Reminder:
Note that in this article the tool is used for research and learning.
This type of tool must not be used against a server that does not belong to you; doing so can be punished by law (see articles 323-XX).
Test environment:
For this we will use a VM running the Kali distribution. enum4linux is installed by default on Kali.
Utilisation
Options
root@kali:~# enum4linux
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com).  Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")

The following options from enum.exe aren't implemented: -L, -N, -D, -f

Additional options:
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This opion is enabled if you don't provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consective RIDs don't correspond to
              a username.  Impies RID range ends at 999999. Useful
              against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with "lookupsid known_username"
              Use commas to try several users: "-k admin,user1,user2"
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependancy info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.
Enumeration without an account
root@kali:~# enum4linux -U -o 192.168.5.100
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 27 22:47:45 2016

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.5.100
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =====================================================
|    Enumerating Workgroup/Domain on 192.168.5.100    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP

 ======================================
|    Session Check on 192.168.5.100    |
 ======================================
[+] Server 192.168.5.100 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 192.168.5.100    |
 ============================================
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain WORKGROUP
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    OS information on 192.168.5.100    |
 =======================================
[+] Got OS info for 192.168.5.100 from smbclient: Domain=[WORKGROUP] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

 ==============================
|    Users on 192.168.5.100    |
 ==============================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
enum4linux complete on Sun Mar 27 22:47:46 2016
The null session itself was accepted, but every LSA and SAMR query came back NT_STATUS_ACCESS_DENIED, so all we retrieved is the OS: Windows 7 Professional 7601 Service Pack 1.
Enumeration with an account
root@kali:~# enum4linux -U -u admin -p password -o 192.168.5.100
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Mar 27 22:50:00 2016

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.5.100
RID Range ........ 500-550,1000-1050
Username ......... 'admin'
Password ......... 'password'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =====================================================
|    Enumerating Workgroup/Domain on 192.168.5.100    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP

 ======================================
|    Session Check on 192.168.5.100    |
 ======================================
[+] Server 192.168.5.100 allows sessions using username 'admin', password 'password'

 ============================================
|    Getting domain SID for 192.168.5.100    |
 ============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 =======================================
|    OS information on 192.168.5.100    |
 =======================================
[+] Got OS info for 192.168.5.100 from smbclient: Domain=[DESKTOP] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]
[+] Got OS info for 192.168.5.100 from srvinfo:
    192.168.5.100  Wk Sv PrQ NT PtB LMB
    platform_id     :  500
    os version      :  6.1
    server type     :  0x51203

 ==============================
|    Users on 192.168.5.100    |
 ==============================
index: 0x1 RID: 0x3e8 acb: 0x00000214 Account: admin           Name: (null)           Desc: (null)
index: 0x2 RID: 0x1f4 acb: 0x00000211 Account: Administrateur  Name: (null)           Desc: Compte d’utilisateur d’administration
index: 0x3 RID: 0x3ea acb: 0x00000210 Account: HomeGroupUser$  Name: HomeGroupUser$   Desc: Compte intégré pour un accès Groupe résidentiel à l’ordinateur
index: 0x4 RID: 0x1f5 acb: 0x00000215 Account: Invité          Name: (null)           Desc: Compte d’utilisateur invité
index: 0x5 RID: 0x3ee acb: 0x00000210 Account: System          Name: System Account   Desc: Compte utilisé par System
index: 0x6 RID: 0x3eb acb: 0x00000210 Account: totouser        Name: totouser         Desc: (null)
index: 0x7 RID: 0x3ec acb: 0x00000210 Account: titiuser        Name: titiuser         Desc: (null)

user:[admin] rid:[0x3e8]
user:[Administrateur] rid:[0x1f4]
user:[HomeGroupUser$] rid:[0x3ea]
user:[Invité] rid:[0x1f5]
user:[System] rid:[0x3ee]
user:[totouser] rid:[0x3eb]
user:[titiuser] rid:[0x3ec]
enum4linux complete on Sun Mar 27 22:50:01 2016
With valid credentials the SAMR queries succeed and we manage to enumerate the different accounts on the machine.
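As an added example (not part of the original article and not enum4linux's own code), here is a small Python parser for the "Users" section and the "Session Check" line shown above. It decodes the acb field into the standard SAMR account-control bits (disabled, password not required, password never expires, and so on) and labels the well-known RIDs 500, 501 and 502, so that someone reviewing such a listing on their own host sees at a glance which accounts are enabled, which are built-in, and which carry a weak password setting. The sample text is constructed from the output above; the flag and RID names are standard Windows/SAMR values, and the function names are this example's own.

```python
"""Parse enum4linux user listings and highlight security-relevant account states."""
import re

# Constructed sample: the session-check line and the user lines copied from the
# authenticated run above (fields are tab-separated as enum4linux prints them).
SAMPLE_OUTPUT = """\
[+] Server 192.168.5.100 allows sessions using username 'admin', password 'password'
index: 0x1 RID: 0x3e8 acb: 0x00000214 Account: admin\tName: (null)\tDesc: (null)
index: 0x2 RID: 0x1f4 acb: 0x00000211 Account: Administrateur\tName: (null)\tDesc: Compte d'utilisateur d'administration
index: 0x3 RID: 0x3ea acb: 0x00000210 Account: HomeGroupUser$\tName: HomeGroupUser$\tDesc: Compte intégré pour un accès Groupe résidentiel à l'ordinateur
index: 0x4 RID: 0x1f5 acb: 0x00000215 Account: Invité\tName: (null)\tDesc: Compte d'utilisateur invité
index: 0x5 RID: 0x3ee acb: 0x00000210 Account: System\tName: System Account\tDesc: Compte utilisé par System
index: 0x6 RID: 0x3eb acb: 0x00000210 Account: totouser\tName: totouser\tDesc: (null)
index: 0x7 RID: 0x3ec acb: 0x00000210 Account: titiuser\tName: titiuser\tDesc: (null)
"""

# SAMR account-control bits (ACB_*) as exposed in the "acb:" field.
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOMEDIR_REQUIRED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0008: "TEMP_DUPLICATE",
    0x0010: "NORMAL_ACCOUNT",
    0x0020: "MNS_LOGON",
    0x0040: "INTERDOMAIN_TRUST",
    0x0080: "WORKSTATION_TRUST",
    0x0100: "SERVER_TRUST",
    0x0200: "PASSWORD_NEVER_EXPIRES",
    0x0400: "AUTO_LOCKED",
}

# Well-known user RIDs that exist on every Windows host/domain.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}

USER_LINE = re.compile(
    r"^index:\s*0x[0-9a-fA-F]+\s+RID:\s*(0x[0-9a-fA-F]+)\s+acb:\s*(0x[0-9a-fA-F]+)"
    r"\s+Account:\s*(.+?)\s+Name:\s*(.+?)\s+Desc:\s*(.*)$"
)
SESSION_LINE = re.compile(r"allows sessions using username '(.*?)', password '(.*?)'")


def decode_acb(acb):
    """Return the flag names set in an acb value, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_users(output):
    """Extract one dict per 'index: ... RID: ... acb: ...' line; other lines are ignored."""
    users = []
    for line in output.splitlines():
        m = USER_LINE.match(line.strip())
        if not m:
            continue
        rid, acb = int(m.group(1), 16), int(m.group(2), 16)
        users.append({
            "account": m.group(3),
            "rid": rid,
            "acb": acb,
            "flags": decode_acb(acb),
            "name": m.group(4),
            "desc": m.group(5).strip(),
        })
    return users


def session_credentials(output):
    """Return the (username, password) pair the server accepted, or None if absent.
    An empty pair means the host accepted a null session."""
    m = SESSION_LINE.search(output)
    return (m.group(1), m.group(2)) if m else None


def review_accounts(users):
    """Attach review notes to each account: built-in RID, disabled, weak password flags."""
    findings = []
    for u in users:
        notes = []
        if u["rid"] in WELL_KNOWN_RIDS:
            notes.append(WELL_KNOWN_RIDS[u["rid"]])
        if "DISABLED" in u["flags"]:
            notes.append("disabled")
        else:
            if "PASSWORD_NOT_REQUIRED" in u["flags"]:
                notes.append("enabled with password-not-required flag")
            if "PASSWORD_NEVER_EXPIRES" in u["flags"]:
                notes.append("password never expires")
        findings.append((u["account"], u["rid"], notes))
    return findings


if __name__ == "__main__":
    creds = session_credentials(SAMPLE_OUTPUT)
    print("null session accepted" if creds == ("", "") else f"session as {creds!r}")
    for account, rid, notes in review_accounts(parse_users(SAMPLE_OUTPUT)):
        print(f"{account:<16} RID {rid:<5} {', '.join(notes) or '-'}")
```

In the run above this marks Administrateur (RID 500) and Invité (RID 501) as disabled, while admin (RID 1000, the first locally created account) is enabled with the password-not-required bit set, which is the kind of finding a local-account review should surface.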