



POCKET REFERENCE GUIDE - SANS Institute - Prepared exclusively for SANS SEC504

Authentication Required
In order to use the smbclient and rpcclient tools, you will need to authenticate to the Windows target. Specify a username with -U username. Both tools will prompt for a password. Alternatively, you can specify the --pw-nt-hash argument and supply the NT hash value at the password prompt to conduct a pass-the-hash attack instead.

Retrieve Files from a Share
Use smbclient to retrieve files from a Windows file share, similar to an FTP client:

    $ smbclient -U username //ip/share

After authenticating you will see a smb: \> prompt. Use the following commands to navigate and access the file share:

Protocol Negotiation Failed Troubleshooting
... or -m SMB3 to specify SMBv2 or SMBv3 as the minimum security protocol to use when accessing the server.

    $ smbclient -L ip -U username -m SMB2

You can use this feature to evaluate what the minimum SMB version is for the server:

    $ smbclient -L ip -U username -m NT1
    $ smbclient -L ip -U username -m SMB2
    $ smbclient -L ip -U username -m SMB3

If all succeed, then the server supports all versions of SMB (including legacy versions, which exposes the server to attack). If one or more fail, the next one that succeeds is the minimum SMB version supported.

Enumerate Shortcut
From the rpcclient prompt, you can enumerate system information using several of the enum commands. To get a list, type enum followed by the Tab key twice at the rpcclient prompt:

    rpcclient $> enum

Enumerate Users and Groups
From rpcclient, enumerate user and group settings:

Create a New User
Create a new user on the remote Windows system using rpcclient with the createdomuser username command:

    rpcclient $> createdomuser username
    rpcclient $> setuserinfo2 username 24 'NewPassword'

The 24 is the Windows information class constant used to set a user password. The value will always be 24 when setting a password.

Change a User Password
Change a user's password on the Windows system using rpcclient with the chgpasswd3 username oldpass newpass command:

    rpcclient $> chgpasswd3 josh oldpass newpass

Create a New Share
Create a new share on the remote Windows system using rpcclient with the netshareadd command:

    rpcclient $> netshareadd "C:\Windows" "Windows" 10 "Windows Share"

Enumerate Password Policy Information
Use rpcclient to enumerate Windows password policy information with the getdompwinfo and getusrdompwinfo RID# commands:

    rpcclient $> getdompwinfo
    min_password_length: 5
    password_properties: 0x

    rpcclient $> getusrdompwinfo 1000
    min_password_length: 5
    &info.password_properties: 0xb7d1c734 (3083978548)
           0: DOMAIN_PASSWORD_COMPLEX
           0: DOMAIN_PASSWORD_NO_ANON_CHANGE
           1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
           0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
           1: DOMAIN_PASSWORD_STORE_CLEARTEXT
           1: DOMAIN_REFUSE_PASSWORD_CHANGE

In this output we see that getdompwinfo reveals the minimum password length of 5. Running getusrdompwinfo followed by a user RID (the first standard user is RID 1000, which can be determined with queryuser) shows a collection of password settings, including that the server does not enforce a password complexity policy (DOMAIN_PASSWORD_COMPLEX is 0).
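As an added example (not part of the SANS guide), the following Python parses the getusrdompwinfo output shown above and decodes the password_properties bitmask into the DOMAIN_PASSWORD_* flags, so an assessor can flag weak policy settings from saved rpcclient output instead of reading the bits by hand. The bit values are the MS-SAMR DOMAIN_PASSWORD_INFORMATION constants; the 14-character minimum-length threshold is an assumed review baseline.

```python
import re

# Bit values of the password_properties flags (MS-SAMR DOMAIN_PASSWORD_INFORMATION).
# Names follow the rpcclient output in the guide.
PASSWORD_PROPERTY_FLAGS = {
    "DOMAIN_PASSWORD_COMPLEX": 0x01,
    "DOMAIN_PASSWORD_NO_ANON_CHANGE": 0x02,
    "DOMAIN_PASSWORD_NO_CLEAR_CHANGE": 0x04,
    "DOMAIN_PASSWORD_LOCKOUT_ADMINS": 0x08,
    "DOMAIN_PASSWORD_STORE_CLEARTEXT": 0x10,
    "DOMAIN_REFUSE_PASSWORD_CHANGE": 0x20,
}

# Constructed sample: the getusrdompwinfo output reproduced from the guide.
SAMPLE_OUTPUT = """\
rpcclient $> getusrdompwinfo 1000
min_password_length: 5
&info.password_properties: 0xb7d1c734 (3083978548)
       0: DOMAIN_PASSWORD_COMPLEX
       0: DOMAIN_PASSWORD_NO_ANON_CHANGE
       1: DOMAIN_PASSWORD_NO_CLEAR_CHANGE
       0: DOMAIN_PASSWORD_LOCKOUT_ADMINS
       1: DOMAIN_PASSWORD_STORE_CLEARTEXT
       1: DOMAIN_REFUSE_PASSWORD_CHANGE
"""

def parse_pwinfo(text):
    """Return (min_password_length, password_properties) from rpcclient output."""
    m_len = re.search(r"min_password_length:\s*(\d+)", text)
    m_prop = re.search(r"password_properties:\s*0x([0-9a-fA-F]+)", text)
    if not m_len or not m_prop:
        raise ValueError("not a complete getdompwinfo/getusrdompwinfo output")
    return int(m_len.group(1)), int(m_prop.group(1), 16)

def decode_properties(props):
    """Map each DOMAIN_PASSWORD_* flag name to whether its bit is set."""
    return {name: bool(props & bit) for name, bit in PASSWORD_PROPERTY_FLAGS.items()}

def policy_findings(min_length, props, required_min_length=14):
    """Weak-policy findings a reviewer would report (threshold is an assumption)."""
    flags = decode_properties(props)
    findings = []
    if min_length < required_min_length:
        findings.append(f"minimum password length {min_length} is below {required_min_length}")
    if not flags["DOMAIN_PASSWORD_COMPLEX"]:
        findings.append("password complexity is not enforced")
    if flags["DOMAIN_PASSWORD_STORE_CLEARTEXT"]:
        findings.append("passwords are stored with reversible encryption")
    return findings
```

Running policy_findings on the sample yields three findings: the 5-character minimum, no complexity, and reversible-encryption storage, matching the 0/1 lines rpcclient printed.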