Kali Linux 1.0.4 release and enum4linux
Kali Linux (formerly BackTrack Linux), well known for penetration testing, was upgraded the other day: version 1.0.4 is out.
Black Hat and DEF CON start at the end of this month, so it seems they kept the tradition (?) of timing the release to coincide with them. Incidentally, I once went to Las Vegas myself to see DEF CON (about seven years ago, though). Thinking back, that was fun... I'd like to go again.
So, below are my notes from installing Kali Linux 1.0.4. I really only just installed it, so there's nothing much here.
Updating from 1.0.3
I had already installed Kali Linux 1.0.3 the other day (http://d.hatena.ne.jp/ozuma/20130526/1369580668), so I decided to upgrade from there. As the official release notes say, you can upgrade from 1.0.3 easily with just apt-get.
# apt-get update && apt-get dist-upgrade
In my case it took about 45 minutes.
Packages newly added in 1.0.4
Kali Linux doesn't publish a list of the installed tools on its official site, so getting the overall picture is quite hard. This has been the case since the BackTrack days; I wondered whether there was some traditional reason for it, but I suspect it's simply a hassle for them (^^;).
But! In 1.0.4, the release notes properly state what was added!
- Winexe
- Pass the Hash Toolkit
- enum4linux
- RegRipper
- rfcat
- Unicornscan
- jSQL
- JD-GUI
- Ubertooth
- Ghost Phisher
- Uniscan
- Arachni
- Bully
This is revolutionary (is that really what surprises you?). Having upgraded to 1.0.4, I figured I'd try something right away, so I tested enum4linux.
enum4linux
Overview
It was a tool I didn't know, so first I looked into its background.
Download
It's already installed on Kali Linux, but I downloaded the tar.gz from the official page and checked its contents. ...and got a surprise.
$ tar tvzf enum4linux-0.8.9.tar.gz
drwx------ 0 root root     0 12  1 2012 enum4linux-0.8.9/
-rw------- 0 root root 17987 10 24 2008 enum4linux-0.8.9/COPYING.GPL
-rw------- 0 root root  2653 12  1 2012 enum4linux-0.8.9/CHANGELOG
-rw------- 0 root root 69632 12  1 2012 enum4linux-0.8.9/.enum4linux.pl.swp
-rw------- 0 root root   308 10 24 2008 enum4linux-0.8.9/COPYING.ENUM4LINUX
-rwx------ 0 root root 38614 12  1 2012 enum4linux-0.8.9/enum4linux.pl
-rw------- 0 root root   217 10 24 2008 enum4linux-0.8.9/share-list.txt
Wait, wait! There's a ".enum4linux.pl.swp" in there, a vim swap file!!
It's written in Perl, so I looked inside as well, but, hmm, honestly it's a rather clumsy program.
Usage
Running it with no arguments displays the help.
root@kali:~# enum4linux
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com).  Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")

The following options from enum.exe aren't implemented: -L, -N, -D, -f

Additional options:
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This opion is enabled if you don't provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consective RIDs don't correspond to
              a username.  Impies RID range ends at 999999.  Useful
              against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with "lookupsid known_username"
              Use commas to try several users: "-k admin,user1,user2"
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependancy info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.
Basically it seems you only need to specify the destination host.
So I ran it against the Windows NT 4.0 Workstation, Windows 2000 and Windows XP machines installed in Parallels Desktop 8 for Mac. Quite a lot of information gets exposed, but these are test PCs inside Parallels that exist to be shown off, so that's fine.
Windows NT 4.0 Workstation
Our house still has Windows NT 4.0.
Inside a VM, though.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 30 22:31:57 2013

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.211.55.17
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================== 
|    Enumerating Workgroup/Domain on 10.211.55.17    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 10.211.55.17    |
 ============================================ 
Looking up status of 10.211.55.17
    WINNT40         <00> -         B <ACTIVE>  Workstation Service
    WINNT40         <20> -         B <ACTIVE>  File Server Service
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    WINNT40         <03> -         B <ACTIVE>  Messenger Service
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    ADMINISTRATOR   <03> -         B <ACTIVE>  Messenger Service

    MAC Address = 00-1C-42-8C-E7-73

 ===================================== 
|    Session Check on 10.211.55.17    |
 ===================================== 
[+] Server 10.211.55.17 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.211.55.17    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 10.211.55.17    |
 ====================================== 
[+] Got OS info for 10.211.55.17 from smbclient: Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
[+] Got OS info for 10.211.55.17 from srvinfo:
    10.211.55.17   Wk Sv NT PtB LMB
    platform_id     :    500
    os version      :    4.0
    server type     :    0x51003

 ============================= 
|    Users on 10.211.55.17    |
 ============================= 
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: コンピュータ/ドメインの管理用 (ビルトイン アカウント)
index: 0x2 RID: 0x1f5 acb: 0x00000211 Account: Guest    Name: (null)    Desc: コンピュータ/ドメインへのゲスト アクセス用 (ビルトイン アカウント)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]

 ========================================= 
|    Share Enumeration on 10.211.55.17    |
 ========================================= 
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    IPC$            IPC       Remote IPC
    C$              Disk      Default share

    Server               Comment
    ---------            -------
    WINNT40

    Workgroup            Master
    ---------            -------
    WORKGROUP            WINNT40

[+] Attempting to map shares on 10.211.55.17
//10.211.55.17/ADMIN$    Mapping: DENIED, Listing: N/A
//10.211.55.17/IPC$      Mapping: OK    Listing: DENIED
//10.211.55.17/C$        Mapping: DENIED, Listing: N/A

 ==================================================== 
|    Password Policy Information for 10.211.55.17    |
 ==================================================== 
[+] Attaching to 10.211.55.17 using a NULL share

[+] Trying protocol 445/SMB...

    [!] Protocol failed: [Errno 111] Connection refused

[+] Trying protocol 139/SMB...

[+] Found domain(s):

    [+] WINNT40
    [+] Builtin

[+] Password Info for Domain: WINNT40

    [+] Minimum password length: None
    [+] Password history length: None
    [+] Maximum password age: 42 days 22 hours 47 minutes
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: None
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

 ============================== 
|    Groups on 10.211.55.17    |
 ============================== 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: WINNT40\Guest
Group 'Administrators' (RID: 544) has member: WINNT40\Administrator

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:
group:[なし] rid:[0x201]

[+] Getting domain group memberships:
Group 'なし' (RID: 513) has member: WINNT40\Administrator
Group 'なし' (RID: 513) has member: WINNT40\Guest

 ======================================================================= 
|    Users on 10.211.55.17 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-5-21-1392844967-559619856-309592939
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 *unknown*\*unknown* (8)
S-1-5-32-549 *unknown*\*unknown* (8)
S-1-5-32-550 *unknown*\*unknown* (8)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-1392844967-559619856-309592939 and logon username '', password ''
S-1-5-21-1392844967-559619856-309592939-500 WINNT40\Administrator (Local User)
S-1-5-21-1392844967-559619856-309592939-501 WINNT40\Guest (Local User)
S-1-5-21-1392844967-559619856-309592939-502 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-503 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-504 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-505 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-506 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-507 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-508 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-509 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-510 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-511 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-512 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-513 WINNT40\なし (Domain Group)
S-1-5-21-1392844967-559619856-309592939-514 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-515 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-516 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-517 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-518 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-519 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-520 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-521 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-522 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-523 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-524 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-525 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-526 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-527 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-528 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-529 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-530 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-531 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-532 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-533 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-534 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-535 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-536 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-537 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-538 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-539 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-540 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-541 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-542 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-543 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-544 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-545 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-546 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-547 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-548 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-549 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-550 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1000 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1001 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1002 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1003 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1004 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1005 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1006 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1007 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1008 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1009 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1010 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1011 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1012 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1013 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1014 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1015 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1016 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1017 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1018 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1019 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1020 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1021 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1022 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1023 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1024 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1025 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1026 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1027 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1028 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1029 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1030 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1031 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1032 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1033 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1034 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1035 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1036 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1037 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1038 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1039 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1040 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1041 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1042 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1043 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1044 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1045 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1046 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1047 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1048 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1049 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1050 *unknown*\*unknown* (8)

 ============================================= 
|    Getting printer info for 10.211.55.17    |
 ============================================= 
No printers returned.

enum4linux complete on Tue Jul 30 22:32:13 2013
This machine's computer name is WINNT40 and its workgroup is WORKGROUP, and both were obtained correctly. The OS was also identified as [Windows NT 4.0]. Beyond that, huh, you can even see things like [Locked Account Duration: 30 minutes].
The Administrator RID and the share names ADMIN$, IPC$ and C$ were obtained as well.
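As an added example (my own code, not from the post and not part of enum4linux), here is a small Python triage script that reads output of the kind shown above, for the NT 4.0 run and the Windows 2000 run alike, and turns it into the findings a defender would act on: the anonymous session, the anonymously listed and connectable shares, the weak password policy, and the accounts that RID cycling resolved. The embedded sample text is a constructed excerpt in the shape of the NT 4.0 output; the well-known RID table is standard Windows knowledge rather than something the post states.

```python
"""Triage helper for enum4linux text output (added example, not from the
post or from enum4linux). Parses the sections enum4linux prints and lists
what a defender should act on."""
import re

# Constructed excerpt in the shape of the post's Windows NT 4.0 run, trimmed
# to the lines the parser looks at. Values are the post's lab values.
SAMPLE = r"""
Target ........... 10.211.55.17
[+] Got domain/workgroup name: WORKGROUP
    WINNT40         <00> -         B <ACTIVE>  Workstation Service
[+] Server 10.211.55.17 allows sessions using username '', password ''
[+] Got OS info for 10.211.55.17 from smbclient: Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
    Sharename       Type      Comment
    ADMIN$          Disk      Remote Admin
    IPC$            IPC       Remote IPC
    C$              Disk      Default share
//10.211.55.17/ADMIN$    Mapping: DENIED, Listing: N/A
//10.211.55.17/IPC$      Mapping: OK    Listing: DENIED
    [+] Minimum password length: None
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
Password Complexity: Disabled
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-21-1392844967-559619856-309592939-500 WINNT40\Administrator (Local User)
S-1-5-21-1392844967-559619856-309592939-501 WINNT40\Guest (Local User)
S-1-5-21-1392844967-559619856-309592939-502 *unknown*\*unknown* (8)
"""

BUILTIN_SID = "S-1-5-32"
# Well-known RIDs under BUILTIN and under a machine/domain SID (Windows facts).
WELL_KNOWN = {
    (BUILTIN_SID, 544): "Administrators", (BUILTIN_SID, 545): "Users",
    (BUILTIN_SID, 546): "Guests", (BUILTIN_SID, 547): "Power Users",
    ("domain", 500): "Administrator", ("domain", 501): "Guest",
    ("domain", 502): "krbtgt", ("domain", 512): "Domain Admins",
    ("domain", 513): "Domain Users",
}

TARGET_RE = re.compile(r"^\s*Target \.+ (\S+)$")
WORKGROUP_RE = re.compile(r"^\s*\[\+\] Got domain/workgroup name: (\S+)$")
HOSTNAME_RE = re.compile(r"^\s*(\S+)\s+<00> -\s+B <ACTIVE>\s+Workstation Service$")
NULL_SESSION_RE = re.compile(r"^\s*\[\+\] Server \S+ allows sessions using username '', password ''$")
OS_RE = re.compile(r"OS=\[([^\]]+)\]")
MAP_RE = re.compile(r"^\s*//\S+/(\S+)\s+Mapping: (\w+)")
SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")
POLICY_RE = re.compile(r"^\s*\[\+\] (Minimum password length|Password history length|Maximum password age|"
                       r"Account Lockout Threshold|Locked Account Duration): (.+)$")
COMPLEXITY_RE = re.compile(r"^\s*Password Complexity: (\w+)$")
# One RID-cycling result: "<SID>-<RID> DOMAIN\name (type)"
RID_RE = re.compile(r"^\s*(S-1-5-(?:32|21(?:-\d+){3}))-(\d+)\s+(\S.*?)\s+\(([^)]+)\)\s*$")


def parse_enum4linux(text):
    """Return a dict of the facts enum4linux established about one host."""
    r = {"target": None, "hostname": None, "workgroup": None, "os": None,
         "null_session": False, "shares": [], "mapped": [], "policy": {},
         "complexity": None, "accounts": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := TARGET_RE.match(line):
            r["target"] = m.group(1)
        elif m := WORKGROUP_RE.match(line):
            r["workgroup"] = m.group(1)
        elif m := HOSTNAME_RE.match(line):
            r["hostname"] = m.group(1)
        elif NULL_SESSION_RE.match(line):
            r["null_session"] = True
        elif m := OS_RE.search(line):
            r["os"] = m.group(1)
        elif m := MAP_RE.match(line):
            if m.group(2) == "OK":
                r["mapped"].append(m.group(1))
        elif m := SHARE_RE.match(line):
            r["shares"].append((m.group(1), m.group(2)))
        elif m := POLICY_RE.match(line):
            r["policy"][m.group(1)] = m.group(2)
        elif m := COMPLEXITY_RE.match(line):
            r["complexity"] = m.group(1)
        elif m := RID_RE.match(line):
            # enum4linux prints the raw SID type 8 (SID_NAME_UNKNOWN) for RIDs
            # that resolve to nothing; keep only real hits.
            if m.group(4) != "8":
                r["accounts"].append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return r


def well_known_rid(sid, rid):
    """Name of a well-known RID under BUILTIN or a machine/domain SID, else None."""
    return WELL_KNOWN.get((BUILTIN_SID if sid == BUILTIN_SID else "domain", rid))


def findings(r):
    """Defender-oriented list of what the run exposed."""
    out = []
    if r["null_session"]:
        out.append("anonymous (null) SMB session accepted; RestrictAnonymous / 'Network access' hardening not in effect")
    if r["shares"]:
        out.append("share list visible anonymously: " + ", ".join(n for n, _ in r["shares"]))
    if r["mapped"]:
        out.append("shares connectable anonymously: " + ", ".join(r["mapped"]))
    if r["policy"].get("Minimum password length") in ("None", "0"):
        out.append("no minimum password length")
    if r["complexity"] == "Disabled":
        out.append("password complexity disabled")
    if r["policy"].get("Account Lockout Threshold") == "None":
        out.append("no account lockout threshold; online password guessing is not throttled")
    if r["accounts"]:
        labels = []
        for sid, rid, name, kind in r["accounts"]:
            wk = well_known_rid(sid, rid)
            labels.append(f"{name} ({kind}, RID {rid}" + (f" = {wk}" if wk else "") + ")")
        out.append("accounts resolved via RID cycling: " + "; ".join(labels))
    return out


if __name__ == "__main__":
    res = parse_enum4linux(SAMPLE)
    print(f"{res['hostname']} ({res['target']}, {res['os']}, workgroup {res['workgroup']})")
    for f in findings(res):
        print(" -", f)
```

Run it as-is to see the summary for the embedded excerpt, or feed a saved enum4linux run to parse_enum4linux(). The well-known RID table is what makes the RID-cycling hits readable: RID 513 is the Domain Users primary group, which on a standalone NT 4.0 or 2000 machine carries the name "None", so the なし group in the output above is simply that group under its Japanese name.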
Windows 2000 Professional
Next, I ran it against Windows 2000.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 30 22:24:39 2013

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.211.55.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =================================================== 
|    Enumerating Workgroup/Domain on 10.211.55.3    |
 =================================================== 
[+] Got domain/workgroup name: WORKGROUP

 =========================================== 
|    Nbtstat Information for 10.211.55.3    |
 =========================================== 
Looking up status of 10.211.55.3
    PARAWIN2000     <00> -         B <ACTIVE>  Workstation Service
    PARAWIN2000     <03> -         B <ACTIVE>  Messenger Service
    ROOT            <03> -         B <ACTIVE>  Messenger Service
    WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    PARAWIN2000     <20> -         B <ACTIVE>  File Server Service
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
    WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

    MAC Address = 00-1C-42-26-BE-05

 ==================================== 
|    Session Check on 10.211.55.3    |
 ==================================== 
[+] Server 10.211.55.3 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.211.55.3    |
 ========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.211.55.3    |
 ===================================== 
[+] Got OS info for 10.211.55.3 from smbclient: Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
[+] Got OS info for 10.211.55.3 from srvinfo:
    10.211.55.3    Wk Sv NT PtB LMB
    platform_id     :    500
    os version      :    5.0
    server type     :    0x51003

 ============================ 
|    Users on 10.211.55.3    |
 ============================ 
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)    Desc: コンピュータ/ドメインの管理用 (ビルトイン アカウント)
index: 0x2 RID: 0x1f5 acb: 0x00000215 Account: Guest    Name: (null)    Desc: コンピュータ/ドメインへのゲスト アクセス用 (ビルトイン アカウント)
index: 0x3 RID: 0x3e8 acb: 0x00000210 Account: root    Name: root    Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[root] rid:[0x3e8]

 ======================================== 
|    Share Enumeration on 10.211.55.3    |
 ======================================== 
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       Remote IPC
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share

    Server               Comment
    ---------            -------
    PARAWIN2000

    Workgroup            Master
    ---------            -------
    WORKGROUP            PARAWIN2000

[+] Attempting to map shares on 10.211.55.3
//10.211.55.3/IPC$       Mapping: OK    Listing: DENIED
//10.211.55.3/ADMIN$     Mapping: DENIED, Listing: N/A
//10.211.55.3/C$         Mapping: DENIED, Listing: N/A

 =================================================== 
|    Password Policy Information for 10.211.55.3    |
 =================================================== 
[+] Attaching to 10.211.55.3 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

    [+] PARAWIN2000
    [+] Builtin

[+] Password Info for Domain: PARAWIN2000

    [+] Minimum password length: None
    [+] Password history length: None
    [+] Maximum password age: 42 days 22 hours 47 minutes
    [+] Password Complexity Flags: 000000

        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0

    [+] Minimum password age: None
    [+] Reset Account Lockout Counter: 30 minutes
    [+] Locked Account Duration: 30 minutes
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0

 ============================= 
|    Groups on 10.211.55.3    |
 ============================= 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: PARAWIN2000\Guest
Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group 'Administrators' (RID: 544) has member: PARAWIN2000\Administrator
Group 'Administrators' (RID: 544) has member: PARAWIN2000\root

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:
group:[なし] rid:[0x201]

[+] Getting domain group memberships:
Group 'なし' (RID: 513) has member: PARAWIN2000\Administrator
Group 'なし' (RID: 513) has member: PARAWIN2000\Guest
Group 'なし' (RID: 513) has member: PARAWIN2000\root

 ====================================================================== 
|    Users on 10.211.55.3 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-5-21-343818398-1957994488-725345543
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 *unknown*\*unknown* (8)
S-1-5-32-549 *unknown*\*unknown* (8)
S-1-5-32-550 *unknown*\*unknown* (8)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-343818398-1957994488-725345543 and logon username '', password ''
S-1-5-21-343818398-1957994488-725345543-500 PARAWIN2000\Administrator (Local User)
S-1-5-21-343818398-1957994488-725345543-501 PARAWIN2000\Guest (Local User)
S-1-5-21-343818398-1957994488-725345543-502 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-503 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-504 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-505 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-506 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-507 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-508 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-509 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-510 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-511 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-512 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-513 PARAWIN2000\なし (Domain Group)
S-1-5-21-343818398-1957994488-725345543-514 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-515 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-516 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-517 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-518 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-519 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-520 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-521 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-522 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-523 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-524 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-525 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-526 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-527 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-528 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-529 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-530 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-531 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-532 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-533 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-534 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-535 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-536 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-537 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-538 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-539 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-540 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-541 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-542 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-543 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-544 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-545 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-546 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-547 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-548 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-549 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-550 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1000 PARAWIN2000\root (Local User)
S-1-5-21-343818398-1957994488-725345543-1001 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1002 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1003 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1004 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1005 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1006 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1007 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1008 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1009 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1010 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1011 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1012 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1013 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1014 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1015 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1016 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1017 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1018 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1019 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1020 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1021 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1022 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1023 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1024 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1025 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1026 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1027 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1028 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1029 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1030 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1031 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1032 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1033 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1034 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1035 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1036 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1037 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1038 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1039 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1040 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1041 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1042 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1043 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1044 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1045 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1046 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1047 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1048 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1049 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1050 *unknown*\*unknown* (8)

 ============================================ 
|    Getting printer info for 10.211.55.3    |
 ============================================ 
No printers returned.

enum4linux complete on Tue Jul 30 22:25:04 2013
This host's name is "PARAWIN2000". Just as with NT 4.0, the share names, the Administrator RID and so on were obtained. The OS string is now [Windows 5.0].
Windows XP Professional
Finally, I ran it against Windows XP as well. Note that, for lack of hardware, there is no Vista or 7 in my house.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 30 22:40:42 2013

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.211.55.5
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =================================================== 
|    Enumerating Workgroup/Domain on 10.211.55.5    |
 =================================================== 
[+] Got domain/workgroup name: MSHOME

 =========================================== 
|    Nbtstat Information for 10.211.55.5    |
 =========================================== 
Looking up status of 10.211.55.5
	OZUMAB2DA       <00> -         B <ACTIVE>  Workstation Service
	MSHOME          <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	OZUMAB2DA       <20> -         B <ACTIVE>  File Server Service
	MSHOME          <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	MSHOME          <1d> -         B <ACTIVE>  Master Browser
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

	MAC Address = 00-1C-42-78-86-20

 ==================================== 
|    Session Check on 10.211.55.5    |
 ==================================== 
[+] Server 10.211.55.5 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.211.55.5    |
 ========================================== 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain MSHOME
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.211.55.5    |
 ===================================== 
[+] Got OS info for 10.211.55.5 from smbclient: Domain=[MSHOME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

 ============================ 
|    Users on 10.211.55.5    |
 ============================ 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ======================================== 
|    Share Enumeration on 10.211.55.5    |
 ======================================== 
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[+] Attempting to map shares on 10.211.55.5

 =================================================== 
|    Password Policy Information for 10.211.55.5    |
 =================================================== 
[E] Unexpected error from polenum:
[+] Attaching to 10.211.55.5 using a NULL share
[+] Trying protocol 445/SMB...
[!] Protocol failed: SMB SessionError: class: ERRNT, code: STATUS_ACCESS_DENIED(Access is denied.)
[+] Trying protocol 139/SMB...
[!] Protocol failed: SMB SessionError: class: ERRNT, code: STATUS_ACCESS_DENIED(Access is denied.)
[E] Failed to get password policy with rpcclient

 ============================= 
|    Groups on 10.211.55.5    |
 ============================= 
[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED
[+] Getting builtin group memberships:
[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED
[+] Getting local group memberships:
[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED
[+] Getting domain group memberships:

 ====================================================================== 
|    Users on 10.211.55.5 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

 ============================================ 
|    Getting printer info for 10.211.55.5    |
 ============================================ 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain MSHOME
error: NT_STATUS_ACCESS_DENIED
enum4linux complete on Tue Jul 30 22:41:04 2013
Hmm, much less comes back this time. The host name OZUMAB2DA is still obtained, but the user list and the Administrator RID are no longer visible. The OS shows as [Windows 5.1]. The SID that Windows 2000 exposed so casually is no longer visible either.
Incidentally, I ran this with the XP Windows Firewall turned OFF, but the result was the same with it ON. Well, the file-sharing ports get automatically configured as pass-through even when Windows Firewall is ON.
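The Windows 2000 and XP runs above differ in exactly what an anonymous (null) session is allowed to learn, and that difference is what a defender auditing their own hosts wants to see at a glance. The following script is an added example, not part of the original post or of enum4linux: it parses the enum4linux 0.8.9 output format quoted on this page and reports which items were disclosed anonymously; the two sample inputs are constructed from lines of the runs above.

```python
import re
from dataclasses import dataclass, field
# Line patterns for the enum4linux 0.8.9 output quoted on this page. The "(8)" after a
# *unknown*\*unknown* entry is SID_NAME_USE value 8 (SidTypeUnknown): that RID does not
# exist, so only entries with a real type such as "(Local User)" count as disclosed.
RID_LINE = re.compile(r"^(S-1-5-[\d-]+?)-(\d+)\s+(.+?)\\(.+?)\s+\(([^)]+)\)\s*$")
NULL_SESSION = re.compile(r"^\[\+\] Server (\S+) allows sessions using username '', password ''")
OS_LINE = re.compile(r"OS=\[([^\]]+)\]")

@dataclass
class Exposure:
    target: str = ""
    null_session: bool = False
    os_string: str = ""
    accounts: list = field(default_factory=list)  # (rid, domain, name, type) resolved anonymously
    denied: int = 0                               # steps the host refused with ACCESS_DENIED

def parse_enum4linux(text: str) -> Exposure:  # summarise one enum4linux run
    ex = Exposure()
    for raw in text.splitlines():
        line = raw.strip()
        if m := NULL_SESSION.match(line):
            ex.target, ex.null_session = m.group(1), True
        elif m := OS_LINE.search(line):
            ex.os_string = m.group(1)
        elif m := RID_LINE.match(line):
            _, rid, domain, name, kind = m.groups()
            if kind != "8":  # skip RIDs that resolved to nothing
                ex.accounts.append((int(rid), domain, name, kind))
        elif "ACCESS_DENIED" in line:
            ex.denied += 1
    return ex

def risk_level(ex: Exposure) -> str:  # the verdict a defender reviewing the scan wants
    if ex.accounts:
        return "HIGH: anonymous RID cycling resolved account names"
    if ex.null_session:
        return "MEDIUM: null session accepted, enumeration denied"
    return "LOW: no anonymous session"

# Constructed samples stitched from lines of the Windows 2000 and XP runs above.
WIN2000_SAMPLE = """[+] Server 10.211.55.3 allows sessions using username '', password ''
[+] Got OS info for 10.211.55.3 from smbclient: Domain=[PARAWIN2000] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
S-1-5-21-343818398-1957994488-725345543-500 PARAWIN2000\\Administrator (Local User)
S-1-5-21-343818398-1957994488-725345543-502 *unknown*\\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1000 PARAWIN2000\\root (Local User)"""
WINXP_SAMPLE = """[+] Server 10.211.55.5 allows sessions using username '', password ''
[+] Got OS info for 10.211.55.5 from smbclient: Domain=[MSHOME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible."""
```

Run `parse_enum4linux` over a saved enum4linux log and `risk_level` gives the Windows 2000 host a HIGH verdict (Administrator and root resolved) while the XP host, which accepts the null session but denies every query, comes out MEDIUM.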
So that is it after trying a few things. There is no punchline.