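#! c:\perl\bin\perl.exe
#-----------------------------------------------------
# null.pl
#
# Script to test enumeration via null sessions on NT
# machines: connects to IPC$ with an empty user name,
# password and domain, then reports what the server
# hands out to that anonymous caller (remote Registry
# reachability, shares, account-policy modals, global
# and local group membership, per-user details).
# Requires Win32::Lanman, v1.04 (errors in NetShareEnum
# corrected)
#
# Usage: null.pl <server>
#        perl null.pl <server> > myfile
#
# copyright 1999 by H.Carvey
# email contact: wintermute2k@yahoo.com
#-----------------------------------------------------
use strict;
use warnings;
use Win32::Lanman;
use Win32::TieRegistry(Delimiter=>"/");

my $server = shift @ARGV or die "No server entered.\n";

# Empty user / password / domain is what makes this a null session.
if (ConnectIPC($server, "", "", "")) {
    print "Null Session to $server successful.\n";

    # Now try getting some information
    print "\n[Registry]\n";
    RegConnect($server);

    print "\n[Shares]\n";
    _print_list([ GetShares($server) ], "No shares.\n");

    print "\n[User Modals]\n";
    _print_list([ GetModals($server) ], "No modals.\n");

    print "\n[Global Users]\n";
    my @global = GetGlobalUsers($server);
    if (@global) {
        foreach my $name (@global) {
            print "$name\n";
            GetUserInfo($server, $name);
            print "\n";
        }
    }
    else {
        print "Did not retrieve global users.\n";
    }

    print "\n[Local Users]\n";
    my @users = GetLocalUsers($server);
    if (@users) {
        foreach my $entry (@users) {
            print "$entry\n";
            # Entries are "group:DOMAIN\account"; NetUserGetInfo wants only
            # the account part. Members without a backslash (no domain
            # prefix) fall back to everything after the group name.
            my $account = (split(/\\/, $entry))[1];
            $account = (split(/:/, $entry, 2))[1] unless defined $account;
            GetUserInfo($server, $account);
            print "\n";
        }
    }
    else {
        print "Did not retrieve local users.\n";
    }

    print "\n";
    if (Disconnect($server)) {
        print "Disconnected from $server.\n";
    }
    else {
        print "Could not disconnect.\n";
    }
}
else {
    print "Could not establish null session with $server.\n";
}

#-----------------------------------------------------
# Print each element of the array ref $items on its own
# line, or $empty_msg when there is nothing to show.
#-----------------------------------------------------
sub _print_list {
    my ($items, $empty_msg) = @_;
    if (!@$items) {
        print $empty_msg;
        return;
    }
    print "$_ \n" for @$items;
    return;
}

#-----------------------------------------------------
# Return (code, text) for the most recent Win32::Lanman
# failure. The text falls back to the bare code when
# FormatMessage has nothing for it. Centralised so that
# every caller reports errors the same way and can
# compare the numeric code rather than the message.
#-----------------------------------------------------
sub _last_error {
    my $code = Win32::Lanman::GetLastError();
    my $text = Win32::FormatMessage($code);
    $text = $code if !defined $text || $text eq "";
    return ($code, $text);
}

#-----------------------------------------------------
# Render a NetUserGetInfo time field via localtime.
# A value of 0 is shown as "Never" instead of the epoch
# (assumed to mean no recorded logon/logoff — confirm
# against the NetUserGetInfo documentation).
#-----------------------------------------------------
sub _fmt_time {
    my ($t) = @_;
    return "Never" unless $t;
    return scalar localtime($t);
}

#-----------------------------------------------------
# Attempt a connection to IPC$; used for null session
# connections, as well as checking passwords.
# Returns 1 on success, 0 on failure.
#-----------------------------------------------------
sub ConnectIPC {
    my ($server, $passwd, $user, $domain) = @_;
    my %use = (
        remote     => "\\\\$server\\ipc\$",
        asg_type   => USE_IPC(),
        password   => $passwd,
        username   => $user,
        domainname => $domain,
    );
    return Win32::Lanman::NetUseAdd(\%use) ? 1 : 0;
}

#-----------------------------------------------------
# Disconnect the IPC$ connection.
# Returns 1 on success, 0 on failure.
#-----------------------------------------------------
sub Disconnect {
    # The original unpacked @_ into an array named @server, so the
    # argument was ignored and the file-level $server was used instead.
    my ($server) = @_;
    return Win32::Lanman::NetUseDel("\\\\$server\\ipc\$", USE_FORCE()) ? 1 : 0;
}

#-----------------------------------------------------
# Get the available shares. Returns a list of share
# names (empty on failure; the error is printed).
#-----------------------------------------------------
sub GetShares {
    my ($server) = @_;
    my @stuff;
    if (!Win32::Lanman::NetShareEnum("\\\\$server", \@stuff)) {
        my (undef, $err) = _last_error();
        print "NetShareEnum Error: $err\n";
        return ();
    }
    return map { $_->{'netname'} } @stuff;
}

#-----------------------------------------------------
# Get User Modals. Returns "key: value" strings for every
# field except domain_id and primary (binary SID data,
# not printable).
#-----------------------------------------------------
sub GetModals {
    my ($server) = @_;
    my %info;
    if (!Win32::Lanman::NetUserModalsGet("\\\\$server", \%info)) {
        my (undef, $err) = _last_error();
        print "GetUserModalsGet Error: $err\n";
        return ();
    }
    my %skip = (domain_id => 1, primary => 1);
    return map { "$_: $info{$_}" } grep { !$skip{$_} } sort keys %info;
}

#-----------------------------------------------------
# Get Local Groups/Users from the server. Returns
# "group:DOMAIN\account" strings, one per membership.
#-----------------------------------------------------
sub GetLocalUsers {
    my ($server) = @_;
    my @groups;
    my @users;
    if (!Win32::Lanman::NetLocalGroupEnum("\\\\$server", \@groups)) {
        my (undef, $err) = _last_error();
        print "NetLocalGroupEnum error: $err\n";
        return ();
    }
    foreach my $group (@groups) {
        my $gname = $group->{'name'};
        # Fresh array per group so members cannot leak across iterations
        # if the API appends rather than replaces.
        my @members;
        if (Win32::Lanman::NetLocalGroupGetMembers("\\\\$server", $gname, \@members)) {
            push @users, map { "$gname:$_->{'domainandname'}" } @members;
        }
        else {
            my (undef, $err) = _last_error();
            print "NetLocalGroupGetMembers error: $err\n";
        }
    }
    return @users;
}

#-----------------------------------------------------
# Get User Info: print the account details exposed by
# NetUserGetInfo for $user on $server.
#-----------------------------------------------------
sub GetUserInfo {
    my ($server, $user) = @_;
    my %info;
    if (Win32::Lanman::NetUserGetInfo("\\\\$server", $user, \%info)) {
        # password_age is in seconds; report it in days. The original
        # divided the *field count* returned by split() in scalar context,
        # not the value itself.
        my $pwage   = sprintf("%.1f", $info{'password_age'} / (3600 * 24));
        my $comment = defined $info{'comment'} ? $info{'comment'} : "";
        print "\tName => $info{'name'}\n";
        print "\tComment => $comment\n";
        print "\tUID => $info{'user_id'}\n";
        print "\tPasswd Age => $pwage\n";
        print "\tLast Logon => " . _fmt_time($info{'last_logon'}) . "\n";
        print "\tLast Logoff => " . _fmt_time($info{'last_logoff'}) . "\n";
        print "\n";
        print "\tAccount does not expire.\n"        if $info{'acct_expires'} == -1;
        print "\tACCOUNT DISABLED.\n"               if $info{'flags'} & UF_ACCOUNTDISABLE;
        print "\tUser cannot change password.\n"    if $info{'flags'} & UF_PASSWD_CANT_CHANGE;
        print "\tAccount is locked out.\n"          if $info{'flags'} & UF_LOCKOUT;
        print "\tPassword does not expire.\n"       if $info{'flags'} & UF_DONT_EXPIRE_PASSWD;
        print "\tPassword not required.\n"          if $info{'flags'} & UF_PASSWD_NOTREQD;
    }
    else {
        # Compare the numeric code, not the formatted message (the original
        # did "$err == 2221" on the message string).
        my ($code, $err) = _last_error();
        # 2221: account not found on this machine — reported by the
        # original as a domain account rather than a local one.
        $err = "Domain User account" if $code == 2221;
        print "NetUserGetInfo Error: $err\n";
    }
    return;
}

#-----------------------------------------------------
# Attempt to connect to the remote Registry (HKLM).
#-----------------------------------------------------
sub RegConnect {
    my ($server) = @_;
    my $remote = $Registry->{"//$server/LMachine/"};
    if ($remote) {
        # path "SOFTWARE/Microsoft/Windows NT/CurrentVersion" is usually
        # in the AllowedPaths\Machine key
        print "Connected to remote Registry.\n";
    }
    else {
        print "Could not connect to remote Registry.\n";
    }
    return;
}

#-----------------------------------------------------
# Get Global Groups/Users from the server. Returns the
# member names of every global group except "None".
#-----------------------------------------------------
sub GetGlobalUsers {
    my ($server) = @_;
    my @groups;
    my @global;
    if (!Win32::Lanman::NetGroupEnum("\\\\$server", \@groups)) {
        my (undef, $err) = _last_error();
        print "NetGroupEnum Error: $err\n";
        return ();
    }
    foreach my $group (@groups) {
        my $gname = $group->{'name'};
        next if $gname eq "None";
        # Fresh array per group (see GetLocalUsers).
        my @members;
        if (Win32::Lanman::NetGroupGetUsers("\\\\$server", $gname, \@members)) {
            push @global, map { $_->{'name'} } @members;
        }
        else {
            my (undef, $err) = _last_error();
            print "NetGroupGetUsers Error: $err\n";
        }
    }
    return @global;
}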