https://onnocenter.or.id/wiki/index.php?action=history&feed=atom&title=Forensic%3A_nmap_smb-enum-users.nse_attack_%28en%29Forensic: nmap smb-enum-users.nse attack (en) - Revision history2026-05-04T06:53:50ZRevision history for this page on the wikiMediaWiki 1.35.4https://onnocenter.or.id/wiki/index.php?title=Forensic:_nmap_smb-enum-users.nse_attack_(en)&diff=71302&oldid=prevOnnowpurbo: /* Example Attack */2024-12-04T11:46:05Z<p><span dir="auto"><span class="autocomment">Example Attack</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 11:46, 4 December 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l7" >Line 7:</td>
<td colspan="2" class="diff-lineno">Line 7:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Suppose we want to enumerate users on a Windows server named "server-windows" that can be accessed from our network. We can run the following Nmap commands:</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Suppose we want to enumerate users on a Windows server named "server-windows" that can be accessed from our network. We can run the following Nmap commands:</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"> wget https://svn.nmap.org/nmap/scripts/smb-enum-users.nse</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> nmap -sV --script smb-enum-users.nse server-windows</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div> nmap -sV --script smb-enum-users.nse server-windows</div></td></tr>
</table>Onnowpurbohttps://onnocenter.or.id/wiki/index.php?title=Forensic:_nmap_smb-enum-users.nse_attack_(en)&diff=71123&oldid=prevOnnowpurbo: /* Attack Forensics */2024-10-28T04:59:49Z<p><span dir="auto"><span class="autocomment">Attack Forensics</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 04:59, 28 October 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l25" >Line 25:</td>
<td colspan="2" class="diff-lineno">Line 25:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>If we find evidence of an attack using smb-enum-users.nse, some artifacts we can look for include:</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>If we find evidence of an attack using smb-enum-users.nse, some artifacts we can look for include:</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">1. </del>'''Nmap Logs:''' If the attacker ran Nmap from an accessible system, we can check Nmap logs to find the commands used.</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># </ins>'''Nmap Logs:''' If the attacker ran Nmap from an accessible system, we can check Nmap logs to find the commands used.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">2. </del>'''System Logs:''' Examine the logs on the target Windows server for suspicious activity, such as failed login attempts or unusual network activity.</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># </ins>'''System Logs:''' Examine the logs on the target Windows server for suspicious activity, such as failed login attempts or unusual network activity.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">3. </del>'''Firewall Logs:''' If there’s a firewall protecting the server, check the firewall logs for suspicious traffic from the attacker’s IP address.</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># </ins>'''Firewall Logs:''' If there’s a firewall protecting the server, check the firewall logs for suspicious traffic from the attacker’s IP address.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">4. </del>'''Network Traffic Capture:''' If we have captured network traffic, we can analyze it for packets related to the smb-enum-users.nse attack.</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># </ins>'''Network Traffic Capture:''' If we have captured network traffic, we can analyze it for packets related to the smb-enum-users.nse attack.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">5. </del>'''Windows Event Logs:''' Check the event log on the Windows server for entries related to user enumeration attempts.</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline"># </ins>'''Windows Event Logs:''' Check the event log on the Windows server for entries related to user enumeration attempts.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Mitigation==</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Mitigation==</div></td></tr>
</table>Onnowpurbohttps://onnocenter.or.id/wiki/index.php?title=Forensic:_nmap_smb-enum-users.nse_attack_(en)&diff=70944&oldid=prevOnnowpurbo: Created page with "'''Nmap smb-enum-users.nse''' is a script used to enumerate users on Windows systems with active SMB (Server Message Block) services. This script employs two main methods: *..."2024-10-19T02:25:16Z<p>Created page with "'''Nmap smb-enum-users.nse''' is a script used to enumerate users on Windows systems with active SMB (Server Message Block) services. This script employs two main methods: *..."</p>
<p><b>New page</b></p><div>'''Nmap smb-enum-users.nse''' is a script used to enumerate users on Windows systems with active SMB (Server Message Block) services. This script employs two main methods:<br />
<br />
* '''SAMR enumeration:''' This method is subtler and requires fewer packets for each user account. However, the information obtained may not be as complete as that from the LSA method.<br />
* '''LSA bruteforcing:''' This method is noisier, generating more network traffic and log entries. However, it can provide more comprehensive information about user accounts.<br />
<br />
==Example Attack==<br />
<br />
Suppose we want to enumerate users on a Windows server named "server-windows" that can be accessed from our network. We can run the following Nmap commands:<br />
<br />
nmap -sV --script smb-enum-users.nse server-windows<br />
nmap --script smb-enum-users.nse -p445 <host><br />
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host><br />
<br />
'''Options used:'''<br />
<br />
* `-sV`: Performs version scanning to obtain service version information.<br />
* `--script smb-enum-users.nse`: Runs the smb-enum-users.nse script.<br />
<br />
==Expected Results==<br />
<br />
The output from the above commands will display a list of users found on the Windows server, including usernames, SIDs (Security Identifiers), and other information.<br />
<br />
==Attack Forensics==<br />
<br />
If we find evidence of an attack using smb-enum-users.nse, some artifacts we can look for include:<br />
<br />
1. '''Nmap Logs:''' If the attacker ran Nmap from an accessible system, we can check Nmap logs to find the commands used.<br />
2. '''System Logs:''' Examine the logs on the target Windows server for suspicious activity, such as failed login attempts or unusual network activity.<br />
3. '''Firewall Logs:''' If there’s a firewall protecting the server, check the firewall logs for suspicious traffic from the attacker’s IP address.<br />
4. '''Network Traffic Capture:''' If we have captured network traffic, we can analyze it for packets related to the smb-enum-users.nse attack.<br />
5. '''Windows Event Logs:''' Check the event log on the Windows server for entries related to user enumeration attempts.<br />
<br />
==Mitigation==<br />
<br />
To prevent smb-enum-users.nse attacks, several measures can be taken:<br />
<br />
* '''Disable Unnecessary SMB:''' If SMB is not needed, disable the SMB service on the server.<br />
* '''Restrict Network Access:''' Limit network access to the server to authorized users only.<br />
* '''Use a Firewall:''' Configure the firewall to block unauthorized traffic.<br />
* '''Update Operating Systems and Applications:''' Ensure that the operating system and applications are always updated with the latest security patches.<br />
* '''Use Strong Passwords:''' Enforce users to use strong and unique passwords for each account.<br />
* '''Enable Audit Logging:''' Activate audit logging features to track user and system activity.<br />
<br />
==Important to Remember==<br />
<br />
* '''Educational Purpose:''' The above explanation is solely for educational and research purposes. Do not use this information for illegal activities.<br />
* '''Laboratory Environment:''' It’s advisable to conduct these tests in an isolated laboratory environment to avoid unintended consequences.<br />
* '''Permission:''' Always obtain necessary permissions before testing systems that are not owned by you.<br />
<br />
==Interesting Links==<br />
<br />
* [[Forensic: IT]] <br />
* '''SMB (Server Message Block):''' Learn in-depth about the SMB protocol, including how it works and common vulnerabilities.<br />
* '''Nmap:''' Explore various features and options of Nmap that can be used for scanning and exploitation.<br />
* '''Network Forensics:''' Study how to analyze network traffic to find evidence of suspicious activity.<br />
* '''Windows Forensics:''' Learn how to analyze Windows systems to uncover evidence of cybercrime.</div>Onnowpurbo