Penetration Testing mailing list archives

Re: [PEN-TEST] Finding a Windows machine that a user is logged into

From: Greg <greg () HOOBIE NET>
Date: Wed, 14 Mar 2001 21:30:17 -0000

DumpACL should amongst other things, obtain the name of the last workstation
that any particular user logged in from. This info can be obtained from any
domain controller I believe.

I've never bothered using this function but I do recall seing it within
DumpACL some years ago and I assume it works OK. Just point DumpACL at a DC
and dump the list of users, remember to select the 'last workstation' field
in the list of stuff to grab.

regards

Greg

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Clifford, Shawn A
Sent: 14 March 2001 12:51
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Finding a Windows machine that a user is logged
into


Hi,

You can use 'netdom member' to look up all of the users on all machines in
your domain(s).  Then parse the output.  Here is a Perl script that does
just that.  It creates a hash table (by specifying the -r option) of all
user/machine pairs currently logged in in your domain(s).  This can take a
long time to generate.

You will need to edit the netdom queries to specify your domain(s).

-- Shawn


-----Original Message-----
From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes () DELOITTE CO ZA]
Sent: Tuesday, March 13, 2001 3:08 AM
Subject: Finding a Windows machine that a user is logged into


Hi Folks,

As part of a demonstration I want to do, I need to find a Windows client
that a particular user is logged in to.

e.g. on a Windows network, user rdawes is logged in somewhere. I need the IP
address, so that I can snoop the traffic that he is generating.

It is clearly possible to get this info, as for example tools like "net send
rdawes message" do it.  Having done that, I can look in my machine cache
using "nbtstat -c" to see who I've been talking to.

This is a bit obtrusive, though. I don't want to warn the user that I am
watching them, which the "net send" would do.

Does anyone have an idea how I can do this quietly?

Rogan

Current thread:

Re: [PEN-TEST] Finding a Windows machine that a user is logged into Carter, Adam (Mar 14)
- <Possible follow-ups>
- Re: [PEN-TEST] Finding a Windows machine that a user is logged into Clifford, Shawn A (Mar 14)
  - Re: [PEN-TEST] Finding a Windows machine that a user is logged into Greg (Mar 14)
- Re: [PEN-TEST] Finding a Windows machine that a user is logged into Woch, Wojciech (Mar 14)
- Re: [PEN-TEST] Finding a Windows machine that a user is logged into Clifford, Shawn A (Mar 14)