Penetration Testing mailing list archives

Re: [PEN-TEST] Finding a Windows machine that a user is logged into


From: Nelson Brito <nelson () SECUNET COM BR>
Date: Wed, 14 Mar 2001 16:13:12 -0300

"Dawes, Rogan (ZA - Johannesburg)" wrote:

> Hi Folks,
>
> As part of a demonstration I want to do, I need to find a Windows client
> that a particular user is logged in to.
>
> e.g. on a Windows network, user rdawes is logged in somewhere. I need the IP
> address, so that I can snoop the traffic that he is generating.

You can use nbtscan. Let me explain.

You do not need to be logged in to the NT Domain to enumerate the Windows machines.

nbtscan returns something like this:
D:\New-CD\CDROM_1\01_OperatingSystem\01_WindowsNT\01_Footprint\NBTScan>nbtscan -t 15 192.168.1.24/24
Doing NBT name scan for addresses from 192.168.1.24/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.3      SERVER           <server>  SERVER           08-00-2b-e2-9c-59
192.168.1.12     ST_UserA         <server>  UserA            00-00-21-cf-af-38
192.168.1.14     ST_UserB         <server>  UserB            00-e0-7d-91-02-55
192.168.1.105    ST_UserC         <server>  UserC            00-40-33-2f-97-95
192.168.1.251    BDC_SRV          <server>  Admin            00-80-c8-e7-05-f0
192.168.1.253    PDC_SRV          <server>  NTADM            00-80-c8-e7-05-f1

D:\New-CD\CDROM_1\01_OperatingSystem\01_WindowsNT\01_Footprint\NBTScan>

Take a careful look. In the "NetBIOS Name" column you can see the workstation's
name, and in the "User" column you can see the NT Domain user name using the
workstation, so 2+2=4. ;)

Another way is to use NTRK's "NETWATCH.EXE", but you'll need Administrator
Status to do this.

PS: NTRK == NT Resource Kit != NT RootKit.

That's all,
--
+---------------------------------------------------------------------+
|Nelson Brito        |  Security Networks / IBQN                      |
|                    |  Avenida General Justo, 365 - 4° Andar - Centro|
|Security Analyst    |  20.021-130 - Rio de Janeiro - RJ - Brasil     |
|Penetration Tester  |  +55.021.282-1351 R. 104                       |
|                    |  nelson () secunet com br                         |
+---------------------------------------------------------------------+
|"Windows NT can also be protected from nmap OS detection scans thanks|
|to *Nelson Brito* ..."                                               |
|          Excerpt from the book "Hack Proofing your Network", page 93|
+---------------------------------------------------------------------+
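
Added example, not part of the original post: a short Python parser for the nbtscan table quoted above, which an administrator can run over scan output to list the hosts that disclose a logged-on user name to unauthenticated NetBIOS name queries. The function names, the no-spaces-in-names simplification and the `<unknown>` placeholder form are assumptions; the sample input is the output from the post.

```python
import re

# Sample input: the nbtscan output quoted in the post above.
SAMPLE = """\
Doing NBT name scan for addresses from 192.168.1.24/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.3      SERVER           <server>  SERVER           08-00-2b-e2-9c-59
192.168.1.12     ST_UserA         <server>  UserA            00-00-21-cf-af-38
192.168.1.14     ST_UserB         <server>  UserB            00-e0-7d-91-02-55
192.168.1.105    ST_UserC         <server>  UserC            00-40-33-2f-97-95
192.168.1.251    BDC_SRV          <server>  Admin            00-80-c8-e7-05-f0
192.168.1.253    PDC_SRV          <server>  NTADM            00-80-c8-e7-05-f1
"""

# One table row: IP, NetBIOS name, optional <server> flag, user, MAC.
# Assumption: names contain no spaces.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)\s+"
    r"(?P<server><server>)?\s*(?P<user>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})$"
)

def parse_nbtscan(text):
    """Return one dict per host row; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["server"] = row["server"] is not None
            rows.append(row)
    return rows

def hosts_disclosing_user(rows):
    """Rows whose User column holds a real account name.

    Skipped: bracketed placeholders (assumed form: <unknown>) and rows where
    the column only repeats the machine name, as for SERVER in the sample.
    """
    return [
        (r["ip"], r["name"], r["user"])
        for r in rows
        if not r["user"].startswith("<") and r["user"].upper() != r["name"].upper()
    ]

if __name__ == "__main__":
    for ip, name, user in hosts_disclosing_user(parse_nbtscan(SAMPLE)):
        print(f"{ip:<16}{name:<12}discloses user {user}")
```

Every host the function returns answered a name query on UDP port 137 without authentication; filtering that port between segments or disabling NetBIOS over TCP/IP on workstations removes the disclosure.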

