Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on the Windows Management Instrumentation command-line tool (wmic). It covers the following:
wmic useraccount: lists all user accounts on a machine
wmic startup: lists all commands that run at startup

Video Transcription

00:03
So the first option that we're actually going to be doing in this video, or examining, is wmic useraccount,
00:09
wmic useraccount. It doesn't spit it out quite this prettily.
00:13
Ah, I recommend, generally speaking, that you output this one to a file and then view that file. It's kind of ugly because it's not really meant to be used as a command-line tool. It's more meant for programs that are going to be formatting the output in their own way, or what have you.
00:28
Ah, wmic useraccount, though, displays all of the user accounts on the machine and tells you a bunch about them. It's actually more useful in some capacity than net user.
00:37
So we see that the account type is 512,
00:42
which, for those of you unfamiliar, 512 essentially means that it's gonna be an admin account in some capacity. Caption, which is the name of the account.
00:52
The full name of the account specifically,
00:55
um, in
00:56
reference to the machine on which it's active, so Account1 on Mary-PC is how that's written.
01:02
the description of it.
01:03
The description could be very handy because, as you see here,
01:07
"Built-in account for administering the computer/domain."
01:11
Now,
01:12
anyone who's used Windows for any real length of time at an administrative level knows that that is the default description of the admin account.
01:22
So that's the handy thing about this: a lot of times people will change account names. Good sysadmins will change the account names,
01:27
but they'll leave the description because they don't think about it or they forget it or what have you.
01:33
Either way, this description can actually help you in identifying which account is which. It'll tell you who the guest is.
01:40
And, of course, if they put descriptions on any other user accounts, you can actually get it from there as well. You get information about them as well.
01:48
Then we see disabled is true.
01:49
So
01:53
you actually can't get access
01:56
to this Account1, the admin account,
01:57
because it's been disabled. The admin saw no reason to leave it up on this machine, whatever.
02:02
We see the domain is Mary-PC.
02:06
In this case, that means that it's just a local machine,
02:08
Um,
02:09
but the domain can tell us quite a bit. Obviously, going forward,
02:13
Local account: true. Lockout: false.
02:16
Name again is Account1. Password can be changed,
02:22
It expires, and it is required to have a password.
02:27
One thing that's very handy here is the SID.
02:30
So the SID, even if they've changed every single other thing, the SID can't be changed. It is a completely unique ID on a Windows user. It's theoretically unique against any other Windows machine in the world. In reality,
02:46
it's probably unique, but not definitely.
02:51
However, one thing that will always be the case on a SID is that the default admin account's SID
02:57
will end in 500,
03:00
which means that even if they change the account name, change the description, even if they falsify it and make someone else look like Administrator and have a description of an administrator, this SID right here will indicate who the default Windows admin is.
03:15
It's sort of the Achilles heel of obfuscating account information.
03:22
The next wmic, this is
03:23
the most immediately useful wmic for most people. What this is, essentially, is it shows you all of the things that are done at startup. It's, you know, wmic startup, obviously,
03:36
um, get caption,command
03:38
is essentially just something that's designed to say: the caption is the name.
03:43
Caption right here is the name.
03:45
Command is what it actually does.
03:49
So on this machine, we look and we see that, okay, it's got Sidebar, two Sidebars
03:53
that correspond to Windows, Program Files\Windows Sidebar\sidebar.exe /autoRun.
04:00
So if you don't know what it is, or if it's something that seems like it might be bad, or what have you,
04:05
it's something you can Google, something you could look up, and something you may end up reporting to your client.
04:11
Overwolf, for those of you unfamiliar, is a gaming thing. It's used for
04:16
TeamSpeak and similar things like that, but it's sort of a
04:20
plug in for games in its own right.
04:24
We see that it runs at default, or rather at startup, in silent mode.
04:30
See occupying session interface, etc., etc. Ah, Google Update is automatic.
04:38
See, there's this weird one, f.lux. If you don't know what it is,
04:43
it is actually a completely benign program. If you've seen the color of my machine, the color of this video, shift occasionally,
04:50
that's what it is. It essentially adjusts based on time of day and that sort of thing.
04:56
um, to make computers easier to read, easier on your eyes.
04:59
But it's a pretty malicious-looking command, and it's definitely something you want to look at. It's got a weird extension. It's just a single letter.
05:08
That's not something you're necessarily always going to see on the machine.
05:12
This one, RTHDVCPL,
05:15
again, Realtek. We know from an abstract standpoint that that's completely legitimate,
05:23
but
05:24
it's pretty sketchy looking, something you're gonna want to check on and report.
05:29
And of course, there's the
05:30
yeah, event managers and video back ends, all that sort of thing,
05:34
which some of them are fairly useful
05:36
to know about. Um,
05:39
And just in case, you know, maybe you have an exploit for it, or maybe you know something about it that's going to give you access,
05:45
but in general, just having this information is good. Obviously, the more you know about a computer, the better.
05:49
Oh, this is actually a good one to know: EADM, Origin.
05:55
Origin is from EA. It's sort of their answer to Steam.
06:00
These sorts of things, these gaming-related
06:05
programs, they're installed. One, if it's on a corporate machine, obviously you're gonna want to mention that, bring that up.
06:11
Two.
06:12
They could be very, very handy in that.
06:14
Games are so very often vulnerable, and people have downloaded games and they've got something that runs at startup for a game.
06:23
You might be able to actually, you know, exploit that, because if you want to get total control, those are the good ones to look at.
06:30
Also, that's useful to know, you know,
06:31
for all of these locations you could actually create a backdoor. As in the practical, you'll see,
06:39
um, I actually do create a backdoor and store it here so that it runs whenever the machine starts up.
06:45
And if you see where most of the startup files are stored, or where most things are stored,
06:48
it's handy to actually have a fairly cohesive-looking one. It helps you blend in and not get caught, which is, of course, one of the important focuses that we kind of go back and forth on, or go back to over and over again in this class, which is blending in by knowing your environment.
07:04
That's the last one you've got. That's the end of this video. This has been network information gathering in Windows, and this will conclude the information gathering portion of the class. I recommend, before you dig into the backdooring and persistence section, that you actually take time to go back through and look at these commands,
07:25
actually run them, and see what other commands are similar to these or what other commands give you similar information to these, so that you can get familiar with gathering all of this data very quickly.
07:33
One of my personal secrets, and it isn't really a secret, most people know it, one of my personal favorites is to create a batch script with as many of these commands already in it as possible, and then just run that.
07:46
So get used to these commands, get used to what they do; practice, practice, practice.
07:50
And, uh, I'll see you next time
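The two checks the lesson walks through by eye (which account is really the built-in Administrator regardless of its name, and which startup entries deserve a second look) can be scripted. The following PowerShell is an added example, not part of the lesson or the instructor's batch script. It queries the same WMI classes that "wmic useraccount" and "wmic startup" read (Win32_UserAccount and Win32_StartupCommand) through Get-CimInstance, and assumes a Windows host with PowerShell 3 or later. The path patterns treated as "user-writable" and the built-in description string are this example's own assumptions, written from the defaults on an English Windows install.

```powershell
# Added example: script the account and startup review from the lesson.
# Raw wmic equivalents (output is ugly, so redirect to a file as the lesson suggests):
#   wmic useraccount get name,sid,disabled,description /format:csv > accounts.csv
#   wmic startup get caption,command,location,user /format:csv > startup.csv

# Default description Windows gives the built-in Administrator account.
# (Assumed from an English install; localized systems differ.)
$BuiltinAdminDescription = 'Built-in account for administering the computer/domain'

function Get-AccountReview {
    # Win32_UserAccount on a domain-joined box enumerates the whole domain,
    # which can be slow and noisy; LocalAccount=True keeps it to this machine.
    Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = True' |
        ForEach-Object {
            # The relative identifier (RID) is the last sub-authority of the SID.
            # RID 500 is the built-in Administrator no matter what it is renamed to;
            # RID 501 is the built-in Guest.
            $rid = [int](($_.SID -split '-')[-1])
            $note = if ($rid -eq 500) {
                'built-in Administrator (RID 500)'
            } elseif ($rid -eq 501) {
                'built-in Guest (RID 501)'
            } elseif ($_.Description -eq $BuiltinAdminDescription) {
                # Administrator description on a non-500 RID: a decoy or mislabelled account.
                'Administrator description but RID is not 500'
            } else { '' }

            [pscustomobject]@{
                Name        = $_.Name
                Domain      = $_.Domain
                SID         = $_.SID
                RID         = $rid
                AccountType = $_.AccountType
                Disabled    = $_.Disabled
                Description = $_.Description
                Note        = $note
            }
        }
}

function Get-StartupReview {
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $cmd = $_.Command
        # Pull the executable out of the command line: a quoted path, else the first token.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [System.Environment]::ExpandEnvironmentVariables($exe)

        $flag = if ($exe -match '\\(AppData|Temp|Downloads|Users\\Public)\\') {
            # Assumed "user-writable" locations: anything here can be replaced without admin rights.
            'runs from user-writable path'
        } elseif ($exe -and [System.IO.Path]::IsPathRooted($exe) -and -not (Test-Path -LiteralPath $exe)) {
            'target missing (stale entry or path typo)'
        } elseif ($exe -notmatch '\.(exe|lnk)$') {
            # The lesson's f.lux entry is the kind of thing this catches: an odd extension.
            'unusual extension'
        } else { '' }

        [pscustomobject]@{
            Name     = $_.Name
            Location = $_.Location   # registry Run key or Startup folder it came from
            User     = $_.User
            Command  = $cmd
            Exe      = $exe
            Flag     = $flag
        }
    }
}

# Usage: everything with a non-empty Note/Flag is what you would Google or report.
Get-AccountReview | Format-Table Name, RID, Disabled, Note, Description -AutoSize
Get-StartupReview | Where-Object Flag | Format-Table Name, Location, Flag, Exe -AutoSize
```

Two caveats a practitioner should keep in mind: Win32_StartupCommand only reads the classic Run keys and Startup folders, so scheduled tasks, services and WMI event subscriptions need separate enumeration; and the RID 500 rule holds for the local Administrator and the domain Administrator in their own SID domains, so compare the full SID prefix when a machine is domain-joined.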

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor