[RPC] Using NauthNRPC

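This tool is somewhat similar to KerberBrute, but it goes through the RPC service, whereas KerberBrute uses the Kerberos protocol.
Enumeration is also slow: roughly 7 to 8 seconds per user.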

1. Basic usage

# Enumerate domain users
python3 nauth.py -t 192.168.3.142 -u users.txt
# Enumerate machine accounts
python3 nauth.py -t 192.168.3.142 -c computers.txt
# Get detailed domain controller information
python3 nauth.py -t 192.168.3.142

2. Examples

# Enumerate domain users or machine accounts
┌──(root㉿kali)-[~/Desktop/tools/NauthNRPC]
└─# python3 nauth.py -t 192.168.3.142 -u users.txt -c computers.txt 

NAuthNRPC Tool By Haidar Kabibo - Kaspersky Security Services 2024

[*] User Accounts Enumeration
------------------------------
# Users that were successfully enumerated
[+] user Administrator exists. 
[+] user tadmin exists.      
[+] user jack exists.


# Enumerate domain controller information only
┌──(root㉿kali)-[~/Desktop/tools/NauthNRPC]
└─# python3 nauth.py -t 192.168.3.142                 

NAuthNRPC Tool By Haidar Kabibo - Kaspersky Security Services 2024

[*] Domain Information
------------------------------
[*] DC Name: OWA2010SP3.0day.org
[*] DC IP: 192.168.3.142
[*] Domain GUID: 0A700981-B5A5-4F8C-9E0A-B5C00EA2D8E9
[*] Domain Name: 0day.org
[*] Forest Name: 0day.org
[*] DC Site Name: Default-First-Site-Name
[*] Client Site Name: Default-First-Site-Name
[*] Domain Flags: DS_PDC_FLAG | DS_GC_FLAG | DS_LDAP_FLAG | DS_DS_FLAG | DS_KDC_FLAG | DS_TIMESERV_FLAG | DS_CLOSEST_FLAG | DS_WRITABLE_FLAG | DS_GOOD_TIMESERV_FLAG | DS_FULL_SECRET_DOMAIN_6_FLAG | DS_WS_FLAG | DS_PING_FLAGS | DS_DNS_CONTROLLER_FLAG | DS_DNS_DOMAIN_FLAG | DS_DNS_FOREST_FLAG

[*] Trusted Domains Information
------------------------------
[*] Trusted Domain number 0
    • NetBios Domain Name: 0DAY
    • DNS Domain Name: 0day.org
    • Flags: DS_DOMAIN_IN_FOREST | DS_DOMAIN_TREE_ROOT | DS_DOMAIN_PRIMARY | DS_DOMAIN_NATIVE_MODE
    • Parent Index: Not Available
    • Trust Type: TRUST_TYPE_UPLEVEL
    • Trust Attributes: Not Available
    • Domain SID: s-1-5-21-1812960810-2335050734-3517558805
    • Domain GUID: 0A700981-B5A5-4F8C-9E0A-B5C00EA2D8E9