lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <optid.065667ae02.A876923A2C9CD44BA76505F58ECF089D03FED0AE@gandalf.optimum.bm> Date: Tue, 9 Feb 2010 18:10:42 +0000 From: "Thor (Hammer of God)" <Thor@...merofgod.com> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Re: Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included) FYI, TSEnum is free and always has been on the HoG site. I wrote it specifically to enumerate the roles of all servers in the domain, including things like SQL server, Terminal services, etc. it also works over a null session. Well, it did back in the day, I've not looked at how it holds up against 2008. t > -----Original Message----- > From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full- > disclosure-bounces@...ts.grok.org.uk] On Behalf Of Reed Arvin > Sent: Tuesday, February 09, 2010 10:08 AM > To: full-disclosure@...ts.grok.org.uk > Subject: [Full-disclosure] Finding Domain Controllers for use with > WinScanX using DCLookup.exe (source included) > > WinScanX Pro is only $10.00 for the month of February (normally > $250.00) > > WinScanX Basic (always free - only scans one host per run) > http://www.windowsaudit.com/ > > Article tool: DCLookup.exe (source included) > http://windowsaudit.com/downloads/DCLookup.zip > > Original article link: > http://windowsaudit.com/winscanx/finding-domain-controllers-for-use- > with-winscanx/ > > ============================== > > When performing a security assessment it's important to have a plan of > attack. All machines do not have the same level of criticality. For > example, a missing patch on a Windows workstation will not be > perceived as being as serious a flaw as a missing patch on a Windows > domain controller. For a Windows assessment, one routine that I found > useful was to target the following hosts in the following order: > > - Windows domain controllers > - Windows servers > - Windows workstations > > Locating Windows domain controllers can be a bit of a hassle > sometimes, especially if you have no knowledge of the network you are > assessing. If that is the case for you, the following may provide some > help. > > DCLookup - Provides a list of domain controllers that are available to > authenticate the current host > > Download at: http://windowsaudit.com/downloads/DCLookup.zip (source > included) > > Usage: > > DCLookup.exe <hostname | ip address> > > DCLookup.exe 127.0.0.1 > DCLookup.exe MyMachine > > Example output: > > C:\>DCLookup.exe 127.0.0.1 > > +++++++++++++++++++++++++++++++++++++++++++++++++++ > +++++ DC INFO VIA DsGetDcName +++++ > +++++++++++++++++++++++++++++++++++++++++++++++++++ > > Domain Controller Name: \\site1dc06.company.corp > Domain Controller Address: \\192.168.11.65 > Domain Name: company.corp > DNS Forest Name: company.corp > > +++++++++++++++++++++++++++++++++++++++++++++++++++ > +++++ DC INFO VIA DsGetDomainControllerInfo +++++ > +++++++++++++++++++++++++++++++++++++++++++++++++++ > > NetBios Name: site1DC01 > DNS Host Name: site1dc01.company.corp > > NetBios Name: site1DC02 > DNS Host Name: site1dc02.company.corp > > NetBios Name: site2DC01 > DNS Host Name: site2dc01.company.corp > > NetBios Name: site3DC01 > DNS Host Name: site3dc01.company.corp > > NetBios Name: site4DC01 > DNS Host Name: site4DC01.company.corp > > NetBios Name: site5DC01 > DNS Host Name: site5DC01.company.corp > > NetBios Name: site6DC04 > DNS Host Name: site6DC04.company.corp > > NetBios Name: site1DC05 > DNS Host Name: site1dc05.company.corp > > NetBios Name: site1DC06 > DNS Host Name: site1dc06.company.corp > > NetBios Name: site1DC04 > DNS Host Name: site1dc04.company.corp > > +++++++++++++++++++++++++++++++++++++++++++++++++++ > +++++ DC INFO VIA DsEnumerateDomainTrusts +++++ > +++++++++++++++++++++++++++++++++++++++++++++++++++ > > NetBios Domain Name: TRUSTEDDOM > DNS Domain Name: trusteddom.corp > > What to do next: > > Once you have a list of domain controllers, the next step would be to > start running various checks against them to assess their security > stature. The following is a short assessment flow for a domain > controller using WinScanX: > > 1. Using WinScanX, attempt to retrieve the account lockout threshold > using the Get Account Policy Information feature against a domain > controller. > > 2. If the account lockout threshold is not set or if it is 5 attempts > or higher, attempt to retrieve the user information using the Get User > Information or Get User Information via RA Bypass feature of WinScanX > and run a quick password check using the Guess Windows Passwords > feature. > > ***NOTE*** > Make sure to only use the Guess Windows Passwords feature on one > domain controller ONLY. Using this feature on multiple domain > controllers in the same domain may cause accounts to lock out. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists