Nmap Development mailing list archives
Re: Module ideas for smb-psexec.nse?
From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 6 Oct 2009 11:08:18 -0500
I just want to say thank you for putting this together. The documentation you provide in the script is incredible and the functionality is hard to beat.

First the easy ones, built-in commands.

- - - - - -
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ver    <---- ver command to see what this version of Windows thinks it is

Microsoft Windows [Version 6.0.6002]

C:\Windows\system32>arp -a    <---- arp to get the full arp table; know what IPs this system can match to MACs

Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-21-e8-c4-42-6f     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.56.1 --- 0xf
  Internet Address      Physical Address      Type
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

C:\Windows\system32>netstat -nr    <---- full routing table; useful to find secondary NICs on the box or find alternate paths to try wiggling around firewalls
===========================================================================
Interface List
 11 ...00 24 2c 6c 03 40 ...... Atheros AR9285 802.11b/g WiFi Adapter
 10 ...00 23 8b c1 9c ff ...... Realtek PCIe GBE Family Controller
 15 ...08 00 27 00 bc d4 ...... VirtualBox Host-Only Ethernet Adapter
  1 ........................... Software Loopback Interface 1
 17 ...00 00 00 00 00 00 00 e0  isatap.{88821758-ACEE-478B-9370-39C78253F4DA}
 12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 16 ...00 00 00 00 00 00 00 e0  isatap.{75B79F26-E3B6-4343-81AA-06C8FC4F2B2C}
 18 ...00 00 00 00 00 00 00 e0  isatap.{CF28DC74-4904-4CE7-8272-258D17BA936B}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    281
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    281
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 15    276 fe80::/64                On-link
 11    281 fe80::/64                On-link
 11    281 fe80::1870:525c:80da:88a8/128
                                    On-link
 15    276 fe80::2c20:ca0e:54e8:7fd2/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    276 ff00::/8                 On-link
 11    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
- - - - - -

Another useful command is part of some resource kit tools (http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en), but it is built into Windows Server 2008 and maybe Vista.

- - - - - -
C:\Windows\system32>whoami /priv    <---- find out what privileges your user account has on this box

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeLockMemoryPrivilege           Lock pages in memory                      Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
- - - - - -

You could also use 'whoami /all' to get even more information, but the privilege information is most useful. A quick way to determine if you have an elevated account.
When I come up with more, I'll send them in.

-Jason

On Mon, Oct 5, 2009 at 8:27 PM, Ron <> wrote:

Hey all,

After a lot of hard work, my development on smb-psexec.nse is finally reaching its conclusion! But before that happens, I'm trying to include some awesome defaults. I'm not really an expert on the Windows commandline, though, so I'm hoping to get some help or ideas.

I'm attaching the script itself, for reference, which has a ton of documentation at the top. I'm also attaching the three modules I've made so far, which should be enough to give you some idea how this is supposed to work (backdoor.lua isn't done yet, obviously, but the others work pretty well).

I'm hoping to get some really cool default modules! If somebody gives me ideas for commands whose output would be useful, go ahead and mention it, I can take care of writing the actual commands.

Looking forward to seeing your ideas!

Ron
--
Ron Bowes
http://www.skullsecurity.org/
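The 'whoami /priv' table above is the kind of raw text a module would hand back, so as an added example (editor's code, not from this thread or from smb-psexec.nse) here is a small Python parser that turns it into structured records and answers the "is this an elevated account" question Jason raises. The ADMIN_ONLY set and the presence-not-state heuristic are assumptions of this example, not something the thread states.

```python
import re
from typing import List, NamedTuple

# Excerpt of the "whoami /priv" output quoted in the thread, embedded here as
# constructed test input (columns are separated by runs of spaces).
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeTimeZonePrivilege             Change the time zone                      Disabled
"""

class Privilege(NamedTuple):
    name: str
    description: str
    enabled: bool

# One data row: privilege name, free-text description, then the State column.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

def parse_privileges(text: str) -> List[Privilege]:
    """Return the table rows; header, ruler and blank lines never match _ROW."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Privilege(m.group(1), m.group(2), m.group(3) == "Enabled"))
    return rows

def enabled_privileges(text: str) -> List[str]:
    return [p.name for p in parse_privileges(text) if p.enabled]

# Heuristic (an assumption for this example, not from the thread): these
# privileges appear only on an administrative token, even when Disabled, so
# their mere presence separates an elevated account from a standard one.
ADMIN_ONLY = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
              "SeBackupPrivilege", "SeRestorePrivilege", "SeSecurityPrivilege"}

def is_elevated(text: str) -> bool:
    return any(p.name in ADMIN_ONLY for p in parse_privileges(text))
```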
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org