Vulners
Lucene search
Microsoft Windows SAM user enumeration
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(126527);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/04");
script_name(english:"Microsoft Windows SAM user enumeration");
script_summary(english:"Enumerates users from the Security Accounts Manager");
script_set_attribute(attribute:"synopsis", value:
"Nessus was able to enumerate domain users from the local SAM.");
script_set_attribute(attribute:"description", value:
"Using the domain security identifier (SID), Nessus was able to
enumerate the domain users on the remote Windows system using
the Security Accounts Manager.
Note: Unable to obtain SMB SAMR user data during Agent scans.
Rendering User data obtained by plugin 171956");
script_set_attribute(attribute:"solution", value:"n/a");
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2019-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Windows : User management");
script_dependencies("netbios_name_get.nasl", "smb_login.nasl", "windows_enum_accounts.nbin");
script_require_keys("SMB/transport", "SMB/name", "SMB/login", "SMB/password");
script_require_ports (139, 445);
exit(0);
}
include("agent.inc");
include("kerberos_func.inc");
include("smb_func.inc");
include("json2.inc");
function get_plugin_preference()
{
local_var testing = get_kb_item("TESTING_smb_samr_user_enum");
if(!isnull(testing)) return "yes";
return get_preference("SMB User Enumeration[checkbox]:SAMR");
}
var name, first_loop, sid_parts, login, default_accounts, pass, port, r, user, domain, rid;
var count = 0;
var report = '';
if (!agent())
{
var plugin_selected = get_plugin_preference();
if(plugin_selected == "no" || plugin_selected != "yes")
exit(0, "This plugin has been disabled by scan policy preference.");
default_accounts = make_nested_array(
# rid display name specific kb item
500, make_array('Name','Administrator account', 'KB','SMB/AdminName'),
501, make_array('Name','Guest account', 'KB','SMB/GuestAccount'),
502, make_array('Name','Kerberos account', 'KB','')
);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
port = kb_smb_transport();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( r != 1 ) audit(AUDIT_SHARE_FAIL, 'IPC$');
var info = NetGetSamrUsers();
NetUseDel();
# Grab the HKU registry subkeys to determine the Machine ID for creating local SIDs later
registry_init();
var hku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);
var subkeys = get_registry_subkeys(handle:hku, key:'');
RegCloseKey(handle:hku);
close_registry();
var machine_id = '';
if (!empty_or_null(subkeys))
{
foreach var key (subkeys)
{
if (key =~ "^S-1-5-21-" && key !~ "_classes$")
{
sid_parts = split(key, sep:'-', keep:FALSE);
for (var i=0; i<len(sid_parts)-2; i++)
{
if (empty_or_null(machine_id))
machine_id = sid_parts[i] + '-';
else
machine_id = machine_id + sid_parts[i] + '-';
}
break;
}
}
}
if(!isnull(info))
{
replace_kb_item(name:"SMB/Users/enumerated", value:TRUE);
count = 0;
foreach user(info["names"])
{
count += 1;
rid = user["rid"];
name = user["name"];
if(isnull(rid) || isnull(name))
continue;
if(!empty_or_null(default_accounts[rid]))
{
if(empty_or_null(user["full_name"]))
user["full_name"] = default_accounts[rid]["Name"];
else if(empty_or_null(user["desc"]))
user["desc"] = default_accounts[rid]["Name"];
if(!empty_or_null(default_accounts[rid]['KB']))
replace_kb_item(name:default_accounts[rid]['KB'], value:name);
}
if ('-' >!< rid)
rid = machine_id + rid;
report += ' - ' + data_protection::sanitize_user_enum(users:name) + ' (id ' + rid;
if(!empty_or_null(user["full_name"]))
report += ', ' + user["full_name"];
if(!empty_or_null(user["desc"]))
report += ', ' + user["desc"];
report += ')\n';
replace_kb_item(name:"SMB/Users/" + count, value:name);
}
}
}
else
{
var ps_users = get_kb_item("Powershell/Windows/Users");
var udata = {};
var uname, disabled, lockout, chgpass;
if (!empty_or_null(ps_users))
{
var ps_users_struct = json_read(ps_users);
foreach var thisuser (keys(ps_users_struct))
{
if (typeof(ps_users_struct[thisuser]) != 'array')
continue;
foreach var thiselem (keys(ps_users_struct[thisuser]))
{
name = uname = disabled = lockout = chgpass = NULL;
if (empty_or_null(ps_users_struct[thisuser][thiselem]['name']))
continue;
name = data_protection::sanitize_user_enum(users:ps_users_struct[thisuser][thiselem]['name']);
uname = toupper(name);
udata[uname]['name'] = name;
udata[uname]['sid'] = thiselem;
if (!empty_or_null(ps_users_struct[thisuser][thiselem]['disabled']))
{
if (ps_users_struct[thisuser][thiselem]['disabled'] == 0)
udata[uname]['disabled'] = "False";
else
udata[uname]['disabled'] = "True";
}
if (!empty_or_null(ps_users_struct[thisuser][thiselem]['lockout']))
{
if (ps_users_struct[thisuser][thiselem]['lockout'] == 0)
udata[uname]['lockout'] = "False";
else
udata[uname]['lockout'] = "True";
}
if (!empty_or_null(ps_users_struct[thisuser][thiselem]['password']) &&
!empty_or_null(ps_users_struct[thisuser][thiselem]['password']['passCanChange']))
{
if (ps_users_struct[thisuser][thiselem]['password']['passCanChange'] == 0)
udata[uname]['chgpass'] = "False";
else
udata[uname]['chgpass'] = "True";
}
}
}
foreach var udat (sort(keys(udata)))
{
if (first_loop)
first_loop = FALSE;
else
report = report + '\n';
if (!empty_or_null(udata[udat]['name']))
{
report += strcat(' - ', udata[udat]['name']);
if (!empty_or_null(udata[udat]['sid']))
{
report += strcat(' (id ', udata[udat]['sid'], ')');
}
count++;
}
}
if (count > 0)
report += '\n\n No. Of Users : ' + count + '\n';
}
}
replace_kb_item(name:"SMB/Users/count", value:count);
if (strlen(report) > 0)
{
security_note(port:0, extra:report);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Jun 2025 00:00Current
5.5Medium risk
Vulners AI Score5.5