PaulDotCom mailing list archives

Re: user enumeration through RDP


From: "Ryan" <randomrhythm () rhythmengineering com>
Date: Thu, 25 Apr 2013 14:16:50 -0600

Microsoft Network Level Authentication (NLA) for RDP can also help defend against these "features" as it doesn't allow 
a full RDP connection until the user is authenticated.  

Ryan
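The NLA setting mentioned above and the "Interactive logon: Do not display last user name" policy cited further down the thread are both host-side controls, and both can be audited from the registry. The following PowerShell script is an added example, not code from the thread or from any list member; it assumes it runs with administrative rights on the host being checked, and the two registry paths it reads are the standard locations for those settings (a domain GPO that sets the same value will override whatever is set locally).

```powershell
# Added audit example (not from the thread): report, and optionally enforce, the two
# host-side controls discussed above. Run as Administrator on the host being checked.

function Get-RdpDisclosureControls {
    [CmdletBinding()]
    param(
        # If set, enforce both controls instead of only reporting them.
        [switch]$Remediate
    )

    # Standard locations for the RDP-Tcp listener settings and the local logon policy.
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    if ($Remediate) {
        # UserAuthentication = 1: require Network Level Authentication, so the session
        # (and the logon screen that names the logged-on user) is never rendered to a
        # client that has not authenticated first.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
        # DontDisplayLastUserName = 1: "Interactive logon: Do not display last user name".
        # A domain GPO that configures this policy takes precedence over the local value.
        Set-ItemProperty -Path $policy -Name DontDisplayLastUserName -Value 1 -Type DWord
    }

    # A missing value means the default applies, and for both settings the default is "not enforced".
    $nla      = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $secLayer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    $hideLast = (Get-ItemProperty -Path $policy -Name DontDisplayLastUserName -ErrorAction SilentlyContinue).DontDisplayLastUserName

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        NlaRequired      = ($nla -eq 1)
        # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS. Reported for context,
        # since NLA relies on CredSSP over TLS rather than the legacy RDP security layer.
        SecurityLayer    = $secLayer
        HideLastUserName = ($hideLast -eq 1)
        Compliant        = (($nla -eq 1) -and ($hideLast -eq 1))
    }
}

# Report only on the local host:
Get-RdpDisclosureControls | Format-List

# Audit a list of hosts from a management workstation (requires WinRM on the targets);
# hosts.txt is an assumed file of one hostname per line:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-RdpDisclosureControls}
```

The `Compliant` field is the one to feed into an inventory: a host where `NlaRequired` is false still presents its logon screen to anyone who can reach TCP 3389, so the username disclosure described in the thread remains possible there even with `HideLastUserName` set, because the "last user name" policy only hides the name at the logon prompt, not the name of a session that is currently connected and unlocked.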
  ----- Original Message ----- 
  From: Jeremy Pommerening 
  To: PaulDotCom Security Weekly Mailing List 
  Sent: Tuesday, April 23, 2013 3:27 PM
  Subject: Re: [Pauldotcom] user enumeration through RDP


  It still displays the username unless you specifically tell it not to via GPO or local machine policy: Interactive 
Logon: "Do not display last user name" (Enable or Disable).

  Jeremy Pommerening
  CISSP,GCFA,GPEN,GAWN,GCFW, GWAPT,
  MCSE Win2K, MCSE NT4


------------------------------------------------------------------------------
  From: Michael Salmon <lonestarr13 () gmail com>
  To: PaulDotCom Security Weekly Mailing List <pauldotcom () mail pauldotcom com> 
  Sent: Tuesday, April 23, 2013 1:47 PM
  Subject: Re: [Pauldotcom] user enumeration through RDP



  Does RDP on Windows 7 still give the logged in username?  Working with W7 I haven't seen it anymore but it may be 
that it's been disabled in my environment and I didn't realize it.



  On Tue, Apr 23, 2013 at 1:18 PM, Carlos Perez <carlos_perez () darkoperator com> wrote:

    No clue on that 


    On Apr 23, 2013, at 12:32 PM, Robin Wood <robin () digininja org> wrote:



      On Apr 23, 2013 5:07 PM, "Carlos Perez" <carlos_perez () darkoperator com> wrote:
      >
      > This was what I was alluding to  
      > http://www.tenable.com/blog/nessus-52-released
      >
      > Nessus will now grab VNC and RDP Screenshots 
      Looks pretty cool. Any chance of building in character recognition to read the active user?
      Robin
      > Sent from my iPhone
      >
      > On Apr 23, 2013, at 3:29 AM, Matt <matt () fireantsecurity co uk> wrote:
      >
      >> If you are at BSidesLondon tomorrow we can chat then.
      >>
      >>
      >> Sent from my iPhone
      >>
      >> On 21 Apr 2013, at 23:05, Robin Wood <robin () digininja org> wrote:
      >>
      >>> On 18 April 2013 15:36, Matt <matt () fireantsecurity co uk> wrote:
      >>>>
      >>>> You can do more than that. Can't say much more but RDP has some useful "features" that can be leveraged to 
gain a higher level of access if you know your way round the Windows API.
      >>>>
      >>>
      >>> Pointers to any info? I don't know much about the windows API but might be worth looking at.
      >>>  
      >>>>
      >>>> Sent from my iPhone
      >>>>
      >>>> On 18 Apr 2013, at 01:36, Robin Wood <robin () digininja org> wrote:
      >>>>
      >>>> > I've just noticed a nice little trick for user enumeration. The client I'm testing has RDP on almost every 
Windows machine and when you connect to them, if there is a user already connected they tell you who it is. Luckily 
here most of them do have someone logged in. It is a manual job but has got me a nice little stash of usernames which 
is good as all my usual techniques failed. As an extra bit of luck, by naming and subnets I know which ones the servers 
are so I'm assuming users connected to them are either admins or at least have more privileges than a normal user.
      >>>> >
      >>>> > Thought others might find it useful.
      >>>> >
      >>>> > Robin
      >>>> > _______________________________________________
      >>>> > Pauldotcom mailing list
      >>>> > Pauldotcom () mail pauldotcom com
      >>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
      >>>> > Main Web Site: http://pauldotcom.com
------------------------------------------------------------------------------

