Penetration Testing mailing list archives
Re: [PEN-TEST] Finding a Windows machine that a user is logged in to
From: "Barber, Chris" <cbarber () ESTGSECURITY COM>
Date: Wed, 14 Mar 2001 08:04:32 -0500
If they are on a Windows network then they may be using WINS. Look into the WINS db for all the info you need. See DB entries below.

WINS DB Entries
---------------------
Registered name: \\computer_name[00h]
Desc: The name registered for the Workstation service on the WINS client.

Registered name: \\computer_name[03h]
Desc: The name registered for the Messenger service on the WINS client.

Registered name: \\computer_name[20h]
Desc: The name registered for the Server svc on the WINS client.

Registered name: \\username[03h]
Desc: The name of the user currently logged on to the computer. The user name is registered by the Messenger service so that the user can receive 'net send' commands sent to their user name. If more than one user is logged on with the same user name, only the first computer from which the user logged on will register the name.

Registered name: \\domain_name[1Bh]
Desc: The domain name registered by the Windows NT Server PDC that is functioning as the Domain Master Browser. This name is used for remote domain browsing. When a WINS server is queried for this name, it returns the IP address of the computer that registered this name.

-----Original Message-----
From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes () DELOITTE CO ZA]
Sent: Tuesday, March 13, 2001 3:08 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Finding a Windows machine that a user is logged into

Hi Folks,

As part of a demonstration I want to do, I need to find a Windows client that a particular user is logged in to.

e.g. on a Windows network, user rdawes is logged in somewhere. I need the IP address, so that I can snoop the traffic that he is generating.

It is clearly possible to get this info, as for example tools like "net send rdawes message" do it. Having done that, I can look in my machine cache using "nbtstat -c" to see who I've been talking to.

This is a bit obtrusive, though. I don't want to warn the user that I am watching them, which the "net send" would do.

Does anyone have an idea how I can do this quietly?

Rogan
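Added example, not part of the original messages: a Python audit of a host's own NetBIOS local name table (the text printed by `nbtstat -n`) that applies the suffix meanings listed above and reports any user name the Messenger service is advertising. The sample table and the host, domain and user names in it are constructed, and the function name `classify` is an assumption of this example.

```python
import re

# One row of the name table: NAME <suffix> UNIQUE|GROUP status
ROW = re.compile(
    r"^\s*(.{1,15}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)

# Constructed sample of `nbtstat -n` output (names and address are made up).
SAMPLE = """
Local Area Connection:
Node IpAddress: [192.0.2.15] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    WKSTN042       <00>  UNIQUE      Registered
    EXAMPLEDOM     <00>  GROUP       Registered
    WKSTN042       <03>  UNIQUE      Registered
    WKSTN042       <20>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered
"""

def classify(table_text):
    """Sort unique registrations by the suffix meanings listed in the message."""
    rows = [(m[1].strip().upper(), m[2].upper(), m[3])
            for m in ROW.finditer(table_text)]
    # The computer name owns the unique <00> (Workstation) or <20> (Server) entry.
    computer = {n for n, s, kind in rows
                if kind == "UNIQUE" and s in ("00", "20")}
    report = {"computer": sorted(computer), "users": [],
              "domain_master_browser": []}
    for name, suffix, kind in rows:
        if kind != "UNIQUE":
            continue  # group names (e.g. the domain <00> GROUP) are not hosts or users
        if suffix == "03" and name not in computer:
            # <03> on a name other than the computer name is the logged-on
            # user, registered by the Messenger service.
            report["users"].append(name)
        elif suffix == "1B":
            report["domain_master_browser"].append(name)
    return report

if __name__ == "__main__":
    result = classify(SAMPLE)
    print("computer name(s):", result["computer"])
    print("user names advertised via Messenger <03>:", result["users"])
```

An empty `users` list on a host where someone is logged on means the user name is not being registered, which is the state a hardening check would look for.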