Penetration Testing mailing list archives

Re: [PEN-TEST] Finding a Windows machine that a user is logged into


From: Chris Winter <cwinter () MENTORTECH COM>
Date: Wed, 14 Mar 2001 14:01:57 -0500

It's been a while since I've played in NT land, so take this with a grain of
salt.

There are a couple of ways to achieve what you want to do.  Since you can do
a net send to the target, it sounds like you are in the same domain.  If I
remember correctly when you use net send, it needs to determine where the
Netbios resource that you are trying to communicate with is.  It depends on
how you have your Netbios node type set up.  If it's B-node (broadcast), then
it will just do a local broadcast on your subnet (after looking to see if
the resource is local, or in your lmhosts file.)  If you have H node
(hybrid), it will try to get the info from your WINS server first, then it
will broadcast for the info (once again, after looking to see if the
resource is local, or in your lmhosts file.)  From this it determines what
host(s) the user is logged into, and sends its message.  If you are in a
WINS environment, then what you need to do is query the WINS server for the
<username>[03h] (the username can be up to 15 characters, followed by the
Netbios hex code [03h], for username, which always needs to be the 16th
character.)  I don't have a WINS server that I can test this on at the
moment, but there are a few ways to do this:

1) Try WINS manager.  This may work.  I'm not sure if WINS will give up info
over a null (anonymous) session, the way User Manager, or Server Manager
will, so you may have to be an admin.
2) The NT Resource Kit has a utility called WINSCL which does queries.
3) 3rd party wins query tools ??

Again, I haven't tested this, so your mileage may vary.

Another tactic, would be to do Netbios queries to hosts where the user may
be logged in.  The command-line tool nbtstat is handy for this.  Use
nbtstat -A x.x.x.x (note the capital 'A', which must be used if you want to
query an IP address, as opposed to a lowercase 'a', which is used with
Netbios names), and look for the entry that has a code of <03> UNIQUE, which
is the user logged on to that host (I haven't done this to an NT Terminal
Server, I'm not sure if it will show multiple users logged on or not.)
Using nbtstat by hand gets repetitive, so either script it up, or use a
tool, such as Essential NetTools (by TamoSoft www.tamos.com
www.tamofiles.com/esstls2.zip ), which includes an automated Netbios scanner
(I am sure there are many other tools that will also do this.)  This will work
in small environments, for larger ones, you will probably need to go the
WINS route (where they are almost guaranteed to have/need WINS servers.)

I have no idea how this transfers over to a WIN2K Active Directory
environment (most places still have legacy NT4.0 stuff all over the place
though.)

Hope this helps,

Chris

-------------------------------------------------------------------
  Chris Winter
  Consultant
  Security Practice
  cwinter () mentortech com
  Cell: 410 258-4817

  Mentor Technologies-- innovators of vLab(r) technology, provides:
   ** high-end internetworking, skills-based learning services and
      solutions.
   ** high-end internetworking design, management, and security
      consulting.
  We're high tech, high touch, high performance; the total
  internetworking solutions company.  Visit us at www.mentortech.com
--------------------------------------------------------------------
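The two lookups the post describes, nbtstat -A (a NetBIOS node status request) and a WINS query for <username>[03h], at the wire level. This is an added example written for this page, not code from the post or from any of the tools it names. It follows the RFC 1001/1002 packet layout for the NetBIOS name service on UDP/137; the function names are mine, the host name WS-FIN-07, domain CORP, user JSMITH and the MAC address in the sample reply are constructed so the parser can be exercised offline, and query_node_status is the only function that touches the network.

```python
"""NetBIOS name-service (NBNS, UDP/137) helpers per RFC 1001/1002 (added example)."""
import socket
import struct

NS_PORT = 137
NB = 0x0020       # plain name query, what a WINS lookup for <name>[03h] sends
NBSTAT = 0x0021   # node-status request, what "nbtstat -A x.x.x.x" sends

def netbios_encode(name, suffix, pad=b" "):
    """First-level encode a NetBIOS name: the name is padded to 15 bytes, the
    suffix (e.g. 0x03 for Messenger) is always the 16th byte, and each of the
    16 bytes is split into two nibbles that are each added to 'A'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    body = bytes(ord("A") + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + body + b"\x00"   # label length (32), label, root terminator

def build_name_query(name, suffix, txid=0x0001):
    """Unicast NB query for <name><suffix>, RD bit set so a WINS server answers
    from its database (this is the '<username>[03h]' lookup against WINS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + netbios_encode(name, suffix) + struct.pack(">HH", NB, 1)

def build_node_status_request(txid=0x0001):
    """NBSTAT query for the wildcard name '*' (padded with NULs, suffix 0x00)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + netbios_encode("*", 0x00, pad=b"\x00") + struct.pack(">HH", NBSTAT, 1)

def _skip_name(data, off):
    """Advance past a length-prefixed label sequence ending in a 0x00 label."""
    while data[off]:
        off += 1 + data[off]
    return off + 1

def parse_node_status_response(data):
    """Return [(name, suffix, is_group, name_flags), ...] from an NBSTAT reply."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    off = 12
    for _ in range(qdcount):           # question section, if the responder echoed it
        off = _skip_name(data, off) + 4
    if ancount < 1:
        return []
    off = _skip_name(data, off)        # answer RR: name, type, class, TTL, RDLENGTH
    rtype, _, _, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("not a node status response (type 0x%04x)" % rtype)
    num_names, off = data[off], off + 1
    entries = []
    for _ in range(num_names):         # each entry: 15-byte name, suffix, 2-byte NAME_FLAGS
        raw, suffix = data[off:off + 15], data[off + 15]
        flags = struct.unpack_from(">H", data, off + 16)[0]
        entries.append((raw.rstrip(b" \x00").decode("ascii", "replace"),
                        suffix, bool(flags & 0x8000), flags))   # bit 15 = G (group name)
        off += 18
    return entries

def logged_on_users(entries):
    """The <03> UNIQUE names are Messenger registrations. The machine registers
    its own name there too, so drop any that match a <00> UNIQUE (workstation)
    name; what is left are user names logged on to that host."""
    machines = {n for n, s, g, _ in entries if s == 0x00 and not g}
    return sorted({n for n, s, g, _ in entries if s == 0x03 and not g and n not in machines})

def query_node_status(ip, timeout=2.0):
    """Send the NBSTAT request to one host and parse its reply (live network only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)

def build_node_status_response(names, txid=0x0001, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed NBSTAT reply in RFC 1002 wire format, used here for offline testing."""
    rdata = bytes([len(names)])
    for name, suffix, flags in names:
        rdata += name.upper().encode()[:15].ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40        # 46-byte statistics block (MAC, then counters)
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, AA set
    answer = netbios_encode("*", 0x00, pad=b"\x00") + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + answer + rdata

# Constructed name table for a fictional workstation WS-FIN-07 in domain CORP with
# user JSMITH logged on (0x6400 = UNIQUE, H-node, active; 0xE400 = GROUP, H-node, active).
SAMPLE_REPLY = build_node_status_response([
    ("WS-FIN-07", 0x00, 0x6400), ("CORP", 0x00, 0xE400), ("WS-FIN-07", 0x20, 0x6400),
    ("CORP", 0x1E, 0xE400), ("WS-FIN-07", 0x03, 0x6400), ("JSMITH", 0x03, 0x6400),
])

if __name__ == "__main__":
    print(logged_on_users(parse_node_status_response(SAMPLE_REPLY)))   # ['JSMITH']
```

To sweep a subnet the way the post suggests scripting nbtstat, loop query_node_status over the addresses and collect logged_on_users per host into a user-to-hosts map; hosts that do not answer within the timeout raise socket.timeout and can be skipped. The <03> entry for the user only exists while the Messenger service is registering it, so a host with Messenger stopped will show only the machine's own <03> name. For the WINS route, send build_name_query(user, 0x03) to the WINS server's UDP/137 and the positive response carries the registered IP address(es) for that name.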

