├── README.md
├── images
│   ├── image1.png
│   ├── image2.png
│   ├── image3.png
│   ├── image4.png
│   ├── image5.png
│   ├── image6.png
│   └── image7.png
└── rpcenum

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# RPCenum Enhanced Features

Rpcenum is a command-line tool, originally developed by s4vitar, that allows **enumeration of domain information** on Windows systems **through** the **RPC** (Remote Procedure Call) protocol.

In its original version it allowed enumeration using a *Null Session* (no authentication) if the target machine permitted it. Its functionality has since been extended to **include authentication with valid user credentials**, giving greater flexibility and the ability to adapt to different environments and to the security restrictions implemented on the systems being examined.

Besides this, rpcenum has also been updated with new features. In particular, **progress bars** have been added to all enumeration modes. **Two new enumeration modes** have also been added: **DUsersbyGroup** and **DGroupsbyUser**. **The first** shows the **domain groups and the users** that belong to each of them. The second mode, **DGroupsbyUser**, shows the **domain users and the groups they belong to**.

This utility **lets us obtain the following information** from a domain:

* Domain users
* Domain users with description info
* Domain admin users
* Domain groups
* Domain groups and the users that belong to them
* Domain users and the groups they belong to

How does it work?
======

Running the tool shows the following help panel:

*[Screenshot: Help panel]*

It **works** as follows:

* Enumeration **mode** (option -e): the enumeration mode you want to use must be provided.
* Host **IP** address (option -i): the IP address of the host you want to enumerate.
* **Null session or authentication** (options -N, -u and -p):
  * To use a null session (no authentication), use the -N option.
  * To use user credentials, provide the username with the -u option and the password with the -p option.

The tool checks that the host IP address and the enumeration mode have been provided. It also checks whether a null session was requested or valid user credentials were supplied.

The **DUsers** enumeration mode gives us a list of the users that exist in the domain. In this case we connect to the service using the domain credentials *fcarot:Password1*:

*[Screenshot: DUsers]*

The **DUsersInfo** enumeration mode gives us a list of the users that exist in the domain together with their description, which makes it possible to identify potential users. This example uses a *Null Session* (no authentication):

*[Screenshot: DUsersInfo]*

The **DAUsers** enumeration mode gives us a list of the users that are domain administrators. This part is crucial, since an attacker will always go after these accounts' credentials, given that they hold full privileges over the domain.

*[Screenshot: DUsersInfo]*

The **DGroups** enumeration mode gives us a list of the groups that exist in the domain.

*[Screenshot: DUsersInfo]*

The **DUsersbyGroup** enumeration mode gives us a list of the groups that exist in the domain and of the users that belong to each group.

*[Screenshot: DUsersInfo]*

The **DGroupsbyUser** enumeration mode gives us a list of the domain users and of the groups they belong to.

*[Screenshot: DUsersInfo]*

Finally, the **All** enumeration mode runs every enumeration in one go, so the most relevant information about the domain can be viewed at once.

Usage examples
======

```bash
sudo ./rpcenum -i 192.168.88.156 -u 'fcarot' -p 'Password1' -e DUsers
sudo ./rpcenum -i 192.168.88.156 -u 'fcarot' -p 'Password1' -e DUsersInfo
sudo ./rpcenum -N -i 10.10.10.169 -e DUsersInfo
sudo ./rpcenum -N -i 10.10.10.169 -e All
```
--------------------------------------------------------------------------------
/rpcenum:
--------------------------------------------------------------------------------
```bash
#!/bin/bash

# Author: Marcelo Vázquez (aka S4vitar) & R1pFr4n

# Colours
greenColour="\e[0;32m\033[1m"
endColour="\033[0m\e[0m"
redColour="\e[0;31m\033[1m"
blueColour="\e[0;34m\033[1m"
yellowColour="\e[0;33m\033[1m"
purpleColour="\e[0;35m\033[1m"
turquoiseColour="\e[0;36m\033[1m"
grayColour="\e[0;37m\033[1m"

declare -r tmp_file="/dev/shm/tmp_file"
declare -r tmp_file2="/dev/shm/tmp_file2"
declare -r tmp_file3="/dev/shm/tmp_file3"

function ctrl_c(){

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Exiting...${endColour}"; sleep 1
    # Remove every scratch file so an interrupted run leaves nothing behind
    rm $tmp_file $tmp_file2 $tmp_file3 2>/dev/null
    tput cnorm; exit 1
}
trap ctrl_c INT

function helpPanel(){

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Uso: rpcenum${endColour}"
    echo -e "\n\t${purpleColour}e)${endColour}${yellowColour} Enumeration Mode${endColour}"
    echo -e "\n\t\t${grayColour}DUsers${endColour}${redColour} (Domain Users)${endColour}"
    echo -e "\t\t${grayColour}DUsersInfo${endColour}${redColour} (Domain Users with description info)${endColour}"
    echo -e "\t\t${grayColour}DAUsers ${redColour}(Domain Admin Users)${endColour}"
    echo -e "\t\t${grayColour}DGroups ${redColour}(Domain Groups)${endColour}"
    echo -e "\t\t${grayColour}DUsersbyGroup ${redColour}(Domain Groups and their Users)${endColour}"
    echo -e "\t\t${grayColour}DGroupsbyUser ${redColour}(Users and their Domain Groups)${endColour}"
    echo -e "\t\t${grayColour}All ${redColour}(All Modes)${endColour}"
    echo -e "\n\t${purpleColour}i)${endColour}${yellowColour} Host IP Address${endColour}"
    echo -e "\n\t${purpleColour}N)${endColour}${yellowColour} Use guest session (no authentication)${endColour}"
    echo -e "\n\t${purpleColour}u)${endColour}${yellowColour} Username${endColour}"
    echo -e "\n\t${purpleColour}p)${endColour}${yellowColour} Password${endColour}"
    echo -e "\n\t${purpleColour}h)${endColour}${yellowColour} Show this help panel${endColour}"
    exit 1
}

function printTable(){

    local -r delimiter="${1}"
    local -r data="$(removeEmptyLines "${2}")"

    if [[ "${delimiter}" != '' && "$(isEmptyString "${data}")" = 'false' ]]
    then
        local -r numberOfLines="$(wc -l <<< "${data}")"

        if [[ "${numberOfLines}" -gt '0' ]]
        then
            local table=''
            local i=1

            for ((i = 1; i <= "${numberOfLines}"; i = i + 1))
            do
                local line=''
                line="$(sed "${i}q;d" <<< "${data}")"

                local numberOfColumns='0'
                numberOfColumns="$(awk -F "${delimiter}" '{print NF}' <<< "${line}")"

                if [[ "${i}" -eq '1' ]]
                then
                    table="${table}$(printf '%s#+' "$(repeatString '#+' "${numberOfColumns}")")"
                fi

                table="${table}\n"

                local j=1

                for ((j = 1; j <= "${numberOfColumns}"; j = j + 1))
                do
                    table="${table}$(printf '#| %s' "$(cut -d "${delimiter}" -f "${j}" <<< "${line}")")"
                done

                table="${table}#|\n"

                if [[ "${i}" -eq '1' ]] || [[ "${numberOfLines}" -gt '1' && "${i}" -eq "${numberOfLines}" ]]
                then
                    table="${table}$(printf '%s#+' "$(repeatString '#+' "${numberOfColumns}")")"
                fi
            done

            if [[ "$(isEmptyString "${table}")" = 'false' ]]
            then
                echo -e "${table}" | column -s '#' -t | awk '/^\+/{gsub(" ", "-", $0)}1'
            fi
        fi
    fi
}

function removeEmptyLines(){

    local -r content="${1}"
    echo -e "${content}" | sed '/^\s*$/d'
}

function repeatString(){

    local -r string="${1}"
    local -r numberToRepeat="${2}"

    if [[ "${string}" != '' && "${numberToRepeat}" =~ ^[1-9][0-9]*$ ]]
    then
        local -r result="$(printf "%${numberToRepeat}s")"
        echo -e "${result// /${string}}"
    fi
}

function isEmptyString(){

    local -r string="${1}"

    if [[ "$(trimString "${string}")" = '' ]]
    then
        echo 'true' && return 0
    fi

    echo 'false' && return 1
}

function trimString(){

    local -r string="${1}"
    sed 's,^[[:blank:]]*,,' <<< "${string}" | sed 's,[[:blank:]]*$,,'
}

# Progress bar helpers shared by every enumeration mode

function percentOf(){

    # Percentage of ${1} out of ${2}; reports 100 when nothing was enumerated
    # so the progress bar never divides by zero
    local -r current="${1}"
    local -r total="${2}"

    if [ "${total}" -gt 0 ]; then
        echo $((current * 100 / total))
    else
        echo 100
    fi
}

function drawProgressBar(){

    # Redraw the 50-character bar in place for the given percentage
    local -r percentage="${1}"

    echo -ne "\\r${greenColour}Progress:${endColour} ["
    for i in {1..50}; do
        if [ $((i * 2)) -le "${percentage}" ]; then
            echo -ne "${greenColour}#${endColour}"
        else
            echo -ne "-"
        fi
    done
    echo -ne "] ${greenColour}${percentage}%${endColour}"
}

function finishProgressBar(){

    drawProgressBar 100
    echo -ne "\n\n"
}

function extract_DUsers(){

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Domain Users...${endColour}\n"
    domain_users=$(eval "$1 -c enumdomusers | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]'")

    # Count the total number of domain users for the progress bar
    total_users=$(echo $domain_users | wc -w)

    # Initialize the progress bar
    progress=0
    echo -ne "${greenColour}Progress:${endColour} ["

    echo "Users" > $tmp_file && for user in $domain_users; do
        echo "$user" >> $tmp_file

        # Update the progress bar
        progress=$((progress + 1))
        drawProgressBar "$(percentOf $progress $total_users)"
    done

    # Finish the progress bar
    finishProgressBar

    echo -ne "${blueColour}"; printTable ' ' "$(cat $tmp_file)"; echo -ne "${endColour}"
    rm $tmp_file 2>/dev/null
}


function extract_DUsers_Info(){

    # Extract the domain users and count them for the progress bar
    extract_DUsers "${1}" > /dev/null 2>&1
    total_users=$(echo $domain_users | wc -w)

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Listing domain users with description...${endColour}\n"

    # Initialize the progress bar
    progress=0
    echo -ne "${greenColour}Progress:${endColour} ["

    for user in $domain_users; do
        eval "$1 -c \"queryuser $user\" | grep -E 'User Name|Description' | cut -d ':' -f 2-100 | sed 's/\t//' | tr '\n' ',' | sed 's/.$//' >> $tmp_file"
        echo -e '\n' >> $tmp_file

        # Update the progress bar
        progress=$((progress + 1))
        drawProgressBar "$(percentOf $progress $total_users)"
    done

    # Finish the progress bar
    finishProgressBar

    echo "User,Description" > $tmp_file2

    # Keep only users that actually have a description
    cat $tmp_file | sed '/^\s*$/d' | while read user_representation; do
        if [ "$(echo $user_representation | awk '{print $2}' FS=',')" ]; then
            echo "$(echo $user_representation | awk '{print $1}' FS=','),$(echo $user_representation | awk '{print $2}' FS=',')" >> $tmp_file2
        fi
    done

    rm $tmp_file; mv $tmp_file2 $tmp_file
    sleep 1; echo -ne "${blueColour}"; printTable ',' "$(cat $tmp_file)"; echo -ne "${endColour}"
    rm $tmp_file 2>/dev/null
}


function extract_DAUsers(){

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Domain Admin Users...${endColour}\n"
    # RID of the "Domain Admins" group, then the RIDs of its members
    rid_dagroup=$(eval "$1 -c enumdomgroups" | grep "Domain Admins" | awk 'NF{print $NF}' | grep -oP '\[.*?\]' | tr -d '[]')
    rid_dausers=$(eval "$1 -c \"querygroupmem $rid_dagroup\"" | awk '{print $1}' | grep -oP '\[.*?\]' | tr -d '[]')

    # Count the total number of domain admin users
    total_users=$(echo $rid_dausers | wc -w)

    # Initialize the progress bar
    progress=0
    echo -ne "${greenColour}Progress:${endColour} ["

    echo "DomainAdminUsers" > $tmp_file; for da_user_rid in $rid_dausers; do
        eval "$1 -c \"queryuser $da_user_rid\"" | grep 'User Name'| awk 'NF{print $NF}' >> $tmp_file

        # Update the progress bar
        progress=$((progress + 1))
        drawProgressBar "$(percentOf $progress $total_users)"
    done

    # Finish the progress bar
    finishProgressBar

    echo -ne "${blueColour}"; printTable ' ' "$(cat $tmp_file)"; echo -ne "${endColour}"
    rm $tmp_file 2>/dev/null
}


function extract_DGroups(){

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Domain Groups...${endColour}\n"

    # Count the total number of domain groups
    total_groups=$(eval "$1 -c enumdomgroups" | grep -oP '\[.*?\]' | grep "0x" | wc -l)

    # Initialize the progress bar
    progress=0
    echo -ne "${greenColour}Progress:${endColour} ["

    # Group RIDs, one per line (overwrite, so a stale scratch file cannot leak in)
    eval "$1 -c enumdomgroups" | grep -oP '\[.*?\]' | grep "0x" | tr -d '[]' > $tmp_file

    echo "DomainGroup,Description" > $tmp_file2
    cat $tmp_file | while read rid_domain_groups; do
        eval "$1 -c \"querygroup $rid_domain_groups\"" | grep -E 'Group Name|Description' | sed 's/\t//' > $tmp_file3
        group_name=$(cat $tmp_file3 | grep "Group Name" | awk '{print $2}' FS=":")
        group_description=$(cat $tmp_file3 | grep "Description" | awk '{print $2}' FS=":")

        echo "$(echo $group_name),$(echo $group_description)" >> $tmp_file2

        # Update the progress bar
        progress=$((progress + 1))
        drawProgressBar "$(percentOf $progress $total_groups)"
    done

    # Finish the progress bar
    finishProgressBar

    rm $tmp_file $tmp_file3 2>/dev/null; mv $tmp_file2 $tmp_file
    echo -ne "${blueColour}"; printTable ',' "$(cat $tmp_file)"; echo -ne "${endColour}"
    rm $tmp_file 2>/dev/null
}

function extract_All(){
    extract_DUsers "${1}"
    extract_DUsers_Info "${1}"
    extract_DAUsers "${1}"
    extract_DGroups "${1}"
    extract_DUsersbyGroup "${1}"
    extract_DGroupsbyUser "${1}"
}


function extract_DUsersbyGroup() {

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Domain Groups and their Users...${endColour}\n"

    # Count the total number of domain groups
    total_groups=$(eval "$1 -c enumdomgroups" | grep -oP '\[.*?\]' | grep "0x" | wc -l)

    # Initialize the progress bar
    progress=0
    echo -ne "${greenColour}Progress:${endColour} ["

    eval "$1 -c enumdomgroups" | grep -oP '\[.*?\]' | grep "0x" | tr -d '[]' > $tmp_file
    echo "Domain Groups|Users" > $tmp_file2
    cat $tmp_file | while read rid_domain_groups; do
        group_name=$(eval "$1 -c \"querygroup $rid_domain_groups\"" | grep 'Group Name' | cut -d ':' -f 2-)
        rid_group_members=$(eval "$1 -c \"querygroupmem $rid_domain_groups\"" | awk '{print $1}' | grep -oP '\[.*?\]' | tr -d '[]')

        user_names=""
        for rid_user in $rid_group_members; do
            user_name=$(eval "$1 -c \"queryuser $rid_user\"" | grep 'User Name' | cut -d ':' -f 2-)
            if [[ ! $user_name =~ \$$ ]]; then # Skip machine accounts (names ending with $)
                user_names+="$user_name, "
            fi
        done
        user_names=${user_names%, }

        if [ ! -z "$user_names" ]; then # Only print groups that have at least one user
            echo "$(echo $group_name)|$(echo $user_names)" >> $tmp_file2
        fi

        # Update the progress bar
        progress=$((progress + 1))
        drawProgressBar "$(percentOf $progress $total_groups)"
    done

    # Finish the progress bar
    finishProgressBar

    rm $tmp_file
    mv $tmp_file2 $tmp_file
    echo -ne "${blueColour}"; printTable '|' "$(cat $tmp_file)"; echo -ne "${endColour}"
    rm $tmp_file 2>/dev/null
}

function extract_DGroupsbyUser() {

    echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Users and their Domain Groups...${endColour}\n"

    # Count the total number of users
    total_users=$(eval "$1 -c enumdomusers" | grep -oP '\[.*?\]' | grep "0x" | wc -l)

    # Initialize the progress bar
    progress=0
    echo -ne "${greenColour}Progress:${endColour} ["

    eval "$1 -c enumdomusers" | grep -oP '\[.*?\]' | grep "0x" | tr -d '[]' > $tmp_file

    echo "Users|Domain Groups" > $tmp_file2
    cat $tmp_file | while read rid_user; do
        user_name=$(eval "$1 -c \"queryuser $rid_user\"" | grep 'User Name' | cut -d ':' -f 2-)
        if [[ ! $user_name =~ \$$ ]]; then # Skip machine accounts (names ending with $)
            group_rids=$(eval "$1 -c \"queryusergroups $rid_user\"" | awk '{print $2}' | awk '{print $2}' FS=':' | tr -d '[]')
            group_names=""
            for rid_group in $group_rids; do
                group_name=$(eval "$1 -c \"querygroup $rid_group\"" | grep 'Group Name' | awk '{print $2}' FS=':')
                group_names+="$group_name, "
            done
            group_names=${group_names%, }

            if [ ! -z "$group_names" ]; then # Only print users that belong to at least one group
                echo "$(echo $user_name)|$(echo $group_names)" >> $tmp_file2
            fi
        fi

        # Update the progress bar
        progress=$((progress + 1))
        drawProgressBar "$(percentOf $progress $total_users)"
    done

    # Finish the progress bar
    finishProgressBar

    rm $tmp_file
    mv $tmp_file2 $tmp_file
    echo -ne "${blueColour}"; printTable '|' "$(cat $tmp_file)"; echo -ne "${endColour}"
    rm $tmp_file 2>/dev/null
}


function beginEnumeration() {
    tput civis

    # Build the rpcclient command once: null session or username%password
    if [[ "${guest_session}" == "true" ]]; then
        rpcclient_cmd="rpcclient -U \"\" -N ${host_ip}"
    else
        rpcclient_cmd="rpcclient -U ${username}%${password} ${host_ip}"
    fi

    trap ctrl_c INT
    # port_status is 0 when TCP/139 is reported open, 1 otherwise
    nmap -p139 --open -T5 -v -n "${host_ip}" | grep -q open && port_status=0 || port_status=1

    # A first enumdomusers call doubles as the authentication check
    if eval "${rpcclient_cmd} -c enumdomusers" > /dev/null 2>&1; then
        if [[ "${port_status}" == "0" ]]; then
            case "${enum_mode}" in
                DUsers)
                    extract_DUsers "${rpcclient_cmd}"
                    ;;
                DUsersInfo)
                    extract_DUsers_Info "${rpcclient_cmd}"
                    ;;
                DAUsers)
                    extract_DAUsers "${rpcclient_cmd}"
                    ;;
                DGroups)
                    extract_DGroups "${rpcclient_cmd}"
                    ;;
                DUsersbyGroup)
                    extract_DUsersbyGroup "${rpcclient_cmd}"
                    ;;
                DGroupsbyUser)
                    extract_DGroupsbyUser "${rpcclient_cmd}"
                    ;;
                All)
                    extract_All "${rpcclient_cmd}"
                    ;;
                *)
                    echo -e "\n${redColour}[!] Opción no válida: ${enum_mode}${endColour}\n"
                    helpPanel
                    exit 1
                    ;;
            esac
        else
            echo -e "\n${redColour}[!] El puerto 139 parece estar cerrado en ${host_ip}${endColour}\n"
            tput cnorm
            exit 0
        fi
    else
        echo -e "\n${redColour}[!] Error: Acceso denegado${endColour}\n"
        tput cnorm
        exit 0
    fi

    tput cnorm
}

# Main Function

if [ "${UID}" -eq 0 ]; then

    guest_session=false

    while getopts ":e:i:u:p:Nh" opt; do
        case ${opt} in
            e)
                enum_mode="${OPTARG}"
                ;;
            i)
                host_ip="${OPTARG}"
                ;;
            u)
                username="${OPTARG}"
                ;;
            p)
                password="${OPTARG}"
                ;;
            N)
                guest_session=true
                ;;
            h)
                helpPanel
                ;;
            \?)
                echo -e "\n${redColour}[!] Opción inválida: -$OPTARG${endColour}\n"
                helpPanel
                exit 1
                ;;
            :)
                echo -e "\n${redColour}[!] Opción -$OPTARG requiere un argumento.${endColour}\n"
                helpPanel
                exit 1
                ;;
        esac
    done

    # Check that the host IP address was provided
    if [[ -z "${host_ip}" ]]; then
        echo -e "\n${redColour}[!] Es necesario proporcionar la dirección IP del host a enumerar.${endColour}\n"
        helpPanel
        exit 1
    fi

    # Check that the enumeration mode was provided
    if [[ -z "${enum_mode}" ]]; then
        echo -e "\n${redColour}[!] Es necesario proporcionar el modo de enumeración.${endColour}\n"
        helpPanel
        exit 1
    fi

    # Check that either a guest session or user credentials were specified
    if [[ "$guest_session" = false && ( -z "$username" || -z "$password" ) ]]; then
        echo -e "\n${redColour}[!] Debe especificar una sesión de invitado (-N) o proporcionar un nombre de usuario y contraseña (-u y -p).${endColour}\n"
        helpPanel
        exit 1
    fi

    # Start the enumeration
    beginEnumeration
else
    echo -e "\n${redColour}[*] It is necessary to run the program as root${endColour}\n"
fi
```
--------------------------------------------------------------------------------
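As an added example that is not part of the rpcenum project, the following standalone shell functions reproduce, offline, the text processing the script applies to `rpcclient` output: the `user:[name] rid:[0x...]` lines of `enumdomusers`, the `grep -v 0x` step that keeps names and discards RIDs, the check that skips machine accounts (names ending in `$`), and the progress-bar percentage with the empty-enumeration case guarded. The sample output and the function names are constructed for the example; nothing here contacts a host.

```shell
#!/bin/bash
# Added example (not project code): parse rpcclient-style output offline,
# mirroring the grep chains rpcenum uses, to show the edge cases they rely on.
# The sample below is constructed to look like `rpcclient -c enumdomusers`;
# it is not data captured from a real domain.

sample_enumdomusers='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[fcarot] rid:[0x44f]
user:[DC01$] rid:[0x3e8]'

# Same chain as extract_DUsers: keep every bracketed field, drop the RID
# fields (they contain 0x) and strip the brackets. Prints one name per line.
names_from_enumdomusers(){
    printf '%s\n' "$1" | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]'
}

# RID of one user taken from the same output; prints nothing if the user
# is absent, so callers can test for an empty result.
rid_of_user(){
    printf '%s\n' "$1" | grep -F "user:[$2]" | grep -oP 'rid:\[\K0x[0-9a-fA-F]+'
}

# Drop machine accounts (names ending in $), as DUsersbyGroup and
# DGroupsbyUser do before printing a row. Reads stdin, writes stdout.
without_machine_accounts(){
    grep -v '\$$'
}

# Number of non-machine user accounts: the total a progress bar is built from.
# grep -c prints a bare integer, unlike wc -l on some platforms.
count_user_accounts(){
    names_from_enumdomusers "$1" | without_machine_accounts | grep -c .
}

# Progress percentage that tolerates an empty enumeration: an integer
# division by a zero total would abort the script, so report 100 instead.
percent_done(){
    current="$1"
    total="$2"
    if [ "$total" -gt 0 ]; then
        echo $((current * 100 / total))
    else
        echo 100
    fi
}

echo "User accounts (machine accounts removed):"
names_from_enumdomusers "$sample_enumdomusers" | without_machine_accounts
echo "RID of fcarot: $(rid_of_user "$sample_enumdomusers" fcarot)"
total=$(count_user_accounts "$sample_enumdomusers")
echo "Progress after 2 of $total users: $(percent_done 2 "$total")%"
echo "Progress with nothing to enumerate: $(percent_done 0 0)%"
```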