Kali Linux 1.0.4 release and enum4linux

Kali Linux (formerly BackTrack Linux), well known for penetration testing, was updated the other day and 1.0.4 is out.

Black Hat and DEFCON happen to start at the end of this month, so it seems the tradition (?) of releasing to coincide with them was kept. Incidentally, I once went to Las Vegas to see DEFCON myself (about 7 years ago now). Looking back, that was fun... I'd like to go again.

So, below are my notes from installing Kali Linux 1.0.4. I really only installed it, so this isn't anything substantial.

Updating from 1.0.3

I had already installed Kali Linux 1.0.3 the other day (http://d.hatena.ne.jp/ozuma/20130526/1369580668), so I decided to update from there. As the official release notes say, you can upgrade from 1.0.3 easily with nothing more than apt-get.

# apt-get update && apt-get dist-upgrade

In my case it took about 45 minutes.

Packages newly added in 1.0.4

The official Kali Linux site doesn't carry a list of the installed tools, so getting a picture of the whole thing is rather difficult. This has been the case since the BackTrack days; I wondered whether there was some traditional reason for it, but my guess is that it's simply too much bother (^^;).

But! In 1.0.4, the release notes actually state clearly what was added!

  • Winexe
  • Pass the Hash Toolkit
  • enum4linux
  • RegRipper
  • rfcat
  • Unicornscan
  • jSQL
  • JD-GUI
  • Ubertooth
  • Ghost Phisher
  • Uniscan
  • Arachni
  • Bully

This is revolutionary (is that what surprises you?). Now that I've upgraded to 1.0.4, let's try something right away. So I tested enum4linux.

enum4linux

Overview

I didn't know this tool, so I first looked into its background.

Download

It's already installed on Kali Linux, but I downloaded the tar.gz from the official page and checked its contents... and was surprised.

$ tar tvzf enum4linux-0.8.9.tar.gz
drwx------  0 root   root        0 12  1  2012 enum4linux-0.8.9/
-rw-------  0 root   root    17987 10 24  2008 enum4linux-0.8.9/COPYING.GPL
-rw-------  0 root   root     2653 12  1  2012 enum4linux-0.8.9/CHANGELOG
-rw-------  0 root   root    69632 12  1  2012 enum4linux-0.8.9/.enum4linux.pl.swp
-rw-------  0 root   root      308 10 24  2008 enum4linux-0.8.9/COPYING.ENUM4LINUX
-rwx------  0 root   root    38614 12  1  2012 enum4linux-0.8.9/enum4linux.pl
-rw-------  0 root   root      217 10 24  2008 enum4linux-0.8.9/share-list.txt

Wait, wait! There's a ".enum4linux.pl.swp" in there, a vim swap file!!

It's written in Perl so I looked inside as well, but hmm, honestly, it's a pretty clumsy program.

Usage

Running it without arguments displays the help.

root@kali:~# enum4linux
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar
functionality to enum.exe (formerly from www.bindview.com).  Some additional
features such as RID cycling have also been added for convenience.

Usage: ./enum4linux.pl [options] ip

Options are (like "enum"):
    -U        get userlist
    -M        get machine list*
    -S        get sharelist
    -P        get password policy information
    -G        get group and member list
    -d        be detailed, applies to -U and -S
    -u user   specify username to use (default "")
    -p pass   specify password to use (default "")

The following options from enum.exe aren't implemented: -L, -N, -D, -f

Additional options:
    -a        Do all simple enumeration (-U -S -G -P -r -o -n -i).
              This opion is enabled if you don't provide any other options.
    -h        Display this help message and exit
    -r        enumerate users via RID cycling
    -R range  RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
    -K n      Keep searching RIDs until n consective RIDs don't correspond to
              a username.  Impies RID range ends at 999999. Useful
	      against DCs.
    -l        Get some (limited) info via LDAP 389/TCP (for DCs only)
    -s file   brute force guessing for share names
    -k user   User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
              Used to get sid with "lookupsid known_username"
    	      Use commas to try several users: "-k admin,user1,user2"
    -o        Get OS information
    -i        Get printer information
    -w wrkg   Specify workgroup manually (usually found automatically)
    -n        Do an nmblookup (similar to nbtstat)
    -v        Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts
which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network
access: Allow anonymous SID/Name translation" enabled (XP, 2003).

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Dependancy info: You will need to have the samba package installed as this
script is basically just a wrapper around rpcclient, net, nmblookup and
smbclient.  Polenum from http://labs.portcullis.co.uk/application/polenum/
is required to get Password Policy info.

Basically, it seems you only need to specify the target host.

So here I ran it against Windows NT 4.0 Workstation, Windows 2000, and Windows XP installed in Parallels Desktop 8 for Mac. Quite a bit of information gets exposed, but these are test PCs inside Parallels meant for showing off, so that's fine.

Windows NT 4.0 Workstation

My home still has Windows NT 4.0.

Inside a VM, though.

WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 30 22:31:57 2013

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.211.55.17
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 10.211.55.17    |
 ==================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================ 
|    Nbtstat Information for 10.211.55.17    |
 ============================================ 
Looking up status of 10.211.55.17
	WINNT40         <00> -         B <ACTIVE>  Workstation Service
	WINNT40         <20> -         B <ACTIVE>  File Server Service
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WINNT40         <03> -         B <ACTIVE>  Messenger Service
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	ADMINISTRATOR   <03> -         B <ACTIVE>  Messenger Service

	MAC Address = 00-1C-42-8C-E7-73

 ===================================== 
|    Session Check on 10.211.55.17    |
 ===================================== 
[+] Server 10.211.55.17 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.211.55.17    |
 =========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 10.211.55.17    |
 ====================================== 
[+] Got OS info for 10.211.55.17 from smbclient: Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
[+] Got OS info for 10.211.55.17 from srvinfo:
	10.211.55.17   Wk Sv NT PtB LMB     
	platform_id     :	500
	os version      :	4.0
	server type     :	0x51003

 ============================= 
|    Users on 10.211.55.17    |
 ============================= 
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: コンピュータ/ドメインの管理用 (ビルトイン アカウント)
index: 0x2 RID: 0x1f5 acb: 0x00000211 Account: Guest	Name: (null)	Desc: コンピュータ/ドメインへのゲスト アクセス用 (ビルトイン アカウント)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]

 ========================================= 
|    Share Enumeration on 10.211.55.17    |
 ========================================= 
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	IPC$            IPC       Remote IPC
	C$              Disk      Default share

	Server               Comment
	---------            -------
	WINNT40              

	Workgroup            Master
	---------            -------
	WORKGROUP            WINNT40

[+] Attempting to map shares on 10.211.55.17
//10.211.55.17/ADMIN$	Mapping: DENIED, Listing: N/A
//10.211.55.17/IPC$	Mapping: OK	Listing: DENIED
//10.211.55.17/C$	Mapping: DENIED, Listing: N/A

 ==================================================== 
|    Password Policy Information for 10.211.55.17    |
 ==================================================== 

[+] Attaching to 10.211.55.17 using a NULL share

	[+] Trying protocol 445/SMB...

	[!] Protocol failed: [Errno 111] Connection refused

	[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] WINNT40
	[+] Builtin

[+] Password Info for Domain: WINNT40

	[+] Minimum password length: None
	[+] Password history length: None
	[+] Maximum password age: 42 days 22 hours 47 minutes
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes
	[+] Locked Account Duration: 30 minutes
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ============================== 
|    Groups on 10.211.55.17    |
 ============================== 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: WINNT40\Guest
Group 'Administrators' (RID: 544) has member: WINNT40\Administrator

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:
group:[なし] rid:[0x201]

[+] Getting domain group memberships:
Group 'なし' (RID: 513) has member: WINNT40\Administrator
Group 'なし' (RID: 513) has member: WINNT40\Guest

 ======================================================================= 
|    Users on 10.211.55.17 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-5-21-1392844967-559619856-309592939
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 *unknown*\*unknown* (8)
S-1-5-32-549 *unknown*\*unknown* (8)
S-1-5-32-550 *unknown*\*unknown* (8)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-1392844967-559619856-309592939 and logon username '', password ''
S-1-5-21-1392844967-559619856-309592939-500 WINNT40\Administrator (Local User)
S-1-5-21-1392844967-559619856-309592939-501 WINNT40\Guest (Local User)
S-1-5-21-1392844967-559619856-309592939-502 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-503 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-504 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-505 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-506 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-507 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-508 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-509 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-510 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-511 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-512 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-513 WINNT40\なし (Domain Group)
S-1-5-21-1392844967-559619856-309592939-514 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-515 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-516 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-517 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-518 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-519 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-520 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-521 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-522 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-523 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-524 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-525 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-526 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-527 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-528 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-529 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-530 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-531 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-532 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-533 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-534 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-535 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-536 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-537 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-538 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-539 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-540 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-541 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-542 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-543 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-544 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-545 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-546 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-547 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-548 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-549 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-550 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1000 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1001 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1002 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1003 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1004 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1005 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1006 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1007 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1008 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1009 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1010 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1011 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1012 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1013 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1014 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1015 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1016 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1017 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1018 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1019 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1020 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1021 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1022 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1023 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1024 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1025 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1026 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1027 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1028 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1029 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1030 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1031 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1032 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1033 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1034 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1035 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1036 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1037 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1038 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1039 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1040 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1041 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1042 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1043 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1044 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1045 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1046 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1047 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1048 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1049 *unknown*\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-1050 *unknown*\*unknown* (8)

 ============================================= 
|    Getting printer info for 10.211.55.17    |
 ============================================= 
No printers returned.


enum4linux complete on Tue Jul 30 22:32:13 2013

This machine's computer name is WINNT40 and its workgroup is WORKGROUP, and both were retrieved correctly. The OS was also retrieved as [Windows NT 4.0]. Other things like [Locked Account Duration: 30 minutes] show up too; huh, so you can even see that.

It also retrieved the Administrator's RID and the share names ADMIN$, IPC$, C$.

Windows 2000 Professional

Next, I ran it against Windows 2000.
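The run above is long, and the parts that matter to a defender (null session accepted, empty password policy, accounts resolvable by RID cycling) are scattered across sections. As an added example that is not part of enum4linux or of this post, here is a small Python parser that turns enum4linux 0.8.9 text output into a findings summary; the sample input is a constructed excerpt in the same format as the NT 4.0 run, and the regexes are written for the line formats visible in that run.

```python
"""Parse enum4linux (v0.8.9) text output into an audit-style findings summary.

Added example, not part of enum4linux. SAMPLE_OUTPUT is a constructed
excerpt modelled on the NT 4.0 run above (same host, SID and line formats).
"""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
[+] Server 10.211.55.17 allows sessions using username '', password ''
[+] Got OS info for 10.211.55.17 from smbclient: Domain=[WORKGROUP] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
//10.211.55.17/ADMIN$\tMapping: DENIED, Listing: N/A
//10.211.55.17/IPC$\tMapping: OK\tListing: DENIED
//10.211.55.17/C$\tMapping: DENIED, Listing: N/A
\t[+] Account Lockout Threshold: None
Password Complexity: Disabled
Minimum Password Length: 0
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-32-548 *unknown*\\*unknown* (8)
S-1-5-21-1392844967-559619856-309592939-500 WINNT40\\Administrator (Local User)
S-1-5-21-1392844967-559619856-309592939-501 WINNT40\\Guest (Local User)
S-1-5-21-1392844967-559619856-309592939-502 *unknown*\\*unknown* (8)
"""

# Line formats as printed by enum4linux 0.8.9 (see the run above).
NULL_SESSION_RE = re.compile(r"allows sessions using username '', password ''")
OS_RE = re.compile(r"OS=\[([^\]]*)\] Server=\[([^\]]*)\]")
USER_RE = re.compile(r"^user:\[([^\]]+)\] rid:\[(0x[0-9a-fA-F]+)\]")
SHARE_RE = re.compile(r"^//[^/]+/(\S+)\s+Mapping: (\w+),?\s+Listing: (\S+)")
POLICY_RE = re.compile(
    r"^\s*(?:\[\+\] )?(Minimum password length|Password Complexity|"
    r"Account Lockout Threshold): (.+)$", re.IGNORECASE)
# "<SID>-<RID> NAME (TYPE)"; the tool prints "(8)" for a RID that did not resolve.
LOOKUP_RE = re.compile(r"^(S-1-5-\S+)-(\d+) (\S.*?) \(([^)]*)\)$")


@dataclass
class Findings:
    null_session: bool = False
    os_info: str = ""
    users: dict = field(default_factory=dict)     # account name -> RID (int)
    shares: dict = field(default_factory=dict)    # share name -> (mapping, listing)
    policy: dict = field(default_factory=dict)    # lower-cased policy key -> value
    resolved: dict = field(default_factory=dict)  # "<SID>-<RID>" -> (name, type)
    issues: list = field(default_factory=list)


def parse_enum4linux(text: str) -> Findings:
    """Walk the output line by line and collect the structured facts."""
    f = Findings()
    for line in text.splitlines():
        if NULL_SESSION_RE.search(line):
            f.null_session = True
        elif (m := OS_RE.search(line)):
            f.os_info = f"{m.group(1)} / {m.group(2)}"
        elif (m := USER_RE.match(line)):
            f.users[m.group(1)] = int(m.group(2), 16)   # 0x1f4 -> 500
        elif (m := SHARE_RE.match(line)):
            f.shares[m.group(1)] = (m.group(2), m.group(3))
        elif (m := POLICY_RE.match(line)):
            f.policy[m.group(1).lower()] = m.group(2).strip()
        elif (m := LOOKUP_RE.match(line)):
            sid, rid, name, kind = m.groups()
            if kind != "8":                              # keep only resolved RIDs
                f.resolved[f"{sid}-{rid}"] = (name, kind)
    return f


def assess(f: Findings) -> list:
    """Derive the risk statements a reviewer would put in a report."""
    issues = []
    if f.null_session:
        issues.append("null session accepted: users, shares and policy are "
                      "enumerable without credentials")
    if f.policy.get("minimum password length", "") in ("0", "None"):
        issues.append("no minimum password length enforced")
    if f.policy.get("password complexity", "").lower() == "disabled":
        issues.append("password complexity disabled")
    if f.policy.get("account lockout threshold", "") == "None":
        issues.append("no account lockout threshold: online guessing is not rate-limited")
    local_users = sorted(n for n, k in f.resolved.values() if k == "Local User")
    if local_users:
        issues.append("RID cycling resolves local accounts: " + ", ".join(local_users))
    f.issues = issues
    return issues


def audit(text: str) -> Findings:
    f = parse_enum4linux(text)
    assess(f)
    return f


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    print("OS:", result.os_info)
    print("Users:", result.users)
    print("Shares:", result.shares)
    for issue in result.issues:
        print("[!]", issue)
```

The same parser applies unchanged to the Windows 2000 run further down, which prints the identical line formats.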

WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 30 22:24:39 2013

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.211.55.3
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 10.211.55.3    |
 =================================================== 
[+] Got domain/workgroup name: WORKGROUP

 =========================================== 
|    Nbtstat Information for 10.211.55.3    |
 =========================================== 
Looking up status of 10.211.55.3
	PARAWIN2000     <00> -         B <ACTIVE>  Workstation Service
	PARAWIN2000     <03> -         B <ACTIVE>  Messenger Service
	ROOT            <03> -         B <ACTIVE>  Messenger Service
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	PARAWIN2000     <20> -         B <ACTIVE>  File Server Service
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

	MAC Address = 00-1C-42-26-BE-05

 ==================================== 
|    Session Check on 10.211.55.3    |
 ==================================== 
[+] Server 10.211.55.3 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.211.55.3    |
 ========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.211.55.3    |
 ===================================== 
[+] Got OS info for 10.211.55.3 from smbclient: Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
[+] Got OS info for 10.211.55.3 from srvinfo:
	10.211.55.3    Wk Sv NT PtB LMB     
	platform_id     :	500
	os version      :	5.0
	server type     :	0x51003

 ============================ 
|    Users on 10.211.55.3    |
 ============================ 
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: コンピュータ/ドメインの管理用 (ビルトイン アカウント)
index: 0x2 RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: コンピュータ/ドメインへのゲスト アクセス用 (ビルトイン アカウント)
index: 0x3 RID: 0x3e8 acb: 0x00000210 Account: root	Name: root	Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[root] rid:[0x3e8]

 ======================================== 
|    Share Enumeration on 10.211.55.3    |
 ======================================== 
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       Remote IPC
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share

	Server               Comment
	---------            -------
	PARAWIN2000          

	Workgroup            Master
	---------            -------
	WORKGROUP            PARAWIN2000

[+] Attempting to map shares on 10.211.55.3
//10.211.55.3/IPC$	Mapping: OK	Listing: DENIED
//10.211.55.3/ADMIN$	Mapping: DENIED, Listing: N/A
//10.211.55.3/C$	Mapping: DENIED, Listing: N/A

 =================================================== 
|    Password Policy Information for 10.211.55.3    |
 =================================================== 

[+] Attaching to 10.211.55.3 using a NULL share

	[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] PARAWIN2000
	[+] Builtin

[+] Password Info for Domain: PARAWIN2000

	[+] Minimum password length: None
	[+] Password history length: None
	[+] Maximum password age: 42 days 22 hours 47 minutes
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes
	[+] Locked Account Duration: 30 minutes
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ============================= 
|    Groups on 10.211.55.3    |
 ============================= 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: PARAWIN2000\Guest
Group 'Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group 'Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group 'Administrators' (RID: 544) has member: PARAWIN2000\Administrator
Group 'Administrators' (RID: 544) has member: PARAWIN2000\root

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:
group:[なし] rid:[0x201]

[+] Getting domain group memberships:
Group 'なし' (RID: 513) has member: PARAWIN2000\Administrator
Group 'なし' (RID: 513) has member: PARAWIN2000\Guest
Group 'なし' (RID: 513) has member: PARAWIN2000\root

 ====================================================================== 
|    Users on 10.211.55.3 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-5-21-343818398-1957994488-725345543
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 *unknown*\*unknown* (8)
S-1-5-32-549 *unknown*\*unknown* (8)
S-1-5-32-550 *unknown*\*unknown* (8)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-343818398-1957994488-725345543 and logon username '', password ''
S-1-5-21-343818398-1957994488-725345543-500 PARAWIN2000\Administrator (Local User)
S-1-5-21-343818398-1957994488-725345543-501 PARAWIN2000\Guest (Local User)
S-1-5-21-343818398-1957994488-725345543-502 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-503 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-504 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-505 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-506 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-507 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-508 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-509 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-510 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-511 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-512 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-513 PARAWIN2000\なし (Domain Group)
S-1-5-21-343818398-1957994488-725345543-514 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-515 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-516 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-517 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-518 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-519 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-520 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-521 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-522 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-523 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-524 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-525 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-526 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-527 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-528 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-529 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-530 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-531 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-532 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-533 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-534 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-535 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-536 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-537 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-538 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-539 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-540 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-541 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-542 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-543 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-544 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-545 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-546 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-547 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-548 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-549 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-550 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1000 PARAWIN2000\root (Local User)
S-1-5-21-343818398-1957994488-725345543-1001 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1002 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1003 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1004 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1005 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1006 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1007 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1008 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1009 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1010 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1011 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1012 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1013 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1014 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1015 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1016 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1017 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1018 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1019 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1020 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1021 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1022 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1023 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1024 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1025 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1026 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1027 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1028 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1029 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1030 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1031 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1032 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1033 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1034 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1035 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1036 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1037 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1038 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1039 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1040 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1041 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1042 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1043 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1044 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1045 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1046 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1047 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1048 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1049 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-1050 *unknown*\*unknown* (8)

 ============================================ 
|    Getting printer info for 10.211.55.3    |
 ============================================ 
No printers returned.


enum4linux complete on Tue Jul 30 22:25:04 2013

This one's hostname is "PARAWIN2000". As with NT 4.0, the share names, the Administrator RID and so on were all retrieved. The OS now reads [Windows 5.0].

Windows XP Professional

Finally, I ran it against WinXP as well. For lack of hardware, there is no Vista or 7 in my house.

WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jul 30 22:40:42 2013

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.211.55.5
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 10.211.55.5    |
 =================================================== 
[+] Got domain/workgroup name: MSHOME

 =========================================== 
|    Nbtstat Information for 10.211.55.5    |
 =========================================== 
Looking up status of 10.211.55.5
	OZUMAB2DA       <00> -         B <ACTIVE>  Workstation Service
	MSHOME          <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	OZUMAB2DA       <20> -         B <ACTIVE>  File Server Service
	MSHOME          <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
	MSHOME          <1d> -         B <ACTIVE>  Master Browser
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

	MAC Address = 00-1C-42-78-86-20

 ==================================== 
|    Session Check on 10.211.55.5    |
 ==================================== 
[+] Server 10.211.55.5 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.211.55.5    |
 ========================================== 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain MSHOME
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.211.55.5    |
 ===================================== 
[+] Got OS info for 10.211.55.5 from smbclient: Domain=[MSHOME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

 ============================ 
|    Users on 10.211.55.5    |
 ============================ 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ======================================== 
|    Share Enumeration on 10.211.55.5    |
 ======================================== 
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

[+] Attempting to map shares on 10.211.55.5

 =================================================== 
|    Password Policy Information for 10.211.55.5    |
 =================================================== 
[E] Unexpected error from polenum:

[+] Attaching to 10.211.55.5 using a NULL share

	[+] Trying protocol 445/SMB...

	[!] Protocol failed: SMB SessionError: class: ERRNT, code: STATUS_ACCESS_DENIED(Access is denied.)

	[+] Trying protocol 139/SMB...

	[!] Protocol failed: SMB SessionError: class: ERRNT, code: STATUS_ACCESS_DENIED(Access is denied.)

[E] Failed to get password policy with rpcclient


 ============================= 
|    Groups on 10.211.55.5    |
 ============================= 

[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED

[+] Getting builtin group memberships:

[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED

[+] Getting local group memberships:

[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED

[+] Getting domain group memberships:

 ====================================================================== 
|    Users on 10.211.55.5 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================ 
|    Getting printer info for 10.211.55.5    |
 ============================================ 
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain MSHOME
error: NT_STATUS_ACCESS_DENIED


enum4linux complete on Tue Jul 30 22:41:04 2013

Hm, much less comes back now. The hostname OZUMAB2DA is still obtained, but the user list and the Administrator RID are no longer visible. The OS shows as [Windows 5.1]. The SID that Windows 2000 handed out so casually is not visible either.

Incidentally, I ran this with the XP Windows Firewall turned OFF, but the result was the same with it ON. Well, file sharing is automatically configured as an exception that passes straight through even when the Windows Firewall is ON.
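To make the difference between the two runs concrete, here is an added example (not code from the post or from enum4linux) that parses enum4linux output into a short triage summary: whether a null session was accepted, which accounts RID cycling resolved, and how many queries came back NT_STATUS_ACCESS_DENIED. The two input excerpts are constructed from the output shown above; the `triage` function and its exposure levels are my own.

```python
import re

# Added example, not code from the post or from enum4linux: parse enum4linux output
# into a triage summary (does a null session leak accounts, or is everything denied?).
# Constructed excerpts modelled on the Windows 2000 and XP runs shown in the post.
WIN2000_OUTPUT = r"""
[+] Server 10.211.55.3 allows sessions using username '', password ''
[+] Got OS info for 10.211.55.3 from smbclient: OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
S-1-5-21-343818398-1957994488-725345543-500 PARAWIN2000\Administrator (Local User)
S-1-5-21-343818398-1957994488-725345543-502 *unknown*\*unknown* (8)
S-1-5-21-343818398-1957994488-725345543-513 PARAWIN2000\なし (Domain Group)
S-1-5-21-343818398-1957994488-725345543-1000 PARAWIN2000\root (Local User)
"""
XP_OUTPUT = r"""
[+] Server 10.211.55.5 allows sessions using username '', password ''
[+] Got OS info for 10.211.55.5 from smbclient: Domain=[MSHOME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
"""
# A resolved RID-cycling line looks like "<SID>-<RID> DOMAIN\name (kind)";
# unresolved RIDs show up as "*unknown*\*unknown* (8)" and are skipped below.
RID_LINE = re.compile(
    r"^(?P<sid>S-1-5-(?:32|21(?:-\d+){3}))-(?P<rid>\d+)\s+"
    r"(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>[^)]+)\)\s*$"
)

def triage(output: str) -> dict:
    """Summarise one enum4linux run: what an unauthenticated client got back."""
    os_match = re.search(r"OS=\[([^\]]+)\]", output)
    accounts = []  # (rid, name, kind) tuples resolved without credentials
    for line in output.splitlines():
        m = RID_LINE.match(line)
        if m and m.group("domain") != "*unknown*":
            accounts.append((int(m.group("rid")), m.group("name"), m.group("kind")))
    null_session = "allows sessions using username ''" in output
    if accounts:
        exposure = "high"    # account names leak to anyone on the network
    elif null_session:
        exposure = "medium"  # session accepted, but every query was denied
    else:
        exposure = "low"
    return {
        "null_session": null_session,
        "os_version": os_match.group(1) if os_match else None,
        "accounts": accounts,
        "access_denied": output.count("NT_STATUS_ACCESS_DENIED"),
        "rid_cycling_blocked": "RID cycling not possible" in output,
        "exposure": exposure,
    }
```

Feeding the real output of a run (for example `triage(open("enum4linux.txt").read())`) gives the same dictionary, which is handy for checking that a host stopped answering anonymous SAM and LSA queries after hardening.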


So, I tried a few things, and that's about it. There's no punchline.