Full Disclosure mailing list archives

Re: Finding Domain Controllers for use with WinScanX using DCLookup.exe (source included)
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Tue, 9 Feb 2010 18:10:42 +0000

FYI, TSEnum is free and always has been on the HoG site.  I wrote it specifically to enumerate the roles of all servers
in the domain, including things like SQL Server, Terminal Services, etc.  It also works over a null session.

Well, it did back in the day, I've not looked at how it holds up against 2008.

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Reed Arvin
Sent: Tuesday, February 09, 2010 10:08 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Finding Domain Controllers for use with
WinScanX using DCLookup.exe (source included)

WinScanX Pro is only $10.00 for the month of February (normally
$250.00)

WinScanX Basic (always free - only scans one host per run)
http://www.windowsaudit.com/

Article tool: DCLookup.exe (source included)
http://windowsaudit.com/downloads/DCLookup.zip

Original article link:
http://windowsaudit.com/winscanx/finding-domain-controllers-for-use-with-winscanx/

==============================

When performing a security assessment it's important to have a plan of
attack. All machines do not have the same level of criticality. For
example, a missing patch on a Windows workstation will not be
perceived as being as serious a flaw as a missing patch on a Windows
domain controller. For a Windows assessment, one routine that I found
useful was to target the following hosts in the following order:

- Windows domain controllers
- Windows servers
- Windows workstations

Locating Windows domain controllers can be a bit of a hassle
sometimes, especially if you have no knowledge of the network you are
assessing. If that is the case for you, the following may provide some
help.

DCLookup - Provides a list of domain controllers that are available to
authenticate the current host

Download at: http://windowsaudit.com/downloads/DCLookup.zip (source
included)

Usage:

DCLookup.exe <hostname | ip address>

DCLookup.exe 127.0.0.1
DCLookup.exe MyMachine

Example output:

C:\>DCLookup.exe 127.0.0.1

+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++         DC INFO VIA DsGetDcName         +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

Domain Controller Name:    \\site1dc06.company.corp
Domain Controller Address: \\192.168.11.65
Domain Name:               company.corp
DNS Forest Name:           company.corp

+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++  DC INFO VIA DsGetDomainControllerInfo  +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

NetBios Name:  site1DC01
DNS Host Name: site1dc01.company.corp

NetBios Name:  site1DC02
DNS Host Name: site1dc02.company.corp

NetBios Name:  site2DC01
DNS Host Name: site2dc01.company.corp

NetBios Name:  site3DC01
DNS Host Name: site3dc01.company.corp

NetBios Name:  site4DC01
DNS Host Name: site4DC01.company.corp

NetBios Name:  site5DC01
DNS Host Name: site5DC01.company.corp

NetBios Name:  site6DC04
DNS Host Name: site6DC04.company.corp

NetBios Name:  site1DC05
DNS Host Name: site1dc05.company.corp

NetBios Name:  site1DC06
DNS Host Name: site1dc06.company.corp

NetBios Name:  site1DC04
DNS Host Name: site1dc04.company.corp

+++++++++++++++++++++++++++++++++++++++++++++++++++
+++++   DC INFO VIA DsEnumerateDomainTrusts   +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++

NetBios Domain Name: TRUSTEDDOM
DNS Domain Name:     trusteddom.corp

What to do next:

Once you have a list of domain controllers, the next step would be to
start running various checks against them to assess their security
stature. The following is a short assessment flow for a domain
controller using WinScanX:

1. Using WinScanX, attempt to retrieve the account lockout threshold
using the Get Account Policy Information feature against a domain
controller.

2. If the account lockout threshold is not set or if it is 5 attempts
or higher, attempt to retrieve the user information using the Get User
Information or Get User Information via RA Bypass feature of WinScanX
and run a quick password check using the Guess Windows Passwords
feature.

***NOTE***
Make sure to only use the Guess Windows Passwords feature on one
domain controller ONLY. Using this feature on multiple domain
controllers in the same domain may cause accounts to lock out.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
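The three views DCLookup prints (the locator's current DC, every DC in the domain, and the domain's trusts), reproduced here as an added example that is not DCLookup's source or WinScanX code. It uses the .NET System.DirectoryServices.ActiveDirectory classes instead of the Win32 DsGetDcName/DsGetDomainControllerInfo/DsEnumerateDomainTrusts calls the tool names, and assumes a domain-joined host and a domain account; the expected-DC list at the end is constructed from the sample output above.

```powershell
# Added example (not DCLookup's own source): the same three views DCLookup prints,
# returned as objects so a defender can diff them against the expected DC inventory.
# Assumes a domain-joined host running under a domain account.
Set-StrictMode -Version Latest
Add-Type -AssemblyName System.DirectoryServices

function Get-DcInventory {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

    # Counterpart of "DC INFO VIA DsGetDcName": the DC this host would use right now.
    $current = $domain.FindDomainController()
    $locator = [pscustomobject]@{
        DomainControllerName    = $current.Name
        DomainControllerAddress = $current.IPAddress
        DomainName              = $domain.Name
        DnsForestName           = $domain.Forest.Name
    }

    # Counterpart of "DC INFO VIA DsGetDomainControllerInfo": every DC in the domain.
    $all = foreach ($dc in $domain.DomainControllers) {
        [pscustomobject]@{
            DnsHostName = $dc.Name
            IPAddress   = $dc.IPAddress
            Site        = $dc.SiteName
        }
    }

    # Counterpart of "DC INFO VIA DsEnumerateDomainTrusts": domains this domain trusts.
    $trusts = foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{
            TargetDomain = $t.TargetName
            Direction    = $t.TrustDirection
            Type         = $t.TrustType
        }
    }

    [pscustomobject]@{ Locator = $locator; DomainControllers = $all; Trusts = $trusts }
}

$inv = Get-DcInventory
$inv.Locator | Format-List
$inv.DomainControllers | Sort-Object DnsHostName | Format-Table -AutoSize
$inv.Trusts | Format-Table -AutoSize

# Defender check: warn about any DC the domain advertises that is not in the expected
# inventory. The list below is constructed from the sample output; replace it with
# your own asset inventory export.
$expected = @('site1dc01.company.corp', 'site1dc02.company.corp')
$inv.DomainControllers | Where-Object { $_.DnsHostName -notin $expected } |
    ForEach-Object { Write-Warning "Unexpected domain controller: $($_.DnsHostName)" }
```

The object output makes it easy to schedule the script and alert when the set of advertised domain controllers or trusts changes between runs.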


