Penetration Testing mailing list archives
Re: [PEN-TEST] Finding a Windows machine that a user is logged into
From: Mike Sues <msues () cinnabar ca>
Date: Thu, 15 Mar 2001 09:06:41 -0800
I don't think searching for 0x03 Entries in WINS and/or the name cache is feasible at all, as the workstation service also registers its name with 0x03. If you're doing an un-educated pen test and there is no obvious distinctive feature in the various names you won't be able to tell apart user names and workstation names.
Agreed if it's a blind test and the username is not known, but the poster has a particular username, RDAWES, hence why the suggestion was not to search just for any 0x03 entries but for the messenger service associated with the known username, i.e. RDAWES<0x03>.

This is a technique I've successfully used in pen tests when one of the goals is to find (for example) the CEO's workstation. The putative username can be available to me either through deduction from the organization's naming scheme or some information gathering/exploit which allows you to collect usernames. Unless you have to send name query packets to every IP address in a range (i.e. you can resolve the name through a WINS query or the broadcast method), it's only one UDP packet out and one returned.

If the organization assigns the same name as the username to the computername then this will find the computername's messenger service and not the username; follow up with an nbtstat/nmblookup to identify as the username or computername. If the user logs into another workstation the messenger service associated with the username might or might not be registered under these conditions; depends on the method of NetBIOS name resolution being used and if the second workstation is on the same segment, etc.

Mike Sues
Senior Network Security Analyst
Cinnabar Networks Inc
http://www.cinnabar.ca
ph :613.720.4842
fax:613.236.2506
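For defenders watching UDP 137, the lookups discussed in this message can be decoded and counted. The following is an added example, not part of the original post: it decodes the RFC 1001/1002 name encoding in captured query payloads and reports any source that asks many distinct addresses for the same name<0x03>. The function names, the threshold, the no-scope-ID assumption and the sample traffic are all constructed for illustration.

```python
import struct
from collections import defaultdict

MESSENGER = 0x03  # Messenger suffix, registered under user names and computer names

def encode_nb_name(name, suffix):
    """RFC 1001 first-level encoding: 15 padded chars + suffix, one letter per nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def build_query(txid, name, suffix, broadcast=True):
    """Constructed test input: an NBNS name query (QTYPE NB, class IN, no scope)."""
    flags = 0x0110 if broadcast else 0x0100  # RD set, plus B for broadcast
    return (struct.pack(">6H", txid, flags, 1, 0, 0, 0) + b"\x20"
            + encode_nb_name(name, suffix) + b"\x00" + struct.pack(">2H", 0x20, 1))

def parse_query(payload):
    """Return (name, suffix, qtype) for an NBNS query payload, else None."""
    if len(payload) < 50 or payload[12] != 0x20 or payload[45] != 0:
        return None  # too short, wrong label length, or a scope ID (assumed absent)
    _, flags, qdcount = struct.unpack(">3H", payload[:6])
    if flags & 0xF800 or qdcount != 1:  # response bit set or opcode is not query
        return None
    enc = payload[13:45]
    if not all(0x41 <= c <= 0x50 for c in enc):
        return None
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype = struct.unpack(">H", payload[46:48])[0]
    return raw[:15].decode("latin-1").rstrip(" "), raw[15], qtype

def user_name_sweeps(events, threshold=3):
    """Map (source, name) -> count of distinct destinations asked for name<03>."""
    seen = defaultdict(set)
    for src, dst, payload in events:
        q = parse_query(payload)
        if q and q[1] == MESSENGER:
            seen[(src, q[0])].add(dst)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [("192.0.2.50", f"198.51.100.{i}", build_query(i, "RDAWES", 0x03, False))
          for i in range(1, 6)]
SAMPLE += [("192.0.2.7", "198.51.100.255", build_query(9, "FILESRV", 0x20)),
           ("192.0.2.8", "198.51.100.2", build_query(10, "rdawes", 0x03, False))]

if __name__ == "__main__":
    print(user_name_sweeps(SAMPLE))
```

A single query to one WINS server, the one-packet case in the message, yields one destination and stays under the threshold; only the per-address variant appears as a sweep.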