
Commit 34f724c

committed
first add
1 parent 69755f6 commit 34f724c

3 files changed, +146 -0 lines changed

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
The `smb_enumusers` module ?????????????????????????????????
2+
This module works against Windows and Samba.
3+
4+
## Vulnerable Application
5+
6+
To use `smb_enumusers`, make sure you are able to connect to a SMB service that supports SMBv1.
7+
8+
## Verification Steps
9+
10+
1. Do: ```use auxiliary/scanner/smb/smb_enumusers```
11+
2. Do: ```set rhosts [IP]```
12+
3. Do: ```run```
13+
14+
## Scenarios
15+
16+
### Metasploitable2 (Samba)
17+
18+
```
19+
msf auxiliary(smb_enumusers) > run
20+
21+
[+] 192.168.2.35:139 - METASPLOITABLE [ games, nobody, bind, proxy, syslog, user, www-data, root, news, postgres, bin, mail, distccd, proftpd, dhcp, daemon, sshd, man, lp, mysql, gnats, libuuid, backup, msfadmin, telnetd, sys, klog, postfix, service, list, irc, ftp, tomcat55, sync, uucp ] ( LockoutTries=0 PasswordMin=5 )
22+
```
23+
24+
### Windows 2000 SP4
25+
26+
```
27+
[+] 192.168.2.127:445 - WIN2K [ disabled, Guest, renamedAdministrator, test ] ( LockoutTries=0 PasswordMin=0 )
28+
```
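Review bot: the opening sentence on line 1 of this file is unreadable (a run of "?" characters where the module description should be), so the page never says what `smb_enumusers` actually does; please replace it with a one-sentence description of the module before this is merged. Two smaller points in the same hunk: the "Do:" items wrap inline commands in triple backticks (e.g. "1. Do: ```use auxiliary/scanner/smb/smb_enumusers```"), which render inconsistently in Markdown lists, so single backticks would be safer; and the Windows 2000 SP4 scenario block shows only the output line, while the Metasploitable2 block also shows the `run` prompt, so the two scenarios would read more consistently with the same lead-in.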
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
The `smb_lookupsid` module bruteforces the SID of the user, to obtain the username or group name.
2+
This module works against Windows and Samba.
3+
This module can also be used to lookup the information against a Domain utilizing the `action` option.
4+
SID 500 is always the default administrator account, while user accounts start in the 1000 range.
5+
6+
## Vulnerable Application
7+
8+
To use `smb_lookupsid`, make sure you are able to connect to a SMB service that supports SMBv1.
9+
10+
## Verification Steps
11+
12+
1. Do: ```use auxiliary/scanner/smb/smb_lookupsid```
13+
2. Do: ```set rhosts [IP]```
14+
3. Do: ```run```
15+
16+
## Scenarios
17+
18+
### Windows 2000 SP4
19+
20+
```
21+
msf > use auxiliary/scanner/smb/smb_lookupsid
22+
msf auxiliary(smb_lookupsid) > set rhosts 192.168.2.127
23+
rhosts => 192.168.2.127
24+
25+
[*] 192.168.2.127:445 - PIPE(LSARPC) LOCAL(WIN2K - 5-21-484763869-823518204-682003330) DOMAIN(RAGEGROUP - )
26+
[*] 192.168.2.127:445 - USER=renamedAdministrator RID=500
27+
[*] 192.168.2.127:445 - USER=Guest RID=501
28+
[*] 192.168.2.127:445 - GROUP=None RID=513
29+
[*] 192.168.2.127:445 - USER=disabled RID=1000
30+
[*] 192.168.2.127:445 - USER=test RID=1001
31+
[*] 192.168.2.127:445 - WIN2K [renamedAdministrator, Guest, disabled, test ]
32+
[*] Scanned 1 of 1 hosts (100% complete)
33+
[*] Auxiliary module execution completed
34+
```
35+
36+
### Metasploitable2 (Samba)
37+
38+
```
39+
msf auxiliary(smb_lookupsid) > run
40+
41+
[*] Scanned 26 of 253 hosts (10% complete)
42+
[*] 192.168.2.35:139 - PIPE(LSARPC) LOCAL(METASPLOITABLE - 5-21-1042354039-2475377354-766472396) DOMAIN(WORKGROUP - )
43+
[*] 192.168.2.35:139 - USER=Administrator RID=500
44+
[*] 192.168.2.35:139 - USER=nobody RID=501
45+
[*] 192.168.2.35:139 - GROUP=Domain Admins RID=512
46+
[*] 192.168.2.35:139 - GROUP=Domain Users RID=513
47+
[*] 192.168.2.35:139 - GROUP=Domain Guests RID=514
48+
[*] 192.168.2.35:139 - USER=root RID=1000
49+
[*] 192.168.2.35:139 - GROUP=root RID=1001
50+
[*] 192.168.2.35:139 - USER=daemon RID=1002
51+
[*] 192.168.2.35:139 - GROUP=daemon RID=1003
52+
[*] 192.168.2.35:139 - USER=bin RID=1004
53+
[*] 192.168.2.35:139 - GROUP=bin RID=1005
54+
[*] 192.168.2.35:139 - USER=sys RID=1006
55+
[*] 192.168.2.35:139 - GROUP=sys RID=1007
56+
```
57+
...snip...
58+
59+
```
60+
[*] 192.168.2.35:139 - USER=user RID=3002
61+
[*] 192.168.2.35:139 - GROUP=user RID=3003
62+
[*] 192.168.2.35:139 - USER=service RID=3004
63+
[*] 192.168.2.35:139 - GROUP=service RID=3005
64+
[*] 192.168.2.35:139 - METASPLOITABLE [Administrator, nobody, root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, libuuid, dhcp, syslog, klog, sshd, bind, postfix, ftp, postgres, mysql, tomcat55, distccd, telnetd, proftpd, statd, msfadmin, user, service ]
65+
```
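Review bot: line 4, "SID 500 is always the default administrator account, while user accounts start in the 1000 range", conflates SID and RID; the sample output in this same hunk reports `USER=renamedAdministrator RID=500` and `USER=disabled RID=1000` beneath a `LOCAL(... 5-21-...)` line, i.e. the fixed value is the relative identifier appended to the host or domain SID, so "RID 500" and "RIDs from 1000 upward" would be accurate. For the same reason line 1's "bruteforces the SID of the user" would be clearer as "enumerates RIDs under the host or domain SID to resolve user and group names", and line 3 could say which `action` values select the local versus domain lookup, since the output shows both a `LOCAL(...)` and a `DOMAIN(...)` entry. Also note that the output snippet is split by a bare `...snip...` line between two code fences; that reads fine, but a short sentence such as "output truncated" would make the omission explicit.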
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
The `smb_version` module is used to determine what version of the Operating System is installed.
2+
This module also attempts to determine the following information on the system if possible:
3+
4+
1. OS (product and version)
5+
2. lanman version
6+
3. OS build number
7+
4. Service pack
8+
5. OS language
9+
10+
## Vulnerable Application
11+
12+
To use `smb_version`, make sure you are able to connect to a SMB service that supports SMBv1.
13+
14+
## Verification Steps
15+
16+
1. Do: ```use auxiliary/scanner/smb/smb_version```
17+
2. Do: ```set rhosts [IP]```
18+
3. Do: ```run```
19+
20+
## Scenarios
21+
22+
This is an example run of a network with several different version of Windows, metasploit 1 and 2, and a NAS device running SAMBA.
23+
24+
```
25+
msf > use auxiliary/scanner/smb/smb_version
26+
msf auxiliary(smb_version) > set rhosts 10.9.7.1-254
27+
rhosts => 10.9.7.1-254
28+
msf auxiliary(smb_version) > set threads 5
29+
threads => 5
30+
msf auxiliary(smb_version) > run
31+
32+
[*] 10.9.7.7:445 - Host is running Windows 2008 R2 Standard (build:7600) (name:WIN-O712LQK2K69) (workgroup:WORKGROUP )
33+
[*] Scanned 26 of 254 hosts (10% complete)
34+
[*] 10.9.7.35:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
35+
[*] 10.9.7.46:445 - Host could not be identified: Unix (Samba 3.0.20-Debian)
36+
[*] Scanned 52 of 254 hosts (20% complete)
37+
[*] Scanned 77 of 254 hosts (30% complete)
38+
[*] 10.9.7.91:445 - Host is running Windows 8.1 Enterprise Evaluation (build:9600) (name:IE11WIN8_1) (workgroup:WORKGROUP )
39+
[*] Scanned 105 of 254 hosts (41% complete)
40+
[*] 10.9.7.108:445 - Host is running Windows XP SP3 (language:English) (name:WINXP) (workgroup:WORKGROUP )
41+
[*] 10.9.7.119:445 - Host could not be identified: Windows 6.1 (Samba 4.4.9)
42+
[*] 10.9.7.127:445 - Host is running Windows 2000 SP4 with ms05-010+ (language:English) (name:WIN2K) (workgroup:WORKGROUP )
43+
[*] Scanned 127 of 254 hosts (50% complete)
44+
[*] Scanned 154 of 254 hosts (60% complete)
45+
[*] 10.9.7.164:445 - Host is running Windows 2012 Standard (build:9200) (name:WIN-OBKF2JFCDKL)
46+
[*] 10.9.7.175:445 - Host is running Windows 10 Pro (build:14393) (name:WORKDESK)
47+
[*] Scanned 178 of 254 hosts (70% complete)
48+
[*] Scanned 204 of 254 hosts (80% complete)
49+
[*] Scanned 231 of 254 hosts (90% complete)
50+
[*] 10.9.7.232:445 - Host is running Windows 7 Enterprise SP1 (build:7601) (name:IE11WIN7) (workgroup:WORKGROUP )
51+
[*] Scanned 254 of 254 hosts (100% complete)
52+
[*] Auxiliary module execution completed
53+
```
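Review bot: line 22, "a network with several different version of Windows, metasploit 1 and 2, and a NAS device running SAMBA", has a grammar slip and an apparent naming error: "versions" is needed, "metasploit 1 and 2" should presumably be "Metasploitable 1 and 2" (the hosts reported as `Unix (Samba 3.0.20-Debian)` match that, and the commit's other two files already use the Metasploitable2 name), and the project spells it "Samba", as the output lines themselves do. Also, item 2 of the list, "lanman version", would be clearer as "LAN Manager (lanman) version" to match the capitalisation of the other items.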
