Active Directory Enumeration:RPCClient

Al1ex

发布于 2021-07-21 16:55:52

1.7K00

代码可运行

文章被收录于专栏：网络安全攻防网络安全攻防

运行总次数：0

代码可运行

文章前言

本篇文章中我们将重点介绍如何通过SMB协议和RPC协议来枚举域内信息，下文中使用的工具为rpcclient

信息枚举

Server Information

rpcclient -U Administrator%Ignite@123 192.168.1.172

Domain Information

querydominfo

Enumerating Domain Users

enumdomusers

Enumerating Domain Groups

enumdomgroups

Group Information Queries

querygroup 0x200

User Information Queries

queryuser yashika

Enumerating Privileges

enumprivs

Domain Password Information

getdompwinfo

User Password Information

getusrdompwinfo 0x1f4

Enumerating SID from LSA

lsaenumsid

Creating Domain User

createdomuser hacker
setuserinfo2 hacker 24 Password@1
enumdomusers

Lookup User Names

lookupnames hacker

Enumerating Alias Groups

enumalsgroups builtin

Delete Domain User

deletedomuser hacker

Net Share Enumeration

netshareenum
netshareenumall

Net Share Get Information

netsharegetinfo Confidential

Enumerating Domains

enumdomains

Enumerating Domain Groups

enumdomgroups
enumdomusers
queryusersgroups 0x44f
querygroupmem 0x201

Change Password of User

chgpasswd raj Password@1 Password@987

Create Domain Group

createdomgroup newgroup
enumdomgroups

Delete Domain Group

deletedomgroup newgroup
enumdomgroup

Domain Lookup

lookupdomain ignite

SAM Lookup

samlookupnames domain raj
samlookuprids domain 0x44f

SID Lookup

lsaenumsid

LSA Query

lsaquery
dsroledominfo

LSA Create Account

lookupnames raj
lsacreateaccount S-1-5-21-3232368669-2512470540-2741904768-1103

LSA Group Privileges

lsaenumsid
lookupsids S-1-1-0
lsaenumacctrights S-1-1-0

lsaaddpriv S-1-1-0 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-1-0
lsadelpriv S-1-1-0 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-1-0

LSA Account Privileges

lookupnames raj
lsaaddacctrights S-1-5-21-3232368669-2512470540-2741904768-1103 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-5-21-3232368669-2512470540-2741904768-1103
lsaremoveacctrights S-1-5-21-3232368669-2512470540-2741904768-1103 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-5-21-3232368669-2512470540-2741904768-1103

lsalookupprivvalue SeCreateTokenPrivielge

LSA Security Objects

lsaquerysecobj

文末小结

在本文中，我们能够使用rpcclient工具通过域内的SMB和RPC枚举大量信息，本文可以作为红队攻击和列举域的参考，但也有助于蓝队了解和测试在域上应用的保护及其用户的措施~

本文参与腾讯云自媒体同步曝光计划，分享自微信公众号。

原始发表：2021-05-24，如有侵权请联系 cloudcommunity@tencent.com 删除

python

rpc

本文分享自七芒星实验室微信公众号，前往查看

如有侵权，请联系 cloudcommunity@tencent.com 删除。

本文参与腾讯云自媒体同步曝光计划，欢迎热爱写作的你一起参与！

python

rpc

登录后参与评论

0 条评论

热度

Active Directory Enumeration:RPCClient

Active Directory Enumeration:RPCClient

文章前言

信息枚举

Server Information

Domain Information

Enumerating Domain Users

Enumerating Domain Groups

Group Information Queries

User Information Queries

Enumerating Privileges

Domain Password Information

User Password Information

Enumerating SID from LSA

Creating Domain User

Lookup User Names

Enumerating Alias Groups

Delete Domain User

Net Share Enumeration

Net Share Get Information

Enumerating Domains

Enumerating Domain Groups

Change Password of User

Create Domain Group

Delete Domain Group

Domain Lookup

SAM Lookup

SID Lookup

LSA Query

LSA Create Account

LSA Group Privileges

LSA Account Privileges

LSA Security Objects

文末小结

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐