Weaponizing cmd.exe – Enumerate users (in spite of RestrictAnonymous)

Okay. Continuing on with the series. Now that we have mapped the network, we need to enumerate users on the active hosts. Oftentimes you will be performing a penetration test on a Windows machine. In the event that the machine has RestrictAnonymous set, you may find it difficult to enumerate users using your null session. It is important to note that this does not make it impossible! Tools like enum rely upon the null session enumeration option, therefore RestrictAnonymous = 2 ruins the use of that tool (and others like it). I am going to show you a method to brute force usernames in a different manner. For this you will need two tools, sid2user and user2sid. You can get them here.


Step 1: Establish a Null Session

C:\> net use \\<target_ip> "" /u:""

It is important to note that although RestrictAnonymous is set to 2, that does not prevent null sessions. It simply prevents the enumeration of users via null sessions.

Step 2: Determine Target Machine’s name

There are many methods to get this. Here is one:

C:\> nbtstat -a <target_ip>

Step 3: Acquire SID

C:\> user2sid \\<target_ip> <machine_name>

This will return to us the machine's SID (Security Identifier). The SID is a unique identifier for each user, group, or system. It follows this format:

S-[Revision-Level]-[Authority Level]-[Domain-or-Computer-number]-[RID]

Example (brackets added for clarity): S-[1]-[5-21]-[165875785-1005667432-441284377]-[1023]

The RID (Relative Identifier) is the trailing number that identifies the individual account within that machine or domain. We use it to get the usernames.
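To make the structure above concrete, here is an added Python example (not part of the original post, and not related to the user2sid/sid2user tools) that parses a SID string into its fields, splits off the RID, and rebuilds an account SID from a machine SID plus a RID, using the example SID from the post. Note that in the canonical reading of S-1-5-21-..., 1 is the revision, 5 is the identifier authority (NT Authority) and 21 is the first sub-authority, which marks a machine- or domain-specific SID; the post's "5-21" bracket lumps these together. The well-known RID table and the "user-defined from 1000" rule are standard Windows facts; the function names are my own.

```python
"""Parse and rebuild Windows SID strings of the form
S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...].
Added example code; the only identifier it handles specially is the
S-1-5-21-X-Y-Z machine/domain SID family discussed in the post."""
import re
from dataclasses import dataclass

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# RIDs whose meaning is fixed on every Windows install or domain, regardless
# of what the account has been renamed to. This is why "RID 500" identifies
# the built-in Administrator even when the name "Administrator" is gone.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple  # all numbers after the identifier authority

    def __str__(self):
        return "S-%d-%d-%s" % (
            self.revision,
            self.identifier_authority,
            "-".join(str(s) for s in self.sub_authorities),
        )


def parse_sid(text):
    """Parse 'S-1-5-21-...' into a Sid; raise ValueError on malformed input."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    # group(3) looks like '-21-165875785-...'; drop the empty leading piece.
    subs = tuple(int(p) for p in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def is_valid_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def is_machine_sid(sid):
    """True for S-1-5-21-X-Y-Z: the machine/domain SID user2sid returns (no RID)."""
    return (sid.identifier_authority == 5
            and len(sid.sub_authorities) == 4
            and sid.sub_authorities[0] == 21)


def with_rid(machine_sid, rid):
    """Build an account SID by appending a RID to a machine/domain SID."""
    if not is_machine_sid(machine_sid):
        raise ValueError("expected a machine/domain SID, got %s" % machine_sid)
    return Sid(machine_sid.revision, machine_sid.identifier_authority,
               machine_sid.sub_authorities + (rid,))


def split_rid(account_sid):
    """Split an account SID S-1-5-21-X-Y-Z-RID into (machine SID, RID)."""
    if account_sid.identifier_authority != 5 or len(account_sid.sub_authorities) != 5 \
            or account_sid.sub_authorities[0] != 21:
        raise ValueError("expected an account SID, got %s" % account_sid)
    base = Sid(account_sid.revision, account_sid.identifier_authority,
               account_sid.sub_authorities[:-1])
    return base, account_sid.sub_authorities[-1]


def describe_rid(rid):
    """Name a well-known RID, or classify it by range."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    # RIDs below 1000 are reserved for built-in accounts and groups;
    # accounts created by administrators start at 1000.
    return "user-defined account/group" if rid >= 1000 else "reserved built-in"


if __name__ == "__main__":
    # The post's example SID, with the RID 1023 on the end.
    account = parse_sid("S-1-5-21-165875785-1005667432-441284377-1023")
    machine, rid = split_rid(account)
    print("machine SID:", machine, "| RID:", rid, "|", describe_rid(rid))
    print("RID 500 on this machine:", with_rid(machine, 500), "|", describe_rid(500))
```

From the defending side, the structure explains two things worth remembering: renaming the built-in Administrator account is not a control, because RID 500 still resolves to it, and a SID-to-name lookup needs nothing more than the machine SID plus a guessed RID, so the only real mitigations are blocking anonymous access to the lookup interfaces and watching for bursts of anonymous-logon lookups on a host.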

Step 4: Acquire Admin account name

RID 500 is always the built-in Administrator account, which lets us identify the true admin even if the account has been renamed. Knowing that, you can manually resolve the admin's name using sid2user.

C:\> sid2user \\<target_ip> <SID_with_RID_set_to_500>

For example, using the example SID above, the SID with the RID set to 500 would be:

S-1-5-21-165875785-1005667432-441284377-500

Step 5: Acquire Other Users

C:\> for /L %u in (1000,1,1015) do @sid2user \\<target_ip> <SID_without_RID> %u

This loop brute forces usernames by retrieving the username associated with each RID from 1000 to 1015 (user-created accounts start at RID 1000). You can change the range according to your needs.

There you go! Now you can move on to password cracking, etc.
