Windows Network Information Gathering Lecture (part 2)

Video Description

This lesson picks up from the previous lesson and focuses on the following tools in the Net suite:

  • Session: lists or disconnects sessions between this computer and other computers on the network, and lets us end a connection with a foreign computer.

  • Statistics: displays the statistics log for the local Workstation or Server service.

  • View: displays a list of resources being shared on a computer, a quick way to find out what is being shared.

  • Start: lists running services.

Participants also briefly learn about the Windows Management Instrumentation command-line tool (WMIC), which holds massive amounts of information but is best used by the technologically savvy.

Video Transcription
Next command is net session. It lists or disconnects sessions between the computer and other computers on the network. When used without options, it displays information about all sessions with the computer of current focus.

The big thing I really, really want to emphasize: net session tells us, you know, to whom we're communicating, with whom we're connected, which is nice, but what's really great for us is it lets us end a connection. We use net session, computer name, /delete, and we just tear that connection down. If you want to remove your connection to an IDS or NIPS, you can. Obviously, it's gonna be loud; you're disconnecting from it, so it can be noticeable. A lot of IDSs or IPSs aren't really configured to watch for that, so you may be able to do that. And, you know, don't think that you're shutting down or going off the network or whatever; it won't report anything. Some of the better ones will catch that. It just depends, but it can be a help if you're trying to drop a tool. If you're trying to do something malicious on a computer that, you know, the network-based firewall or the network-based IDS or IPS is going to catch: kill the connection, do the bad stuff, and then you're pretty well good to go.

So here we see the output from it, slightly contrived. I changed it just a bit to make it easier to understand. But we see Computer, in this case Computer0, is just the computer name. The username on that computer, in this case, is Perry. The client is Windows 2000. It's got one open file, one open connection basically, and it's only been idle for 13 seconds, so it's fairly active. Here we see Computer1. Now, between these two, even if we didn't see it before, we see a clear naming scheme for the network. We see username Admin; we've got a connection from an admin. Client type is DOS LM 2.1, no open files, and it's been idle for over an hour. So what we can do with this one is prepare for sort of the second exploit stage, which comes actually after post-exploit, which is finding a new target, exploiting a way into that target, kind of going through this whole process on it until you get to where you're going. So we see here that other surface areas on this theoretical network would be Windows 2000 and LM 2.1. Yeah, you can pretty much crack those open. In most cases, you're gonna stroll right through; very little real effort is gonna have to go into breaking your way in, which is nice. So, you know, if you see three Windows 8.1 machines and a DOS machine, it's pretty obvious which one you're gonna want to target, so it can be helpful.
Knowing the surface area, like I said, is always useful to a pen tester. Next one is net statistics server. As I mentioned before, Server deals with distant connections into your machine. Net statistics displays the actual log for those. When used without parameters, it also displays the services for which statistics are available, which will usually just be Workstation and Server.

When you break your way into a host device, this really isn't even worth running. It's not a command that's going to do anything. Net statistics workstation does, to an extent, but it's information that gets covered about six times in other places, so it's not that great. When you use it on an actual server, though, when you break your way into a server, something that you expect people to be reconnecting into, this can be very handy. You can find lots of information out of it, and it's, you know, definitely worth dropping into your log or your data, however you're keeping track of all the info you're gathering. So we see here the output for running this command. These are statistics since 12/13/2014. It's accepted a single session, didn't time out, didn't error out, sent 37 kilobytes, received one. 14 files were accessed. There were no permission or password violations, nothing like that.

Obviously, this isn't super handy on the workstation. On the server, though, you can use these to kind of get a sense of, OK, so if today is the 16th of December and it's accepted, you know, 1000 sessions, we know that it's being used all the time; sent tons of kilobytes, received tons of kilobytes, no password or permission violations, everything's gone smoothly. You can see how active and how often a server is being used, which obviously is useful information to have. The statistics for the Server service are very handy in identifying valuable targets, viable ones. For those ports which, as I said, the Server service was working on, you know, there's not really much going on there; they're not gonna be used.
Net view displays a list of resources being shared on a computer. When used without options, it lists computers in the current domain or network. It's nice because it's a really quick way to find out what is being shared, and it's also a great opportunity to see how the naming scheme for the network works and, you know, to see again what's indicative, to see what machines this computer knows about, what printers, all sorts of stuff like that.

So here we see the first output, the output from just net view. You see server name; here you see some of my roommates' server names, and then you see a remark, which, I'm really one that puts remarks in because, you know, I'm responsible like that. But the remark could be the name, it could be information. If there were a print server or print computer that was sharing something out, you might see the remark is "printer" or something like that. If you've got assignments where they're actually documenting things, this command actually becomes even more useful. But even if you don't have that, you still see how many servers are on the network that might be serving things out: potential targets.

So I went ahead and used net view on my own machine because I know I'm serving stuff out, and I figured you should at least see it in action. So the shared resources: we see one of the shared resources is, in fact, a Kodak ESP Office 2150 Series XPS. For those of you unfamiliar with Kodak, that's a printer, and then obviously it says right here, used as printer. Then the comment is just the name of it again. Next share: for those of you who actually watched the practical videos first or caught up to this point of the lecture videos, now, this Kodak Administration, which obviously seems to blend in just fine, is actually a back door that I put into the system during the practical portion of the course. The type on this is disk, so it's just sharing out something on the disk, and then the other share, obviously, is Users. So seeing these, you can obviously put in back doors later on with shares, but seeing these can tell you a lot. It can tell you what people are serving out, if they're serving out, you know, things that shouldn't be offered for share, whatever. And so this is gonna give you good information to report back to the customer, to whoever you're doing the test for, saying, hey, you know, you've got host machines that are sharing out their C: drive, or, you know, the server's sharing out sensitive data, things like that, and you can keep track of what's actually being shared and who can access that share.

Next one: net start. Brevity is the heart of wit. Net start lists running services; that's about it.
So I went ahead and I ran net start, and I wanted to kind of clear it out, because when you run this it's pages and pages long, and I just kind of picked the ones that are going to be useful, and we're gonna kind of dig through them real quick.

Avast antivirus. Obviously, when you see that, you know they've got an antivirus running. There's a lot of things that you might do. If you've got an RDP open, you can actually close it out with clicks and control it, make sure it doesn't send out messages. Using net stop against Avast does work; however, a lot of antiviruses, Avast included, when you just run a net stop, will actually throw up a command, or not a command, will throw up a message box and say, hey, someone's trying to kill this, is it you? A lot of users will even still click that and not pay any attention, but it does identify that you're on a network, or that you're on a machine, so I would avoid just attacking Avast, or attacking any antivirus, without taking time to properly ensure at least that the user's not going to have a chance to spot you.

Base Filtering Engine we don't need to worry about. Certificate Propagation: we see that that is a service currently running, so any certs this has, it's basically feeding out, or has the potential to be feeding out, to the other machines on the network. Most computers will actually have this, but it's useful to know, you know, if only one computer has Certificate Propagation and the others don't. That computer is going to be the one that's controlling all the certs and determining, you know, who is and isn't allowed. So it's a useful thing to know for a target.

And here we see I selected the Chrome Remote Desktop Service. We go through a lot of trouble to try and create an RDP. If the Chrome Remote Desktop Service is active, if you're able to find out their Google user name, you get access to the user name and password, which again is relatively trivial in the sense that users tend to have easy-to-find passwords. The fact that they have an RDP service means that you can access it without installing anything new, and there's going to be no real trace that you did anything, since it already existed before you came along.

DHCP Client, DNS Client: seeing those here tells us immediately that what we're looking at isn't a server. It also tells us that someone on the network is a server and that we're connecting to it. IPsec Policy Agent: we know IPsec is IP security. Policy Agent, essentially what that's doing is it's controlling IP security information, so it's not uncommon to have a good reason to take that out if you're doing, you know, if you're using malformed IP packets, or if you're using IP packets in a very malicious way for C2s or for anything like that. The policy agent may have something in there that'll take it down, and it's something you might want to break into and look around in.

Network Connections: this is a service we've actually used a few times. When we did, like, netstat, it goes to Network Connections eventually. Again, Remote Desktop Services: we see that now not only is there a remote desktop there, there are at least two of them available in various capacities. Security Center, obviously, is the Security Center.

This one right here, TunnelBear. For those of you unfamiliar, TunnelBear is a VPN software, and that's why I selected this. If you see a VPN on a machine, this is always important. You should always, always, always know the security policy of the customer, of whoever this machine belongs to. If they allow VPNs or if they require VPNs, which is very common, then all is well, and you know a VPN exists. If, on the other hand, they say VPNs aren't allowed, we have the right to monitor traffic, et cetera, et cetera, and you see a VPN, this is something you're gonna want to report. If it's uncertain, or if they don't say anything about it, then you're gonna want to let them know there's a VPN, just because it will let them make policy decisions, and it will also give them a heads up that maybe someone's doing something they don't want seen. So occasionally it could end up actually helping them to identify security risks or identify people doing bad things. And certainly when you see VPNs, almost always when you're going toward a company, they'll have a specific VPN they use. So if there are lots of different VPNs, that's still something you're probably gonna wanna report.

We also see Windows Defender, which is antivirus, essentially, and Windows Event Log. I say it's essentially an antivirus, Defender, by the way, because it's not a bad antivirus, but it's not really a great one, either. It's not really one that's going to be that concerning for most of the malware that you might be using. Windows Event Log is concerning. If you see that it's active, then that means it's logging at least some of the stuff that you're doing. Most computers, unless something very specific or strange is going on, will have that running. Now, when you're doing a pen test, not only are you actually, you know, doing bad things to a computer, you're also looking around to see if someone else has done bad things to that computer, and that's a really important one that people tend to forget. So if you're doing a pen test and you run net start and you don't see Windows Event Log, most likely someone has killed that for a reason. Check with the IT staff after your tests, check with whoever. But most likely, if Windows Event Log isn't running on a machine, something bad is happening. And then, of course, Windows Firewall, because you should always be cognizant of anything that is firewall or network security related on a machine.
All right, so that ends our examination of the net suite of tools, and this time, for real, we're done with net. You can take a moment of positivity and cheer if you'd like.

We're gonna dig into WMIC, which is the Windows Management Instrumentation; this is the command-line version. We're not really gonna get too far into it, just because WMIC is for a very specific sort of group. It's not really meant for end users or even for fairly technical users. WMIC is meant to be used by programmers, developers, people who are working very deeply with Windows. So that said, if you have Windows-relevant experience, I would absolutely recommend you check it out and start working with it, because there's a lot of good stuff in there. There are two tools, or two commands, you can run in WMIC that are simple enough and useful enough that they deserve mentioning, and we'll deal with those in just a second. But as you get better and better with Windows, and you all will, because that's sort of how this works, the more you do it, the more you practice, the better you're gonna get. As you get more and more comfortable and familiar with Windows, I absolutely recommend you check out WMIC and check out all of its very, very many options.
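An added example, not from the lecture or from Cybrary, that turns the net start walk-through above into a repeatable audit: it parses a net start listing, flags the services the lecture says should always be running when they are absent, and reports the VPN and remote-access services the lecture says should be raised with the customer. The service listing is a constructed sample, and the display names and findings text are assumptions made for the example.

```powershell
# Added example, not from the lecture or Cybrary. Audits a 'net start' listing
# the way the transcript walks through it. The service list is a constructed
# sample; on a live host use:  $text = (net start) -join "`n"
$text = @'
These Windows services are started:

   Avast Antivirus
   Base Filtering Engine
   Certificate Propagation
   Chrome Remote Desktop Service
   DHCP Client
   DNS Client
   IPsec Policy Agent
   Network Connections
   Remote Desktop Services
   Security Center
   TunnelBear
   Windows Defender

The command completed successfully.
'@
# Keep only the indented service display names; header and footer start at column 0.
$running = $text -split "`r?`n" | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
# Services the lecture expects on any normal workstation: their absence is the finding.
$mustRun = 'Windows Event Log', 'Windows Firewall'
# Services whose presence should be reported against the customer's policy.
$reportIfRunning = @{
    'TunnelBear'                    = 'third-party VPN client; compare with VPN policy'
    'Chrome Remote Desktop Service' = 'extra remote-access path into the host'
    'Remote Desktop Services'       = 'remote-access path into the host'
}
$findings = @()
foreach ($svc in $mustRun) {
    if ($running -notcontains $svc) {
        $findings += [pscustomobject]@{ Service = $svc; Status = 'MISSING'
                                        Note = 'expected on a workstation; find out who stopped it' }
    }
}
foreach ($svc in $reportIfRunning.Keys) {
    if ($running -contains $svc) {
        $findings += [pscustomobject]@{ Service = $svc; Status = 'RUNNING'; Note = $reportIfRunning[$svc] }
    }
}
# DHCP Client plus DNS Client together mark the host as a client, not a server.
if (($running -contains 'DHCP Client') -and ($running -contains 'DNS Client')) {
    $findings += [pscustomobject]@{ Service = 'DHCP Client, DNS Client'; Status = 'RUNNING'
                                    Note = 'host is a workstation that depends on a server' }
}
$findings | Format-Table -AutoSize
```

With the constructed sample, the table reports Windows Event Log and Windows Firewall as MISSING, which is exactly the condition the lecture says to raise with the IT staff after the test.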