Penetration Testing mailing list archives

Re: [PEN-TEST] Finding a Windows machine that a user is logged in to


From: "Lucyga,Dierk - Munich" <DLucyga () MUNICHRE COM>
Date: Thu, 15 Mar 2001 14:03:50 +0100

From:  Mike Sues [SMTP:msues () cinnabar ca]
Sent:  Wednesday, March 14, 2001 4:35 PM
To:    PEN-TEST () SECURITYFOCUS COM
Subject:       Re: [PEN-TEST] Finding a Windows machine that a user is logged into

You need to send a NetBIOS name query for the NetBIOS
service RDAWES<0x03>. This is the Messenger service (i.e.
type 0x03) for the username in question. If the client uses
WINS, send the query to the WINS server. Otherwise, if the
suspected client is on the same subnet, send it to the broadcast
address; the client will then respond. If it's not on the
same subnet and WINS is not used, and you have a range of
IP addresses, send a name query for RDAWES<0x03> to each
IP address; the client will then respond.

I don't think searching for 0x03 entries in WINS and/or the name
cache is feasible at all, as the workstation service also registers its
name with 0x03. If you're doing an uneducated pen test and there is
no obvious distinctive feature in the various names, you won't be able
to tell user names and workstation names apart.

Regards,

Dierk Lucyga
IS Office
Tel.: (089) 3891-4720
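The query described in the quoted message (a NetBIOS Name Service request for RDAWES<0x03>, sent to a WINS server, the subnet broadcast address, or each host in a range), as an added example that is not part of the original thread. It builds the NAME QUERY REQUEST and parses a positive NAME QUERY RESPONSE per RFC 1001/1002; the user name RDAWES is the thread's own, while the transaction ID, the address 10.0.0.23 and the SAMPLE_RESPONSE bytes are constructed for offline use and are not captured traffic.

```python
"""NetBIOS Name Service (NBNS, UDP/137) query for a <0x03> name, RFC 1001/1002.
Added example for the thread above; not code from the original posts."""
import socket
import struct

NB_TYPE = 0x0020          # RR type NB (NetBIOS general name service record)
CLASS_IN = 0x0001
MESSENGER_SUFFIX = 0x03   # suffix registered by the Messenger service
# ONT bits of NB_FLAGS; value 3 is reserved in RFC 1002, Windows uses it for H-node
NODE_TYPES = {0: "B", 1: "P", 2: "M", 3: "H"}


def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001 14.1): upper-case, pad with spaces to 15
    bytes, append the suffix byte, then spread each byte over two 'A'..'P' chars."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name, suffix, trn_id, broadcast):
    """NAME QUERY REQUEST (RFC 1002 4.2.12). B=1 when sent to the subnet
    broadcast address; B=0 for a unicast query to a WINS server or one host."""
    flags = 0x0110 if broadcast else 0x0100     # OPCODE=0 (query), RD=1, B as chosen
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + qname + struct.pack(">HH", NB_TYPE, CLASS_IN)


def _skip_name(data, off):
    """Skip a length-prefixed label sequence terminated by a zero byte."""
    while data[off] != 0:
        off += 1 + data[off]
    return off + 1


def parse_name_query_response(data, expected_trn_id):
    """Return [(ip, node_type, is_group), ...] from a POSITIVE NAME QUERY
    RESPONSE (RFC 1002 4.2.13); [] for a negative response (RCODE != 0)."""
    trn_id, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if trn_id != expected_trn_id or not flags & 0x8000 or ((flags >> 11) & 0xF) != 0:
        raise ValueError("not a name query response for our transaction")
    if flags & 0x000F:                          # NAM_ERR, SRV_ERR, ...
        return []
    off = 12
    for _ in range(qd):                         # responses normally carry QDCOUNT=0
        off = _skip_name(data, off) + 4
    results = []
    for _ in range(an):
        off = _skip_name(data, off)
        rr_type, _rr_class, _ttl, rdlength = struct.unpack_from(">HHIH", data, off)
        off += 10
        if rr_type == NB_TYPE:
            # RDATA is a list of 6-byte entries: NB_FLAGS (G bit, ONT) + NB_ADDRESS
            for entry in range(off, off + rdlength, 6):
                nb_flags, = struct.unpack_from(">H", data, entry)
                ip = socket.inet_ntoa(data[entry + 2:entry + 6])
                results.append((ip, NODE_TYPES[(nb_flags >> 13) & 0x3],
                                bool(nb_flags & 0x8000)))
        off += rdlength
    return results


def query_name(target, name, suffix=MESSENGER_SUFFIX, broadcast=False, timeout=2.0):
    """Send one query to `target` (WINS server, broadcast address or single host)
    and return the parsed owners. This is the network call; it is not run offline."""
    trn_id = 0x1234                             # assumed fixed ID for the example
    pkt = build_name_query(name, suffix, trn_id, broadcast)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if broadcast:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(pkt, (target, 137))
        try:
            data, _ = s.recvfrom(1024)
        except socket.timeout:
            return []
    return parse_name_query_response(data, trn_id)


# Constructed positive response, as a host owning RDAWES<03> at 10.0.0.23 would
# send (unique name, H-node). Built here for offline use; not captured traffic.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0)
    + b"\x20" + encode_netbios_name("RDAWES", MESSENGER_SUFFIX) + b"\x00"
    + struct.pack(">HHIH", NB_TYPE, CLASS_IN, 300000, 6)
    + struct.pack(">H", 0x6000) + socket.inet_aton("10.0.0.23")
)

if __name__ == "__main__":
    print(build_name_query("RDAWES", MESSENGER_SUFFIX, 0x1234, True).hex())
    print(parse_name_query_response(SAMPLE_RESPONSE, 0x1234))
```

To sweep a range as the quoted message suggests, call query_name() once per address with broadcast=False; a positive answer tells you which host registered the <03> name, nothing more. As the reply notes, a machine name is registered with the same 0x03 suffix, so a positive answer for a name you did not already know to be a user name does not by itself prove it is one.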

