Using Nmap to find Local Admin - Pentest Geek

Using Nmap to find Local Admin

Author: Brandon McCann Posted In Penetration Testing Tutorials On: 2012/08/23 Comments: 2
Using Nmap to find Local Admin

While conducting  penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If your like me; you’ve often wondered, where do I have local Administrative privileges with these credentials.  If you haven’t checked out Joesph Pierini’s blog post here, I highly suggest you check it out before continuing.

I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges.  Sure I could fire up metasploit’s msfconsole and psexec across the network.  Hell I could even create a resource script to automate the entire task for me, but its doesn’t scale very well and often times the default metasploit config is not very stealth when you flag every workstation and server antivirus on the network.  That’s when I started to utilize Nmap’s smb-enum-shares NSE script.  I’ve been aware of the script for sometime now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others.  Even better, the NSE script doesn’t need cleartext credentials so you can pass-the-hash like we all love to do.  The syntax is pretty straightforward as seen below:

nmap -p 445 –open –script=smb-enum-shares.nse –script-args=smbuser=username,smbpass=password, -oA 192.168.1.x_local_admin

This article isn’t intended to show you how to use Nmap’s NSE script, but rather to demonstrate how lethal of a combination this NSE script can be when you write yourself a little  script to parse the results.  I was recently trying to use this script against a chunk of 1500 nodes on the network and going through the *.nmap file was incredibly painful. If my account only had Local Admin on one of these many systems it was like finding a needle in a haystack.  That’s when I realized I needed to write a quick and dirty script to parse the XML ouptut that Nmap gives us.

In some of my test runs on an internal network using this nmap NSE I was able to scan 50 nodes in just 22 seconds to find Local Admin on 9 systems. In another test case I ran it against 300 systems on an internal network and found Local Admin on 114 devices in just 120 seconds.

Now I understand if you have already dumped the  Local Administrator credentials (UID:500) this tactic isn’t incredibly useful because you can most likely pass-the-hash into anything and everything.  When you’re on a tougher network and the Net Admin has configured GPO “Deny access to this computer through the network” and places the Local Administrators in that group, your pass-the-hash tactic isn’t getting you anywhere. Or the case where every single Local Administrator password is unique, pass-the-hash is essentially useless.  That’s when I break out Windows Credential Editor (WCE) and dump the logged in user credentials out of the running memory.  You might not think Domain User credentials are all that useful, but they can be incredibly useful since they are allowed to perform network logons when the Local Administrator accounts may not.

I started out using Ruby’s REXML library, only to find out its old and busted and everyone in #ruby was pointing me to Nokogiri.  I should have known better from the get go considering this is what Metasploit uses to import nmap XML files into the framework.  After spending some time learning the basics of Nokogiri and some awesome help from Bluebie in #ruby I had a functional ruby script that was able to parse the nmap XML output and tell me where my credentials had Local Admin rights.

Now I know my code is not 100% accurate because it doesn’t take into account hosts that allow anonymous READ/WRITE access to drives, but it definitely helps the hunt for Local Admin. The script below essentially looks for systems that we have READ/WRITE access to once credentials have been fed to NMAP’s NSE script.  If we have READ/WRITE access to the C$ there is a pretty good chance that we have Local Admin on that system.

Below is the code to parse Nmap’s XML output after scanning:

#!/usr/bin/ruby -w
require 'nokogiri'

# check to make sure an argument was given
if ARGV.size != 1 then
  puts "n[-] Usage: ./parseadmin.rb <nmap.xml>nn"

xml = Nokogiri::XML.parse(open ARGV[0])

# diplay which ip address our credentials have local admin on
xml.css('nmaprun host').each do |host|
    target_address = host.css('address').first['addr']
    target_hostnames = host.css('hostname').first['name']
    target_scripts = host.css('hostscript script')
  rescue Exception => e
    puts "[-] Error On: #{target_address}t#{target_hostnames}"

  target_scripts.each do |script|
    puts "[+] Local Admin on:  #{target_address}t#{target_hostnames}" if script['output'] =~ /WRITE/

Here is what the script should look like when you don’t feed it any arguments:

zeknox@lockout:~$ ruby parseadmin.rb 

[-] Usage: ./parseadmin.rb <nmap.xml>

You can see that the script wants an nmap.xml file, so lets feed the script one and see what happens.

zeknox@lockout:~$ ruby parseadmin.rb nmap.xml
[+] Local Admin on:	hostname1.domain.local
[+] Local Admin on:	hostname2
[+] Local Admin on:	hostname3.domain.local
[+] Local Admin on:	hostname4.domain.local
[+] Local Admin on:	hostname5
[+] Local Admin on:	hostname6
[+] Local Admin on:	hostname7.domain.local
[+] Local Admin on:	hostname8.domain.local
[+] Local Admin on:	hostname9.domain.local

Once the script has parsed the file you should have some hosts that should give you Local Admin on.  You can validate this by using metasploit psexec or my favorite is changing your credentials running in Windows memory with WCE and attempt to map a network drive to c$ to stay away from antivirus.

net use * \$

Happy Hunting for Local Admin!

Share this article

  • This seems move like shooting fish in a barrel!

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Share This

    Recent Posts

    Subscribe To Our Mailing List

    The Ultimate Burp Suite Training Program

    Learn Network Penetration Testing

    Penetration Testing



    Web Application Hacking

    Brandon McCann

    Copyright 2024


    Are You Using the Top 5 Pentest Tools?

    Enter your email address to download your copy of our FREE e-book and find out now!

    Thank you, now go check your email!!