +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-user-groups Administrator + +SMB 192.168.1.100 445 DC01 [+] User Administrator is a member of 3 group(s) +SMB 192.168.1.100 445 DC01 [*] rid:[0x200] group:[Domain Admins] attr:[MANDATORY, ENABLED_BY_DEFAULT, ENABLED] +SMB 192.168.1.100 445 DC01 [*] rid:[0x201] group:[Domain Users] attr:[MANDATORY, 
ENABLED_BY_DEFAULT, ENABLED] +``` + +## RID Brute Force +```bash +nxc smb 192.168.1.100 -u username -p password --rid-brute 1000 + +SMB 192.168.1.100 445 DC01 [+] Found 35 accounts via RID cycling: +SMB 192.168.1.100 445 DC01 500: Administrator (Built-in account for administering the computer/domain) +SMB 192.168.1.100 445 DC01 501: Guest (Built-in account for guest access to the computer/domain) +SMB 192.168.1.100 445 DC01 502: krbtgt (Key Distribution Center Service Account) +``` \ No newline at end of file diff --git a/rpc-protocol/lsa-operations.md b/rpc-protocol/lsa-operations.md new file mode 100644 index 0000000..f95ea02 --- /dev/null +++ b/rpc-protocol/lsa-operations.md 
@@ -0,0 +1,71 @@ +# LSA Operations + +## LSA Query +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-query + +SMB 192.168.1.100 445 DC01 Domain Name: CONTOSO +SMB 192.168.1.100 445 DC01 Domain SID: S-1-5-21-1234567890-1234567890-1234567890 +``` + +## Enumerate LSA SIDs +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-sids + +SMB 192.168.1.100 445 DC01 [+] Found 15 SID(s) +SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-500 +SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-512 +SMB 192.168.1.100 445 DC01 S-1-5-32-544 +SMB 192.168.1.100 445 DC01 S-1-1-0 +``` + +## Enumerate Privileges +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-privs + +SMB 192.168.1.100 445 DC01 [+] Found 35 privilege(s) +SMB 192.168.1.100 445 DC01 SeCreateTokenPrivilege (0x2) +SMB 192.168.1.100 445 DC01 SeAssignPrimaryTokenPrivilege (0x3) +SMB 192.168.1.100 445 DC01 SeDebugPrivilege (0x14) +``` + +## Account Rights (Privileges) +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-rights S-1-5-32-544 + +SMB 192.168.1.100 445 DC01 [+] Rights for S-1-5-32-544: +SMB 192.168.1.100 445 DC01 SeBackupPrivilege +SMB 192.168.1.100 445 DC01 SeRestorePrivilege +SMB 192.168.1.100 445 DC01 SeShutdownPrivilege +``` + +## Lookup SIDs to Names +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-lookup-sids "S-1-5-21-xxx-500,S-1-5-21-xxx-512,S-1-1-0" + +SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-500 -> CONTOSO\Administrator (User) +SMB 192.168.1.100 445 DC01 S-1-5-21-xxx-512 -> CONTOSO\Domain Admins (Group) +SMB 192.168.1.100 445 DC01 S-1-1-0 -> Everyone (WellKnown) +``` + +## Create LSA Account +```bash +nxc smb 192.168.1.100 -u admin -p password --lsa-create-account S-1-5-21-xxx-1001 + +SMB 192.168.1.100 445 DC01 [+] Created LSA account for S-1-5-21-xxx-1001 +``` + +## Query LSA Security +```bash +nxc smb 192.168.1.100 -u username -p password --lsa-query-security + +SMB 192.168.1.100 445 DC01 revision: 1 +SMB 192.168.1.100 445 DC01 type: 0x8004: SEC_DESC_DACL_PRESENT 
SEC_DESC_SELF_RELATIVE +SMB 192.168.1.100 445 DC01 DACL +SMB 192.168.1.100 445 DC01 ACL Num ACEs: 9 revision: 2 +SMB 192.168.1.100 445 DC01 --- +SMB 192.168.1.100 445 DC01 ACE +SMB 192.168.1.100 445 DC01 type: ACCESS ALLOWED (0) flags: 0x00 +SMB 192.168.1.100 445 DC01 Permissions: 0xf1fff: WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS +SMB 192.168.1.100 445 DC01 SID: S-1-5-32-544 +``` \ No newline at end of file diff --git a/rpc-protocol/user-management.md b/rpc-protocol/user-management.md new file mode 100644 index 0000000..38434d8 --- /dev/null +++ b/rpc-protocol/user-management.md 
@@ -0,0 +1,63 @@ +# User Management + +## Create User +```bash +nxc smb 192.168.1.100 -u admin -p password --create-user newuser:Password123! + +SMB 192.168.1.100 445 DC01 [*] Creating user (createdomuser newuser) +SMB 192.168.1.100 445 DC01 [+] Created user newuser with RID 0x450 +``` + +## Delete User +```bash +nxc smb 192.168.1.100 -u admin -p password --delete-user testuser + +SMB 192.168.1.100 445 DC01 [*] Deleting user (deletedomuser testuser) +SMB 192.168.1.100 445 DC01 [+] Deleted user testuser +``` + +## Enable User +```bash +nxc smb 192.168.1.100 -u admin -p password --enable-user disableduser + +SMB 192.168.1.100 445 DC01 [*] Enabling user account (setuserinfo2 disableduser) +SMB 192.168.1.100 445 DC01 [+] Enabled user disableduser (UAC: 0x202 -> 0x200) +``` + +## Disable User +```bash +nxc smb 192.168.1.100 -u admin -p password --disable-user targetuser + +SMB 192.168.1.100 445 DC01 [*] Disabling user account (setuserinfo2 targetuser) +SMB 192.168.1.100 445 DC01 [+] Disabled user targetuser (UAC: 0x200 -> 0x202) +``` + +## Change Password (with old password) +```bash +nxc smb 192.168.1.100 -u username -p password --change-password targetuser:OldPass123:NewPass456! + +SMB 192.168.1.100 445 DC01 [*] Changing password (chgpasswd targetuser) +SMB 192.168.1.100 445 DC01 [+] Changed password for targetuser +``` + +## Reset Password (administrative) +```bash +nxc smb 192.168.1.100 -u admin -p password --reset-password targetuser:NewPass456! 
+ +SMB 192.168.1.100 445 DC01 [*] Resetting password for targetuser +SMB 192.168.1.100 445 DC01 [+] Reset password for targetuser +``` + +## Query User Information +```bash +nxc smb 192.168.1.100 -u username -p password --rpc-user Administrator + +SMB 192.168.1.100 445 DC01 User Name: Administrator +SMB 192.168.1.100 445 DC01 Full Name: +SMB 192.168.1.100 445 DC01 Home Directory: +SMB 192.168.1.100 445 DC01 Profile Path: +SMB 192.168.1.100 445 DC01 Description: Built-in account for administering the computer/domain +SMB 192.168.1.100 445 DC01 User RID: 0x1f4 +SMB 192.168.1.100 445 DC01 Primary Group RID: 0x201 +SMB 192.168.1.100 445 DC01 Account Flags: 0x210 +``` \ No newline at end of file
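Review bot: in rpc-protocol/enumeration.md the `--rpc-users`, `--rpc-user`, `--rpc-user-groups`, `--rpc-group`, `--rpc-groups` and `--rid-brute` sections are repeated verbatim in the other four files of this patch, and the copies already disagree: `--rpc-user-groups Administrator` here prints a `RID ATTR Name` table with decimal RIDs (`512 7 Domain Admins`) while lookups.md prints `rid:[0x200] group:[Domain Admins] attr:[MANDATORY, ENABLED_BY_DEFAULT, ENABLED]` for the same flag, and `--rpc-user Administrator` here lacks the `Profile Path:` line that user-management.md shows. Keep one copy per flag and link to it from the other pages so the sample output cannot drift again. The trust sample `CHILD.CONTOSO.LOCAL (external, forest: CHILD.CONTOSO.LOCAL)` also reads wrong for what is, by its name, a child domain of the domain being queried; either label it as a child/in-forest trust or use an unrelated DNS name for the external example. Several listings are cut short without a marker (`[+] Found 25 domain user(s)` followed by three rows, `[+] Found 6 share(s)` followed by five, `[+] Found 5 session(s)` followed by two); add an ellipsis line so readers do not take them for complete output. Finally, no section says what access the flag needs or what it does on the wire; a one-line description per section, including that `--rid-brute 1000` issues a lookup per RID and is therefore far noisier from the DC's side than the other queries, would turn this from a flag list into documentation. The file is also missing its trailing newline.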
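Review bot: the `--rpc-group "Administrators"` sample in rpc-protocol/group-management.md lists `Administrator` twice in `Members: Domain Admins, Administrator, Administrator, SYSTEM`, which a real member listing would not do; fix the sample or, if the tool really prints a domain and a local `Administrator` separately, show the distinguishing domain prefix. `[+] Created group IT Support with RID 0x450` also reuses the exact RID that user-management.md reports for `--create-user newuser`; RIDs are unique within a domain, so one of the two samples was copied. The Create, Delete, Add-to and Remove-from sections are write operations against the domain and the page should say so up front, together with the privilege they need (the examples switch from `-u username` to `-u admin` without comment) and that `--delete-group` is not reversible. The `--rpc-groups` and `--rpc-group` sections are copies of enumeration.md; link instead of duplicating.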
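Review bot: the numbers in `(User: 1)`, `(Group: 2)` and `(Alias: 4)` in the `--sam-lookup` samples in rpc-protocol/lookups.md read like member counts but are the SID type (SID_NAME_USE: 1 = user, 2 = group, 4 = alias), which is why both `Administrators` and `Users` show `4`; say so in the text or print the type name only. The `S-1-5-21-xxx-500` placeholder is used throughout while `--lookup-domain CONTOSO` prints the full `S-1-5-21-1234567890-1234567890-1234567890`; use the same domain SID in both so the reader can see that the name lookups resolve into that domain. `--rpc-user-groups Administrator` here prints `rid:[0x200] group:[Domain Admins] attr:[MANDATORY, ENABLED_BY_DEFAULT, ENABLED]` whereas enumeration.md prints `512 7 Domain Admins` for the same flag; one of these is stale, and since `7` is exactly MANDATORY (1) + ENABLED_BY_DEFAULT (2) + ENABLED (4) decoded two ways, a sentence explaining the attribute bits would serve both pages. The `--rid-brute` section is a third copy of the one in enumeration.md. Missing trailing newline.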
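Review bot: `--lsa-create-account S-1-5-21-xxx-1001` in rpc-protocol/lsa-operations.md is the only write operation on an otherwise read-only page and gets no explanation; state what an LSA account object is for (it is the object that `--lsa-rights` enumerates rights from), that it needs administrative rights (the example switches to `-u admin`), and that creating one is a persistent change on the DC. `--lsa-query` repeats the `Domain`/`Domain SID` pair that `--rpc-dom-info` in enumeration.md already prints, and `--lsa-lookup-sids` repeats lookups.md; say how they differ or link. In `--lsa-query-security`, `ACL Num ACEs: 9` is followed by a single ACE with no truncation marker, and `Permissions: 0xf1fff:` names only three of the bits that value covers; either print the full ACL or mark the cut. The `(0x2)`, `(0x3)` and `(0x14)` suffixes on the `--lsa-privs` output are the privileges' LUID values and should be labelled as such, since a reader will otherwise take them for counts. Missing trailing newline.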
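Review bot: the `--create-user newuser:Password123!`, `--change-password targetuser:OldPass123:NewPass456!` and `--reset-password targetuser:NewPass456!` examples in rpc-protocol/user-management.md pass a `!` unquoted, which interactive bash treats as a history expansion; the fence is tagged `bash`, so wrap the argument in single quotes (`--create-user 'newuser:Password123!'`). The same lines put plaintext passwords on the command line, where they land in shell history and are visible to every local user via the process list; a sentence recommending whatever the tool offers for keeping the secret off the command line, and noting that the new password must satisfy the policy that `--rpc-pass-pol` in enumeration.md reports, belongs here. `[+] Created user newuser with RID 0x450` reuses the RID that group-management.md reports for the new group. The `UAC: 0x202 -> 0x200` and `0x200 -> 0x202` lines are the right place to say that bit 0x2 is ACCOUNTDISABLE and 0x200 is NORMAL_ACCOUNT, which is the whole content of the Enable/Disable operations and is what a defender will see change in the directory. `--rpc-user Administrator` is a copy of enumeration.md's section with one extra `Profile Path:` line; keep one. Missing trailing newline.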