Module users
For lack of a better short name, the users module enumerates users, groups and their members from the local account and built-in domains of the target. To make sense of the output, one must understand the different types of domains that can be retrieved and queried on a computer.
These definitions can be found in MS-LSAD's glossary.
Primary domain: this is the domain that a computer is joined to, managed by domain controllers.
Local account domain: this domain matches the computer's NetBIOS name and stores the local users and groups that are created on it. On a domain controller, this domain can still be retrieved using LsarQueryInformationPolicy2 when specifying PolicyLocalAccountDomainInformation; however, when attempting to open it with SamrOpenDomain, we are greeted with STATUS_NO_SUCH_DOMAIN. Therefore, it is safe to say that it is nonexistent on a domain controller.
Account domain: on a domain-joined computer, this is the same as the local account domain; on a domain controller, it is the same as the primary domain.
Built-in domain: built-in groups, such as Administrators and Remote Desktop Users, are stored in this domain, known under the SID S-1-5-32. On a domain controller, the built-in domain becomes part of the primary domain, in its dedicated CN named Builtin. Performing SamrOpenDomain with the aforementioned SID will nonetheless return the groups in that CN and their members, following the same behavior as on a non-domain-controller machine.
Once groups and their members have been gathered from the target, the results come in the form of SIDs. These are first matched against a list of known SIDs to avoid requesting what is already known. Since this will almost certainly leave some SIDs unmapped, the tool leverages LsarLookupSids to request the mapping from the target. The method is called with the lookup level LsapLookupWksta, which attempts mapping in the following order:
- Locally (known SIDs, the BUILTIN domain and then the local account one)
- Primary Domain (therefore, the DC will be queried)
- Trusted Domains (DC(s) of the trusted domain(s))
If some SIDs cannot be resolved, they will simply be reported as is.
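As an added illustration (not the project's own code), the local matching step described above in Python: a binary SID as returned over SAMR/LSA RPC is parsed into its string form, then a result set is split into SIDs resolved from a well-known table and those that still have to go to LsarLookupSids. The well-known tables are a constructed subset, and the local account domain SID and NetBIOS name used are assumed sample values.

```python
import struct

# Constructed subset of the well-known SIDs (MS-DTYP) that resolve identically on every
# Windows host; a real tool would carry the full table.
WELL_KNOWN_SIDS = {
    "S-1-1-0": ("", "Everyone"),
    "S-1-5-11": ("NT AUTHORITY", "Authenticated Users"),
    "S-1-5-18": ("NT AUTHORITY", "SYSTEM"),
    "S-1-5-32-544": ("BUILTIN", "Administrators"),
    "S-1-5-32-545": ("BUILTIN", "Users"),
    "S-1-5-32-555": ("BUILTIN", "Remote Desktop Users"),
}

# Well-known relative identifiers (RIDs) inside an account domain; the prefix is unique
# per domain but these names are fixed, so they need no lookup either.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


def sid_from_bytes(data: bytes) -> str:
    """Convert a binary SID (revision, sub-authority count, 48-bit authority, DWORDs)
    into its S-1-... string form."""
    revision, sub_count = data[0], data[1]
    if revision != 1 or len(data) != 8 + 4 * sub_count:
        raise ValueError("malformed SID")
    # Identifier authority is big-endian; sub-authorities are little-endian DWORDs.
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_known(sids, local_domain_sid, local_domain_name):
    """Return (resolved, unresolved). resolved maps SID -> (domain, name) from the local
    tables; unresolved lists the SIDs that must be sent to LsarLookupSids."""
    resolved, unresolved = {}, []
    for sid in sids:
        if sid in WELL_KNOWN_SIDS:
            resolved[sid] = WELL_KNOWN_SIDS[sid]
            continue
        prefix, _, rid = sid.rpartition("-")
        # Only RIDs under the target's own local account domain are resolvable here;
        # the same RID under another domain's SID has to be looked up remotely.
        if prefix == local_domain_sid and rid.isdigit() and int(rid) in WELL_KNOWN_RIDS:
            resolved[sid] = (local_domain_name, WELL_KNOWN_RIDS[int(rid)])
            continue
        unresolved.append(sid)
    return resolved, unresolved
```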
Since the module queries the local account domain, and that domain does not exist on domain controllers, domain controllers are skipped by this module.
While the built-in domain could still be enumerated there, that operation is left to the user, since it can simply be accomplished with an LDAP query.
The account domain could also be queried, but it would return all users of the primary domain, which is not desirable in a large domain. Consider an LDAP query if you require this operation.