How to Trace a Logon Using Only One Machine
This is a Lab for you learn some basics for logon. You can use this to observe user logon traffic for DNS, Kerberos, SMB, and more.
Setup
There are a couple of ways to collect a trace during logon from a client. One way is to hook up a hub to the client and use another client connected to the same hub to capture the traffic. However, with the help with a SysyInternals tool (PSexec.exe) and NMcap.exe we can collect a trace of a logon just using the client.
We will use PSEXEC to launch NmCap as system, so that when you log off the network trace will continue to run. In the command to launch NmCap we will give it a trigger to stop the trace. Once the trace is started, simply log off and back on. Then use the trigger to stop the trace. I provide a trigger using ping, but there are others such as “/timeafter 5 min” where the trace will stop by itself.
To set this up perform the following tasks on your client machine.
1. Install Netmon 3.x
2. Download PSexec if you do not have a copy already
3. Open an Explorer window
4. Navigate to the root of the C: drive
5. Create folder with the name C:\LogonTrace
6. Copy PSEXEC.EXE into the folder
7. Create a text file named LogonTrace.cmd
8. Enter the following command in the text file:
psexec -d -s "C:\Program Files\Microsoft Network Monitor 3\nmcap.exe" /network * /capture /file c:\LogonTrace\Logon_Trace.cap /stopwhen /frame Ipv4.DestinationAddress == 1.2.3.4
You are now ready to create the trace
Create a trace during your logon
1. Open a command prompt on client used in the setup above (run as administrator)
2. Navigate to the C:\LogonTrace folder
3. Type LogonTrace.cmd
The trace is now running
4. Log off
5. Log on
6. Open a cmd prompt (run as admain again) and use IPCONFIG to register DNS to force some DNS traffic
if you like, open task manager to see nmcap.exe process is running
7. Type ping 1.2.3.4
This should stop the trace – look at taskmanager again to verify
Now you should have a trace with logon traffic for your user account. Review the trace to find specific information related to locating domain controllers, registering DNS, locating SYSVOL for GPOs and logon scripts, etc.
Here are some useful filters you may find helpful.
To filter on traffic sent to and received from your client use the following filter:
Ipv4.address == <IP Address of client>
Here are two different filters for Kerberos traffic. Try them both to see if you get a difference.
Tcp.port==88 || udp.port==88
Or you could use a very simple filter
keberosV5
You can use the following for SMB when looking for SYSVOL connections:
Tcp.port==445
or you can use the protocol again
smb || smb2
You should experiment with other protocol and port filters to find other traffic as well. The few filters above are just some examples to get you started. Enjoy