DumpSec, presently available as freeware from SomarSoft and downloadable at http://www.systemtools.com/somarsoft/, is a security auditing program for Windows systems. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable listbox (text) format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.
DumpSec takes advantage of the NetBIOS API and works by establishing NULL session to the target box as the Null user via the [net use \\server "" /user:""] command. It then makes NET* enumeration application program interface (API) calls like NetServerGetInfo (supported by the Netapi32 library).
It allows users to remotely connect to any computer and dump permissions, audit settings, and ownership for the Windows NT/2000 file system into a format that is easily converted to Microsoft Excel for editing. Hackers can choose to dump either NTFS or share permissions. It can also dump permissions for printers and the registry.
The highlight is DumpSec's ability to dump the users and groups in a Windows NT or Active Directory domain. There are several reporting options and the hacker can choose to dump the direct and nested group memberships for every user, as well as the logon scripts, account status such as disabled or locked out, and the 'true' last logon time across all domain controllers. The user can also get password information such as 'Password Last Set Time' and 'Password Expires Time'. To summarize, Dumpsec can pull a list of users, groups, and the NT system's policies and user rights.
Tags: Attack phases, Enumeration, Hacking Tools