Since the IP they're connected from and the account is revealed, the information here can also provide extra targets to test, as well as a username that's likely valid on that target. Additionally, since a strong username-to-IP correlation is given, it can be a boost to a social engineering attack. Enumerating the logged-in users is done by reading the remote registry and therefore won't work against Vista, which disables it by default. LsaLookupSids function.
Doing this requires any access higher than anonymous; guests, users, or administrators are all able to perform this request on Windows , XP, , and Vista. Enumerating SMB connections is done using the srvsvc.
LSA bruteforcing can be done anonymously. It has the advantage of running with less permission, and will also find more. The disadvantage is that it returns. It's also extremely noisy. This isn't a brute-force technique in the common sense, however: it's a brute-forcing of users'. So, the technique will essentially try. All members of this group are checked simultaneously, and the responses recorded.
As long as you are getting a few groups with active accounts, the scan will. Before attempting this conversion, the SID of the server has to be determined. The SID is determined by doing the reverse operation; that is, by converting a name into.
The name is determined by looking up any name present on the system. In theory, the computer name should be sufficient for this to always work, and. The names and details from both of these techniques are merged and displayed.
If the output is verbose, then extra details are shown. The output is ordered alphabetically. Only set this if you know what you're doing; you'll get better results. This is.
Generally, however,. QueryDomain : get the SID for the domain. OpenDomain : get a handle for each domain. QueryDisplayInfo : get the list of users in the domain. Close : close the domain handle. Close : close the connect handle. The advantage of this technique is that a lot of details are returned, including the full name and description; the disadvantage is that it requires a user-level account on every system except for Windows . Additionally, it only pulls actual user accounts, not groups or aliases.
Regardless of whether this succeeds, a second technique is used to pull user accounts, called LSA bruteforcing. LSA bruteforcing can be done anonymously against Windows , and requires a guest account or better on other systems. It has the advantage of running with less permission, and will also find more account types i. The disadvantage is that it returns less information, and that, because it's a brute-force guess, it's possible to miss accounts.
It's also extremely noisy. This isn't a brute-force technique in the common sense, however: it's a brute-forcing of users' RIDs. So, the technique will essentially try converting to a name, then , , etc. All members of this group are checked simultaneously, and the responses recorded.
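To make the two-step procedure concrete (recover the server SID from a known name, then cycle RIDs in batched lookups, as described in the paragraphs above), here is an added Python sketch; it is not code from the Nmap scripts the text describes. The LSA name table is a constructed in-memory dictionary standing in for LsaLookupNames/LsaLookupSids, and the server SID, account names, group size and stop threshold are all assumed values.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for one host's LSA name table (SID -> account name).
# A real script would resolve these over the LSA RPC interface; here the "server" is a dict.
SERVER_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # assumed value
CONSTRUCTED_NAME_TABLE: Dict[str, str] = {
    f"{SERVER_SID}-500": "Administrator",
    f"{SERVER_SID}-501": "Guest",
    f"{SERVER_SID}-513": "Domain Users",   # a group: RID cycling returns these too
    f"{SERVER_SID}-1000": "SRV01$",        # the computer account
    f"{SERVER_SID}-1001": "svc-backup",
    f"{SERVER_SID}-1003": "alice",
}
NAME_TO_SID = {name: sid for sid, name in CONSTRUCTED_NAME_TABLE.items()}


def lookup_names(names: List[str]) -> Dict[str, str]:
    """Stand-in for LsaLookupNames: name -> SID; unknown names are simply absent."""
    return {n: NAME_TO_SID[n] for n in names if n in NAME_TO_SID}


def lookup_sids(sids: List[str]) -> Dict[str, str]:
    """Stand-in for LsaLookupSids: one call resolves a whole batch of SIDs at once."""
    return {s: CONSTRUCTED_NAME_TABLE[s] for s in sids if s in CONSTRUCTED_NAME_TABLE}


def server_sid_from_name(name: str) -> Optional[str]:
    """The reverse step from the text: resolve any known name (the computer name is
    the usual choice), then strip the trailing RID to recover the server SID."""
    sid = lookup_names([name]).get(name)
    return None if sid is None else re.sub(r"-\d+$", "", sid)


def rid_cycle(domain_sid: str, group_size: int = 100, max_empty_groups: int = 5) -> Dict[int, str]:
    """Try RIDs upward from 500 in groups; each group is one batched lookup.
    Stop once max_empty_groups consecutive groups resolve nothing, which is why a
    large RID gap can cause accounts to be missed (the caveat in the text)."""
    found: Dict[int, str] = {}
    rid, empty_groups = 500, 0
    while empty_groups < max_empty_groups:
        batch = [f"{domain_sid}-{r}" for r in range(rid, rid + group_size)]
        resolved = lookup_sids(batch)          # whole group checked in one round trip
        for sid, name in resolved.items():
            found[int(sid.rsplit("-", 1)[1])] = name
        empty_groups = 0 if resolved else empty_groups + 1
        rid += group_size
    return found
```

With the default threshold the gap between RID 513 and RID 1000 is bridged, while a stricter threshold of three empty groups stops early and never reaches the 1000-range accounts.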