It is not uncommon for domain administrators, and in general the IT departments of businesses, not to know where privileged accounts are being used. I couldn’t tell you how often I’ve reported a load of compromised accounts for the client to respond with bemusement about at the very least a few of the accounts and their origins.
It is also not uncommon for IT departments to configure their systems to use a single local administrator account, or to have a domain account that has local admin rights across the board. This is great for an attacker: compromise one account and you have access to a smorgasbord of systems and the impersonation tokens sitting on them. You could then log in to each system in turn until you find one with the relevant tokens available to escalate your privileges. As you can imagine this is a laborious task, and with very large ranges it becomes very time consuming. Of course, being a pentester, time is something we don’t have to spare, so if something has to be done more than twice I like to automate it. ‘Venkman’ (cause ya know, we’re hunting ghosts) is a simple RPC/WMI client wrapped in some Python: it takes one or more target users and checks all services and logged-in users on the target host(s) for those accounts.
A quick breakdown of the arguments:
-sl Used to supply a file containing all servers of interest
-s Used to supply one server of interest inline
-r Used to supply a CIDR range of potential targets
-u The username to authenticate to targets
-p The password to authenticate to targets
-nl Used to supply a file containing names of interest
-n Used to supply one name of interest inline
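The matching logic behind those arguments, as an added example that is not Venkman's own code: the tool gathers service run-as accounts and logged-in users over RPC/WMI, which here is replaced by a constructed per-host inventory (SAMPLE_INVENTORY) so the block runs offline. The function and type names (expand_targets, normalize, find_account_usage, summarize, Finding) are mine. The same comparison answers the question the post opens with, so an IT department can run it over its own inventory to learn where a privileged account is actually in use before a tester finds out for them.

```python
"""Locate where accounts of interest are used across a set of hosts.

Added example: the per-host data below is constructed; in Venkman it comes
from WMI/RPC queries against each target.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample inventory: for each host, the services with the account
# they run as, plus the users with an interactive session on the box.
SAMPLE_INVENTORY: Dict[str, dict] = {
    "10.0.0.5": {
        "services": [("MSSQLSERVER", "CORP\\svc_sql"), ("Spooler", "LocalSystem")],
        "sessions": ["CORP\\jdoe"],
    },
    "10.0.0.6": {
        "services": [("BackupAgent", "CORP\\svc_backup"),
                     ("W32Time", "NT AUTHORITY\\LocalService")],
        "sessions": ["CORP\\Administrator", "CORP\\asmith"],
    },
    "10.0.0.9": {
        "services": [],
        "sessions": ["corp\\SVC_SQL"],  # different case on purpose
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str     # "service" or "session"
    account: str  # account name exactly as the host reported it
    detail: str   # service name, or "interactive" for a logged-in session


def expand_targets(servers: Iterable[str] = (), cidrs: Iterable[str] = ()) -> List[str]:
    """Merge -s style single hosts and -r style CIDR ranges, deduplicated, in order."""
    seen, targets = set(), []

    def add(host: str) -> None:
        if host not in seen:
            seen.add(host)
            targets.append(host)

    for s in servers:
        add(s.strip())
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # hosts() excludes network/broadcast; a /32 yields no hosts, so fall back
        for h in (list(net.hosts()) or [net.network_address]):
            add(str(h))
    return targets


def normalize(account: str) -> str:
    """Lowercase and strip a DOMAIN\\ or @domain qualifier so names compare reliably."""
    account = account.strip().lower()
    if "\\" in account:
        account = account.split("\\", 1)[1]
    elif "@" in account:
        account = account.split("@", 1)[0]
    return account


def find_account_usage(inventory: Dict[str, dict], names: Iterable[str]) -> List[Finding]:
    """Return every service or session on any host that uses one of the given names."""
    wanted = {normalize(n) for n in names}
    findings: List[Finding] = []
    for host in sorted(inventory):
        data = inventory[host]
        for svc_name, run_as in data.get("services", []):
            if normalize(run_as) in wanted:
                findings.append(Finding(host, "service", run_as, svc_name))
        for user in data.get("sessions", []):
            if normalize(user) in wanted:
                findings.append(Finding(host, "session", user, "interactive"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Map each matched account to the sorted list of hosts it was seen on."""
    by_account: Dict[str, set] = {}
    for f in findings:
        by_account.setdefault(normalize(f.account), set()).add(f.host)
    return {acct: sorted(hosts) for acct, hosts in by_account.items()}


if __name__ == "__main__":
    # Equivalent of "-s 10.0.0.5 -r 10.0.0.8/30 -n svc_sql -n CORP\Administrator"
    targets = expand_targets(servers=["10.0.0.5"], cidrs=["10.0.0.8/30"])
    scoped = {h: SAMPLE_INVENTORY[h] for h in targets if h in SAMPLE_INVENTORY}
    for f in find_account_usage(scoped, ["svc_sql", "CORP\\Administrator"]):
        print(f"{f.host}: {f.kind} {f.account} ({f.detail})")
```

Matching on the normalized short name is deliberate: a host reports the same account as CORP\svc_sql in one place and corp\SVC_SQL in another, and a domain-qualified name in a -nl file should still hit a session reported in the other form.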
It is available on GitHub and PyPI.
pip install venkman