Path: blob/master/documentation/modules/auxiliary/scanner/dcerpc/nrpc_enumusers.md
Vulnerable Application
This module implements a new method for gathering domain users. The method leverages auth-level = 1 (No authentication) against the MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address, and the entire process can be completed without providing any credentials.
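For defenders inspecting traffic to a domain controller, the following added example (not code from the module or from Metasploit) parses a DCE/RPC bind PDU and reports whether it binds the Netlogon interface without authentication. The function names and the sample PDUs are constructed for illustration, and the code assumes that a bind carrying no auth verifier corresponds to auth-level 1.

```python
import struct
import uuid

# MS-NRPC (Netlogon) interface UUID and the DCE/RPC constants used below.
NETLOGON = uuid.UUID("12345678-1234-abcd-ef00-01234567cffb")
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
PTYPE_BIND = 11        # connection-oriented bind PDU
AUTHN_LEVEL_NONE = 1   # "auth-level = 1 (No authentication)"

def parse_bind(pdu: bytes):
    """Return (interface UUIDs, auth level) of a little-endian bind PDU, or None."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND or pdu[4] >> 4 != 1:
        return None
    frag_len, auth_len = struct.unpack_from("<HH", pdu, 8)
    if frag_len > len(pdu):
        return None
    level = AUTHN_LEVEL_NONE                # assumption: no verifier means level 1
    if auth_len:
        trailer = frag_len - auth_len - 8   # sec_trailer precedes the auth value
        if trailer < 28:
            return None
        level = pdu[trailer + 1]            # byte 0 is auth_type, byte 1 auth_level
    end = frag_len - (auth_len + 8 if auth_len else 0)
    ifaces, off = [], 28                    # context list starts at offset 28
    for _ in range(pdu[24]):                # n_context_elem
        if off + 24 > end:
            return None
        ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * pdu[off + 2]       # skip abstract + transfer syntaxes
    return ifaces, level

def is_unauthenticated_netlogon_bind(pdu: bytes) -> bool:
    parsed = parse_bind(pdu)
    return bool(parsed) and NETLOGON in parsed[0] and parsed[1] == AUTHN_LEVEL_NONE

def build_bind(iface: uuid.UUID, auth: bytes = b"") -> bytes:
    """Constructed sample input (not captured traffic): a one-context bind PDU."""
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", 1, 0)
    body += NDR.bytes_le + struct.pack("<I", 2)
    frag_len = 16 + len(body) + len(auth)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 3, b"\x10\0\0\0",
                      frag_len, max(len(auth) - 8, 0), 1)
    return hdr + body + auth

# Constructed verifier: auth_type 10 (NTLM), auth_level 6, then a dummy token.
SIGNED = bytes([10, 6, 0, 0]) + struct.pack("<I", 0) + b"NTLMSSP\0" + bytes(24)
```

Domain members also open unauthenticated Netlogon binds while setting up their secure channel, so count matches per source address rather than alerting on a single bind.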
Verification Steps
1. Do: use auxiliary/scanner/dcerpc/nrpc_enumusers
2. Do: set RHOSTS <target IP addresses>
3. Do: set USER_FILE <path to your users list>
4. Do: run
Target
To use nrpc_enumusers, make sure you are able to connect to the Domain Controller. It has been tested with Windows Server 2012, 2016, 2019 and 2022.
Options
1- USER_FILE
Description: Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
Usage: Provide the path to the file that contains the list of user accounts you want to test.
Example: set USER_FILE /path/to/usernames.txt
2- RHOSTS (required)
Description: The target IP address or range of IP addresses of the Domain Controllers.
Usage: Specify the IP address or addresses of the Domain Controllers you are targeting.
Example: set RHOSTS 192.168.1.100
3- RPORT (optional)
Description: The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
Usage: If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
Example: set RPORT 49664
Scenarios
The following demonstrates basic usage, using a custom wordlist, targeting a single Domain Controller to identify valid domain user accounts.
Create a new ./users.txt file, then run the module: