http://www.foofus.net/~jmk/passhash.html
Got asked to help remotely locate local admins on boxes on a network.
rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]

rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

Now you would think that doing a querygroup would give you the right output, but actually you get:

rpcclient $> querygroup 0x220
result was NT_STATUS_NO_SUCH_GROUP

Honestly I have no idea why this doesn't work; it *should*. If anyone knows why it doesn't, I know more than one person who would like to know.

Anyway, it takes one more step, but you can do it this way:

rpcclient $> queryaliasmem
Usage: queryaliasmem builtin|domain rid [access mask]

rpcclient $> queryaliasmem builtin 0x220
sid:[S-1-5-21-1214440339-1383384898-839522115-500]
sid:[S-1-5-21-1214440339-1383384898-839522115-1003]
sid:[S-1-5-21-2392188729-2485841371-4291725810-512]

Then you can look up who those SIDs belong to:

rpcclient $> lookupsids
Usage: lookupsids [sid1 [sid2 [...]]]

rpcclient $> lookupsids S-1-5-21-1214440339-1383384898-839522115-500
S-1-5-21-1214440339-1383384898-839522115-500 PC/Administrator (1)

rpcclient $> lookupsids S-1-5-21-1214440339-1383384898-839522115-1003
S-1-5-21-1214440339-1383384898-839522115-1003 PC/user (1)

rpcclient $> lookupsids S-1-5-21-2392188729-2485841371-4291725810-512
rpc_api_pipe: Remote machine 192.168.242.128 pipe /lsarpc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds
result was NT_STATUS_IO_TIMEOUT

Not sure about the 512 (it's an MS built-in account I think), but the 1003 was the user I added to the local admins group.
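As an added example (not part of the original post), the script below turns the three rpcclient outputs shown above into a local-admin membership audit: it finds the Administrators alias RID from enumalsgroups, pulls the member SIDs from queryaliasmem, joins them with whatever lookupsids resolved, and flags members whose SID prefix is not the machine's own (the kind of entry that times out on a local lookup). The sample outputs, the MACHINE_SID prefix and the rpc() wrapper are constructed for this example; rpc() uses rpcclient's real -U and -c flags but is never invoked here.

```python
"""Audit local Administrators membership from rpcclient output (added example)."""
import re
import subprocess

# Constructed sample output in the shape of the session above (not live data).
ENUM_ALIASES = "group:[Administrators] rid:[0x220]\ngroup:[Users] rid:[0x221]\n"
ALIAS_MEMBERS = (
    "sid:[S-1-5-21-1214440339-1383384898-839522115-500]\n"
    "sid:[S-1-5-21-1214440339-1383384898-839522115-1003]\n"
    "sid:[S-1-5-21-2392188729-2485841371-4291725810-512]\n"
)
LOOKUP = (
    "S-1-5-21-1214440339-1383384898-839522115-500 PC/Administrator (1)\n"
    "S-1-5-21-1214440339-1383384898-839522115-1003 PC/user (1)\n"
)
# Constructed: the prefix of the machine's own RID-500 account. On a live box
# `rpcclient -c lsaquery` reports the same value as "Domain Sid".
MACHINE_SID = "S-1-5-21-1214440339-1383384898-839522115"
# Well-known RIDs that should always be explained when found in a local admins alias.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}

def rpc(host, creds, command):
    """Run one rpcclient command non-interactively (e.g. creds='user%pass'); not called offline."""
    proc = subprocess.run(["rpcclient", "-U", creds, "-c", command, host],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout

def alias_rid(enum_output, name="Administrators"):
    """RID of a builtin alias from 'enumalsgroups builtin' output, e.g. '0x220'; None if absent."""
    m = re.search(r"group:\[%s\] rid:\[(0x[0-9a-f]+)\]" % re.escape(name), enum_output)
    return m.group(1) if m else None

def member_sids(alias_output):
    """Member SIDs from 'queryaliasmem builtin <rid>' output, in listing order."""
    return re.findall(r"sid:\[(S-1-5-[\d-]+)\]", alias_output)

def resolved_names(lookup_output):
    """SID -> NAME from 'lookupsids' output; SIDs that errored or timed out are simply absent."""
    return dict(re.findall(r"^(S-1-5-[\d-]+) (\S+) \(\d+\)$", lookup_output, re.M))

def audit(alias_output, lookup_output, machine_sid):
    """One row per alias member: SID, resolved name, local/foreign origin, and a RID note."""
    names = resolved_names(lookup_output)
    rows = []
    for sid in member_sids(alias_output):
        prefix, rid = sid.rsplit("-", 1)
        rid = int(rid)
        origin = "local" if prefix == machine_sid else "foreign"  # foreign: a domain or other host
        note = WELL_KNOWN_RIDS.get(rid, "user-created" if rid >= 1000 else "other well-known")
        rows.append({"sid": sid, "name": names.get(sid, "<unresolved>"), "origin": origin, "note": note})
    return rows

if __name__ == "__main__":
    for row in audit(ALIAS_MEMBERS, LOOKUP, MACHINE_SID):
        print(row)
```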