If you can dump the screenshots from Nessus into a common folder, you could try blasting them with ocrshotgun after tweaking the default regexes.
http://denniskuntz.com/blog/2011/10/12/ocrshotgun-sh-sensitive-data-from-images-with-ocr-the-shotgun-approach/

On Wed, May 8, 2013 at 3:48 AM, Robin Wood <[email protected]> wrote:

> On 7 May 2013 19:40, Rob Fuller <[email protected]> wrote:
>
>> Could just use findtoken / incognito from MWR, it will list available
>> tokens on the box (supports ranges)
>>
>> http://labs.mwrinfosecurity.com/blog/2012/07/18/incognito-v2-0-released/
>
> Great tool but only if you've already got admin access. My original idea
> was for user harvesting when you've nothing else to go on.
>
> Robin
>
>> --
>> Rob Fuller | Mubix
>> Certified Checkbox Unchecker
>> Room362.com | Hak5.org
>>
>> On Thu, Apr 25, 2013 at 4:16 PM, Ryan <[email protected]> wrote:
>>
>>> Microsoft Network Level Authentication (NLA) for RDP can also help
>>> defend against these "features" as it doesn't allow a full RDP connection
>>> until the user is authenticated.
>>>
>>> Ryan
>>>
>>> ----- Original Message -----
>>> *From:* Jeremy Pommerening <[email protected]>
>>> *To:* PaulDotCom Security Weekly Mailing List <[email protected]>
>>> *Sent:* Tuesday, April 23, 2013 3:27 PM
>>> *Subject:* Re: [Pauldotcom] user enumeration through RDP
>>>
>>> It still displays username unless you specifically tell it not to via
>>> GPO or local machine policy. Interactive Logon: "Do not display last user
>>> name" Enable or Disable.
>>>
>>> Jeremy Pommerening
>>> CISSP,GCFA,GPEN,GAWN,GCFW, GWAPT,
>>> MCSE Win2K, MCSE NT4
>>> ------------------------------
>>> *From:* Michael Salmon <[email protected]>
>>> *To:* PaulDotCom Security Weekly Mailing List <[email protected]>
>>> *Sent:* Tuesday, April 23, 2013 1:47 PM
>>> *Subject:* Re: [Pauldotcom] user enumeration through RDP
>>>
>>> Does RDP on Windows 7 still give the logged in username? Working with
>>> W7 I haven't seen it anymore but it may be that it's been disabled in my
>>> environment and I didn't realize it.
>>>
>>> On Tue, Apr 23, 2013 at 1:18 PM, Carlos Perez <[email protected]> wrote:
>>>
>>> No clue on that
>>>
>>> On Apr 23, 2013, at 12:32 PM, Robin Wood <[email protected]> wrote:
>>>
>>> On Apr 23, 2013 5:07 PM, "Carlos Perez" <[email protected]> wrote:
>>> >
>>> > This was what I was alluding to
>>> > http://www.tenable.com/blog/nessus-52-released
>>> >
>>> > Nessus will now grab VNC and RDP Screenshots
>>>
>>> Looks pretty cool. Any chance of building in character recognition in to
>>> read the active user?
>>>
>>> Robin
>>>
>>> > Sent from my iPhone
>>> >
>>> > On Apr 23, 2013, at 3:29 AM, Matt <[email protected]> wrote:
>>> >
>>> >> If you are at BSidesLondon tomorrow we can chat then.
>>> >>
>>> >> Sent from my iPhone
>>> >>
>>> >> On 21 Apr 2013, at 23:05, Robin Wood <[email protected]> wrote:
>>> >>
>>> >>> On 18 April 2013 15:36, Matt <[email protected]> wrote:
>>> >>>>
>>> >>>> You can do more than that. Can't say much more but RDP has some
>>> >>>> useful "features" that can be leveraged to gain a higher level of
>>> >>>> access if you know your way round windows api.
>>> >>>
>>> >>> Pointers to any info? I don't know much about the windows API but
>>> >>> might be worth looking at.
>>> >>>
>>> >>>> Sent from my iPhone
>>> >>>>
>>> >>>> On 18 Apr 2013, at 01:36, Robin Wood <[email protected]> wrote:
>>> >>>>
>>> >>>> > I've just noticed a nice little trick for user enumeration. The
>>> >>>> > client I'm testing has RDP on almost every windows machine and when you
>>> >>>> > connect to them, if there is a user already connected they tell you who it
>>> >>>> > is. Luckily here most of them do have someone logged in. It is a manual job
>>> >>>> > but has got me a nice little stash of usernames which is good as all my
>>> >>>> > usual techniques failed. Of extra lucky, by naming and subnets I know which
>>> >>>> > the servers are so I'm assuming users connected to them are either admins
>>> >>>> > or at least have more privileges than a normal user.
>>> >>>> >
>>> >>>> > Thought others might find it useful.
>>> >>>> >
>>> >>>> > Robin
>>> >>>> > _______________________________________________
>>> >>>> > Pauldotcom mailing list
>>> >>>> > [email protected]
>>> >>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> >>>> > Main Web Site: http://pauldotcom.com
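
The two mitigations named in the thread, NLA and the "Do not display last user name" policy, can be audited on each host. The script below is an added example, not part of the original posts; the function names are hypothetical, and the registry locations are the standard Windows ones for these settings, which the thread itself does not quote.

```powershell
# Added example: reports, for the local host, whether RDP is enabled and whether
# the two settings discussed in the thread are in place.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-RdpLogonExposure {
    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $listener = "$ts\WinStations\RDP-Tcp"
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $sysPol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # fDenyTSConnections = 0 means the host accepts RDP connections.
    $rdpEnabled = ((Get-RegValue $ts 'fDenyTSConnections') -eq 0)

    # A Group Policy value, when present, takes precedence over the listener's own.
    $nla = Get-RegValue $tsPolicy 'UserAuthentication'
    $nlaSource = 'GroupPolicy'
    if ($null -eq $nla) {
        $nla = Get-RegValue $listener 'UserAuthentication'
        $nlaSource = 'Local'
    }
    $nlaRequired = ($nla -eq 1)

    # Interactive logon: "Do not display last user name" is 1 when enabled.
    $lastUserHidden = ((Get-RegValue $sysPol 'DontDisplayLastUserName') -eq 1)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        NlaSource      = $nlaSource
        LastUserHidden = $lastUserHidden
        # Flag hosts that accept RDP while either setting from the thread is missing.
        NeedsReview    = ($rdpEnabled -and -not ($nlaRequired -and $lastUserHidden))
    }
}

Test-RdpLogonExposure
```

Hosts reported with `NeedsReview = True` are the ones where the logon screen behaviour described in the thread is worth checking by hand.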
