Active Directory Enumeration:RPCClient

admin
admin
admin
138635
文章
114
评论
2023年4月10日14:52:59评论84 views字数 1976阅读6分35秒阅读模式

文章前言

本篇文章中我们将重点介绍如何通过SMB协议和RPC协议来枚举域内信息,下文中使用的工具为rpcclient

信息枚举

Server Information
rpcclient -U Administrator%Ignite@123 192.168.1.172

Active Directory Enumeration:RPCClient

Domain Information
querydominfo

Active Directory Enumeration:RPCClient

Enumerating Domain Users
enumdomusers

Active Directory Enumeration:RPCClient

Enumerating Domain Groups
enumdomgroups

Active Directory Enumeration:RPCClient

Group Information Queries
querygroup 0x200

Active Directory Enumeration:RPCClient

User Information Queries
queryuser yashika

Active Directory Enumeration:RPCClient

Enumerating Privileges
enumprivs

Active Directory Enumeration:RPCClient

Domain Password Information
getdompwinfo

Active Directory Enumeration:RPCClient

User Password Information
getusrdompwinfo 0x1f4

Active Directory Enumeration:RPCClient

Enumerating SID from LSA
lsaenumsid

Active Directory Enumeration:RPCClient

Creating Domain User
createdomuser hackersetuserinfo2 hacker 24 Password@1enumdomusers

Active Directory Enumeration:RPCClient

Lookup User Names
lookupnames hacker

Active Directory Enumeration:RPCClient

Enumerating Alias Groups
enumalsgroups builtin

Active Directory Enumeration:RPCClient

Delete Domain User
deletedomuser hacker

Active Directory Enumeration:RPCClient

Net Share Enumeration
netshareenumnetshareenumall

Active Directory Enumeration:RPCClient

Net Share Get Information
netsharegetinfo Confidential

Active Directory Enumeration:RPCClient

Enumerating Domains
enumdomains

Active Directory Enumeration:RPCClient

Enumerating Domain Groups
enumdomgroupsenumdomusersqueryusersgroups 0x44fquerygroupmem 0x201

Active Directory Enumeration:RPCClient

Change Password of User
chgpasswd raj Password@1 Password@987

Active Directory Enumeration:RPCClient

Create Domain Group
createdomgroup newgroupenumdomgroups

Active Directory Enumeration:RPCClient

Delete Domain Group
deletedomgroup newgroupenumdomgroup

Active Directory Enumeration:RPCClient

Domain Lookup
lookupdomain ignite

Active Directory Enumeration:RPCClient

SAM Lookup
samlookupnames domain rajsamlookuprids domain 0x44f

Active Directory Enumeration:RPCClient

SID Lookup
lsaenumsid

Active Directory Enumeration:RPCClient

LSA Query
lsaquerydsroledominfo

Active Directory Enumeration:RPCClient

LSA Create Account
lookupnames rajlsacreateaccount S-1-5-21-3232368669-2512470540-2741904768-1103

Active Directory Enumeration:RPCClient

LSA Group Privileges
lsaenumsidlookupsids S-1-1-0lsaenumacctrights S-1-1-0

Active Directory Enumeration:RPCClient

lsaaddpriv S-1-1-0 SeCreateTokenPrivilegelsaenumprivsaccount S-1-1-0lsadelpriv S-1-1-0 SeCreateTokenPrivilegelsaenumprivsaccount S-1-1-0

Active Directory Enumeration:RPCClient

LSA Account Privileges
lookupnames rajlsaaddacctrights S-1-5-21-3232368669-2512470540-2741904768-1103 SeCreateTokenPrivilegelsaenumprivsaccount S-1-5-21-3232368669-2512470540-2741904768-1103lsaremoveacctrights S-1-5-21-3232368669-2512470540-2741904768-1103 SeCreateTokenPrivilegelsaenumprivsaccount S-1-5-21-3232368669-2512470540-2741904768-1103

Active Directory Enumeration:RPCClient

lsalookupprivvalue SeCreateTokenPrivielge

Active Directory Enumeration:RPCClient

LSA Security Objects
lsaquerysecobj

Active Directory Enumeration:RPCClient

文末小结

在本文中,我们能够使用rpcclient工具通过域内的SMB和RPC枚举大量信息,本文可以作为红队攻击和列举域的参考,但也有助于蓝队了解和测试在域上应用的保护及其用户的措施~

原文始发于微信公众号(七芒星实验室):Active Directory Enumeration:RPCClient

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年4月10日14:52:59
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Active Directory Enumeration:RPCClienthttps://cn-sec.com/archives/1664268.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息