lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <80115b691002091007v12de902bq8d4f17044936764c@mail.gmail.com>
Date: Tue, 9 Feb 2010 11:07:39 -0700
From: Reed Arvin <reedarvin@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Finding Domain Controllers for use with WinScanX
	using DCLookup.exe (source included)

WinScanX Pro is only $10.00 for the month of February (normally $250.00)

WinScanX Basic (always free - only scans one host per run)
http://www.windowsaudit.com/

Article tool: DCLookup.exe (source included)
http://windowsaudit.com/downloads/DCLookup.zip

Original article link:
http://windowsaudit.com/winscanx/finding-domain-controllers-for-use-with-winscanx/

==============================

When performing a security assessment it’s important to have a plan of
attack. All machines do not have the same level of criticality. For
example, a missing patch on a Windows workstation will not be
perceived as being as serious a flaw as a missing patch on a Windows
domain controller. For a Windows assessment, one routine that I found
useful was to target the following hosts in the following order:

- Windows domain controllers
- Windows servers
- Windows workstations

Locating Windows domain controllers can be a bit of a hassle
sometimes, especially if you have no knowledge of the network you are
assessing. If that is the case for you, the following may provide some
help.

DCLookup – Provides a list of domain controllers that are available to
authenticate the current host

Download at: http://windowsaudit.com/downloads/DCLookup.zip (source included)

Usage:

DCLookup.exe <hostname | ip address>

DCLookup.exe 127.0.0.1
DCLookup.exe MyMachine

Example output:

C:\>DCLookup.exe 127.0.0.1

+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++         DC INFO VIA DsGetDcName         +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

Domain Controller Name:    \\site1dc06.company.corp
Domain Controller Address: \\192.168.11.65
Domain Name:               company.corp
DNS Forest Name:           company.corp

+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++  DC INFO VIA DsGetDomainControllerInfo  +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

NetBios Name:  site1DC01
DNS Host Name: site1dc01.company.corp

NetBios Name:  site1DC02
DNS Host Name: site1dc02.company.corp

NetBios Name:  site2DC01
DNS Host Name: site2dc01.company.corp

NetBios Name:  site3DC01
DNS Host Name: site3dc01.company.corp

NetBios Name:  site4DC01
DNS Host Name: site4DC01.company.corp

NetBios Name:  site5DC01
DNS Host Name: site5DC01.company.corp

NetBios Name:  site6DC04
DNS Host Name: site6DC04.company.corp

NetBios Name:  site1DC05
DNS Host Name: site1dc05.company.corp

NetBios Name:  site1DC06
DNS Host Name: site1dc06.company.corp

NetBios Name:  site1DC04
DNS Host Name: site1dc04.company.corp

+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++   DC INFO VIA DsEnumerateDomainTrusts   +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

NetBios Domain Name: TRUSTEDDOM
DNS Domain Name:     trusteddom.corp

What to do next:

Once you have a list of domain controllers, the next step would be to
start running various checks against them to assess their security
stature. The following is a short assessment flow for a domain
controller using WinScanX:

1. Using WinScanX, attempt to retrieve the account lockout threshold
using the Get Account Policy Information feature against a domain
controller.

2. If the account lockout threshold is not set or if it is 5 attempts
or higher, attempt to retrieve the user information using the Get User
Information or Get User Information via RA Bypass feature of WinScanX
and run a quick password check using the Guess Windows Passwords
feature.

***NOTE***
Make sure to only use the Guess Windows Passwords feature on one
domain controller ONLY. Using this feature on multiple domain
controllers in the same domain may cause accounts to lock out.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ