On 7 May 2013 19:40, Rob Fuller <[email protected]> wrote:
> Could just use findtoken / incognito from MWR, it will list available
> tokens on the box (supports ranges)
>
> http://labs.mwrinfosecurity.com/blog/2012/07/18/incognito-v2-0-released/
>

Great tool but only if you've already got admin access. My original idea was for user harvesting when you've nothing else to go on.

Robin

> --
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
>
> On Thu, Apr 25, 2013 at 4:16 PM, Ryan <[email protected]> wrote:
>
>> Microsoft Network Level Authentication (NLA) for RDP can also help
>> defend against these "features" as it doesn't allow a full RDP connection
>> until the user is authenticated.
>>
>> Ryan
>>
>> ----- Original Message -----
>> *From:* Jeremy Pommerening <[email protected]>
>> *To:* PaulDotCom Security Weekly Mailing List <[email protected]>
>> *Sent:* Tuesday, April 23, 2013 3:27 PM
>> *Subject:* Re: [Pauldotcom] user enumeration through RDP
>>
>> It still displays username unless you specifically tell it not to via
>> GPO or local machine policy. Interactive Logon: "Do not display last user
>> name" Enable or Disable.
>>
>> Jeremy Pommerening
>> CISSP,GCFA,GPEN,GAWN,GCFW, GWAPT,
>> MCSE Win2K, MCSE NT4
>> ------------------------------
>> *From:* Michael Salmon <[email protected]>
>> *To:* PaulDotCom Security Weekly Mailing List <[email protected]>
>> *Sent:* Tuesday, April 23, 2013 1:47 PM
>> *Subject:* Re: [Pauldotcom] user enumeration through RDP
>>
>> Does RDP on Windows 7 still give the logged in username? Working with
>> W7 I haven't seen it anymore but it may be that it's been disabled in my
>> environment and I didn't realize it.
>>
>> On Tue, Apr 23, 2013 at 1:18 PM, Carlos Perez <[email protected]> wrote:
>>
>> No clue on that
>>
>> On Apr 23, 2013, at 12:32 PM, Robin Wood <[email protected]> wrote:
>>
>> On Apr 23, 2013 5:07 PM, "Carlos Perez" <[email protected]> wrote:
>> >
>> > This was what I was alluding to
>> > http://www.tenable.com/blog/nessus-52-released
>> >
>> > Nessus will now grab VNC and RDP Screenshots
>> Looks pretty cool. Any chance of building in character recognition in to
>> read the active user?
>> Robin
>> > Sent from my iPhone
>> >
>> > On Apr 23, 2013, at 3:29 AM, Matt <[email protected]> wrote:
>> >
>> >> If you are at BSidesLondon tomorrow we can chat then.
>> >>
>> >> Sent from my iPhone
>> >>
>> >> On 21 Apr 2013, at 23:05, Robin Wood <[email protected]> wrote:
>> >>
>> >>> On 18 April 2013 15:36, Matt <[email protected]> wrote:
>> >>>>
>> >>>> You can do more than that. Can't say much more but RDP has some useful "features" that can be leveraged to gain a higher level of access if you know your way round windows api.
>> >>>>
>> >>>
>> >>> Pointers to any info? I don't know much about the windows API but might be worth looking at.
>> >>>
>> >>>>
>> >>>> Sent from my iPhone
>> >>>>
>> >>>> On 18 Apr 2013, at 01:36, Robin Wood <[email protected]> wrote:
>> >>>>
>> >>>> > I've just noticed a nice little trick for user enumeration. The client I'm testing has RDP on almost every windows machine and when you connect to them, if there is a user already connected they tell you who it is. Luckily here most of them do have someone logged in. It is a manual job but has got me a nice little stash of usernames which is good as all my usual techniques failed. Of extra lucky, by naming and subnets I know which the servers are so I'm assuming users connected to them are either admins or at least have more privileges than a normal user.
>> >>>> >
>> >>>> > Thought others might find it useful.
>> >>>> >
>> >>>> > Robin
>> >>>> > _______________________________________________
>> >>>> > Pauldotcom mailing list
>> >>>> > [email protected]
>> >>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >>>> > Main Web Site: http://pauldotcom.com
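
The two defences named in this thread, Network Level Authentication and the "Do not display last user name" logon policy, can be audited per host from the registry. The following is an added example, not code from any poster in the thread; the function names are hypothetical, and the registry locations are the standard Windows ones for these settings.

```powershell
# Added example: report the RDP settings discussed in the thread for the local host.
# Function names are hypothetical. The script only reads the registry.

function Get-FirstRegValue {
    # Return the first configured value from an ordered list of registry keys,
    # or $null when none of them carries the value (setting not configured).
    param([string[]]$Path, [string]$Name)
    foreach ($p in $Path) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Get-RdpLogonExposure {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $logon  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Group Policy values are listed first because they override local settings.
    $deny = Get-FirstRegValue -Path $policy, $local -Name 'fDenyTSConnections'
    $nla  = Get-FirstRegValue -Path $policy, "$local\WinStations\RDP-Tcp" -Name 'UserAuthentication'
    $hide = Get-FirstRegValue -Path $logon -Name 'DontDisplayLastUserName'

    $rdpEnabled = ($deny -eq 0)   # 0 = connections allowed
    $nlaOn      = ($nla -eq 1)    # 1 = NLA required before a session is created

    # PreAuthLogonScreen flags the condition the thread describes: RDP is on and
    # the logon screen can be reached before the user has authenticated.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RdpEnabled         = $rdpEnabled
        NlaRequired        = $nlaOn
        LastUserNameHidden = ($hide -eq 1)
        PreAuthLogonScreen = ($rdpEnabled -and -not $nlaOn)
    }
}

Get-RdpLogonExposure | Format-List
```

Hosts that report `PreAuthLogonScreen : True` are the ones to move to NLA first; `LastUserNameHidden` covers the separate policy setting raised in the thread.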
