Using Nmap to find Local Admin - Pentest Geek

Using Nmap to find Local Admin

Author: zeknox Posted In Penetration Testing Tutorials On: 2012/08/23 Comments: 2

While conducting penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If you’re like me, you’ve often wondered: where do I have local Administrative privileges with these credentials? If you haven’t checked out Joseph Pierini’s blog post here, I highly suggest you check it out before continuing.

I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges. Sure, I could fire up Metasploit’s msfconsole and psexec across the network. Hell, I could even create a resource script to automate the entire task for me, but it doesn’t scale very well, and oftentimes the default Metasploit config is not very stealthy when you flag every workstation and server antivirus on the network. That’s when I started to utilize Nmap’s smb-enum-shares NSE script. I’ve been aware of the script for some time now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others. Even better, the NSE script doesn’t need cleartext credentials, so you can pass-the-hash like we all love to do. The syntax is pretty straightforward, as seen below:

nmap -p 445 --open --script=smb-enum-shares.nse --script-args=smbuser=username,smbpass=password,smbdomain=example.net 192.168.1.1/24 -oA 192.168.1.x_local_admin

This article isn’t intended to show you how to use Nmap’s NSE script, but rather to demonstrate how lethal a combination this NSE script can be when you write yourself a little script to parse the results. I was recently trying to use this script against a chunk of 1500 nodes on the network, and going through the *.nmap file was incredibly painful. If my account only had Local Admin on one of these many systems, it was like finding a needle in a haystack. That’s when I realized I needed to write a quick and dirty script to parse the XML output that Nmap gives us.

In some of my test runs on an internal network using this nmap NSE I was able to scan 50 nodes in just 22 seconds to find Local Admin on 9 systems. In another test case I ran it against 300 systems on an internal network and found Local Admin on 114 devices in just 120 seconds.
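Seen from the monitoring side, scan rates like these mean one account reaching C$ or ADMIN$ on many hosts within seconds. The following is an added example, not part of the original post: it flags that fan-out in centrally collected share-access records (such as Windows event 5140), where the pipe-delimited record layout, the account and host names, and the threshold and window values are all assumptions made for illustration.

```ruby
require 'time'

# Constructed sample: time|target host|account|source IP|share name.
# The pipe-delimited layout is an assumption made for this example.
SAMPLE = <<~'LOG'
  2012-08-23T10:00:01Z|WS-001|EXAMPLE\jdoe|192.168.1.200|C$
  2012-08-23T10:00:03Z|WS-002|EXAMPLE\jdoe|192.168.1.200|C$
  2012-08-23T10:00:05Z|WS-003|EXAMPLE\jdoe|192.168.1.200|C$
  2012-08-23T10:00:08Z|WS-004|EXAMPLE\jdoe|192.168.1.200|ADMIN$
  2012-08-23T10:00:10Z|WS-005|EXAMPLE\jdoe|192.168.1.200|C$
  2012-08-23T10:00:12Z|WS-005|EXAMPLE\jdoe|192.168.1.200|IPC$
  2012-08-23T09:10:00Z|SRV-01|EXAMPLE\backup|192.168.1.10|C$
  2012-08-23T13:40:00Z|SRV-02|EXAMPLE\backup|192.168.1.10|C$
  2012-08-23T10:00:02Z|FS-01|EXAMPLE\asmith|192.168.1.77|Public
  2012-08-23T10:00:04Z|FS-02|EXAMPLE\asmith|192.168.1.77|Public
LOG

Record = Struct.new(:time, :host, :account, :source, :share)

def parse_records(text)
  text.each_line.map(&:strip).reject(&:empty?).map do |line|
    time, host, account, source, share = line.split('|', 5)
    Record.new(Time.iso8601(time), host, account, source, share)
  end
end

# Report each (account, source) pair that reached an administrative share on
# at least min_hosts distinct hosts inside any window of `window` seconds.
def admin_share_fanout(records, min_hosts: 5, window: 60, shares: %w[C$ ADMIN$])
  hits = records.select { |r| shares.include?(r.share.upcase) }
  findings = hits.group_by { |r| [r.account, r.source] }.map do |(account, source), rows|
    rows = rows.sort_by(&:time)
    # Start a window at every record and count the distinct hosts inside it.
    best = rows.each_index.map do |i|
      rows.drop(i).take_while { |r| r.time - rows[i].time <= window }.map(&:host).uniq.size
    end.max
    { account: account, source: source, hosts: best } if best >= min_hosts
  end
  findings.compact
end

if __FILE__ == $PROGRAM_NAME
  admin_share_fanout(parse_records(SAMPLE)).each do |f|
    puts "[!] #{f[:account]} from #{f[:source]}: admin shares on #{f[:hosts]} hosts"
  end
end
```

The backup account in the sample touches C$ on two servers hours apart and stays below the threshold, so the window length and host count need tuning against the environment's legitimate administrative traffic.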

Now I understand if you have already dumped the Local Administrator credentials (UID:500) this tactic isn’t incredibly useful, because you can most likely pass-the-hash into anything and everything. When you’re on a tougher network and the Net Admin has configured the GPO “Deny access to this computer through the network” and placed the Local Administrators in that group, your pass-the-hash tactic isn’t getting you anywhere. Or, in the case where every single Local Administrator password is unique, pass-the-hash is essentially useless. That’s when I break out Windows Credential Editor (WCE) and dump the logged-in user credentials out of the running memory. You might not think Domain User credentials are all that useful, but they can be incredibly useful since they are allowed to perform network logons when the Local Administrator accounts may not.

I started out using Ruby’s REXML library, only to find out it’s old and busted and everyone in freenode.net #ruby was pointing me to Nokogiri. I should have known better from the get-go, considering this is what Metasploit uses to import Nmap XML files into the framework. After spending some time learning the basics of Nokogiri, and with some awesome help from Bluebie in #ruby, I had a functional Ruby script that was able to parse the Nmap XML output and tell me where my credentials had Local Admin rights.

Now I know my code is not 100% accurate because it doesn’t take into account hosts that allow anonymous READ/WRITE access to drives, but it definitely helps the hunt for Local Admin. The script below essentially looks for systems that we have READ/WRITE access to once credentials have been fed to Nmap’s NSE script. If we have READ/WRITE access to C$, there is a pretty good chance that we have Local Admin on that system.

Below is the code to parse Nmap’s XML output after scanning:

#!/usr/bin/ruby -w
require 'nokogiri'

# check to make sure an argument was given
if ARGV.size != 1
  puts "\n[-] Usage: ./parseadmin.rb <nmap.xml>\n\n"
  exit
end

# File.open rather than Kernel#open, which would execute an argument starting with "|"
xml = File.open(ARGV[0]) { |f| Nokogiri::XML(f) }

# display which IP addresses our credentials have local admin on
xml.css('nmaprun host').each do |host|
  begin
    target_address = host.css('address').first['addr']
    target_hostnames = host.css('hostname').first['name']
    target_scripts = host.css('hostscript script')
  rescue StandardError
    # reached when a host has no <address> or <hostname> element
    puts "[-] Error On: #{target_address}\t#{target_hostnames}"
    next
  end

  # a WRITE entry in the smb-enum-shares output is treated as local admin
  target_scripts.each do |script|
    puts "[+] Local Admin on:  #{target_address}\t#{target_hostnames}" if script['output'] =~ /WRITE/
  end
end

Here is what the script should look like when you don’t feed it any arguments:

zeknox@lockout:~$ ruby parseadmin.rb 

[-] Usage: ./parseadmin.rb <nmap.xml>

You can see that the script wants an nmap.xml file, so let’s feed the script one and see what happens.

zeknox@lockout:~$ ruby parseadmin.rb nmap.xml
[+] Local Admin on:  192.168.1.40	hostname1.domain.local
[+] Local Admin on:  192.168.1.34	hostname2
[+] Local Admin on:  192.168.1.41	hostname3.domain.local
[+] Local Admin on:  192.168.1.43	hostname4.domain.local
[+] Local Admin on:  192.168.1.45	hostname5
[+] Local Admin on:  192.168.2.51	hostname6
[+] Local Admin on:  192.168.2.99	hostname7.domain.local
[+] Local Admin on:  192.168.2.95	hostname8.domain.local
[+] Local Admin on:  192.168.2.119	hostname9.domain.local
zeknox@lockout:$

Once the script has parsed the file, you should have a list of hosts that you should have Local Admin on. You can validate this by using Metasploit’s psexec or, my favorite, by changing the credentials running in Windows memory with WCE and attempting to map a network drive to c$ to stay away from antivirus.

net use * \\192.168.1.40\c$

Happy Hunting for Local Admin!

2 Comments
  • This seems more like shooting fish in a barrel!
