PaulDotCom mailing list archives

Re: user enumeration through RDP


From: Carlos Perez <carlos_perez () darkoperator com>
Date: Tue, 7 May 2013 16:24:28 -0400

Can it do it via port 3389? I doubt it. The subject is enumeration through RDP; that tool actually logs in and requires creds to the box and the RPC ports open.

Sent from my iPhone

On May 7, 2013, at 2:40 PM, Rob Fuller <jd.mubix () gmail com> wrote:

Could just use findtoken / incognito from MWR, it will list available tokens on the box (supports ranges)

http://labs.mwrinfosecurity.com/blog/2012/07/18/incognito-v2-0-released/


--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org


On Thu, Apr 25, 2013 at 4:16 PM, Ryan <randomrhythm () rhythmengineering com> wrote:
Microsoft Network Level Authentication (NLA) for RDP can also help defend against these "features" as it doesn't 
allow a full RDP connection until the user is authenticated. 
 
Ryan
----- Original Message -----
From: Jeremy Pommerening
To: PaulDotCom Security Weekly Mailing List
Sent: Tuesday, April 23, 2013 3:27 PM
Subject: Re: [Pauldotcom] user enumeration through RDP

It still displays the username unless you specifically tell it not to via GPO or local machine policy: Interactive Logon: "Do not display last user name" (Enable or Disable).
 
Jeremy Pommerening
CISSP, GCFA, GPEN, GAWN, GCFW, GWAPT,
MCSE Win2K, MCSE NT4
From: Michael Salmon <lonestarr13 () gmail com>
To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com> 
Sent: Tuesday, April 23, 2013 1:47 PM
Subject: Re: [Pauldotcom] user enumeration through RDP

Does RDP on Windows 7 still give the logged in username?  Working with W7 I haven't seen it anymore but it may be 
that it's been disabled in my environment and I didn't realize it.


On Tue, Apr 23, 2013 at 1:18 PM, Carlos Perez <carlos_perez () darkoperator com> wrote:
No clue on that 

On Apr 23, 2013, at 12:32 PM, Robin Wood <robin () digininja org> wrote:


On Apr 23, 2013 5:07 PM, "Carlos Perez" <carlos_perez () darkoperator com> wrote:

This was what I was alluding to  
http://www.tenable.com/blog/nessus-52-released

Nessus will now grab VNC and RDP screenshots.

Looks pretty cool. Any chance of building in character recognition to read the active user?
Robin
Sent from my iPhone

On Apr 23, 2013, at 3:29 AM, Matt <matt () fireantsecurity co uk> wrote:

If you are at BSidesLondon tomorrow we can chat then.


Sent from my iPhone

On 21 Apr 2013, at 23:05, Robin Wood <robin () digininja org> wrote:

On 18 April 2013 15:36, Matt <matt () fireantsecurity co uk> wrote:

You can do more than that. Can't say much more, but RDP has some useful "features" that can be leveraged to gain a higher level of access if you know your way round the Windows API.


Pointers to any info? I don't know much about the Windows API but it might be worth looking at.
 

Sent from my iPhone

On 18 Apr 2013, at 01:36, Robin Wood <robin () digininja org> wrote:

I've just noticed a nice little trick for user enumeration. The client I'm testing has RDP on almost every Windows machine, and when you connect to them, if there is a user already connected they tell you who it is. Luckily here most of them do have someone logged in. It is a manual job but has got me a nice little stash of usernames, which is good as all my usual techniques failed. Extra lucky: by naming and subnets I know which ones are the servers, so I'm assuming users connected to them are either admins or at least have more privileges than a normal user.

Thought others might find it useful.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
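As an added example, not code from the thread or any of its posters, the PowerShell below audits the two defensive controls Ryan and Jeremy name above: requiring Network Level Authentication on the RDP listener, and the "Interactive logon: Do not display last user name" policy. The registry paths and value names are the standard ones behind those settings; the function names and the assumption that it runs elevated on the host being checked are mine.

```powershell
# Added example (not from the thread): audit and optionally apply the two RDP
# disclosure controls discussed above. Assumes an elevated session on the host.

function Get-RdpDisclosureSettings {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Read a DWORD, returning $null when the key or value does not exist
    function Read-Dword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $dontDisplay = Read-Dword $policyKey 'DontDisplayLastUserName'   # 1 = policy enabled
    $nla         = Read-Dword $rdpTcpKey 'UserAuthentication'        # 1 = NLA required
    $secLayer    = Read-Dword $rdpTcpKey 'SecurityLayer'             # 2 = TLS
    $rdpDenied   = Read-Dword $tsKey     'fDenyTSConnections'        # 1 = RDP disabled

    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        RdpEnabled              = ($rdpDenied -ne 1)
        NlaRequired             = ($nla -eq 1)
        SecurityLayer           = $secLayer
        DontDisplayLastUserName = ($dontDisplay -eq 1)
    }
}

function Test-RdpDisclosureHardening {
    # Returns one finding string per missing control; an empty array means both are in place.
    $s = Get-RdpDisclosureSettings
    $findings = @()
    if ($s.RdpEnabled -and -not $s.NlaRequired) {
        $findings += 'RDP listener does not require NLA: the logon screen is reachable before authentication.'
    }
    if (-not $s.DontDisplayLastUserName) {
        $findings += '"Do not display last user name" is not enabled: the last logon account is shown on the logon screen.'
    }
    return $findings
}

function Set-RdpDisclosureHardening {
    # Applies both settings locally. On domain-joined hosts set the equivalent GPO instead,
    # otherwise the next policy refresh can revert these values.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $rdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    if ($PSCmdlet.ShouldProcess($rdpTcpKey, 'Require NLA and TLS on RDP-Tcp')) {
        Set-ItemProperty -Path $rdpTcpKey -Name 'UserAuthentication' -Value 1 -Type DWord
        Set-ItemProperty -Path $rdpTcpKey -Name 'SecurityLayer'      -Value 2 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($policyKey, 'Enable "Do not display last user name"')) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name 'DontDisplayLastUserName' -Value 1 -Type DWord
    }
}

# Usage: list findings for this host, then fix them (-WhatIf previews the changes)
Test-RdpDisclosureHardening
# Set-RdpDisclosureHardening -WhatIf
```

To sweep a fleet, wrap `Test-RdpDisclosureHardening` in `Invoke-Command -ComputerName` and collect the non-empty results. One caveat when turning NLA on: clients without CredSSP support (notably unpatched Windows XP era clients) can no longer connect to that listener, so confirm that no such clients still need RDP access before enforcing it.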