Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on gathering information on a Windows-based machine you already have access to. Participants learn about the following commands:

  • ipconfig /all: shows the host name, every adapter (including VPN and tunnel adapters), MAC addresses, whether DHCP is in use, lease times, the default gateway and the DNS servers. Together these say a lot about how the network is laid out, how many hosts to expect, and whether DNS is hosted internally.
  • netstat: shows which connections are up. On Windows, netstat with no options lists only active TCP connections; use netstat -a to include listening ports and UDP, or netstat -p TCP / netstat -p UDP to pick one protocol.
  • net*: the built-in administration tool for Windows clients and servers (net localgroup, net config, net share, net user, and net help <command> for usage). It has many options for gathering information about groups, shares and accounts.
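As an added example (this script is not part of the course or its slides), the PowerShell below drives the same commands the lesson covers, ipconfig /all, netstat, net localgroup, net config workstation, net share and net user, and parses their output into the findings the lecture tells you to look for: the host-naming scheme, virtual-machine OUIs, VPN adapters, DHCP and IPv6, whether DNS is internal, listening ports, sensitive groups, default and Users shares, and the account that does not fit the naming pattern. It deliberately uses only the classic command-line tools so it also runs on Windows 7-era hosts. Assumptions: ipconfig.exe, netstat.exe and net.exe are on PATH, the OUI table is a hand-picked subset rather than a full vendor list, and TCP 3389 is taken as the RDP port.

```powershell
# Added example, not the course's own material: one-pass host enumeration that
# drives only the commands this lesson covers (ipconfig /all, netstat,
# net localgroup / config / share / user) and pulls out the findings the
# lecture says to look for. Assumptions: ipconfig.exe, netstat.exe and net.exe
# are on PATH; the OUI table is a hand-picked subset, not a full vendor list;
# TCP 3389 is taken as the RDP port. Output goes to %TEMP%\host-enum.txt.

$Report   = Join-Path $env:TEMP 'host-enum.txt'
$findings = New-Object System.Collections.Generic.List[string]
function Note([string]$m) { $findings.Add($m) }
# Strip the "Label . . . . : " dotted leader that ipconfig prints
function Val([string]$line) { ($line -replace '^[^:]*:\s*', '').Trim() }

# --- ipconfig /all: host name, adapters, DHCP, DNS ---------------------------
$ipcfg = ipconfig /all
$hostName = Val (($ipcfg | Select-String 'Host Name' | Select-Object -First 1).Line)
Note "Host name: $hostName"
if ($hostName -match '_PC$') { Note 'Host name ends in _PC: hosts may map one-to-one to people' }

$oui = @{ '00-0C-29' = 'VMware'; '00-50-56' = 'VMware'; '08-00-27' = 'VirtualBox';
          '00-15-5D' = 'Hyper-V'; '52-54-00' = 'QEMU/KVM' }    # subset only
foreach ($m in ($ipcfg | Select-String 'Physical Address')) {
    $mac = Val $m.Line
    if ($mac.Length -ge 8) {
        $prefix = $mac.Substring(0, 8).ToUpper()                  # first 3 bytes = OUI
        if ($oui.ContainsKey($prefix)) { Note "MAC $mac -> $($oui[$prefix]) (virtual machine)" }
    }
}
foreach ($d in ($ipcfg | Select-String 'Description')) {
    $desc = Val $d.Line
    if ($desc -match 'VPN|Tunnel|TAP-Win|AnyConnect|WireGuard') { Note "VPN/tunnel adapter: $desc" }
}
if ($ipcfg | Select-String 'DHCP Enabled.*Yes') { Note 'DHCP in use: expect a DHCP server on this segment' }
if ($ipcfg | Select-String 'IPv6 Address')      { Note 'IPv6 addresses present: check whether filtering covers v6 too' }
$dns = $ipcfg | Select-String 'DNS Servers' | Select-Object -First 1
if ($dns) {
    $dnsIp = Val $dns.Line
    if ($dnsIp -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
        Note "DNS server $dnsIp is internal: a local DNS/DC is a candidate next target"
    } else {
        Note "DNS server $dnsIp is external: DNS is not hosted locally"
    }
}

# --- netstat -ano: listening sockets, not just established TCP ---------------
$ns     = netstat -ano
$listen = @($ns | Select-String 'LISTENING')
$udp    = @($ns | Select-String '^\s*UDP')
Note ("{0} listening TCP sockets, {1} UDP endpoints" -f $listen.Count, $udp.Count)
if ($listen | Where-Object { $_.Line -match ':3389\s' }) { Note 'TCP 3389 listening: RDP is probably enabled' }

# --- net localgroup / net share / net user / net config workstation ----------
$groups = @(net localgroup) | Where-Object { $_ -match '^\*' } | ForEach-Object { $_.TrimStart('*').Trim() }
foreach ($g in 'Administrators', 'Backup Operators', 'Remote Desktop Users',
               'Network Configuration Operators', 'Cryptographic Operators') {
    if ($groups -contains $g) { Note "Group present: $g" }
}
$admins = @(net localgroup Administrators) |
    Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
Note ("Local Administrators: " + ($admins -join ', '))

$shares = @(net share)
foreach ($s in 'C$', 'ADMIN$', 'IPC$', 'print$') {           # single quotes keep $ literal
    if ($shares | Select-String ('^' + [regex]::Escape($s) + '\s')) { Note "Default share exposed: $s" }
}
$shares | Select-String '\\Users' | ForEach-Object { Note ("Users folder shared out: " + $_.Line.Trim()) }

# Account names sit between the dashed rule and the trailing status line
$raw   = @(net user)
$rule  = $raw | Where-Object { $_ -match '^-+$' } | Select-Object -First 1
$start = [Array]::IndexOf($raw, $rule) + 1
$users = @(($raw[$start..($raw.Count - 1)] | Where-Object { $_ -and $_ -notmatch 'completed' }) -join ' ' -split '\s+' |
           Where-Object { $_ })
# Naming scheme: strip trailing digits, find the dominant stem, flag the accounts that do not fit
$stem = $users | ForEach-Object { ($_ -replace '\d+$', '').ToLower() } |
        Group-Object | Sort-Object Count -Descending | Select-Object -First 1
$odd  = $users | Where-Object { ($_ -replace '\d+$', '').ToLower() -ne $stem.Name }
Note ("Dominant account stem '{0}' ({1} accounts); accounts that stand out: {2}" -f $stem.Name, $stem.Count, ($odd -join ', '))

$cfg = @(net config workstation) | Select-String 'Workstation domain|Logon domain' | ForEach-Object { $_.Line.Trim() }
Note ($cfg -join '; ')

$findings | Out-File -FilePath $Report -Encoding ascii
Get-Content $Report
```

Run it from any PowerShell prompt on the host and read the report it prints; the raw command output is still there for a second look by re-running the individual commands. The account-stem heuristic does exactly what the lecture suggests by eye: on a box whose users are account1 through account4 it reports the stem "account" and lists Perry and ASPNET as the ones that stand out, which is where you look first for the admin or the IT person.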

Video Transcription

00:04
Ladies and gentlemen, hello and welcome to Post Exploitation Hacking: Persistence and Continued Access. I'm Joseph Perry, and this video is going to be the lecture slides for gathering information on your current machine in Windows.
00:18
Jumping right in: as we did with Linux, the first thing we want to do is look at the interfaces on this machine.
00:23
The first command that we're going to run
00:26
is ipconfig. So ipconfig is Windows IP configuration; obviously the /all option
00:33
tells us all sorts of extra information.
00:37
Um,
00:38
The first thing we see right here is the host name. You see there's a primary DNS suffix; that's not really important.
00:45
Really, the first thing we're going to get from this slide is just the name of the machine you broke into, if you didn't know that already.
00:50
You see it,
00:51
and also, based on this, you can tell a lot about a network's potential configuration. Just seeing a single host name can occasionally tell you quite a bit about a network.
01:00
If you see that it's a serial, you know,
01:03
a serial number followed by a random string, or it might just be a large number,
01:08
it can tell you potentially how many computers are on the network, and it can tell you
01:14
what sorts of things to look out for when you're scanning.
01:18
Host name can actually be surprisingly indicative of the network's established arrangement. For instance, in this case you see it's a last name underscore PC, which means that
01:29
if this whole network is following a similar pattern, these machines are individually owned, or at least individually used. So each person is mapped to a machine
01:38
rather than just, you know, swapping desks or what have you.
01:42
So if you're looking for a specific target, for example the CEO,
01:46
then you would want to look for his last name underscore PC,
01:49
and you would actually be able to target more accurately based on the actual host name of the machine.
01:55
Obviously, that's not always the case. It's very rare that you see actual names associated with computers, specifically for that reason, but
02:02
you never know. You can get a lot of information from simple things like that.
02:07
Continuing on.
02:08
So you see Ethernet adapter.
02:10
So this is an Ethernet interface, it sits on Local Area Connection 2,
02:16
media is disconnected, so this interface is not actually attached to anything. It's not really that useful. We know that the interface exists
02:25
for some reason or another,
02:28
and that makes more sense when we get down here and we see, oh,
02:32
it's a TunnelBear Adapter Version 9
02:36
interface. For those of you unfamiliar with TunnelBear, it is VPN software.
02:40
So seeing this up, or seeing something similar to this up, seeing some sort of VPN
02:46
adapter, a VPN interface, tells us that this computer is using a VPN. Whether it's using a proprietary VPN like that one the company has, or using, you know, some sort of standardized one, again, this can be used to identify what kind of VPN is used, what version, sometimes where the actual server is, depending on what
03:05
this actual interface is
03:06
aimed at, that sort of thing.
03:07
We'll see a physical address associated with it. We see that it has DHCP, Dynamic Host Configuration Protocol, enabled, and it's autoconfigured. So the IP that's assigned to this when it's connected, the IP assigned to this, is automatically configured, automatically given to it,
03:24
which tells us that the network that this Windows machine is on
03:29
must have a DHCP server.
03:31
So that's something that we want to be on the lookout for.
03:34
Next page, also of course ipconfig,
03:37
is again an Ethernet adapter, for the Local Area Connection.
03:40
Description: Realtek PCIe.
03:46
You don't really know what that is; you don't really need to know what that is.
03:49
We see it's got a different physical address. So a good thing to always do is take note of these first three bytes, look those up and figure out what it is.
03:57
The description on a machine can also tell you what sorts of things are active. So if you go and Google Realtek PCIe GBE Family Controller, you'll probably find some information out, and it can tell you about targeting. You never know.
04:10
Again, we see there is DHCP enabled,
04:13
we see that it is autoconfigured,
04:15
and we see, this is kind of a useful little tidbit. So first of all it says preferred, which means it's going to try,
04:21
sorry about that, it's going to try and get
04:26
a specific IP from the DHCP server.
04:30
It's got an address that it's going to ask for first. If that doesn't work, then it will get something else. But the odds are fairly decent, if they're setting preferred IPs,
04:40
that each machine will have a semi-static, or at least a fairly static, IP address, and you can usually
04:46
target
04:46
with, I'd say, probably 70 or 80 percent certainty.
04:50
Obviously, we see also that there is an IPv6 address enabled, and an IPv4 address.
04:56
So
04:58
as with a lot of the things that we saw on the Linux machine,
05:00
this could mean that it's just got a default configuration. They just set the computer up, the admin wasn't really trying too hard, whatever.
05:08
That could indicate their IDS can be beaten. You might be able to sneak by it with the IPv6 addresses. Again, as I'm very fond of reminding you, it's extremely common to see people protect against all sorts of different IPv4
05:21
and forget all about IPv6.
05:24
So it's certainly worth checking on. The next one is
05:28
associated with the same one.
05:30
See, it's got a subnet mask of 255.255.255.0, so it's on
05:36
a network of 10.0.0.something. Every machine should have 10.0.0.
05:43
See also, for those of you unaware, 10.0.0 means this is an internal network. It's behind a router, and all the IPs are coming from that specific router.
05:53
We see that it obtained this lease on December the 3rd
05:57
at going on about 9 p.m.,
06:00
and we see that it expires on December the 10th.
06:03
So it's got a seven-day period,
06:05
sort of an odd little few seconds, just
06:12
strangeness here, a disconnect.
06:14
But that's not really extremely important. You see it's an almost exactly seven-day period
06:18
for leases. So if you have an IP,
06:23
um,
06:24
or if you come back on the 10th,
06:28
you see whatever the IP is, then you know that IP is going to be good until the 17th, so on and so forth. So you're going to be able to continually monitor IPs and know what the IP is.
06:39
And of course, since it's set as a preferred IP, the odds of it getting the same one are very good. So between those, on any given day, your odds of having the same IP, or of knowing the IP of a machine, are very, very, very good.
06:50
We see the default gateway right here.
06:53
It's 10.0.0.1.
06:55
So we know that that is where we're going to actually travel through to get to other networks.
07:00
It just tells us that right out of the gate.
07:01
DHCP server, it also gives us for free.
07:04
And this is what I love about ipconfig for Windows:
07:08
it is just extremely informative, and it just kind of puts the data out there, most of what you need to know about a network, right out of the gate.
07:15
Just run ipconfig /all, pipe it into a file and then read that file. Very easy to do. We've got DHCPv6; it's not really super important. We see the DNS server is 75.75.75.75
07:29
and 75.75.76.76.
07:31
So you don't have to go out and look it up, I can tell you offhand that is a Comcast DNS. So you know who their service provider is now, you know who they're going through.
07:42
And if you're
07:43
really feeling frisky, you can target that IP, try and take down that DNS server. Obviously, against a multinational corporation, or a giant national corporation,
07:51
that might not work super well, but if this was, you know, some 10.0, if it was 10.0.0.1,
07:58
and you wanted to destroy the master DNS, you would know that that was the IP you wanted to target.
08:03
So it does help you build an image of the network. And it does tell you that they're not hosting DNS locally, so if you have any attack vectors that are DNS-based, you can probably just kind of toss those out the window. So it could save you several hours' worth of work. It's worth checking up on, if nothing else.
08:20
So, done with ipconfig, we get over to netstat. Netstat, this is really all there is for you
08:26
right here. Netstat is just like Linux: it's straightforward, tells you what connections are up. It's not
08:33
any more interesting on Windows. I think we pretty well dug into netstat in the Linux video.
08:39
I don't think there's any need to go further. One thing that is worth mentioning, I suppose, is that on Windows, a lot of times netstat will only show you TCP.
08:48
So make sure you're using netstat -a to show all,
08:52
or just netstat -p TCP, netstat -p UDP, et cetera, to show each one individually, however you want to do it.
08:58
Now here's where we're going to dig into the real stuff for Windows. Windows has a suite, it's the net series of tools. It's an administration tool for Windows clients and servers. It's got loads of options, and I love them all. Not equally, I'll admit; you know, I have favorite children, and least favorite children,
09:16
but almost all of them are useful.
09:18
They can tell you a lot about a machine.
09:20
Familiarize yourself with net.
09:22
I mean, no matter what, you're going to need to use it to learn things about a Windows machine. It's the most
09:28
powerful information-gathering tool you have for Windows, and what's nice is it's built into almost every single Windows machine you'll ever touch, and it's almost never turned off, because it's too necessary,
09:37
so it's useful.
09:39
We see here there are a few of these options. These ones, localgroup, config, share and user, we're going to cover in this portion. The network information gathering for Windows will cover
09:48
pretty much all of the rest, as you see here, and much more.
09:52
So the first thing we're going to look at is net localgroup.
09:56
Net localgroup is exactly what it sounds like.
09:58
I suppose before we dig into this, I should mention net help. Net help and then the command name will tell you all sorts of things about a command, its options, how it works, et cetera.
10:07
So definitely something to check is just net help and the command name; in this case it would be net help localgroup.
10:13
Something that
10:16
deserves mention, deserves notice.
10:18
Anyway, so we see local groups. These are groups that exist on this machine.
10:22
So you see this first group is a VMware group.
10:24
So if we didn't know it already,
10:28
pardon me, we know that it's got a VM, it's got specifically VMware.
10:31
We see there's an Administrators group; they didn't change the name of that. That'll be very useful when we use net user to create a backdoor later on.
10:41
It's got Backup Operators,
10:43
Cryptographic Operators,
10:46
Network Configuration Operators, Performance Monitor Users, Power Users, RDP Users,
10:52
that's important,
10:54
and then normal Users.
10:56
So each of these is a different group, obviously, and with each group there are different permissions. Obviously, in terms of power,
11:05
there are certain ones that are better than others.
11:09
The Administrators group,
11:11
number one. I used my mouse to draw a fancy number one for you.
11:16
Um,
11:18
Backup Operators, typically number two: people who can actually back up all the data. If you have the authority to back up all the data, and you have access to wherever it gets backed up to, you can learn everything about a machine, and you can do it at your leisure, which is nice.
11:31
After that, Network Configuration Operators are very important.
11:35
Crypto operators are good because these guys have access; they can encrypt and decrypt traffic, or encrypt and decrypt files, on a Windows machine.
11:43
And then
11:45
RDP Users I love, because if you see that this group exists, that means that RDP is enabled and you can create an RDP connection.
11:54
And in hacking,
11:56
having a GUI is cheating, and I love cheating.
12:00
So if you have the opportunity to cheat and use RDP and use a GUI, you're a very lucky person. Obviously Users,
12:05
bottom of the barrel. They exist, they're good, but they're not as good.
12:09
Net config: there are two parts to net config, net config server and net config workstation. Obviously, in this portion, we're going to be looking at workstation.
12:18
The first thing that we're going to see is the computer name of this machine. Again, it's Perry_PC; that can tell us a lot. The full computer name is just Perry_PC,
12:26
so
12:28
they're not using any fully qualified name for the computer, whatever. So it's the host machine that probably doesn't have a whole lot of connection to a major network.
12:39
We see a user name.
12:41
So that's the currently logged-on user. Net config workstation can tell you, you know, if you don't know who you've broken in as, net config workstation can tell you.
12:50
You see that the workstation is active on these
12:52
right here.
12:56
This, this, this and this. These are the things that the workstation is active for. It doesn't really tell you that much. It's worth knowing, worth a Google,
13:03
but that's about it. You see TCP/IP, there's some sort of network connection happening,
13:09
so quick assumptions can be made, but really, information digging would have to be done with a Google search.
13:16
Software version is Windows 7 Ultimate.
13:18
So it's not Windows 7 Professional, which is worth noting. Most companies aren't going to shell out for Ultimate; they'll get Professional or just Windows 7.
13:26
It's part of the WORKGROUP domain,
13:30
which, if you know about Windows networks, can tell you a ton of stuff: the difference between a workgroup, client-server, and various other things.
13:37
Logon domain is local. So this machine is its own machine.
13:43
It could be that you've broken into, you know, a standalone that's used by an important person. It could be that you've broken into someone's personal PC, whatever,
13:50
but knowing that it's a local logon machine tells you that you don't have to target servers to get logon information. If you create an admin user on this, they'll have admin privileges, that sort of thing. It can tell you about your access vectors.
14:01
If you've got a different logon domain here, you know you can start looking for that domain controller, and that could be your next target. So it can help you specify whether you should target someone else, and if so,
14:13
who.
14:13
This one is net share. Net share shows you what this computer is sharing out.
14:18
If you see this right here,
14:20
do a little happy dance. ADMIN$ share is one of the default shares; ADMIN$ share or C$ share, either one can give you pretty much complete access to a machine if you have a user name and password, which, if you're in right now, I'll be showing you shortly how to create a user.
14:35
But this gives you just total, everything you could want to know is all shared out through that. It's wonderful. Print shares,
14:43
they tend to get kind of neglected by a lot of people, but are actually very handy.
14:48
If you see here, this print share, all it does is share out C:\Windows\System32\spool\drivers.
14:54
That's all it's doing. But
14:56
if you can get into that,
14:58
you may be able to use directory traversal, you may be able to use other exploits. All sorts of things could be used. A great many worms use print shares to migrate
15:09
because print shares don't tend to be very secure.
15:13
They tend to be very easy to get into. No one cares, it's just the printer. But in reality, when you get into that print share, you can oftentimes navigate throughout the system and do a lot.
15:22
IPC$ is remote IPC.
15:24
If you don't know what this means,
15:26
you have homework. Go to Wikipedia, learn; go to Google, learn. Find out all the reasons why IPC$ is a great thing to have, because there are a bunch. You see also that he's sharing his user file,
15:39
his Users,
15:39
not file, but folder,
15:41
C:\Users.
15:46
That's dangerous. That's really, really bad. I actually set that up specifically to show you some of the weird practices people do that can be wonderful. Again, if you have the ability to access this computer's shares, if you have,
15:56
you know, a password, a user name and password for the domain or for whatever,
16:00
this Users folder could tell you everything.
16:03
It could be used to gain access to individual users' passwords in their vaults, which we'll examine later.
16:10
It could be used to scan all the users' files.
16:12
All sorts of stuff. If you have access to Users, you have access to everything in a lot of ways, and you've got a lot of different vectors from which you can approach.
16:21
It's nice to see, and it's unfortunately much more common than I'd like to say it is, that people share out folders that
16:29
logically they shouldn't share. It could have been they just shared it out because it was easy, they shared it out because there's something in there that people needed to have, or they shared it out because they ran the command incorrectly and didn't know what they were doing. It's very common to see weird things being shared because someone made a typo. The next command is net user.
16:47
Net user indicates the user accounts on a machine.
16:49
For those of you who watched the practical, or
16:52
are watching the practical, you know, after each slide or whatever, you see account4 exists. I did this just after creating that one and doing that nifty little bit of work. But you see that this lists user accounts. This is very handy because it can show you naming schemes. For most of the users you see account1,
17:11
account2, account3, account4.
17:14
That means that for most new accounts, this person labels them with just "account" and then a number.
17:18
That could be useful for them
17:21
in that it obfuscates which account is an admin account and which account is a guest account, which account is whatever. It can also be useful for you, because if there are, you know, 118 account numbers,
17:33
then no one's going to notice account119. So by seeing the user names that are in use on a machine or a network or whatever, you can see what types of user names there are, and how those user names were set up,
17:45
and that'll make it a lot easier for you to sort of create your own and obfuscate and hide in their network without being as noticeable, without standing out.
17:52
There's also ASPNET, which is not super useful to us right now, and then Perry, which is the user name under which we've been operating.
18:00
This isn't uncommon,
18:03
and this is a useful trick. If you see a user name that is clearly strange, it might be a name, it might be a weird handle, it might be some sort of quip or joke,
18:11
on a network where otherwise every other account is standardized and specific, the weird name is almost always an IT person.
18:19
We tend to have a little bit more control over user names, a little bit more control over that sort of thing, which means that we tend to let our, you know, creativity or jokes kind of fly out a little bit more than we probably should.
18:30
So a useful and quick means of identifying which user is powerful, which user has more access, is just to look at which user doesn't
18:40
fit in, right?
18:41
It could also tell you if someone else has been attacking a machine,
18:44
so either of those is worth noting; it should be documented. If you're doing an actual pen test, you should indicate:
18:51
hey, I saw weird user names, and that's indicative of either someone not following the rules, or that someone else is already in your network.
19:00
So that pretty much ends information gathering on the host machine in Windows.
19:03
We went through and covered some of the simpler tools, some of the quick commands you can run. Obviously, as always, there are more tools out there than I could ever show you in one class. There's more to learn, there's more to know, so by all means check those out. Play with those tools; there are other options.
19:19
Kind of get used to them. Get used to using net help,
19:22
because that is going to answer a lot of questions you're going to have, and I assure you, when you start using them, you're going to have a lot of questions. Examine your own network, your own machine. See if you've got, you know, your corporate network or your home network or whatever, see if you've got user names that stand out, see what you can tell about yourself by going through user names and groups and that sort of thing.
19:42
You may be surprised to discover there's a lot more
19:47
being shown very easily than what you would think.
19:51
And, of course, you may be pleasantly surprised to discover the same thing when you're targeting someone else's network.
19:56
So with that, that's the end of this video. As always, I've been Joseph Perry, and this has been Post Exploitation Hacking: Persistence and Continued Access.
20:04
I hope you enjoyed yourself.

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc