Nmap Development mailing list archives

Re: Module ideas for smb-psexec.nse?


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 6 Oct 2009 11:08:18 -0500

I just want to say thank you for putting this together.  The
documentation you provide in the script is incredible and the
functionality is hard to beat.

First the easy ones, built-in commands.

- - - - - -

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ver <---- ver command to see what this version of
Windows thinks it is

Microsoft Windows [Version 6.0.6002]

C:\Windows\system32>arp -a <---- arp to get the full arp table; know
what IPs this system can match to MACs

Interface: 192.168.1.2 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-21-e8-c4-42-6f     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.56.1 --- 0xf
  Internet Address      Physical Address      Type
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

C:\Windows\system32>netstat -nr <---- full routing table; useful to
find secondary NICs on the box or find alternate paths to try wiggling
around firewalls
===========================================================================
Interface List
 11 ...00 24 2c 6c 03 40 ...... Atheros AR9285 802.11b/g WiFi Adapter
 10 ...00 23 8b c1 9c ff ...... Realtek PCIe GBE Family Controller
 15 ...08 00 27 00 bc d4 ...... VirtualBox Host-Only Ethernet Adapter
  1 ........................... Software Loopback Interface 1
 17 ...00 00 00 00 00 00 00 e0  isatap.{88821758-ACEE-478B-9370-39C78253F4DA}
 12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 16 ...00 00 00 00 00 00 00 e0  isatap.{75B79F26-E3B6-4343-81AA-06C8FC4F2B2C}
 18 ...00 00 00 00 00 00 00 e0  isatap.{CF28DC74-4904-4CE7-8272-258D17BA936B}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.2    281
      192.168.1.2  255.255.255.255         On-link       192.168.1.2    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.2    281
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link       192.168.1.2    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link       192.168.1.2    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 15    276 fe80::/64                On-link
 11    281 fe80::/64                On-link
 11    281 fe80::1870:525c:80da:88a8/128
                                    On-link
 15    276 fe80::2c20:ca0e:54e8:7fd2/128
                                    On-link
  1    306 ff00::/8                 On-link
 15    276 ff00::/8                 On-link
 11    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

- - - - - -

Another useful command is part of some resource kit tools
(http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en),
but it is built into Windows Server 2008 and maybe Vista.

- - - - - -

C:\Windows\system32>whoami /priv <---- find out what privileges your
user account has on this box

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeLockMemoryPrivilege           Lock pages in memory                      Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

- - - - - -

You could also use 'whoami /all' to get even more information, but the
privilege information is most useful: it is a quick way to determine
whether you have an elevated account.

When I come up with more, I'll send them in.

-Jason

On Mon, Oct 5, 2009 at 8:27 PM, Ron <> wrote:
Hey all,

After a lot of hard work, my development on smb-psexec.nse is finally
reaching its conclusion! But before that happens, I'm trying to include some
awesome defaults. I'm not really an expert on the Windows commandline,
though, so I'm hoping to get some help or ideas.

I'm attaching the script itself, for reference, which has a ton of
documentation at the top. I'm also attaching the three modules I've made so
far, which should be enough to give you some idea how this is supposed to
work (backdoor.lua isn't done yet, obviously, but the others work pretty
well).

I'm hoping to get some really cool default modules! If somebody gives me
ideas for commands whose output would be useful, go ahead and mention it, I
can take care of writing the actual commands.

Looking forward to seeing your ideas!
Ron

--
Ron Bowes
http://www.skullsecurity.org/



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
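For reference, here is what Jason's command list looks like once packaged as smb-psexec modules. This is an added example, not code from the thread, from Ron, or from the Nmap project. It assumes the module format documented for the later released smb-psexec.nse (each module is a table named `mod` with the fields `upload`, `name`, `program`, `args`, `maxtime` and `noblank`, appended to the global `modules` table); the in-development script attached to this thread may use different field names. The `add_module` helper is local to this example file and not part of the script.

```lua
-- Added example: Jason's built-in recon commands as smb-psexec modules.
-- Assumes the released smb-psexec.nse module format (mod.upload, mod.name,
-- mod.program, mod.args, mod.maxtime, mod.noblank, global 'modules' table).

-- Hypothetical local helper so each entry stays a one-liner.
local function add_module(name, program, args, maxtime)
  local mod = {}
  mod.upload  = false        -- all of these ship with Windows; nothing to upload
  mod.name    = name         -- label shown in the script output
  mod.program = program      -- executable to run on the target
  mod.args    = args         -- its command line
  mod.maxtime = maxtime or 1 -- seconds to wait for the output file
  mod.noblank = true         -- drop empty lines from the captured output
  modules[#modules + 1] = mod
end

-- 'ver' is a cmd.exe builtin, not an .exe, so it cannot be launched
-- directly; it has to go through cmd.exe /c.
add_module("Windows version (ver)", "cmd.exe", "/c ver")

-- arp.exe, netstat.exe and whoami.exe are real executables in system32.
-- whoami.exe is built in from Vista / Server 2008 onward; on older
-- releases it comes from the resource kit Jason links above.
add_module("ARP cache (arp -a)",               "arp.exe",     "-a")
add_module("Routing tables (netstat -nr)",      "netstat.exe", "-nr", 5)
add_module("Token privileges (whoami /priv)",  "whoami.exe",  "/priv")
```

One caveat when reading the last module's output: smb-psexec runs commands through a service it installs on the target, so `whoami /priv` reports the token of the account that service runs as (LocalSystem, unless configured otherwise), not the token of the credentials used to authenticate. A defender reviewing logs for this kind of activity should likewise expect the service install event and a SYSTEM-context process, not a logon by the supplied user.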