Microsoft Windows 'Backup Operators' Group User List

2002-03-15T00:00:00
ID SMB_GROUP_BACKUP_OP.NASL
Type nessus
Reporter Tenable
Modified 2018-05-16T00:00:00

Description

Using the supplied credentials, it is possible to extract the member list of the 'Backup Operators' group. Members of this group can logon to the remote host and perform backup operations (read/write files) but have no administrative rights.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(10904);
 script_version("1.19");
 script_cvs_date("Date: 2018/05/16 19:05:10");
 script_name(english:"Microsoft Windows 'Backup Operators' Group User List");
 script_summary(english:"Lists users that are in special groups");

 script_set_attribute(attribute:"synopsis", value:"There is at least one user in the 'Backup Operators' group.");
 script_set_attribute(attribute:"description", value:
"Using the supplied credentials, it is possible to extract the member
list of the 'Backup Operators' group. Members of this group can logon
to the remote host and perform backup operations (read/write files)
but have no administrative rights.");
 script_set_attribute(attribute:"solution", value:"Verify that each member of the group should have this type of access.");
 script_set_attribute(attribute:"risk_factor", value:"None");

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/03/15");

script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"Windows : User management");
 script_dependencies("netbios_name_get.nasl",
 		     "smb_login.nasl");
 script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password");
 script_require_ports (139,445);
 exit(0);
}


include ("audit.inc");
include ("smb_func.inc");
include ("data_protection.inc");

sid = raw_string (0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x27,0x02,0x00,0x00);

login	= kb_smb_login();
pass	= kb_smb_password();
domain  = kb_smb_domain();
port	= kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( r != 1 ) audit(AUDIT_SHARE_FAIL, 'IPC$');

group = NULL;

lsa = LsaOpenPolicy (desired_access:0x20801);
if (!isnull(lsa))
{
 sids = NULL;
 sids[0] = sid;
 names = LsaLookupSid (handle:lsa, sid_array:sids);
 if (!isnull(names))
 {
  group = parse_lsalookupsid(data:names[0]);
 }

 LsaClose (handle:lsa);
}

if (isnull(group))
{
 NetUseDel();
 exit(0);
}

info = "";
members = NetLocalGroupGetMembers (group:group[2]);

foreach member ( members )
{
  member = parse_lsalookupsid(data:member);
  info += string("  - ", member[1], "\\", member[2], " (", SID_TYPE[member[0]], ")\n");
}
NetUseDel();

if (info)
{
  if (max_index(split(info)) == 1)
    report = "The following user is a member";
  else
    report = "The following users are members";

  report = string(
    "\n",
    report, " of the 'Backup Operators' group :\n",
    "\n",
    data_protection::sanitize_user_enum(users:info)
  );
  security_note(port:0, extra:report);
}