In this article we focus on how to enumerate domain information over the SMB and RPC protocols; the tool used throughout is rpcclient.
rpcclient -U Administrator%Ignite@123 192.168.1.172
querydominfo
enumdomusers
enumdomgroups
querygroup 0x200
queryuser yashika
enumprivs
getdompwinfo
getusrdompwinfo 0x1f4
lsaenumsid
createdomuser hacker
setuserinfo2 hacker 24 Password@1
enumdomusers
lookupnames hacker
enumalsgroups builtin
deletedomuser hacker
netshareenum
netshareenumall
netsharegetinfo Confidential
enumdomains
enumdomgroups
enumdomusers
queryusersgroups 0x44f
querygroupmem 0x201
chgpasswd raj Password@1 Password@987
createdomgroup newgroup
enumdomgroups
deletedomgroup newgroup
enumdomgroups
lookupdomain ignite
samlookupnames domain raj
samlookuprids domain 0x44f
lsaenumsid
lsaquery
dsroledominfo
lookupnames raj
lsacreateaccount S-1-5-21-3232368669-2512470540-2741904768-1103
lsaenumsid
lookupsids S-1-1-0
lsaenumacctrights S-1-1-0
lsaaddpriv S-1-1-0 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-1-0
lsadelpriv S-1-1-0 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-1-0
lookupnames raj
lsaaddacctrights S-1-5-21-3232368669-2512470540-2741904768-1103 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-5-21-3232368669-2512470540-2741904768-1103
lsaremoveacctrights S-1-5-21-3232368669-2512470540-2741904768-1103 SeCreateTokenPrivilege
lsaenumprivsaccount S-1-5-21-3232368669-2512470540-2741904768-1103
lsalookupprivvalue SeCreateTokenPrivilege
lsaquerysecobj
In this article we used the rpcclient tool to enumerate a large amount of information over SMB and RPC inside the domain. It can serve as a reference for red team engagements and domain enumeration, but it is equally useful to blue teams for understanding and testing the protections applied to the domain and its users.