Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson covers gathering information in a Windows-based environment and focuses on discovering information on a host machine using the following commands:

  • ipconfig
  • netstat
  • arp

Participants receive step-by-step instructions for using these commands to gather information on a Windows-based host machine.

Video Transcription

00:04
Hello, ladies and gentlemen, welcome to this latest video in the Post Exploitation, Persistence and Continued Access course.
00:09
I'm your resident SME, Joseph Perry. And as you can see, this particular video, as well as the next few, will be on Windows. We just finished covering a bunch of Linux material, Linux information gathering. Specifically,
00:23
we dug through where you will find servers. We find lots of information on the host machine,
00:28
and now we're going to be digging into the Windows side of things: where you can find information on a host machine, where you can find network servers, where you can find, generally speaking... we kind of divided it into host machine information and network information. So this first video, these first two videos, will be made up of host machine information, and this very first one will be
00:47
not exactly a recap, more sort of a re-covering. We'll be discussing
00:52
things that we discussed in Linux but have a slightly different application in Windows.
00:57
The three that we'll be using are going to be ifconfig, which is now going to be ipconfig.
01:02
The second will be netstat, with which we're all very familiar, and arp.
01:07
The three are both similar and very different to what we were using in Linux. Um, ipconfig specifically will tell us a lot more than ifconfig ever did. And netstat will be of slightly less use, um, if only because so much of what it's going to find is covered by other
01:23
tools.
01:25
So the first thing, as I mentioned, we're gonna do is going to be an ipconfig.
01:27
First thing we have spit out is ipconfig. Here we see a bunch of different things that I have up,
01:34
and I'm doing this particular video on a machine that I've had for a little while. So it's actually been active, so you can see a little bit more
01:41
than what just a basic VM would have.
01:45
So we see that there are a bunch of different Ethernets. Three of them are VMware or VirtualBox or some other virtualization. There's a tunneling interface.
01:56
There are a few tunneling interfaces, actually,
01:57
so that can tell us quite a bit about this machine. So we're gonna go ahead and do the
02:02
usual.
02:04
We'll pipe that into a file, in this case, totally, as we've been doing, totally not
02:09
hacking your stuff
02:13
dot txt,
02:15
spit it all out of there.
02:16
So ipconfig, we're going to discuss a little bit more in depth in this one, because ipconfig /all, you remember, used to be, in Linux, ifconfig -a.
02:27
With ipconfig /all, remember this slash right here:
02:31
this thing is a pain, and I always make the mistake of using a tack. What's more frustrating is some Linux commands actually will accept the tack, some won't, so usually just go with the slash. ipconfig /all is going to tell us a plethora of information. It's absolutely fantastic for gathering data on that machine.
02:50
Like I said, there's a lot.
02:53
So
02:53
we're gonna go up to the first one, which is our local area connection. This is the one that's really gonna make you smile, because you can see this one does a lot of the work that in Linux is where we had to go dig for files and see where services like the HTTP server would have been hosted, where we had to, you know, check different addressing schemes and all sorts of other things to try to track stuff down.
03:13
Windows just spits it out for us.
03:15
DNS server locations, DHCP server, default gateway, IP address, IPv4 address,
03:23
the mask. Everything you could really want to know. Your
03:28
Ethernet address. Just all of the information, just displayed to the screen. Um, this is useful, especially when you're looking at things like the tunneling adapter.
03:38
You can see if they've actually got something connected. You can see this is clearly not a valid
03:44
Ethernet address
03:46
in that
03:46
00-00-00 is not actually owned by anyone.
03:52
Um,
03:53
you can see that. Obviously, these hardware addresses are also... this is one that a lot of people won't catch at first glance,
04:00
you can see that they're too long. These are eight bytes instead of six. Big reason for that is because they're pseudo-interfaces. They sort of work on their own thing.
04:09
They do their own stuff, so to speak,
04:12
but yeah. So with that scan, or with that command, rather, we found out more about a Windows machine than we found out of a Linux machine in an hour's worth of video. It was very, very quick. Very, very easy.
04:24
So
04:25
I'm gonna go ahead and pipe this also to that file,
04:31
make sure we do it right.
04:35
All right. So that's two things in the file. That's most of ipconfig. Um, in Windows, it bears mentioning, there aren't any man pages.
04:46
Windows isn't quite that friendly.
04:47
There are help
04:49
commands,
04:55
which can tell you a little bit. Um,
04:58
not really that useful by comparison to a man page. They'll tell you quick, easy uses. But
05:03
in general, Windows is really where you're gonna want a Google machine to be sitting around, something that, actually, you could just use quickly to
05:11
identify uses and quick cases.
05:14
This is an important detail, something that everyone should know. If you don't know it,
05:19
Google it. In Windows, if you don't know it, go to MSDN. That's Microsoft's Developer Network. And while a lot of it is programming focused, there are tons and tons of things on there that aren't all programming focused, just Microsoft community work,
05:34
Microsoft community, just generally speaking,
05:39
any information you could possibly want to have, you'll probably find on that network.
05:44
So, speaking of networks, next we're gonna check is network interfaces, which is going to be a netstat. Now, we're not going to dig into a bunch of options with this netstat, primarily because a lot of the things that we used that to discover in Linux have pretty much already been covered in one ipconfig.
05:59
So we see netstat's gonna take a little bit longer to run. Um, part of that's because Windows is slower about it. Part of it's because there are way more connections on this machine doing a lot more.
06:09
Uh, like I said, this is gonna be a little bit more practical, the things you see on this, because it's not just a quick generated VM.
06:16
So we're seeing a lot of connections going from one port, going out to a foreign address, and that foreign address, if you remember earlier, is the default gateway,
06:27
so you know, a lot of different possibilities. Most likely there's some sort of NATing set up or something to that effect.
06:34
We see random high ports connecting out.
06:43
So this is something that I guess should be covered, that I kind of glossed over in Linux, is the distinction between time-wait, established, and, since, as I mentioned, Windows is very, very slow with netstat, we've got a little bit of time to do it. So there are a bunch of different states that an interface can be in.
07:00
Um, for TCP it's a little bit more accurate and can tell you more. Those states are actually more useful
07:04
in that time-wait, established, closed, all of these actually are states, whereas UDP is more just based on timing since it last got information. So it's not always extremely handy.
07:19
All right, finally completed our netstat. That took a little while, so I kind of paused the video. I apologize that there's a bit of an abrupt jump there.
07:27
So we see here that there are a bunch of ports on the localhost currently connected. If we go back and look, we see the
07:34
ipconfig
07:36
spits out that our current address is 10.3. So all of these, obviously, are local addresses, the distinction, of course, being
07:45
this is an outward-facing address, whereas this is the logical loopback interface we discussed earlier.
07:49
So everything we see on the loopback address is something that's actually connecting to this machine doing something else. Windows, basically Windows procedure calls,
08:00
and just kind of the machine communicating with itself over a socket
08:03
for various reasons.
08:05
Ah, these addresses, the 10.1, we know map to our gateway.
08:11
We see some various other addresses in there that might be of some degree of use.
08:16
In general, a lot of useful addresses. This can, this particular part, could be used just like netstat was before to help us kind of map out the network and see what's offering
08:26
services.
08:28
HTTPS. So we see there's some sort of web server going on there. This bit right here is probably worth a Google,
08:35
wikispaces,
08:37
just general usage items, things that tell us this computer is active, it's doing things, and it's a viable target.
08:46
Lots of TCP.
08:50
So,
08:50
as before, we're just gonna basically pipe the netstat actually into
08:56
totally not hacking your stuff dot txt.
09:01
There we go.
09:03
And I actually control-C'd out of that one just so you don't have to sit and wait for it to, ah,
09:07
re-download every copy of that information.
09:11
So now we're gonna do our third command, which is the arp.
09:16
Tack a. I think it actually works with slash a either way; in this case we'll do slash a.
09:20
Yes. So arp, just like before, is for specific interfaces. It identifies physical addresses that are mapped to IP addresses. This is a really, really handy one, because this is going to not only let us map out the network in general, but it'll let us specifically map out computers to which this computer has spoken.
09:37
Um, maps.
09:41
The actual hardware type mapping is somewhat useful, but what's really useful is that the arp is
09:46
not something that stays forever,
09:48
which means that if it appears in the arp, it's something that the machine has seen relatively recently, and therefore that can prove of great use in knowing what machines are active and what machines are viable targets.
10:00
Um, obviously the static routes are somewhat less useful than the dynamic, and the dynamic ones are the ones you really want to keep an eye on.
10:07
Static are things that are kind of hard-coded in there.
10:11
But either way, we also see that there are four interfaces on this machine that are normally active. 192.168, which, if you remember from before, are for our various virtual
10:20
machines, virtual networks, et cetera, and the important one is this 10.3.
10:26
You see, it's communicated with about .5, .8, .9, .13, et cetera. So we see that there are probably at least
10:33
four to six active computers on this network besides the one that we're actually looking at,
10:39
this Windows network, or this network on which we found this Windows machine, is probably, ah, a fairly viable target.
10:45
And of course, that's useful information that we're going to want to know.
10:50
So drop that in there.
10:52
So with that, we've covered the first three tools that are
10:54
ah, used for Linux host information gathering. Those tools are, as I mentioned before, pretty similar to Linux tools before, and they're generally going to be tools that are useful in any operating system.
11:05
They've gathered all sorts of information about what's on this computer, and they've told us all sorts of useful things.
11:09
So we're gonna go ahead and end the video here momentarily. When we come back, we're going to be discussing the new, sort of the new tools that you'll see on Windows, and those tools pretty much often fall under the heading of "net something".
11:22
So I'll see you until next time. This is your resident SME, Joe Perry, saying goodbye, and I'll see you then.
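The video walks through three observations by eye: which adapters in ipconfig /all are real versus tunnel pseudo-interfaces (eight-byte or all-zero physical addresses), which address is the default gateway, and which arp -a entries are dynamic (recently seen hosts) rather than static. The script below is an added example, not code from the course or the instructor, that turns those checks into a small parser a defender can run over saved command output when reviewing what a host has been talking to. The two sample outputs are constructed in the shape of Windows `ipconfig /all` and `arp -a` text; they are not captured from the machine in the video, and the addresses are placeholders.

```python
import re

# Constructed sample in the shape of Windows `arp -a` output (placeholder addresses).
SAMPLE_ARP = """\
Interface: 10.0.0.3 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.5              00-11-22-33-44-66     dynamic
  10.0.0.8              00-11-22-33-44-77     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 192.168.56.1 --- 0x12
  Internet Address      Physical Address      Type
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
"""

# Constructed, abridged sample in the shape of `ipconfig /all` adapter sections.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Physical Address. . . . . . . . . : 00-11-22-33-44-AA
   IPv4 Address. . . . . . . . . . . : 10.0.0.3(Preferred)
   Default Gateway . . . . . . . . . : 10.0.0.1

Tunnel adapter isatap.example.test:
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

ARP_IFACE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)")
ARP_ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2})+)\s+(dynamic|static)\s*$")
ADAPTER_HDR = re.compile(r"^(\w+ adapter .+):\s*$")
# "Physical Address. . . . : value" -> field name, value (dots are the column padding)
FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?)[ .]*:\s*(.*?)\s*$")


def classify_mac(mac):
    """Apply the video's two eyeball checks: length and the all-zero address."""
    octets = mac.split("-")
    if len(octets) == 8:
        return "pseudo-interface (8-byte)"   # tunnel adapters, not real hardware
    if all(o == "00" for o in octets):
        return "unassigned (all zeros)"      # not owned by any vendor
    return "hardware"


def parse_adapters(text):
    """Return one dict per adapter section with name, MAC, IPv4 and gateway."""
    adapters, current = [], None
    for line in text.splitlines():
        hdr = ADAPTER_HDR.match(line)
        if hdr:
            current = {"name": hdr.group(1), "mac": None, "ipv4": None, "gateway": None}
            adapters.append(current)
            continue
        m = FIELD.match(line)
        if not (current and m):
            continue
        key, value = m.group(1), m.group(2)
        if key == "Physical Address":
            current["mac"] = value
        elif key == "IPv4 Address":
            current["ipv4"] = value.split("(")[0]   # drop "(Preferred)"
        elif key == "Default Gateway":
            current["gateway"] = value or None
    return adapters


def parse_arp(text):
    """Return every ARP entry with the interface it was learned on."""
    entries, iface = [], None
    for line in text.splitlines():
        hdr = ARP_IFACE.match(line)
        if hdr:
            iface = hdr.group(1)
            continue
        m = ARP_ENTRY.match(line)
        if m:
            entries.append({"interface": iface, "ip": m.group(1),
                            "mac": m.group(2).lower(), "type": m.group(3)})
    return entries


def recent_neighbors(entries):
    """Dynamic entries only: hosts this machine exchanged frames with recently."""
    return [e for e in entries if e["type"] == "dynamic"]


def summarize(arp_text, ipconfig_text):
    """Combine both outputs into the inventory the video assembles by hand."""
    adapters = parse_adapters(ipconfig_text)
    gateways = {a["gateway"] for a in adapters if a["gateway"]}
    neighbors = recent_neighbors(parse_arp(arp_text))
    return {
        "real_adapters": [a["name"] for a in adapters
                          if a["mac"] and classify_mac(a["mac"]) == "hardware"],
        "pseudo_adapters": [a["name"] for a in adapters
                            if a["mac"] and classify_mac(a["mac"]) != "hardware"],
        "gateways": sorted(gateways),
        # neighbours other than the gateway: the "four to six active computers" count
        "recent_hosts": sorted(e["ip"] for e in neighbors if e["ip"] not in gateways),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ARP, SAMPLE_IPCONFIG).items():
        print(f"{key}: {value}")
```

On a real host you would feed it the files the video creates (`ipconfig /all > file.txt`, `arp -a >> file.txt`) instead of the constructed samples. The static entries are deliberately left out of `recent_hosts`: broadcast and multicast addresses are hard-coded, so they say nothing about which machines are actually active.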

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor