Penetration Testing mailing list archives
Re: [PEN-TEST] Finding a Windows machine that a user is logged into
From: Chris Winter <cwinter () MENTORTECH COM>
Date: Wed, 14 Mar 2001 14:01:57 -0500
It's been a while since I've played in NT land, so take this with a grain of salt. There are a couple of ways to achieve what you want to do.

Since you can do a net send to the target, it sounds like you are in the same domain. If I remember correctly, when you use net send, it needs to determine where the NetBIOS resource that you are trying to communicate with is. It depends on how you have your NetBIOS node type set up. If it's B node (broadcast), then it will just do a local broadcast on your subnet (after looking to see if the resource is local, or in your lmhosts file.) If you have H node (hybrid), it will try to get the info from your WINS server first, then it will broadcast for the info (once again, after looking to see if the resource is local, or in your lmhosts file.) From this it determines what host(s) the user is logged into, and sends its message.

If you are in a WINS environment, then what you need to do is query the WINS server for the <username>[03h] (the username can be up to 15 characters, followed by the NetBIOS hex code [03h], for username, which always needs to be the 16th character.) I don't have a WINS server that I can test this on at the moment, but there are a few ways to do this:

1) Try WINS manager. This may work. I'm not sure if WINS will give up info over a null (anonymous) session, the way User Manager or Server Manager will, so you may have to be an admin.
2) The NT Resource Kit has a utility called WINSCL which does queries.
3) 3rd party WINS query tools??

Again, I haven't tested this, so your mileage may vary.

Another tactic would be to do NetBIOS queries to hosts where the user may be logged in. The command line tool nbtstat is handy for this. Use nbtstat -A x.x.x.x (note the capital 'A', which must be used if you want to query an IP address, as opposed to a lowercase 'a', which is used with NetBIOS names), and look for the entry that has a code of <03> UNIQUE, which is the user logged on to that host (I haven't done this to an NT Terminal Server, I'm not sure if it will show multiple users logged on or not.)

Using nbtstat by hand gets repetitive, so either script it up, or use a tool, such as Essential NetTools (by TamoSoft www.tamos.com www.tamofiles.com/esstls2.zip ), which includes an automated NetBIOS scanner (I am sure there are many other tools that will also do this.) This will work in small environments; for larger ones, you will probably need to go the WINS route (where they are almost guaranteed to have/need WINS servers.)

I have no idea how this transfers over to a WIN2K Active Directory environment (most places still have legacy NT4.0 stuff all over the place though.)

Hope this helps,
Chris

-------------------------------------------------------------------
Chris Winter
Consultant
Security Practice
cwinter () mentortech com
Cell: 410 258-4817

Mentor Technologies-- innovators of vLab(r) technology, provides:
** high-end internetworking, skills-based learning services and solutions.
** high-end internetworking design, management, and security consulting.
We're high tech, high touch, high performance; the total internetworking solutions company.
Visit us at www.mentortech.com
--------------------------------------------------------------------
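The nbtstat check described in the message above, scripted as an added example (not part of the original post), for auditing which names a host registers. It goes one step beyond the post by dropping the <03> entry that matches the host's own <00> computer name, since the Messenger service registers both; the sample output, the host WKSTN01 and the user JSMITH are constructed.

```python
import re

# Constructed sample of `nbtstat -A <ip>` output (hypothetical host and user).
SAMPLE = """\
       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WKSTN01        <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WKSTN01        <03>  UNIQUE      Registered
    WKSTN01        <20>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-50-56-AA-BB-CC
"""

# One table row: name (up to 15 chars), <hex suffix>, UNIQUE/GROUP, status.
ROW = re.compile(
    r"^[ \t]*(\S.{0,14}?)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+(\w+)",
    re.M,
)


def parse_name_table(text):
    """Return (name, suffix, type, status) for every row of the name table."""
    return [(n.strip().upper(), int(s, 16), t, st) for n, s, t, st in ROW.findall(text)]


def messenger_users(text):
    """Names registered as <03> UNIQUE, minus the host's own computer name."""
    rows = parse_name_table(text)
    # <00> UNIQUE is the workstation name; it is registered as <03> as well.
    hosts = {n for n, s, t, _ in rows if s == 0x00 and t == "UNIQUE"}
    return sorted({n for n, s, t, _ in rows if s == 0x03 and t == "UNIQUE"} - hosts)


def netbios_name(label, suffix=0x03):
    """Build the 16-byte name: label upper-cased, space-padded to 15, suffix as byte 16."""
    raw = label.upper().encode("ascii")
    if not 1 <= len(raw) <= 15:
        raise ValueError("NetBIOS label must be 1-15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


if __name__ == "__main__":
    print(messenger_users(SAMPLE))
    print(netbios_name("jsmith"))
```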