Could just use findtoken / incognito from MWR, it will list available tokens on the box (supports ranges)
http://labs.mwrinfosecurity.com/blog/2012/07/18/incognito-v2-0-released/

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org

On Thu, Apr 25, 2013 at 4:16 PM, Ryan <[email protected]> wrote:

> Microsoft Network Level Authentication (NLA) for RDP can also help defend against these "features" as it doesn't allow a full RDP connection until the user is authenticated.
>
> Ryan
>
> ----- Original Message -----
> *From:* Jeremy Pommerening <[email protected]>
> *To:* PaulDotCom Security Weekly Mailing List <[email protected]>
> *Sent:* Tuesday, April 23, 2013 3:27 PM
> *Subject:* Re: [Pauldotcom] user enumeration through RDP
>
> It still displays username unless you specifically tell it not to via GPO or local machine policy. Interactive Logon: "Do not display last user name" Enable or Disable.
>
> Jeremy Pommerening
> CISSP,GCFA,GPEN,GAWN,GCFW, GWAPT,
> MCSE Win2K, MCSE NT4
> ------------------------------
> *From:* Michael Salmon <[email protected]>
> *To:* PaulDotCom Security Weekly Mailing List <[email protected]>
> *Sent:* Tuesday, April 23, 2013 1:47 PM
> *Subject:* Re: [Pauldotcom] user enumeration through RDP
>
> Does RDP on Windows 7 still give the logged in username? Working with W7 I haven't seen it anymore but it may be that it's been disabled in my environment and I didn't realize it.
>
> On Tue, Apr 23, 2013 at 1:18 PM, Carlos Perez <[email protected]> wrote:
>
> No clue on that
>
> On Apr 23, 2013, at 12:32 PM, Robin Wood <[email protected]> wrote:
>
> On Apr 23, 2013 5:07 PM, "Carlos Perez" <[email protected]> wrote:
> >
> > This was what I was alluding to
> > http://www.tenable.com/blog/nessus-52-released
> >
> > Nessus will now grab VNC and RDP Screenshots
> Looks pretty cool. Any chance of building in character recognition in to read the active user?
> Robin
> >
> > Sent from my iPhone
> >
> > On Apr 23, 2013, at 3:29 AM, Matt <[email protected]> wrote:
> >
> >> If you are at BSidesLondon tomorrow we can chat then.
> >>
> >> Sent from my iPhone
> >>
> >> On 21 Apr 2013, at 23:05, Robin Wood <[email protected]> wrote:
> >>
> >>> On 18 April 2013 15:36, Matt <[email protected]> wrote:
> >>>>
> >>>> You can do more than that. Can't say much more but RDP has some useful "features" that can be leveraged to gain a higher level of access if you know your way round windows api.
> >>>>
> >>>
> >>> Pointers to any info? I don't know much about the windows API but might be worth looking at.
> >>>
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>> On 18 Apr 2013, at 01:36, Robin Wood <[email protected]> wrote:
> >>>>
> >>>> > I've just noticed a nice little trick for user enumeration. The client I'm testing has RDP on almost every windows machine and when you connect to them, if there is a user already connected they tell you who it is. Luckily here most of them do have someone logged in. It is a manual job but has got me a nice little stash of usernames which is good as all my usual techniques failed. Of extra lucky, by naming and subnets I know which the servers are so I'm assuming users connected to them are either admins or at least have more privileges than a normal user.
> >>>> >
> >>>> > Thought others might find it useful.
> >>>> >
> >>>> > Robin
> >>>> > _______________________________________________
> >>>> > Pauldotcom mailing list
> >>>> > [email protected]
> >>>> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >>>> > Main Web Site: http://pauldotcom.com
