[Dshield] Windows 2000 - Who's logged in?

dcm2002@sbcglobal.net dcm2002 at sbcglobal.net
Thu Nov 21 01:07:30 GMT 2002


At 09:41 AM 11/20/02 -0800, WB wrote:
>Is there any way to determine who's logged in at a particular IP address
>in Win2K?  We have web-content monitors that identify a particular IP
>address, but not the user.
>
>I understand, of course, that it may not *actually* be the user the
>account is assigned to, but one thing at a time.
>
>- WB

If you are running Windows yourself then you can use one of the tools
that ships with it; NBTSTAT. If you can get to that dreaded Port 137 you
should see something like:

C:\>nbtstat -A 127.123.123.123

Local Area Connection 5:
Node IpAddress: [127.123.123.123] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    Computername   <00>  UNIQUE      Registered  <= this is the "Computername"
    Workgroup      <00>  GROUP       Registered  <= this is the "Domain" or workgroup
    Workgroup      <03>  UNIQUE      Registered  <= and so on  <03> means Name
    Workgroup      <20>  UNIQUE      Registered  <= and another form. <20> is a group.
    Something      <1E>  GROUP       Registered  <= <1E> says a specific NetBIOS service is running here - I don't care to look this one up right now.
    User1          <03>  UNIQUE      Registered
    Workgroup      <1D>  UNIQUE      Registered  <= <1D> means the "Workgroup" is a Domain
    ..__MSBROWSE__.<01>  GROUP       Registered  <= This is a "Master Browser"

    MAC Address = 00-AB-AB-55-AB-99

Obviously you put the target's IP address after the capital "A" (little
"a" is a different option). 

You may or may not see all of these types of entries, and you may have
others. The current logged in user's ID should show up late in the list
followed by a <03>. The computername and workgroup (in various forms)
will also show with <03>, but they will be listed early. 

And as you said, this may not be the real logged in user. But hey, this
is what Port 137 is good for. ;-)


David Mehl
Houston TX  USA
dcm2002 at sbcglobal.net 
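
Added example, not part of the original message: a Python parser for the nbtstat -A name table that applies the rule described in the reply above (the user ID is a <03> entry that is not the computer or workgroup name). The sample table is constructed from the listing in the post; the function names and the "drop any <03> name that also appears with <00>" test are assumptions of this example.

```python
import re

# One row of the "NetBIOS Remote Machine Name Table" printed by nbtstat -A.
ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<kind>UNIQUE|GROUP)\s+(?P<status>\w+)")

def parse_name_table(text):
    """Return (name, suffix, kind, status) tuples for every table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["name"], m["suffix"].upper(), m["kind"], m["status"]))
    return rows

def candidate_users(text):
    """Names registered as <03> UNIQUE that are not also a <00> name.

    Assumption of this example: a name that also appears with <00> is the
    computer or workgroup name, so it is dropped; what remains, in table
    order, is the likely logged-in user ID.
    """
    rows = parse_name_table(text)
    machine_names = {n.upper() for n, s, _, _ in rows if s == "00"}
    users = []
    for name, suffix, kind, status in rows:
        if (suffix == "03" and kind == "UNIQUE" and status == "Registered"
                and name.upper() not in machine_names and name not in users):
            users.append(name)
    return users

# Constructed sample, modelled on the listing in the post (annotations removed).
SAMPLE = """\
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    Computername   <00>  UNIQUE      Registered
    Workgroup      <00>  GROUP       Registered
    Workgroup      <03>  UNIQUE      Registered
    Workgroup      <20>  UNIQUE      Registered
    Something      <1E>  GROUP       Registered
    User1          <03>  UNIQUE      Registered
    Workgroup      <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    MAC Address = 00-AB-AB-55-AB-99
"""

if __name__ == "__main__":
    print(candidate_users(SAMPLE))
```

An empty result means no <03> name other than the machine's own was registered, which is what a host with nobody logged in would show under this rule.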




