Penetration Testing mailing list archives

Re: [PEN-TEST] Finding a Windows machine that a user is logged into


From: Mike Sues <msues () cinnabar ca>
Date: Wed, 14 Mar 2001 07:34:37 -0800

Hello,

you need to send a NetBIOS name query for the NetBIOS
service RDAWES<0x03>. This is the Messenger service (i.e.
type 0x03) for the username in question. If the client uses
WINS, send the query to the WINS server. Otherwise, if the
suspected client is on the same subnet, to the broadcast
address; the client will then respond. If it's not on the
same subnet and WINS is not used, if you have a range of
IP addresses, send a name query for RDAWES<0x03> to each
IP address; the client will then respond.

If the user is logged into more than one client, you can only
locate the first client; the NetBIOS Name Registrations for
RDAWES<0x03> for the 2nd, 3rd, etc. logins will fail ... the
service is already registered.

Some simple mods to nmblookup should implement these probes;
there may be other tools available too.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph: 613.720.4842
fax: 613.236.2506
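To make the probe Mike describes concrete from the monitoring side, here is an added example (not code from this thread, Samba's nmblookup, or Cinnabar) that builds and decodes an RFC 1002 NetBIOS name query for RDAWES<0x03> entirely in memory, so a defender looking at UDP/137 captures can recognise Messenger-name (<0x03>) lookups. The function names, the constructed sample packet and the transaction ID are assumptions of this example.

```python
import struct

NB_QUERY = 0x0020  # QTYPE "NB" from RFC 1002 (NetBIOS general name service)

def encode_netbios_name(name, suffix):
    """RFC 1002 first-level encoding: the 15-char space-padded name plus the
    1-byte service suffix (0x03 = Messenger), each nibble written as 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"   # length byte, 32 chars, terminator

def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if encoded[0] != 0x20 or encoded[33] != 0x00:
        raise ValueError("not a first-level-encoded NetBIOS name")
    label = encoded[1:33]
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(name, suffix, txid=0x1234, broadcast=True):
    """Constructed sample: a NAME QUERY REQUEST as sent to UDP/137.
    flags 0x0110 = opcode QUERY, RD set, B (broadcast) set; 0x0100 for unicast."""
    flags = 0x0110 if broadcast else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", NB_QUERY, 1)

def parse_name_query(payload):
    """Decode one request; rejects responses (R bit) and multi-question packets."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question NetBIOS name request")
    name, suffix = decode_netbios_name(payload[12:46])
    qtype, qclass = struct.unpack(">HH", payload[46:50])
    return {"txid": txid, "name": name, "suffix": suffix,
            "broadcast": bool(flags & 0x0010), "qtype": qtype, "qclass": qclass}

def is_messenger_lookup(payload):
    """True when a capture holds an NB query for a <0x03> (Messenger) name,
    the pattern a user-location sweep like the one above would produce."""
    q = parse_name_query(payload)
    return q["qtype"] == NB_QUERY and q["suffix"] == 0x03

if __name__ == "__main__":
    pkt = build_name_query("RDAWES", 0x03)
    print(pkt.hex(), parse_name_query(pkt), is_messenger_lookup(pkt))
```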
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Dawes, Rogan (ZA - Johannesburg)
Sent: Tuesday, March 13, 2001 12:08 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Finding a Windows machine that a user is logged into


Hi Folks,

As part of a demonstration I want to do, I need to find a Windows client
that a particular user is logged in to.

e.g. on a Windows network, user rdawes is logged in somewhere. I need the
IP address, so that I can snoop the traffic that he is generating.

It is clearly possible to get this info, as for example tools like
"net send rdawes message" do it. Having done that, I can look in my
machine cache using "nbtstat -c" to see who I've been talking to.

This is a bit obtrusive, though. I don't want to warn the user that I am
watching them, which the "net send" would do.

Does anyone have an idea how I can do this quietly?

Rogan
