More of using rpcclient to find usernames
null sessions still rule in 2007…
cg@segfault:~$ rpcclient -U "" x.x.3.96
Password:
rpcclient $> lsaenumsid
found 11 SIDs
S-1-5-6
S-1-5-32-551
S-1-5-32-547
S-1-5-32-545
S-1-5-32-544
S-1-5-21-2000478354-1708537768-1957994488-501 <-- guest
S-1-5-21-2000478354-1708537768-1957994488-500 <-- administrator
S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-1-0
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-501
S-1-5-21-2000478354-1708537768-1957994488-501 NSL09\Convidado (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)
rpcclient $> lookupnames Administrador
Administrador S-1-5-21-2000478354-1708537768-1957994488-500 (User: 1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-504
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-505
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-506
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-5-21-2000478354-1708537768-1957994488-1000 NSL09\TsInternetUser (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1001 NSL09\IUSR_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1002 NSL09\IWAM_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1003
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1004
result was NT_STATUS_NONE_MAPPED
rpcclient $> exit
There you have it:
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)
oh and thanks for the name of the box too 🙂
fun rpcclient info: http://uw714doc.sco.com/en/samba/rpcclient.1.html
-CG
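
The session above finds the administrator under its localized name (Administrador) because the account's RID is 500 whatever it is called. As an added example (not part of the original post), this Python snippet splits the SIDs from the lsaenumsid output into well-known SIDs and machine accounts and labels the fixed RIDs; the function names and category labels are my own.

```python
# Added example: classify SID strings like the lsaenumsid output above.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-6": "Service",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
# RIDs Windows gives the same built-in accounts on every machine,
# whatever the account is renamed or localized to.
FIXED_RIDS = {500: "built-in administrator", 501: "built-in guest"}

# The SIDs returned in the session on this page.
BASE = "S-1-5-21-2000478354-1708537768-1957994488"
SAMPLE = ["S-1-5-6", "S-1-5-32-551", "S-1-5-32-547", "S-1-5-32-545",
          "S-1-5-32-544", BASE + "-501", BASE + "-500", BASE + "-1002",
          BASE + "-1001", BASE + "-1000", "S-1-1-0"]


def classify_sid(sid):
    """Return (kind, machine_id, rid, meaning) for one SID string."""
    sid = sid.strip()
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    if sid in WELL_KNOWN:
        return ("well-known", None, None, WELL_KNOWN[sid])
    # S-1-5-21-<a>-<b>-<c>-<RID>: an account or group on one machine or domain
    if parts[1:4] == ["1", "5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        if rid in FIXED_RIDS:
            meaning = FIXED_RIDS[rid]
        elif rid >= 1000:
            meaning = "locally created account or group"
        else:
            meaning = "reserved RID range"
        return ("account", "-".join(parts[4:7]), rid, meaning)
    return ("other", None, None, "unrecognized")


def account_rids(sids):
    """Map RID -> meaning for every machine/domain account SID in sids."""
    found = (classify_sid(s) for s in sids)
    return {rid: meaning for kind, _, rid, meaning in found if kind == "account"}


if __name__ == "__main__":
    for rid, meaning in sorted(account_rids(SAMPLE).items()):
        print(rid, meaning)
```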