Enumerating Windows Information

After you have gained access to a box, the first thing you want to do as a pen tester is obtain as much information about the machine/network as possible. Here is a list of commands that aim to enumerate host/network information from a Windows machine. The following commands are for Windows XP/Vista/7 unless stated otherwise.

Operating System Details

> ver

> systeminfo

Who are you logged in as

> set username

Which domain/workgroup is the machine apart of

> set userdomain

What is the machine called

> set computername

Windows 7 only

> whoami

List user groups on the system

> net localgroup

List users on the machine

> net user

List users in administrative group

> net localgroup administrators

View all mapped logical/shared drives on the system

> wmic logicaldisk get caption,description,providername

List all listening services on the machine

> netstat –nao

See which other machines the system has been communicating with

> arp –a

View what directories are currently being shared

> net share

View firewall configuration

> netsh firewall show config

Windows 7 only

> netsh advfirewall firewall show rule name=all more

or

> netsh advfirewall firewall show rule name=all dir=<inout>

NOTE: For more information on this command please see:

http://support.microsoft.com/kb/947709

View all currently running processes

> tasklist

Find a specific task through Process ID (PID), where x is an arbitrary PID

> tasklist /fi “pid eq x”

or

> tasklist find “x”

Find tasks running under a specific user, where x is an arbitrary username

> tasklist /fi “username eq x”

For more information on information gathering/windows forensics, check out:

http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots

Comments

Post a Comment

Popular posts from this blog

Cracking OS X Lion Passwords

Image
UPDATE [2011-10-15]: The issues described in this post have now been resolved by Apple. Users running OS X Lion 10.7.2 or security update 2011-006 are no longer affected by the vulnerabilities detailed below (CVE-2011-3435 and CVE-2011-3436). For further details on this security update please see Apple's advisory . In 2009 I posted an article on Cracking Mac OS X passwords . Whilst this post has been quite popular, it was written for OS X 10.6 and prior. Since the release of Mac OS X Lion (10.7) in July, I have received numerous requests for an update. Typically, I would have just updated the existing article without the need for a new post. However, during my research I discovered something interesting about OS X Lion that I'd like to share. In previous versions of OS X (10.6, 10.5, 10.4) the process to extract user password hashes has been the same: obtain the user's GeneratedUID and then use that ID to extract hashes from a specific user's shadow file (See my pr
Read more

Cracking Mac OS X Passwords

In this post I will demonstrate how to both extract and crack Mac OS X passwords. The OS X variants that this tutorial is aimed at are 10.4 (Tiger), 10.5 (Leopard) and 10.6 (Snow Leopard). Whilst Mac OS X is based on a Unix variant (BSD), there are several key differences between traditional Unix-based and Mac OS systems when it comes to password storage. Lets take a quick look at some of the differences. If you have ever poked around on an OS X system, you may have noticed the absence of the /etc/shadow file. Whilst traditional Unix and BSD variants store their password hashes in /etc/shadow and /etc/master.passwd respectively, Mac OS X does not. Since the release of OS X 10.3 in 2003, Macintosh products have stored their shadow files in the /var/db/shadow/hash/ directory. Another key difference is the way in which the two systems store their hashes. On a Unix-based system, every hash associated with the system is stored in the /etc/shadow file. This differs from OS X whereby each
Read more

Attacking LM/NTLMv1 Challenge/Response Authentication

Image
In Part 1 of the “LM/NTLMv1 Challenge/Response Authentication” series I discussed how both the LANMAN/NTLMv1 protocols operate and the weaknesses that plague these protocols. In this post I will demonstrate how attackers leverage these weaknesses to exploit the LANMAN/NTLMv1 protocols in order to compromise user credentials. For the remainder of this article I will be focusing on attacking the SMB protocol (Windows file sharing) as this is where LANMAN/NTLMv1 is most commonly used. Capturing the Response In order to capture a client’s LANMAN/NTLMv1 response, attackers will often utilise one of two methods: Force the client host to connect to them Conduct a man-in-the-middle (MITM) attack and “sniff” the client’s response To demonstrate these methods, I will be using the Metasploit Framework or Cain and Abel respectively. Metasploit In order for a client host to connect to us, we first need to create a listening SMB service that will accept incoming connections. Fo
Read more