Full Disclosure mailing list archives
Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included)
From: Reed Arvin <reedarvin () gmail com>
Date: Tue, 9 Feb 2010 11:07:39 -0700
WinScanX Pro is only $10.00 for the month of February (normally $250.00) WinScanX Basic (always free - only scans one host per run) http://www.windowsaudit.com/ Article tool: DCLookup.exe (source included) http://windowsaudit.com/downloads/DCLookup.zip Original article link: http://windowsaudit.com/winscanx/finding-domain-controllers-for-use-with-winscanx/ ============================== When performing a security assessment it’s important to have a plan of attack. All machines do not have the same level of criticality. For example, a missing patch on a Windows workstation will not be perceived as being as serious a flaw as a missing patch on a Windows domain controller. For a Windows assessment, one routine that I found useful was to target the following hosts in the following order: - Windows domain controllers - Windows servers - Windows workstations Locating Windows domain controllers can be a bit of a hassle sometimes, especially if you have no knowledge of the network you are assessing. If that is the case for you, the following may provide some help. DCLookup – Provides a list of domain controllers that are available to authenticate the current host Download at: http://windowsaudit.com/downloads/DCLookup.zip (source included) Usage: DCLookup.exe <hostname | ip address> DCLookup.exe 127.0.0.1 DCLookup.exe MyMachine Example output: C:\>DCLookup.exe 127.0.0.1 +++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ DC INFO VIA DsGetDcName +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++ Domain Controller Name: \\site1dc06.company.corp Domain Controller Address: \\192.168.11.65 Domain Name: company.corp DNS Forest Name: company.corp +++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ DC INFO VIA DsGetDomainControllerInfo +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++ NetBios Name: site1DC01 DNS Host Name: site1dc01.company.corp NetBios Name: site1DC02 DNS Host Name: site1dc02.company.corp NetBios Name: site2DC01 DNS Host Name: site2dc01.company.corp NetBios Name: site3DC01 DNS Host Name: site3dc01.company.corp NetBios Name: site4DC01 DNS Host Name: site4DC01.company.corp NetBios Name: site5DC01 DNS Host Name: site5DC01.company.corp NetBios Name: site6DC04 DNS Host Name: site6DC04.company.corp NetBios Name: site1DC05 DNS Host Name: site1dc05.company.corp NetBios Name: site1DC06 DNS Host Name: site1dc06.company.corp NetBios Name: site1DC04 DNS Host Name: site1dc04.company.corp +++++++++++++++++++++++++++++++++++++++++++++++++++ +++++ DC INFO VIA DsEnumerateDomainTrusts +++++ +++++++++++++++++++++++++++++++++++++++++++++++++++ NetBios Domain Name: TRUSTEDDOM DNS Domain Name: trusteddom.corp What to do next: Once you have a list of domain controllers, the next step would be to start running various checks against them to assess their security stature. The following is a short assessment flow for a domain controller using WinScanX: 1. Using WinScanX, attempt to retrieve the account lockout threshold using the Get Account Policy Information feature against a domain controller. 2. If the account lockout threshold is not set or if it is 5 attempts or higher, attempt to retrieve the user information using the Get User Information or Get User Information via RA Bypass feature of WinScanX and run a quick password check using the Guess Windows Passwords feature. ***NOTE*** Make sure to only use the Guess Windows Passwords feature on one domain controller ONLY. Using this feature on multiple domain controllers in the same domain may cause accounts to lock out. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included) Reed Arvin (Feb 09)
- Re: Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included) Thor (Hammer of God) (Feb 09)
- Re: Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included) Bugtrace (Feb 09)