Penetration Testing mailing list archives

Re: [PEN-TEST] Finding a Windows machine that a user is logged into


From: Mike Sues <msues () cinnabar ca>
Date: Thu, 15 Mar 2001 09:06:41 -0800

I don't think searching for 0x03 Entries in WINS and/or the name
cache is feasible at all, as the workstation service also registers its
name with 0x03. If you're doing an un-educated pen test and there is
no obvious distinctive feature in the various names you won't be able
to tell apart user names and workstation names.


Agreed if it's a blind test and the username is not known, but the poster has
a particular username, RDAWES, hence why the suggestion was not to search
just for any 0x03 entries but for the messenger service associated with the
known username, i.e. RDAWES<0x03>. This is a technique I've successfully used
in pen tests when one of the goals is to find (for example) the CEO's
workstation. The putative username can be available to me either through
deduction from the organization's naming scheme or some information
gathering/exploit which allows you to collect usernames. Unless you have to
send name query packets to every IP address in a range (i.e. you can resolve
the name through a WINS query or the broadcast method), it's only one UDP
packet out and one returned.

If the organization assigns the same name as the username to the
computername then this will find the computername's messenger service and
not the username; follow up with an nbtstat/nmblookup to identify it as the
username or computername. If the user logs into another workstation the
messenger service associated with the username might or might not be
registered under these conditions; it depends on the method of NetBIOS name
resolution being used and on whether the second workstation is on the same
segment, etc.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph :613.720.4842
fax:613.236.2506
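The name query discussed above (one UDP/137 packet asking for RDAWES<0x03>) has a fixed wire format from RFC 1001/1002. The following is an added example, not code from the thread: it first-level encodes and decodes NetBIOS names with their suffix byte, builds a constructed sample NBNS NAME QUERY REQUEST so there is something to parse, and shows how a defender's sensor can pull the queried name and suffix out of such a packet and pick out messenger-service (<0x03>) lookups. The packet layout is the RFC's; the sample names and transaction id are constructed.

```python
import struct

# NetBIOS name suffixes discussed in the thread (RFC 1001/1002, Microsoft usage)
SUFFIX_SERVICE = {0x00: "workstation", 0x03: "messenger", 0x20: "server"}

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encode NAME<suffix> into the 32-byte nibble form (RFC 1001 14.1)."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))    # high nibble -> 'A'..'P'
        encoded.append(0x41 + (b & 0x0F))  # low nibble  -> 'A'..'P'
    return bytes(encoded)

def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_name_query(name: str, suffix: int, txid: int = 0x1234) -> bytes:
    """Constructed NBNS NAME QUERY REQUEST payload: 12-byte header + one NB question."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)  # query, RD, broadcast
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"  # no scope
    question += struct.pack(">HH", 0x0020, 0x0001)  # QTYPE=NB, QCLASS=IN
    return header + question

def parse_name_query(packet: bytes) -> dict:
    """Decode a NAME QUERY REQUEST into the name and service it asks about."""
    if len(packet) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("truncated NBNS packet")
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or (flags >> 11) & 0xF != 0 or qdcount != 1:
        raise ValueError("not a single-question name query")
    if packet[12] != 0x20:
        raise ValueError("unexpected encoded name length")
    name, suffix = decode_netbios_name(packet[13:45])
    return {"txid": txid, "name": name, "suffix": suffix,
            "service": SUFFIX_SERVICE.get(suffix, "other")}

def messenger_lookups(packets) -> list:
    """Names asked for via the <0x03> (messenger) suffix, i.e. likely username lookups."""
    return [q["name"] for q in map(parse_name_query, packets) if q["suffix"] == 0x03]

# Constructed sample traffic: one username lookup and one ordinary file-server lookup
SAMPLE_PACKETS = [build_name_query("RDAWES", 0x03), build_name_query("FILESRV", 0x20)]
```

A sensor seeing many distinct <0x03> names queried from one source in a short window is a reasonable thing to alert on, since ordinary clients rarely look up messenger names at all.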

