PaulDotCom mailing list archives

Re: user enumeration through RDP


From: Michael Salmon <lonestarr13 () gmail com>
Date: Tue, 23 Apr 2013 15:47:17 -0400

Does RDP on Windows 7 still give the logged in username?  Working with W7, I
haven't seen it anymore, but it may be that it's been disabled in my
environment and I didn't realize it.


On Tue, Apr 23, 2013 at 1:18 PM, Carlos Perez <carlos_perez () darkoperator com> wrote:

No clue on that

On Apr 23, 2013, at 12:32 PM, Robin Wood <robin () digininja org> wrote:


On Apr 23, 2013 5:07 PM, "Carlos Perez" <carlos_perez () darkoperator com> wrote:

This was what I was alluding to
http://www.tenable.com/blog/nessus-52-released

Nessus will now grab VNC and RDP Screenshots

Looks pretty cool. Any chance of building in character recognition to
read the active user?

Robin

Sent from my iPhone

On Apr 23, 2013, at 3:29 AM, Matt <matt () fireantsecurity co uk> wrote:

If you are at BSidesLondon tomorrow we can chat then.


Sent from my iPhone

On 21 Apr 2013, at 23:05, Robin Wood <robin () digininja org> wrote:

On 18 April 2013 15:36, Matt <matt () fireantsecurity co uk> wrote:

You can do more than that. Can't say much more, but RDP has some
useful "features" that can be leveraged to gain a higher level of access if
you know your way round the Windows API.


Pointers to any info? I don't know much about the windows API but
might be worth looking at.


Sent from my iPhone

On 18 Apr 2013, at 01:36, Robin Wood <robin () digininja org> wrote:

I've just noticed a nice little trick for user enumeration. The
client I'm testing has RDP on almost every Windows machine and when you
connect to them, if there is a user already connected they tell you who it
is. Luckily here most of them do have someone logged in. It is a manual job
but has got me a nice little stash of usernames, which is good as all my
usual techniques failed. As an extra bit of luck, by naming and subnets I know which
the servers are, so I'm assuming users connected to them are either admins
or at least have more privileges than a normal user.

Thought others might find it useful.

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
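Added example (editor's note; this is not code from the thread, from any of its posters, or from Nessus). One thing the thread does not spell out is why a host may stop showing the logged-in user's name: Network Level Authentication. With NLA enforced, the server demands credentials before it renders any logon screen, so the trick in the original post only works against hosts that still accept standard RDP (or plain TLS) security without NLA; that setting, or the "Interactive logon: Do not display last user name" policy, is one likely explanation for the W7 question above. The script below sends the pre-authentication X.224 Connection Request carrying an RDP_NEG_REQ that asks for standard RDP security only, then classifies the server's RDP_NEG_RSP or RDP_NEG_FAILURE, so the hosts worth connecting to by hand can be picked out before the manual work. Frame layout and constants follow MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2; the sample responses are constructed for the example, not captured from any real host, and the live behaviour of probe() against real servers is an assumption, not something verified here.

```python
#!/usr/bin/env python3
"""Pre-authentication RDP security negotiation probe (added example, not from the thread).

Sends TPKT + X.224 Connection Request + RDP_NEG_REQ requesting standard RDP
security only, then classifies the server's RDP_NEG_RSP / RDP_NEG_FAILURE
(MS-RDPBCGR 2.2.1.1, 2.2.1.2).  HYBRID_REQUIRED_BY_SERVER means NLA is
enforced: no logon screen is ever shown to an unauthenticated client, so
there is no user name to read.  Any other answer means the logon screen is
reachable without credentials (over plain RDP or after a TLS retry).
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002        # CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (19 bytes)."""
    # RDP_NEG_REQ is little-endian: type, flags, length (always 8), protocols
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI=14 (bytes following the LI), code 0xE0 = CR, dst-ref, src-ref, class 0
    x224 = struct.pack(">BBHHB", 14, 0xE0, 0, 0, 0)
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req))
    return tpkt + x224 + neg_req


def parse_connection_confirm(data):
    """Classify a server's X.224 Connection Confirm.

    Returns {'nla_required': bool, 'detail': str}.
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if data[5] != 0xD0:
        raise ValueError("X.224 TPDU code 0x%02x is not a Connection Confirm" % data[5])
    if tpkt_len < 19 or len(data) < 19:
        # Servers that predate negotiation answer with a bare 11-byte CC:
        # standard RDP security, logon screen served to anyone.
        return {"nla_required": False,
                "detail": "no RDP_NEG_RSP (legacy standard RDP security)"}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("unexpected negotiation structure length %d" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        nla = bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
        return {"nla_required": nla,
                "detail": "server selected protocol 0x%08x" % value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "unknown failure code 0x%08x" % value)
        # SSL_REQUIRED_BY_SERVER only says "come back over TLS"; the logon
        # screen is still drawn before any credentials are supplied.
        return {"nla_required": value == 0x05, "detail": name}
    raise ValueError("unknown negotiation type 0x%02x" % neg_type)


def probe(host, port=3389, timeout=5.0):
    """Connect to one host and classify it (live network use, assumed behaviour)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(1024)
    return parse_connection_confirm(data)


# Constructed sample responses for offline use (not captured from real hosts).
CC_HEADER = b"\x03\x00\x00\x13" + b"\x0e\xd0\x00\x00\x12\x34\x00"
SAMPLE_NLA_REQUIRED = CC_HEADER + b"\x03\x00\x08\x00\x05\x00\x00\x00"
SAMPLE_TLS_REQUIRED = CC_HEADER + b"\x03\x00\x08\x00\x01\x00\x00\x00"
SAMPLE_RDP_ACCEPTED = CC_HEADER + b"\x02\x00\x08\x00\x00\x00\x00\x00"
SAMPLE_LEGACY = b"\x03\x00\x00\x0b" + b"\x06\xd0\x00\x00\x12\x34\x00"

if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            r = probe(host)
            state = "NLA required" if r["nla_required"] else "logon screen reachable"
            print("%s: %s (%s)" % (host, state, r["detail"]))
        except (OSError, ValueError) as exc:
            print("%s: error: %s" % (host, exc))
```

Run it as "python3 rdp_nla_probe.py host1 host2 ..." (file name is arbitrary) and only sit down to connect manually to the hosts reported as "logon screen reachable". A reachable logon screen does not guarantee a name on it: whether the current user is displayed still depends on the Windows version and on the "Do not display last user name" policy, which this probe cannot see.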