├── images
├── image1.png
├── image2.png
├── image3.png
├── image4.png
└── image5.png
├── README.md
└── rpcenum
/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/s4vitar/rpcenum/HEAD/images/image1.png
--------------------------------------------------------------------------------
/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/s4vitar/rpcenum/HEAD/images/image2.png
--------------------------------------------------------------------------------
/images/image3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/s4vitar/rpcenum/HEAD/images/image3.png
--------------------------------------------------------------------------------
/images/image4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/s4vitar/rpcenum/HEAD/images/image4.png
--------------------------------------------------------------------------------
/images/image5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/s4vitar/rpcenum/HEAD/images/image5.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # RPCenum
2 |
3 | Herramienta en Bash ideal para efectuar una enumeración básica y extraer la información más relevante de un dominio vía rpcclient.
4 |
5 | Esta utilidad nos permitirá obtener la siguiente información de un dominio:
6 |
7 | * Usuarios del dominio
8 | * Usuarios del dominio con información
9 | * Usuarios administradores del dominio
10 | * Grupos del dominio
11 |
12 | ¿Cómo funciona?
13 | ======
14 | La ejecución de la herramienta mostrará el siguiente panel de ayuda:
15 |
16 |
17 |
20 |
21 |
22 | Para su correcta ejecución, es necesario especificar el modo de enumeración a usar; los modos disponibles son los representados en la imagen adjunta.
23 |
24 | El modo de enumeración **DUsers**, nos permitirá obtener un listado de los usuarios existentes en el dominio (siempre y cuando el **Null Session** esté habilitado):
25 |
26 |
27 |
30 |
31 |
32 | El modo de enumeración **DUsersInfo**, nos permitirá obtener un listado de los usuarios existentes en el dominio con descripción (siempre y cuando el **Null Session** esté habilitado), pudiendo así identificar a usuarios potenciales:
33 |
34 |
35 |
38 |
39 |
40 | El modo de enumeración **DAUsers**, nos permitirá obtener un listado de los usuarios administradores existentes en el dominio (siempre y cuando el **Null Session** esté habilitado). Esta parte es crucial, puesto que el atacante siempre va a ir en busca de las credenciales de estos, dado que poseen privilegio total sobre el dominio.
41 |
42 |
43 |
46 |
47 |
48 | El modo de enumeración **DGroups**, nos permitirá obtener un listado de los grupos existentes del dominio (siempre y cuando el **Null Session** esté habilitado).
49 |
50 |
51 |
54 |
55 |
56 | Por último, el modo de enumeración **All** efectuará todas las enumeraciones de forma simultánea, pudiendo así visualizar la información más relevante del dominio.
57 |
58 | **ANOTACIÓN**: Es posible que se añadan nuevas opciones a la herramienta.
59 |
--------------------------------------------------------------------------------
/rpcenum:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Author: Marcelo Vázquez (aka S4vitar)
4 |
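# Colours: ANSI escape sequences stored literally and expanded by `echo -e`.
greenColour="\e[0;32m\033[1m"
endColour="\033[0m\e[0m"
redColour="\e[0;31m\033[1m"
blueColour="\e[0;34m\033[1m"
yellowColour="\e[0;33m\033[1m"
purpleColour="\e[0;35m\033[1m"
turquoiseColour="\e[0;36m\033[1m"
grayColour="\e[0;37m\033[1m"

# Scratch files used to build the tables. They live in a private mktemp
# directory instead of fixed names under /dev/shm: the script runs as root,
# and a fixed, predictable path in a world-writable directory can be
# pre-created or symlinked by any local user before the script writes to it.
# Falls back to $TMPDIR (or /tmp) on systems without /dev/shm.
tmp_dir="$(mktemp -d /dev/shm/rpcenum.XXXXXX 2>/dev/null || mktemp -d "${TMPDIR:-/tmp}/rpcenum.XXXXXX")" || exit 1
declare -r tmp_dir
declare -r tmp_file="${tmp_dir}/tmp_file"
declare -r tmp_file2="${tmp_dir}/tmp_file2"
declare -r tmp_file3="${tmp_dir}/tmp_file3"
# Remove the scratch directory on every exit path (normal exit, helpPanel,
# Ctrl-C). The :? guard refuses to run `rm -rf` on an empty path.
trap 'rm -rf -- "${tmp_dir:?}"' EXIT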
18 |
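#######################################
# SIGINT handler: prints an exit notice, removes the scratch files and
# restores the cursor hidden by `tput civis` in beginEnumeration.
# Globals:   yellowColour, grayColour, endColour (read)
#            tmp_file, tmp_file2, tmp_file3 (read)
# Returns:   exits with status 1
#######################################
function ctrl_c(){
  echo -e "\n${yellowColour}[*]${endColour}${grayColour} Exiting...${endColour}"; sleep 1
  # Remove every scratch file, not only tmp_file: tmp_file2 and tmp_file3 are
  # in use while extract_DUsers_Info / extract_DGroups run.
  rm -f -- "${tmp_file}" "${tmp_file2}" "${tmp_file3}" 2>/dev/null
  tput cnorm; exit 1
}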
25 |
#######################################
# Prints the usage panel (enumeration modes, host option, help flag) and
# terminates the script.
# Globals:   colour variables (read)
# Outputs:   the panel on stdout
# Returns:   exits with status 1
#######################################
function helpPanel(){
  local -a panel=(
    "\n${yellowColour}[*]${endColour}${grayColour} Uso: rpcenum${endColour}"
    "\n\t${purpleColour}e)${endColour}${yellowColour} Enumeration Mode${endColour}"
    "\n\t\t${grayColour}DUsers${endColour}${redColour} (Domain Users)${endColour}"
    "\t\t${grayColour}DUsersInfo${endColour}${redColour} (Domain Users with info)${endColour}"
    "\t\t${grayColour}DAUsers ${redColour}(Domain Admin Users)${endColour}"
    "\t\t${grayColour}DGroups ${redColour}(Domain Groups)${endColour}"
    "\t\t${grayColour}All ${redColour}(All Modes)${endColour}"
    "\n\t${purpleColour}i)${endColour}${yellowColour} Host IP Address${endColour}"
    "\n\t${purpleColour}h)${endColour}${yellowColour} Show this help pannel${endColour}"
  )
  local entry
  # Each entry keeps its own leading "\n"/"\t" escapes, expanded by echo -e.
  for entry in "${panel[@]}"; do
    echo -e "${entry}"
  done
  exit 1
}
39 |
#######################################
# Renders delimited text as an ASCII table with a ruled header row and a
# closing rule.
# Arguments: $1 - field delimiter (one character, as used by cut -d and awk -F)
#            $2 - table data, one row per line; the first line is the header
# Outputs:   the formatted table on stdout; nothing when the delimiter is
#            empty or the data is blank
# Depends on removeEmptyLines, isEmptyString and repeatString from this file.
#######################################
function printTable(){

local -r delimiter="${1}"
# Blank lines are dropped up front so the line count below is exact.
local -r data="$(removeEmptyLines "${2}")"

# isEmptyString prints 'false' on stdout when the string has non-blank text.
if [[ "${delimiter}" != '' && "$(isEmptyString "${data}")" = 'false' ]]
then
# The here-string appends a newline, so wc -l counts every line of data.
local -r numberOfLines="$(wc -l <<< "${data}")"

if [[ "${numberOfLines}" -gt '0' ]]
then
# The table is built as text using '#' as the column marker; it is turned
# into aligned columns by `column -s '#' -t` at the end.
local table=''
local i=1

for ((i = 1; i <= "${numberOfLines}"; i = i + 1))
do
local line=''
# "Nq;d" prints line N of the data and discards the rest.
line="$(sed "${i}q;d" <<< "${data}")"

# NOTE(review): awk -F with a ' ' delimiter counts whitespace-separated
# fields, while the cut -d ' ' below counts single spaces; the callers in
# this file pass one token per line or comma-separated rows, where both
# agree — verify before feeding data with repeated spaces.
local numberOfColumns='0'
numberOfColumns="$(awk -F "${delimiter}" '{print NF}' <<< "${line}")"

# Top rule: one '#+' per column plus a closing '#+'.
if [[ "${i}" -eq '1' ]]
then
table="${table}$(printf '%s#+' "$(repeatString '#+' "${numberOfColumns}")")"
fi

# "\n" is stored literally here and expanded by the final echo -e.
table="${table}\n"

local j=1

# One '#| value' cell per column of the current line.
for ((j = 1; j <= "${numberOfColumns}"; j = j + 1))
do
table="${table}$(printf '#| %s' "$(cut -d "${delimiter}" -f "${j}" <<< "${line}")")"
done

table="${table}#|\n"

# Rule under the header (line 1) and under the last line when there is
# more than one line.
if [[ "${i}" -eq '1' ]] || [[ "${numberOfLines}" -gt '1' && "${i}" -eq "${numberOfLines}" ]]
then
table="${table}$(printf '%s#+' "$(repeatString '#+' "${numberOfColumns}")")"
fi
done

if [[ "$(isEmptyString "${table}")" = 'false' ]]
then
# column aligns the '#'-separated cells; the awk pass turns the spaces of
# every rule line (those starting with '+') into dashes.
echo -e "${table}" | column -s '#' -t | awk '/^\+/{gsub(" ", "-", $0)}1'
fi
fi
fi
}
91 |
#######################################
# Prints the input without empty or whitespace-only lines.
# Arguments: $1 - text; backslash escapes are expanded as by echo -e
# Outputs:   the remaining lines on stdout
#######################################
function removeEmptyLines(){
  local -r content="${1}"
  local line
  # echo -e keeps the original's escape handling; the loop drops every line
  # that holds nothing but whitespace.
  while IFS= read -r line; do
    [[ "${line}" =~ ^[[:space:]]*$ ]] || printf '%s\n' "${line}"
  done < <(echo -e "${content}")
}
97 |
#######################################
# Prints a string repeated a given number of times.
# Arguments: $1 - string to repeat
#            $2 - repeat count; must be a positive decimal integer
# Outputs:   the repeated string on stdout; nothing when $1 is empty or $2 is
#            not a positive integer
#######################################
function repeatString(){
  local -r string="${1}"
  local -r numberToRepeat="${2}"

  if [[ "${string}" != '' && "${numberToRepeat}" =~ ^[1-9][0-9]*$ ]]; then
    local result=''
    local k
    # Build by concatenation rather than by substituting into a padded field.
    for ((k = 0; k < numberToRepeat; k++)); do
      result+="${string}"
    done
    echo -e "${result}"
  fi
}
109 |
#######################################
# Reports whether a string is blank (empty or only blanks/newlines).
# Arguments: $1 - string to test
# Outputs:   'true' or 'false' on stdout
# Returns:   0 when blank, 1 otherwise
#######################################
function isEmptyString(){
  local -r string="${1}"
  local trimmed
  # Same normalisation as trimString, inlined: strip leading and trailing
  # blanks on every line. The command substitution also drops trailing
  # newlines, so a string of blanks and newlines collapses to nothing.
  trimmed="$(sed -e 's,^[[:blank:]]*,,' -e 's,[[:blank:]]*$,,' <<< "${string}")"
  if [[ -z "${trimmed}" ]]; then
    echo 'true'
    return 0
  fi
  echo 'false'
  return 1
}
121 |
#######################################
# Removes leading and trailing blanks (spaces and tabs) from every line.
# Arguments: $1 - string to trim
# Outputs:   the trimmed string on stdout
#######################################
function trimString(){
  local -r string="${1}"
  # One sed pass with two expressions instead of two piped sed processes.
  sed -e 's,^[[:blank:]]*,,' -e 's,[[:blank:]]*$,,' <<< "${string}"
}
127 |
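#######################################
# Lists the domain users returned by `enumdomusers` over a null session
# (-U "" -N) and prints them as a one-column table.
# Globals:   domain_users (written; read later by extract_DUsers_Info)
#            tmp_file, colour variables (read)
# Arguments: $1 - host IP address
# Outputs:   the table on stdout
#######################################
function extract_DUsers(){
  local -r host="${1}"
  echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Domain Users...${endColour}\n"
  # Keep every bracketed token of the output except the `0x` ones (RIDs).
  # domain_users stays global on purpose: extract_DUsers_Info reads it.
  domain_users=$(rpcclient -U "" "${host}" -c "enumdomusers" -N | grep -oP '\[.*?\]' | grep -v 0x | tr -d '[]')

  # Table source: header line, then one user per line. Word-splitting of
  # ${domain_users} is intended (the names are newline-separated).
  local user
  {
    echo "Users"
    for user in ${domain_users}; do
      echo "${user}"
    done
  } > "${tmp_file}"

  echo -ne "${blueColour}"; printTable ' ' "$(cat "${tmp_file}")"; echo -ne "${endColour}"
  rm -f -- "${tmp_file}" 2>/dev/null
}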
138 |
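#######################################
# Prints a "User,Description" table for the users found by extract_DUsers,
# skipping users whose description is blank.
# Globals:   domain_users (read, filled by extract_DUsers)
#            tmp_file, tmp_file2, colour variables (read)
# Arguments: $1 - host IP address
# Outputs:   the table on stdout
#######################################
function extract_DUsers_Info(){
  local -r host="${1}"
  # Only run to populate the global domain_users; its own table is discarded.
  extract_DUsers "${host}" > /dev/null 2>&1

  echo -e "\n${yellowColour}[*]${endColour}${grayColour} Listing domain users with description...${endColour}\n"

  # One "name,description" row per user: from the `User Name` and
  # `Description` lines of queryuser keep the text after the first ':',
  # join the two lines with ',' and drop the trailing ','. Truncate first so
  # a leftover scratch file cannot add stale rows.
  : > "${tmp_file}"
  local user
  for user in ${domain_users}; do
    rpcclient -U "" "${host}" -c "queryuser ${user}" -N | grep -E 'User Name|Description' | cut -d ':' -f 2-100 | sed 's/\t//' | tr '\n' ',' | sed 's/.$//' >> "${tmp_file}"
    echo >> "${tmp_file}"
  done

  # Keep rows whose description has non-blank text. Fields are trimmed at
  # the edges only; inner whitespace of the description is preserved (the
  # original `echo $var` collapsed it).
  {
    echo "User,Description"
    awk -F ',' '$2 ~ /[^[:space:]]/ {
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2)
      print $1 "," $2
    }' "${tmp_file}"
  } > "${tmp_file2}"

  mv -f -- "${tmp_file2}" "${tmp_file}"
  sleep 1; echo -ne "${blueColour}"; printTable ',' "$(cat "${tmp_file}")"; echo -ne "${endColour}"
  rm -f -- "${tmp_file}" 2>/dev/null
}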
162 |
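#######################################
# Resolves the RID of the "Domain Admins" group, then the RIDs of its
# members, and prints the members' `User Name` as a one-column table.
# Globals:   tmp_file, colour variables (read)
# Arguments: $1 - host IP address
# Outputs:   the table on stdout; a notice on stderr when the group is absent
# Returns:   1 when no "Domain Admins" RID could be read, 0 otherwise
#######################################
function extract_DAUsers(){
  local -r host="${1}"
  echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Domain Admin Users...${endColour}\n"

  # Last bracketed token of the "Domain Admins" line of enumdomgroups.
  local rid_dagroup
  rid_dagroup=$(rpcclient -U "" "${host}" -c "enumdomgroups" -N | grep "Domain Admins" | awk 'NF{print $NF}' | grep -oP '\[.*?\]' | tr -d '[]')
  # Without a group RID the querygroupmem command below would be malformed;
  # the original ran it anyway and printed an empty table.
  if [[ -z "${rid_dagroup}" ]]; then
    echo -e "${redColour}[!] Group 'Domain Admins' not found on ${host}${endColour}" >&2
    return 1
  fi

  # First bracketed token of every querygroupmem line: one member RID per line.
  local rid_dausers
  rid_dausers=$(rpcclient -U "" "${host}" -c "querygroupmem ${rid_dagroup}" -N | awk '{print $1}' | grep -oP '\[.*?\]' | tr -d '[]')

  # Header plus the `User Name` of every member. Word-splitting of
  # ${rid_dausers} is intended (one RID per line).
  local da_user_rid
  {
    echo "DomainAdminUsers"
    for da_user_rid in ${rid_dausers}; do
      rpcclient -U "" "${host}" -c "queryuser ${da_user_rid}" -N | grep 'User Name'| awk 'NF{print $NF}'
    done
  } > "${tmp_file}"

  echo -ne "${blueColour}"; printTable ' ' "$(cat "${tmp_file}")"; echo -ne "${endColour}"
  rm -f -- "${tmp_file}" 2>/dev/null
}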
176 |
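#######################################
# Lists every domain group (RIDs taken from enumdomgroups) with its
# description and prints a "DomainGroup,Description" table.
# Globals:   host_ip (read as fallback when $1 is empty)
#            tmp_file, tmp_file2, colour variables (read)
# Arguments: $1 - host IP address (the original ignored it and used host_ip)
# Outputs:   the table on stdout
#######################################
function extract_DGroups(){
  # The other extract_* functions take the host as $1; honour it here too so
  # the value passed by extract_All and beginEnumeration is not ignored.
  local -r host="${1:-${host_ip}}"
  echo -e "\n${yellowColour}[*]${endColour}${grayColour} Enumerating Domain Groups...${endColour}\n"

  # Bracketed `0x` tokens of enumdomgroups: one group RID per line. Truncate
  # (the original appended) so a leftover scratch file cannot add stale rows.
  rpcclient -U "" "${host}" -c "enumdomgroups" -N | grep -oP '\[.*?\]' | grep "0x" | tr -d '[]' > "${tmp_file}"

  echo "DomainGroup,Description" > "${tmp_file2}"
  local rid query_output group_name group_description
  while IFS= read -r rid; do
    [[ -n "${rid}" ]] || continue
    # `Group Name` and `Description` lines of querygroup, kept in a variable
    # instead of a third scratch file. The value is the text after the first
    # ':' with surrounding whitespace removed.
    query_output=$(rpcclient -U "" "${host}" -c "querygroup ${rid}" -N | grep -E 'Group Name|Description' | sed 's/\t//')
    group_name=$(awk -F ':' '/Group Name/ {gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2}' <<< "${query_output}")
    group_description=$(awk -F ':' '/Description/ {gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2}' <<< "${query_output}")
    echo "${group_name},${group_description}" >> "${tmp_file2}"
  done < "${tmp_file}"

  mv -f -- "${tmp_file2}" "${tmp_file}"
  echo -ne "${blueColour}"; printTable ',' "$(cat "${tmp_file}")"; echo -ne "${endColour}"
  rm -f -- "${tmp_file}" 2>/dev/null
}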
196 |
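#######################################
# Runs every enumeration mode, in the order the help panel lists them.
# Arguments: $1 - host IP address (quoted; the original passed it unquoted)
# Outputs:   whatever each extract_* function prints
#######################################
function extract_All(){
  local -r host="${1}"
  local mode
  for mode in extract_DUsers extract_DUsers_Info extract_DAUsers extract_DGroups; do
    "${mode}" "${host}"
  done
}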
203 |
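#######################################
# Checks that TCP/139 is open and that a null session is accepted, then
# dispatches to the enumeration mode chosen on the command line.
# Globals:   host_ip, enum_mode, colour variables (read)
# Outputs:   enumeration output and error messages on stdout
# Returns:   exits with status 1 when access is denied, the port is closed
#            or the mode is unknown (the original exited 0 on the first two)
#######################################
function beginEnumeration(){
  tput civis

  # Port probe: the original only assigned port_status on success
  # (`&& port_status=$?`), leaving it unset when the port was closed.
  # A plain boolean makes the later test explicit.
  local port_open=1
  nmap -p139 --open -T5 -v -n "${host_ip}" | grep open > /dev/null 2>&1 || port_open=0

  # Null-session check, tested before the port result as in the original.
  if ! rpcclient -U "" "${host_ip}" -c "enumdomusers" -N > /dev/null 2>&1; then
    echo -e "\n${redColour}[!] Error: Access Denied${endColour}"
    tput cnorm; exit 1
  fi

  if (( port_open == 0 )); then
    echo -e "\n${redColour}Port 139 seems to be closed on ${host_ip}${endColour}"
    tput cnorm; exit 1
  fi

  case "${enum_mode}" in
    DUsers)     extract_DUsers "${host_ip}" ;;
    DUsersInfo) extract_DUsers_Info "${host_ip}" ;;
    DAUsers)    extract_DAUsers "${host_ip}" ;;
    DGroups)    extract_DGroups "${host_ip}" ;;
    All)        extract_All "${host_ip}" ;;
    *)
      echo -e "\n${redColour}[!] Opción no válida${endColour}"
      helpPanel   # exits with status 1; the original's trailing exit was unreachable
      ;;
  esac
}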
242 |
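# Main: requires root (as the original did), parses -e/-i/-h and starts the
# enumeration. Ctrl-C is routed to ctrl_c, which the original defined but
# never registered with `trap`.
if (( UID == 0 )); then
  trap ctrl_c INT

  declare -i parameter_counter=0
  # `h` takes no argument: with the original "h:" spec a bare -h was reported
  # as a missing argument and never reached helpPanel.
  while getopts ":e:i:h" arg; do
    case "${arg}" in
      e) enum_mode="${OPTARG}"; parameter_counter+=1 ;;
      i) host_ip="${OPTARG}"; parameter_counter+=1 ;;
      h) helpPanel ;;
      *) helpPanel ;;   # unknown option or missing argument
    esac
  done

  # Both -e and -i are required.
  if (( parameter_counter != 2 )); then
    helpPanel
  else
    beginEnumeration
    tput cnorm
  fi
else
  echo -e "\n${redColour}[*] It is necessary to run the program as root${endColour}\n"
fi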
263 |
--------------------------------------------------------------------------------