network security

enumerate a windows network given one computer with admin rights and a thumb drive, assuming no external internet connection:

• turn off AV

• remove all from msconfig startup

• nmap /24 for OS, ports/services

• psloggedon /24

• pwdump local admin (LM)

  • rainbowtables, dic

  • use that to access \\remote\c$ on /24

• get cached accounts (NTLM)

• remote desktop session passwords

• mail, website logons

  • firefox

  • IE

• thunderbird, outlook profiles: address books

• pslist /24

• systeminfo /24

• get all local (mov, mpg, avi, ogg), (jpg, png, gif) (turbotax, mdb, xls, doc,wrd) filenames and locations

• look for the truecrypt, pgp executables (shows evidence that user is aware of and uses cryptography

• open jpg, png, gif with unrar to see if there are hidden files appended

there are three ways to enumerate all users in Windows Active Directory

• assuming MS exchange server is in use, export global contacts

• query AD directly, using a vbs script, such as chkusers.vbs, http://www.petri.co.il/list_all_users_and_groups_in_domain.htm

• Russinovich's AD Explorer. 10k users = 90 Mb

All of these methods require authenticated access to the domain, but not domain admin privledges. Since access is not abnormal, the only alert an administrator would notice is significant increase in network traffic to the PDC/Exchange server. For example, if you notice 90Mb of data over 10 minutes leaving your PDC, that's a bad sign. How should one monitor this?