Anonymous remote registry reads (fwd)

Luke Kenneth Casson Leighton lkcl at
Tue Oct 26 21:22:46 GMT 1999

> I'm an intern at the SEC, and one of my tasks is to harden all of the NT
> boxes on the SEC network.  I've been trying to go about this by using a
> Perl script that compiles a list of all the currently connected NT boxes
> and checks those computers for a certain registry key.  If that key is
> found, or if the registry is not accessible, the script does nothing.  If
> it is not found, a warning is displayed on the box stating that whoever is
> using it has 72 hours to contact the Security Group before the box gets
> shut down and restarted, and instructed to download and run the hardener,
> whereupon it reboots again and the key is created.  
> So far, I can compile the list of NT boxes.  :)  I've been having trouble
> with rpcclient.  1)  I don't really know how to use it.

anyone want to write a man page? :)

rpcclient [-I ip address] -S server_name [-U [username][%[pass]]] [-W workgroup] [-l log] [-d debug level]

these are the main options i use.

the bit about -U is a bit confusing.  it means, you can do this:

-U % (anonymous, unprompted connection)

-U username (authenticated, password-prompted connection)

-U username%password (authenticated, unprompted connection)

USER and PASSWD environment variables also work the same as they do in
smbclient (guess where the code for rpcclient was cut/paste from :)

i would recommend that your script be run something like this:

for x in $hosts      # $hosts: the list of NT boxes your script compiled
do
  rpcclient -S $x -U $1%$2
done

where $1 and $2 are the username and password.  your script would then be

check_reg_sec administrator admin_password

or, to be safer than sorry, create a special domain account with the
privileges added to the registry key you require to access the special
registry key you mention above (at least read and enumerate).  your
hardener program should set this up (the account and the ACL on the
special key).

>  2)  I seem to be
> getting a lot of ERR_noaccess's or ERR_invalidsid's.  The goal has been to
> do all this anonymously, but I think I'm running into problems with access
> privileges.  

you cannot access the windows registry anonymously unless you explicitly
enable this on each and every host.  given that this would be a security
risk, and you are trying to lock down the security of your network, it's
probably not a good idea!

at the smb: /> prompt, type help and then help regenum.

example: regenum HKLM

shows you the list of keys / values in HIVE_KEY_LOCAL_MACHINE.

for your purposes, if you know that a key (not a value) exists, try using
regquerykey.  if the key exists, you will get info about the number of
keys, number of values etc.

this is a Unix implementation of the MSDN RegQueryKeyEx function, and you
get exactly the same information.  see MSDN for more info.

if you want the list of security ACLs on a key, use reggetsec.

if you want to create a key, use regcreatekey.  the default ACL is created
for the key (inherited from the parent) [i am sorry, but regsetsec doesn't
work properly, yet].

if you want to remotely shut down the box, use shutdown (see help

luke (samba team)
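As an added example that is not part of the original post (and not Samba's own code), here is a sketch of the script this reply describes: loop over the hosts, ask rpcclient for the marker key, and apply the thread's rule (key found or registry inaccessible means do nothing; key missing means flag the host). The thread does not show rpcclient's exact output, so the patterns it matches on, the placeholder key name and the use of stdin and PASSWD are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example, not code from the original post: the host check Luke
# sketches, with the decision rule from the thread (key found or registry
# inaccessible -> do nothing; key missing -> flag the host) separated from
# the rpcclient call so it can be exercised on constructed output.
# Assumptions, since the thread does not show rpcclient's exact output:
#   - an access failure contains ERR_noaccess or ERR_invalidsid (both quoted
#     in the thread); a successful regquerykey reply reports "keys" and
#     "values" counts; anything else is treated as "key missing";
#   - rpcclient reads commands from stdin like smbclient does, and honours
#     the PASSWD environment variable as the post says it does.
# KEY is a placeholder for the hardener's marker key.

KEY='HKLM\SOFTWARE\Placeholder\HardenerMarker'

# classify_output TEXT -> prints one of: found | noaccess | missing
classify_output() {
    case "$1" in
        *ERR_noaccess*|*ERR_invalidsid*) echo noaccess ;;
        *keys*values*)                   echo found ;;
        *)                               echo missing ;;
    esac
}

# check_host HOST USER PASS -> classification of one host.
# The password goes in via PASSWD rather than -U user%pass so it does not
# show up in the process list for every other user on the scanning box.
check_host() {
    out=$(printf 'regquerykey %s\nquit\n' "$KEY" |
          PASSWD="$3" rpcclient -S "$1" -U "$2" 2>&1)
    classify_output "$out"
}

# main HOSTFILE USER PASS: one host name per line, as the intern's Perl
# script already produces; only hosts with the key missing are reported.
main() {
    while read -r host; do
        if [ "$(check_host "$host" "$2" "$3")" = missing ]; then
            echo "$host: marker key missing, needs the hardener"
        fi
    done < "$1"
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run it with the dedicated low-privilege domain account the reply recommends (read and enumerate on the marker key only) rather than the administrator account.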
