Penetration Testing mailing list archives
Re: [PEN-TEST] Finding a Windows machine that a user is logged into
From: Mike Sues <msues () cinnabar ca>
Date: Wed, 14 Mar 2001 07:34:37 -0800
Hello,

you need to send a NetBIOS name query for the NetBIOS service RDAWES<0x03>. This is the Messenger service (i.e. type 0x03) for the username in question.

If the client uses WINS, send the query to the WINS server. Otherwise, if the suspected client is on the same subnet, send it to the broadcast address; the client will then respond. If it's not on the same subnet and WINS is not used, and you have a range of IP addresses, send a name query for RDAWES<0x03> to each IP address; the client will then respond.

If the user is logged into more than one client, you can only locate the first client; the NetBIOS Name Registrations for RDAWES<0x03> for the 2nd, 3rd, etc. logins will fail ... the service is already registered.

Some simple mods to nmblookup should implement these probes; there may be other tools available too.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph : 613.720.4842
fax: 613.236.2506

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Dawes, Rogan (ZA - Johannesburg)
Sent: Tuesday, March 13, 2001 12:08 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Finding a Windows machine that a user is logged into

Hi Folks,

As part of a demonstration I want to do, I need to find a Windows client that a particular user is logged in to.

e.g. on a Windows network, user rdawes is logged in somewhere. I need the IP address, so that I can snoop the traffic that he is generating.

It is clearly possible to get this info, as for example tools like "net send rdawes message" do it. Having done that, I can look in my machine cache using "nbtstat -c" to see who I've been talking to.

This is a bit obtrusive, though. I don't want to warn the user that I am watching them, which the "net send" would do.

Does anyone have an idea how I can do this quietly?

Rogan
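
For defenders watching UDP/137, the per-address probing described in this message shows up as one source sending unicast name queries for the same <0x03> name to many hosts. The following is an added example, not code from the post or from nmblookup: the function names, the threshold of 3 and the sample packets are assumptions constructed for illustration, and the parser assumes a query name without a NetBIOS scope.

```python
import struct
from collections import defaultdict

def parse_nbns_query(payload):
    """Return (name, suffix, broadcast) for an NBNS name query, else None."""
    if len(payload) < 12 + 34 + 4:       # header + encoded name + type/class
        return None
    _tid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount < 1:
        return None                      # a response, or an opcode other than query
    enc = payload[13:45]
    if payload[12] != 0x20 or any(not 0x41 <= c <= 0x50 for c in enc):
        return None                      # not a first-level encoded name
    # Each name byte travels as two letters 'A'..'P', one per nibble (RFC 1001).
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41)
                for i in range(0, 32, 2))
    # 15 space-padded name bytes, then the service type (suffix) byte.
    return raw[:15].decode("latin-1").rstrip(), raw[15], bool(flags & 0x0010)

def find_sweeps(packets, threshold=3):
    """packets: iterable of (src_ip, dst_ip, udp_payload) captured on UDP/137.

    Flags a source that sends unicast queries for one <03> name to
    `threshold` or more distinct hosts. Broadcast and WINS lookups for <03>
    names are normal traffic, so only the unicast fan-out is reported.
    """
    targets = defaultdict(set)
    for src, dst, payload in packets:
        q = parse_nbns_query(payload)
        if q and q[1] == 0x03 and not q[2]:
            targets[(src, q[0])].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}

# Constructed sample packets: a query for RDAWES<03>, the name used in the post.
QNAME = b"\x20" + b"FCEEEBFHEFFD" + b"CA" * 9 + b"AD" + b"\x00"
TAIL = struct.pack(">HH", 0x0020, 0x0001)            # type NB, class IN
UNICAST = struct.pack(">HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0) + QNAME + TAIL
BROADCAST = struct.pack(">HHHHHH", 0x1235, 0x0110, 1, 0, 0, 0) + QNAME + TAIL
SAMPLE = [("10.0.0.50", "10.0.0.%d" % i, UNICAST) for i in range(1, 6)]
SAMPLE.append(("10.0.0.7", "10.0.0.255", BROADCAST))

if __name__ == "__main__":
    print(parse_nbns_query(UNICAST))
    print(find_sweeps(SAMPLE))
```
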