Remotely lock a computer, and prevent them from logging back in

Sometimes you have to throw someone off a terminal, but at the same time preserve the evidence on the terminal. For example if someone is using a terminal to hack something, and you need to secure the running terminals to capture the commands that has been run. It is quite simple to accomplish this, as the process below demonstrates.

  1. First, change the target account’s AD password. This will prevent them from logging back in
  2. Next, target the terminal with psexec and use rundll32 to execute user32.dll with the LockWorkStation function. This will trigger the account lock. The following command can be tweaked for your purposes: PsExec.exe \\<ip> -d -u <domain>\Administrator -i cmd.exe /c “C:\windows\system32\rundll32.exe user32.dll, LockWorkStation”
  3. Now it’s time to sieze the terminal. Make sure you are standing by ready for this, as the victim could be distressed and shut down his workstation, essentially removing evidence.

This concept can be expanded further, as Darryl Griffiths pointed out to me on LinkedIn. Coupling the initial idea of locking the workstation with AD Group Policies to modify the Power settings on the target workstation, one can even prevent the machine from shutting down, e.g. when the power button is clicked or the laptop lid is turned off. The Power Management in Windows normally allows this type of overriding the functionality of the power button, and more can be read about this concept in the following TechNet article: https://blogs.technet.microsoft.com/askds/2008/03/21/managing-power-with-group-policy-part-3-of-3/

Get PSExec here: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx?f=255&MSPPError=-2147217396

Here is a video demonstrating the remote terminal lockout.

Finding files and grepping for information

Sometimes you have to find interesting files, then grep through those specific files dynamically. With Linux this is as easy as:

find . -name <file> -exec grep -i -H <match> {} \;

This will simply recursively look for files you want to find, e.g. *.txt, and for each file found, grep that file for whatever matching content you want to find. Additional interesting things to do with this is to grep with regex, or use the find command to further filter for specific types of files.

Slow DNS enumeration

Fierce is an excellent tool for doing DNS reconnaissance, i.e. querying the DNS server for potential domain names to be revealed. I’ve seen some setups where the enumeration has gone horrible slow.

If your DNS enumeration tool is going slow, fire up tcpdump and inspect the DNS traffic.

tcpdump -i <interface> -nn port 53 

Normally you should see tens and hundres of DNS queries flowing past the screen, but if the requests are slow, inspect the queries you are sending. Are you sending queries for .local domain as well?

This image shows 3 queries trying to resolve one name, but sends multiple queries

This is likely due to your DHCP settings are pushed out with a SearchDomain for <whatever>.local. Edit your /etc/resolv.conf and remove the line dictating the SearchDomain, and you should have a huge boost in speed!