lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <fc24d8021002091615g3006ace3o89ec5440f00fc6f2@mail.gmail.com> Date: Wed, 10 Feb 2010 08:15:57 +0800 From: Bugtrace <bugtrace@...il.com> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Re: Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included) nltest.exe(Windows NT Resource Kit) 2010/2/10 Reed Arvin <reedarvin@...il.com>: > WinScanX Pro is only $10.00 for the month of February (normally $250.00) > > WinScanX Basic (always free - only scans one host per run) > http://www.windowsaudit.com/ > > Article tool: DCLookup.exe (source included) > http://windowsaudit.com/downloads/DCLookup.zip > > Original article link: > http://windowsaudit.com/winscanx/finding-domain-controllers-for-use-with-winscanx/ > > ============================== > > When performing a security assessment it’s important to have a plan of > attack. All machines do not have the same level of criticality. For > example, a missing patch on a Windows workstation will not be > perceived as being as serious a flaw as a missing patch on a Windows > domain controller. For a Windows assessment, one routine that I found > useful was to target the following hosts in the following order: > > - Windows domain controllers > - Windows servers > - Windows workstations > > Locating Windows domain controllers can be a bit of a hassle > sometimes, especially if you have no knowledge of the network you are > assessing. If that is the case for you, the following may provide some > help. > > DCLookup – Provides a list of domain controllers that are available to > authenticate the current host > > Download at: http://windowsaudit.com/downloads/DCLookup.zip (source included) > > Usage: > > DCLookup.exe <hostname | ip address> > > DCLookup.exe 127.0.0.1 > DCLookup.exe MyMachine > > Example output: > > C:\>DCLookup.exe 127.0.0.1 > > +++++++++++++++++++++++++++++++++++++++++++++++++++ > +++++ DC INFO VIA DsGetDcName +++++ > +++++++++++++++++++++++++++++++++++++++++++++++++++ > > Domain Controller Name: \\site1dc06.company.corp > Domain Controller Address: \\192.168.11.65 > Domain Name: company.corp > DNS Forest Name: company.corp > > +++++++++++++++++++++++++++++++++++++++++++++++++++ > +++++ DC INFO VIA DsGetDomainControllerInfo +++++ > +++++++++++++++++++++++++++++++++++++++++++++++++++ > > NetBios Name: site1DC01 > DNS Host Name: site1dc01.company.corp > > NetBios Name: site1DC02 > DNS Host Name: site1dc02.company.corp > > NetBios Name: site2DC01 > DNS Host Name: site2dc01.company.corp > > NetBios Name: site3DC01 > DNS Host Name: site3dc01.company.corp > > NetBios Name: site4DC01 > DNS Host Name: site4DC01.company.corp > > NetBios Name: site5DC01 > DNS Host Name: site5DC01.company.corp > > NetBios Name: site6DC04 > DNS Host Name: site6DC04.company.corp > > NetBios Name: site1DC05 > DNS Host Name: site1dc05.company.corp > > NetBios Name: site1DC06 > DNS Host Name: site1dc06.company.corp > > NetBios Name: site1DC04 > DNS Host Name: site1dc04.company.corp > > +++++++++++++++++++++++++++++++++++++++++++++++++++ > +++++ DC INFO VIA DsEnumerateDomainTrusts +++++ > +++++++++++++++++++++++++++++++++++++++++++++++++++ > > NetBios Domain Name: TRUSTEDDOM > DNS Domain Name: trusteddom.corp > > What to do next: > > Once you have a list of domain controllers, the next step would be to > start running various checks against them to assess their security > stature. The following is a short assessment flow for a domain > controller using WinScanX: > > 1. Using WinScanX, attempt to retrieve the account lockout threshold > using the Get Account Policy Information feature against a domain > controller. > > 2. If the account lockout threshold is not set or if it is 5 attempts > or higher, attempt to retrieve the user information using the Get User > Information or Get User Information via RA Bypass feature of WinScanX > and run a quick password check using the Guess Windows Passwords > feature. > > ***NOTE*** > Make sure to only use the Guess Windows Passwords feature on one > domain controller ONLY. Using this feature on multiple domain > controllers in the same domain may cause accounts to lock out. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Best Regards, Trace _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists