Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on the nslookup command. The nslookup command is a DNS function that can offer a lot of information about a DNS server. Participants also learn about the following tools in the net suite:

  • Net accounts: shows information about network users, password age and related policy information
  • Net config: shows configuration information of the workstation or server service
  • Net group: shows global groups on servers
  • Net session: shows which computers are communicating with this machine and which sessions are active
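The lesson's `net accounts` output is read by eye; as an added example (not code from the course or its instructor), the script below parses that output and flags the weak settings the video points out: a lockout threshold of "Never", a zero minimum password length and no password history. The sample text is constructed in the layout `net accounts` prints and is not captured from any real host, and the thresholds are illustrative assumptions, not values from the lesson.

```python
import re

# Constructed sample in the layout "net accounts" prints on a workstation.
# The values mirror the weak policy discussed in the lesson (no lockout,
# zero minimum password length, no history); not captured from a real host.
SAMPLE_WEAK = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed hardened counterpart, same layout, for comparison.
SAMPLE_HARDENED = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed thresholds for this example; tune them to the policy you enforce.
MIN_PASSWORD_LENGTH = 14
MIN_HISTORY = 24
MAX_LOCKOUT_THRESHOLD = 10
MAX_PASSWORD_AGE = 365


def parse_net_accounts(text):
    """Turn each 'label:   value' line into a dict entry keyed by the label.

    Lines without a colon followed by padding (e.g. the trailing
    'The command completed successfully.') are ignored.
    """
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*?)\s*$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2)
    return policy


def _as_int(value):
    """'Never', 'None' and 'Unlimited' all mean 'no limit'; report them as 0."""
    return int(value) if value.isdigit() else 0


def audit_policy(policy):
    """Return a list of findings for settings weaker than the assumed thresholds."""
    findings = []

    length = _as_int(policy.get("Minimum password length", "0"))
    if length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length is {length} (want >= {MIN_PASSWORD_LENGTH})")

    history = _as_int(policy.get("Length of password history maintained", "None"))
    if history < MIN_HISTORY:
        findings.append(f"password history is {history} (want >= {MIN_HISTORY})")

    # A threshold of 0 ("Never") means online guessing is never throttled,
    # which is the point the lesson makes about this output.
    threshold = _as_int(policy.get("Lockout threshold", "Never"))
    if threshold == 0:
        findings.append("lockout threshold is Never: unlimited online guessing attempts")
    elif threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"lockout threshold is {threshold} (want <= {MAX_LOCKOUT_THRESHOLD})")

    max_age = policy.get("Maximum password age (days)", "Unlimited")
    if not max_age.isdigit() or int(max_age) > MAX_PASSWORD_AGE:
        findings.append(f"maximum password age is {max_age} (want <= {MAX_PASSWORD_AGE})")

    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        findings = audit_policy(parse_net_accounts(sample))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  WEAK:", f)
```

On a real host you would run `net accounts > policy.txt` and feed the file to `parse_net_accounts` instead of the constructed samples; the parser only relies on the `label:` followed by at least two spaces layout, so it tolerates the varying column widths between Windows versions.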

Video Transcription

00:04
Hello, illustrious viewers, and welcome back to the Post Exploitation: Hacking, Persistence and Continued Access course. I remain, as ever, Joseph Perry. And in this video, we're going to be discussing
00:13
nslookup, and then a few of the net suite of tools, that suite of tools you may remember from the last video. They start out like this,
00:22
and then they go like that.
00:24
They do pretty much anything you want to do on a host or a network. But there are a few other things that we will want to look at before we get cracking with those.
00:32
So we're gonna go ahead and start out with, well, really the last big one that we're gonna look at before we dive into net, which is nslookup. And nslookup is a DNS function, or a DNS tool.
00:45
It identifies the DNS server and can tell you a lot about that DNS server. So we're gonna go ahead and do a net... an nslookup /help,
00:53
and it's gonna spit out some less-than-useful info.
00:57
Just for safety's sake, we'll take a look.
01:00
It doesn't really get us anything. All right. So
01:06
let's just go ahead and do an nslookup.
01:08
Um,
01:10
this is a tool I recommend Googling and learning a little bit more about, and nslookup can tell you a lot of different things. What we're gonna be using it for is just to identify a DNS server, but
01:19
it's a tool to have in your back pocket.
01:23
So here we see the default server, cdns01.comcast.net,
01:27
and the address of 75.75.75.75, which, you may recall, is something that we've seen before. We saw it in ipconfig /all. That identified our DNS server,
01:41
but it's still handy to do an nslookup from time to time and make sure we know everything,
01:45
make sure we've got all the information.
01:48
So
01:49
that was a very, very quick look. That's all we really wanted to do with nslookup, is get a sense of it,
01:55
um, and know that it's a tool that's available.
02:00
Now we're going to dig into the real point of,
02:02
really, Windows information gathering, the real way we go about it, which is again with the net suite.
02:08
So the net suite has a bunch of different tools, and we're gonna look at a few of them.
02:14
Ah, those tools, those
02:15
specific functions, we see right here on our always-helpful sticky note: net accounts, config, group and session are what we're going to discuss in this video.
02:23
So the first one we're going to dive into is going to be net accounts,
02:28
and net accounts, ah, we'll do a help on it just so you can get a sense of what it actually is. But net accounts really displays all sorts of information about users, specifically for the network.
02:40
We see, if we use it without options, it displays that; otherwise we can actually update the database and do other things, so we could do a force logoff,
02:50
um, which is kind of a useful one.
02:53
It's not exactly what you would think in terms of a force logoff. It's not something where you could just make someone leave right now.
02:59
It's actually
03:01
designed for user profile information, as most of these are.
03:06
So we see minimum password length, minimum password age, max password age, all of that. Force logoff basically is designed so that if someone's password expires, or if they can't use it anymore,
03:15
it boots them off,
03:17
so that can be useful. If you did max password age one day
03:24
and then force logoff
03:27
one minute, you can boot users off very quickly without them knowing exactly what's going on. Um, it's not the most efficient way to get a user off of a system, and it's not something that you're going to be able to win very often with. But if you've got the access, it is kind of fun to do to your friends.
03:45
Not that I'm saying do this to your friends. Obviously, you should never do any of these things to your friends, and that is wrong and I don't advocate it, but it's
03:50
really funny,
03:52
I'm told.
03:53
Anyway. So
03:54
the net accounts command, as we saw there, is going to display all sorts of useful information about
04:00
the account rules, the password, the password length, et cetera.
04:02
So rather than just looking at the example from the help, let's see what net accounts spits out.
04:08
Oh yes, this is what we like to see.
04:13
So we see we never force the user to log off.
04:16
See minimum password age is zero, so they can change it as often as they want. See max is 42 days, minimum password length zero, so they can have whatever terrible password they want.
04:27
See, it maintains no history. There's no lockout.
04:31
Well, there's no lockout threshold, which means it'll never lock you out for forgetting passwords at all.
04:36
If there was one,
04:39
obviously, there'd be a 30-minute delay, which would be very unfortunate for a user.
04:44
But since there's not one, it's very fortunate for us. That means that any account that uses this server, we could just try and break its password all day. It's not gonna do anything. We don't need to do any fancy password stealing or anything like that, though that's certainly on the list of things that we could theoretically do
05:00
on a server. So net accounts tells us all about password age and password information. So this is data that we definitely want.
05:08
Next net tool:
05:10
config,
05:13
and again we open up our help page. We see net help config tells us
05:16
configuration information of a workstation or server service. Um, when used without those, it just lists configurable services.
05:29
As you may remember from the last video, we actually did a net config. The distinction we're gonna be doing now is, when we did the net config before, it was without server or workstation.
05:39
If you do it with server, it actually will give us the list of things that we're actually acting as a server for.
05:45
Most likely, that's not gonna give us any information, any more information than it did before, since we saw that there was no list, but it's worth checking.
05:53
Uh,
05:55
that's a new one.
06:05
All right, so you're gonna see me cheat a little bit here, since we're not actually in as an admin user, but
06:11
I wanted to display this for you anyway.
06:16
Hey, I'm just a sec, and I'm back.
06:19
So as I mentioned, I'm kind of cheating a little bit here. When you actually gain access, you would want to get access as the admin user, but I am prone to mistyping commands and destroying things, so I try not to run as admin as much as possible. But for this particular command, we're gonna need to. So we do net config server
06:39
and it actually spits some stuff out
06:42
that tells us that our original net config wasn't quite as informative as we thought it was.
06:47
So those headings may not have been quite right. So we do a net config workstation.
06:54
We see that it's actually spitting out some more information there.
06:57
So this is an important detail. Just because it says that it will tell you the configurable services doesn't mean it actually works. The net config option, you're gonna want to use the server and workstation options with
07:10
to make sure you're getting everything, because there are certain things that won't show up in that original list.
07:15
So both of these are useful. They tell us information about columns. They tell us information about
07:21
different services that are active, the machine name.
07:25
Interesting ID string there.
07:29
So things that we're gonna wanna do a little bit of Googling on, see what we can find out about.
07:33
Obviously, it's a computer name, full computer name, all that jazz.
07:40
So
07:41
we're gonna go ahead and pipe both of those to our "totally not hacking your stuff" file.
07:46
We're actually in a different place right now.
07:48
So
07:50
cd C:\
07:53
Users\Harry,
07:56
Important, for those of you who aren't familiar at all with Windows commands:
08:00
quick rundown, cd is to change directory, cd /d, or rather /d, is to change to other drives.
08:07
It's useful to know. So
08:11
net config server
08:13
piped to "totally not hacking your stuff",
08:18
net config
08:20
workstation
08:22
piped also to that file,
08:24
and we're clear. All right, so there's two different sides of net config. Obviously, we saw that config earlier, but we saw that the information wasn't quite exact. As part of this process, part of the post-exploitation process, an important thing to know is that sometimes you're gonna find something out halfway down the road,
08:41
and it's very, very important to be able to kind of roll with the punches. It's not always going to be something as simple as, oh, this command spits out more info if I run it with this option. Sometimes it's gonna be a big deal.
08:50
Um, you might find that there's, ah, a firewall active that there shouldn't have been, or something like that. Learning to roll with the punches, learning to sort of adapt as you go, is very important.
09:01
Soapbox off. So the next thing we're gonna see is net group. We could do a net help group real fast and see what it's got on it.
09:07
Okay,
09:09
global groups on servers. Pretty straightforward.
09:13
So we'll go ahead and do a net group and see what's there.
09:16
Oh, this can only be used on a Windows domain controller,
09:20
so it's kind of a useful one. What that means is that the machine we're on isn't actually a server for the whole network. It has shown us a lot of server information, but it's not actually been a server.
09:31
People who are more used to Windows administration and that are watching this video right now could have told you probably very early that, yeah, this isn't a Windows server. Obviously, the quick and easy ways to tell: it wasn't spitting out a lot of information, it wasn't allowing a lot of exterior connections,
09:46
but this is useful because error messages can tell us a lot,
09:50
and saying, oh, this is going to be used on a Windows domain controller says, well, that means I'm not.
09:54
This also shows us another net function, which is net helpmsg, just to give you a sense of what that's used for. Again, I mentioned before that this is great for programmers, but it's great for anyone who's getting error messages. In this case, it's perhaps less useful.
10:09
More help claim. But that's okay. Ah, the help message is very, very good. I can't advocate enough: any opportunity you have to use it, please do.
10:18
So we see the net group isn't really gonna tell us much. That's fine.
10:22
Roll with punches.
10:24
Next one. Well, nice. We're gonna do a clear because I don't like having a cluttered screen. But the next actual command we're gonna run is net session.
10:31
Net session, yes, to pull the help up for you. Do it in the other order this time.
10:35
Shows you, ah, what computers are communicating with it,
10:43
any sessions that are currently active, like the one you see here,
10:46
are displayed.
10:50
And it can tell us quite a bit about what computers are active, what I'm serving data out to, that sort of thing. Ah, here we see that there's, ah,
11:00
there's an IPv6 address. It's active.
11:03
We can check our ipconfig real quick.
11:07
Look for that similar IPv6 address, which we saw here was fe80.
11:13
Okay, b8 47 771. We see that's on the Internet. So you see, this isn't actually connected out
11:20
to anything. We see that this is actually the same machine. It's just the IPv6 address,
11:26
but that is still useful. This command is still useful in that it'll tell us if anybody else is connected, tell us, you know, what,
11:33
what's going on, how long have they been connected. If we go back up here and look real quick, we see that
11:39
there's idle time, how long it's not been doing anything, basically how long it has just been kind of existing there.
11:45
You see, it's more than a day, so whatever connection caused it to spit this out,
11:50
we know it's been up for a little while and hasn't really seen much action.
11:54
But we know that it's been up for a long time. So if we saw lots of computers that were connected, we saw a long time that they've been active, or idle, really not active, a long time they've been connected,
12:03
then we know that making a connection to that computer isn't going to raise any eyebrows. And as we've discussed a few times now, one of the primary focuses of this class
12:13
is preventing yourself from doing anything that's too noticeable on the network. That's why we prefer sniffing to scanning. That's why we prefer
12:20
using whatever protocols are most common on the network. It's all about not being noticed. One of the biggest things that
12:28
security professionals mess up is getting used to using these tools and getting used to using much more complicated third-party tools, using these to find information and to kind of trawl through the network, which is great, but it's easy to lose sight of
12:45
the basics. And the basics, of course, are the big focus of this class. And one of the most important basics is don't get caught.
12:50
So by seeing net session, by seeing sniffing, by doing all the things we've been doing, we're actually seeing a pattern of consistent and normal use on the system and on the machine.
13:01
And by seeing this consistent, normal use, we know what's not normal. We know not only what to look for to see what other people are doing, but also what we can do and what we can't do if we want to be quiet and stealthy.
13:13
So net session and other commands like that are most useful in their ability to let us predict what will and won't get us caught.
13:22
With that, we're gonna go ahead and end this video. The next video is gonna be a few more net commands and then one more really nifty command.
13:31
Until then, I am, as ever, Joseph Perry, and this has been Persistence and Continued Access, the Post Exploitation course. I hope you've learned a lot, and I hope you had a great time.

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: information gathering, backdooring, and covering your tracks: how to use system-specific tools to get general information, listener shells, Metasploit, and Meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor