I've had a lot of questions about this, so let's see if this helps. When I score a password or a hash, I use an nmap script to quickly determine if this gives me local admin rights to the workstations and servers:
nmap --script=smb-enum-shares.nse --script-args=smbuser=[ADMIN],smbpass=[PASSWORD],smbdomain=[DOMAIN],smbbasic=1,smbtype=v1 -p445 --open -vv -Pn [IP RANGE TO TEST] -oA [FILENAME]
smbuser=[ADMIN] = Shared administrator account name
smbpass=[PASSWORD] = The shared account password
Alternatively you can Pass-the-Hash using:
smbhash=LMLMLMLMLMLMLMLMLM:NTLMNTLMNTLMNTLMNTLM
smbdomain=[DOMAIN] = WORKGROUP or the AD domain name
[FILENAME] = The base filename for the results output (-oA writes [FILENAME].nmap, .gnmap and .xml)
[IP RANGE TO TEST] = The IP ranges in CIDR notation.
Alternatively, you could make a list of all IPs and IP ranges and pass them to the scan using:
"-iL [INPUT LIST TO SCAN].txt"
smbbasic=1
Forces the authentication to use basic security, as opposed to "extended security". Against most modern systems, extended security should work, but there may be cases where you want to force basic. There's a chance that you'll get better results for enumerating users if you turn on basic authentication.
smbtype=v1
The type of SMB authentication to use. These are the possible options:
* v1: Sends LMv1 and NTLMv1.
* LMv1: Sends LMv1 only.
* NTLMv1: Sends NTLMv1 only (default).
* v2: Sends LMv2 and NTLMv2.
* LMv2: Sends LMv2 only.
* NTLMv2: Doesn't exist; the protocol doesn't support NTLMv2 alone.
If you have local administrator rights, the scan will show READ/WRITE access to the SMB shares:
Starting Nmap 5.51 ( http://nmap.org ) at 2012-12-22 15:41 PDT
Nmap scan report for 172.0.0.1
Host is up (0.00069s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Users: 0, Max: <unlimited>
|     Path: C:\Windows
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   C$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: C:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   D$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: D:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   IPC$
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Users: 2, Max: <unlimited>
|     Path:
|     Anonymous access: READ <not a file share>
|     Current user ('sysadmin') access: READ <not a file share>
|   SQLBACKUP
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 1, Max: <unlimited>
|     Path: D:\SQLBACKUP
|     Anonymous access: <none>
|_    Current user ('admin') access: READ/WRITE
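Reading that by eye works for one host, but a range scan saved with -oA produces one of these blocks per host. The following helper is an added example (not code from the original post) that parses the normal-format (.nmap) output and lists the hosts where the tested account got READ/WRITE on ADMIN$ or C$; the sample output inside it is constructed for the example, with made-up addresses.

```python
import re

# Constructed sample of smb-enum-shares output in nmap's normal (.nmap) format, two hosts.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.0.5
| smb-enum-shares:
|   ADMIN$
|     Type: STYPE_DISKTREE_HIDDEN
|     Current user ('admin') access: READ/WRITE
|   C$
|     Current user ('admin') access: READ/WRITE
|   IPC$
|_    Current user ('admin') access: READ <not a file share>
Nmap scan report for 10.0.0.6
| smb-enum-shares:
|   C$
|     Current user ('admin') access: <none>
|   IPC$
|_    Current user ('admin') access: READ <not a file share>
"""

ADMIN_SHARES = ("ADMIN$", "C$")  # READ/WRITE on these is the local-admin indicator


def parse_share_access(text):
    """Return {host: {share: access}} from smb-enum-shares script output."""
    results, host, share = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:  # start of a new host block
            host, share = m.group(1), None
            results[host] = {}
            continue
        m = re.match(r"\|_?\s*(.*?)\s*$", line)  # script output lines begin with '|'
        if host is None or not m:
            continue
        body = m.group(1)
        acc = re.match(r"Current user \('[^']*'\) access: (.+)", body)
        if acc and share:
            results[host][share] = acc.group(1)
        elif body and ":" not in body:  # attribute lines contain ':', share names don't
            share = body
    return results


def hosts_with_admin_access(results):
    """Hosts where the tested account got READ/WRITE on ADMIN$ or C$."""
    return sorted(h for h, shares in results.items()
                  if any(shares.get(s) == "READ/WRITE" for s in ADMIN_SHARES))
```

Feed it the [FILENAME].nmap file from the scan above with `parse_share_access(open(path).read())`.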