Re: user enumeration through RDP

[Chris Campbell <chris () ctcampbell com>]

There's a group policy option to disable username memory on the login 
screen.

Michael Salmon wrote:
> Does RDP on Windows 7 still give the logged in username?  Working with 
> W7 I haven't seen it anymore but it may be that it's been disabled in 
> my environment and I didn't realize it.
>
>
> On Tue, Apr 23, 2013 at 1:18 PM, Carlos Perez 
> <carlos_perez () darkoperator com <mailto:carlos_perez () darkoperator com>> 
> wrote:
>
>     No clue on that
>
>     On Apr 23, 2013, at 12:32 PM, Robin Wood <robin () digininja org
>     <mailto:robin () digininja org>> wrote:
>
> >     On Apr 23, 2013 5:07 PM, "Carlos Perez"
> >     <carlos_perez () darkoperator com
> >     <mailto:carlos_perez () darkoperator com>> wrote:
> >     >
> >     > This was what I was alluding to
> >     > http://www.tenable.com/blog/nessus-52-released
> >     >
> >     > Nessus will now grab VNC and RDP Screenshots
> >
> >     Looks pretty cool. Any chance of building in character
> >     recognition in to read the active user?
> >
> >     Robin
> >
> >     > Sent from my iPhone
> >     >
> >     > On Apr 23, 2013, at 3:29 AM, Matt <matt () fireantsecurity co uk
> >     <mailto:matt () fireantsecurity co uk>> wrote:
> >     >
> >     >> If you are at BSidesLondon tomorrow we can chat then.
> >     >>
> >     >>
> >     >> Sent from my iPhone
> >     >>
> >     >> On 21 Apr 2013, at 23:05, Robin Wood <robin () digininja org
> >     <mailto:robin () digininja org>> wrote:
> >     >>
> >     >>> On 18 April 2013 15:36, Matt <matt () fireantsecurity co uk
> >     <mailto:matt () fireantsecurity co uk>> wrote:
> >     >>>>
> >     >>>> You can do more than that. Can't say much more but RDP has
> >     some useful "features" that can be leveraged to gain a higher
> >     level of access if you know your way round windows api.
> >     >>>>
> >     >>>
> >     >>> Pointers to any info? I don't know much about the windows API
> >     but might be worth looking at.
> >     >>>
> >     >>>>
> >     >>>> Sent from my iPhone
> >     >>>>
> >     >>>> On 18 Apr 2013, at 01:36, Robin Wood <robin () digininja org
> >     <mailto:robin () digininja org>> wrote:
> >     >>>>
> >     >>>> > I've just noticed a nice little trick for user
> >     enumeration. The client I'm testing has RDP on almost every
> >     windows machine and when you connect to them, if there is a user
> >     already connected they tell you who it is. Luckily here most of
> >     them do have someone logged in. It is a manual job but has got me
> >     a nice little stash of usernames which is good as all my usual
> >     techniques failed. Of extra lucky, by naming and subnets I know
> >     which the servers are so I'm assuming users connected to them are
> >     either admins or at least have more privileges than a normal user.
> >     >>>> >
> >     >>>> > Thought others might find it useful.
> >     >>>> >
> >     >>>> > Robin
> >     >>>> > _______________________________________________
> >     >>>> > Pauldotcom mailing list
> >     >>>> > Pauldotcom () mail pauldotcom com
> >     <mailto:Pauldotcom () mail pauldotcom com>
> >     >>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     >>>> > Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
> >     >>>> _______________________________________________
> >     >>>> Pauldotcom mailing list
> >     >>>> Pauldotcom () mail pauldotcom com
> >     <mailto:Pauldotcom () mail pauldotcom com>
> >     >>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     >>>> Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
> >     >>>
> >     >>>
> >     >>> _______________________________________________
> >     >>> Pauldotcom mailing list
> >     >>> Pauldotcom () mail pauldotcom com
> >     <mailto:Pauldotcom () mail pauldotcom com>
> >     >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     >>> Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
> >     >>
> >     >> _______________________________________________
> >     >> Pauldotcom mailing list
> >     >> Pauldotcom () mail pauldotcom com
> >     <mailto:Pauldotcom () mail pauldotcom com>
> >     >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     >> Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
> >     >
> >     >
> >     > _______________________________________________
> >     > Pauldotcom mailing list
> >     > Pauldotcom () mail pauldotcom com
> >     <mailto:Pauldotcom () mail pauldotcom com>
> >     > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     > Main Web Site: http://pauldotcom.com <http://pauldotcom.com/>
> >
> >     _______________________________________________
> >     Pauldotcom mailing list
> >     Pauldotcom () mail pauldotcom com
> >     <mailto:Pauldotcom () mail pauldotcom com>
> >     http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >     Main Web Site: http://pauldotcom.com
>
>
>     _______________________________________________
>     Pauldotcom mailing list
>     Pauldotcom () mail pauldotcom com <mailto:Pauldotcom () mail pauldotcom com>
>     http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>     Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com