SMB User Group Enumeration Scanner

Short Info

Level: Informational
Single Scan: Single Scan
Can be used by: Everyone
Estimated Time: 15 seconds
Time Interval: 1 week
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Obtains a list of groups from the remote Windows system, as well as a list of the group's users. This works similarly to enum.exe with the /G switch.

The following MSRPC functions in SAMR are used to find a list of groups and the RIDs of their users. Keep in mind that MSRPC refers to groups as "Aliases".

  • Bind: bind to the SAMR service.
  • Connect4: get a connect_handle.
  • EnumDomains: get a list of the domains.
  • LookupDomain: get the RID of the domains.
  • OpenDomain: get a handle for each domain.
  • EnumDomainAliases: get the list of groups in the domain.
  • OpenAlias: get a handle to each group.
  • GetMembersInAlias: get the RIDs of the members in the groups.
  • Close: close the alias handle.
  • Close: close the domain handle.
  • Close: close the connect handle.

Once the RIDs have been determined, the following MSRPC functions in LSA are used to convert them to usernames:

  • Bind: bind to the LSA service.
  • OpenPolicy2: get a policy handle.
  • LookupSids2: convert SIDs to usernames.

I (Ron Bowes) originally looked into the possibility of using the SAMR function LookupRids2 to convert RIDs to usernames, but the function seemed to return a fault no matter what I tried. Since enum.exe also switches to LSA to convert RIDs to usernames, I figured they had the same issue and I do the same thing.
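The step the description leaves implicit is how a RID returned by GetMembersInAlias becomes a SID that LookupSids2 accepts: the RID is appended to the domain SID, and the result is serialized into the binary SID structure carried in the RPC call. The following is an added illustration, not code from the scanner or from the Nmap script it is based on; the domain SID and member RIDs are constructed sample values.

```python
import struct

# Constructed sample data (not taken from the page): a domain SID and the
# member RIDs that GetMembersInAlias might return for one alias.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
MEMBER_RIDS = [500, 512, 1104]


def rid_to_sid(domain_sid: str, rid: int) -> str:
    """Append a RID to the domain SID to form the full account SID."""
    return f"{domain_sid}-{rid}"


def sid_to_bytes(sid: str) -> bytes:
    """Serialize a textual SID into the on-wire SID structure:
    Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian),
    SubAuthority[] (one little-endian uint32 per sub-authority)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes; rejects a length that disagrees with the count."""
    revision, count = struct.unpack_from("<BB", data, 0)
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def build_lookup_list(domain_sid: str, rids: list[int]) -> list[bytes]:
    """The list of binary SIDs that would be handed to LookupSids2."""
    return [sid_to_bytes(rid_to_sid(domain_sid, r)) for r in rids]
```

The same serializer and parser apply when reading SIDs out of Windows security event logs, which is the defender-side use of this structure.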
