m8r0wn

Enumerating Windows with the Linux "net" Commands

June 08, 2018
This post serves as a cheat sheet for enumerating Windows environments from a Linux host using the Samba suite. The items listed focus on Samba’s “net” command, which aims to replicate common Windows functionality and provide options for cross-platform remote management. This can be used by hackers, administrators, or anyone who finds themselves on a Linux host with a valid set of credentials.

List all users in the current domain

# Windows:
net user /domain

# Linux:
echo "user list" | net rpc shell -U "[Username]"%"[Password]" -S [DC-IP]

List all groups in the current domain

# Windows:
net groups /domain

# Linux:
net rpc group list -U "[Username]"%"[Password]" -S [DC-IP]

Listing members of a specific group

# Windows:
net group "Domain Admins" /domain

# Linux:
net rpc group members 'Domain Admins' -U "[Username]"%"[Password]" -S [DC-IP]

Check the domain's password policy

# Windows:
net accounts /domain

# Linux:
echo "account show" | net rpc shell -U "[Username]"%"[Password]" -S [DC-IP]

Identify open shares on a domain computer

# Windows:
net view \\computer

# Linux:
net rpc share list -U "[Username]"%"[Password]" -S [DC-IP]
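
The Linux commands above pass the password inline as -U "user%pass", which lands in shell history and, at least briefly, on the process command line. The script below is an added example, not from the original post or the author's own scripts: it runs the same queries with the credentials kept in a 0600 auth file. It assumes a Samba release whose net accepts -A/--authentication-file (check `net --help`); the script name, function names and the sample server/domain values are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: the post's "net rpc" queries, with credentials supplied via
# a private auth file instead of -U "user%pass".
# Assumption: this Samba build's net supports -A/--authentication-file.

# Write a mode-0600 file in Samba's auth-file format and print its path.
make_authfile() {   # args: username password [domain]
    local f
    f=$(umask 077; mktemp "${TMPDIR:-/tmp}/netauth.XXXXXX") || return 1
    {
        printf 'username = %s\n' "$1"
        printf 'password = %s\n' "$2"
        if [ -n "${3:-}" ]; then printf 'domain = %s\n' "$3"; fi
    } > "$f"
    printf '%s\n' "$f"
}

# Run the enumeration queries listed in this post against one server.
enumerate() {       # args: authfile server
    local auth=$1 dc=$2
    echo "user list"    | net rpc shell -A "$auth" -S "$dc"
    net rpc group list -A "$auth" -S "$dc"
    net rpc group members 'Domain Admins' -A "$auth" -S "$dc"
    echo "account show" | net rpc shell -A "$auth" -S "$dc"
    net rpc share list -A "$auth" -S "$dc"
}

main() {            # args: username server [domain]
    local pass
    # Prompt without echo so the password never appears in argv or history.
    read -rs -p "Password for $1: " pass; echo >&2
    # Global on purpose: the EXIT trap runs after main's locals are gone.
    AUTHFILE=$(make_authfile "$1" "$pass" "${3:-}") || exit 1
    trap 'rm -f "$AUTHFILE"' EXIT
    enumerate "$AUTHFILE" "$2"
}

# Runs only when given arguments, e.g.: ./net_enum.sh alice 192.0.2.10 CORP
if [ "$#" -ge 2 ]; then main "$@"; fi
```

The auth file is deleted when the script exits; the password is still held in the script's memory for the duration of the run.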

Lookup domain user

Looking up details about a specific domain user requires multiple command variations that I have turned into a Bash script to save time:

# Windows:
net user m8r0wn /domain

# Linux:
./aduser_lookup.sh [Username] [Password] [DC-IP] [Lookup_User]

To further enumerate Windows from a Linux host, check out the following resources:
https://github.com/m8r0wn/nullinux
https://github.com/portcullislabs/enum4linux
https://github.com/SecureAuthCorp/impacket
https://github.com/m8r0wn/ActiveReign