Nmap Development mailing list archives

Re: Ron/command line options


From: Ron <ron () skullsecurity net>
Date: Sun, 11 Oct 2009 14:37:05 -0500

On 10/11/2009 02:35 PM, mike wrote:

Ron/all:

This is in response to your needing some command line options in Windows for use in your PSutils-like script for SMB 
extraction.

To query all running/available services of the remote user, you could run "sc queryex" (sc being the interface to the 
service control manager).

You could also try the netsh (netshell) suite of commands to pull many things related to the routing and interface 
configurations of Windows machines (RRAS must be running to pull up a lot of these statistics).
Here is an example of one that does not need RRAS:

-------------------------------------------------------------------
netsh int ip c (c is config)

Configuration for "Local Area Connection"
DHCP Enable: Yes
InterfaceMetric: 0
DNS Servers configured through DHCP: None
WINS Servers configured through DHCP: None
Register with which suffix: Primary Only
-------------------------------------------------------------------
The use of a remote netsh query would come in really handy when you wanted to pull up routing info from every interface, 
which you normally would not be able to do with a port scan (for instance, checking for OSPF/RIP activity in detail).


Something I did want to mention in all of this: if all you are trying to do is load up a PSutility-type script with a 
bunch of different ways to extract info from a user, and since your script has the ability to install a remote service 
through the SVCTL and WINREG named pipes (pwpasswd/etc. for registry key/hash extractions), why would you not just 
remotely install an SNMP server that can provide you with all that you are after and more!? Heck, you could even have 
uploaded the one that comes with most Windows machines already available. If the agent offers MIBs for HOST, then you 
could easily dump EVERYTHING... shares, users, every program installed, paths, interfaces, route tables, etc.

It just seems to me that if I were after what you are trying to pursue, I would go that route. I don't code, I am simply 
a network-knowledgeable guy, so hats off to what you have already done so far, but my idea, I think, would be far easier with 
better results.

Thank you

m|ke

Hey,

Thanks for the info! I'd been meaning to look more into the net/netsh/sc commands. I don't know them very well, but I should!

In terms of installing the SNMP server, that's very likely something a user could code into the config file, if they knew how to do it. I'm trying to avoid being *that* intrusive by default, but the configurations are pretty easy to add, so in reality people can do anything they want. I'll look into how to install these tools, though, and maybe stick them in my 'backdoor.lua' script. :)

Thanks m|ke!

Ron


--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
