Friday, February 29, 2008

"Penetration Testing Ninjitsu" with Ed Skoudis webcast

if you didnt catch it live you can watch the recorded version of “Penetration Testing Ninjitsu” with Ed Skoudis. it was pretty good and two more or lined up, next one is in April.


Here are my notes from listening/watching it

C:\> ipconfig /displaydns

**dumps the DNS cache, targets that have been recently resolved (may or may not be in the same network)

C:\> arp -a

**dumps the ARP Cache, so that should be boxes on the same subnet as the box you are on

**check to see if anything is in the hosts file, hardcoded IP to DNS

C:\> net use \\[target] [password] /u:[user]

**smb session

C:\> net use * \\[targetip]\[share] [password] /u:[user]

**attaches to the next available file share, you can also specify a drive letter

C:\> net user \\[targetip] /del or net use & /del

**can only have one SMB session with a given target machine as one USERNAME at a time, so you have to delete and so you can delete them all when done

FOR /L Loops --counters

C:\> for /L %i in ([start], [step], [stop]) do [command]

C:\> for /L %i in (1,1,255) do echo %i

**simple counter

C:\> for /L %i in (1,1,255) do echo %i & ping -n 5

**pauses 5 seconds between each iteration by using the ping command

**to do more than one command [command1] & [command2]
**run command1 and only run command2 if command1 succeeds [command1] && [command2]

C:\> for /L %i in (1,1,255) do @echo %i & @ping -n 5 > nul

**@ = dont display the command

** send errors to file [command] 2>>errorfile.txt

C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

**ping sweeper

nslookup [IPaddr]
**reverse lookup

C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"

**displays successful reverse lookups

C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

**shows IP and hostname if found

FOR /F Loops --files, strings, a file set's contents

C:\> for /f %i in (password.lst) do @echo %i & @net use \\[target_IP_addr] %i /u:[UserName] 2>nul && echo UserName: %i >>success.txt

** check slides for more examples

**scripting, .bat files

**you have to do double %% in bat files

C:\> for /L %i in (1,1,100) do @echo %i

**turns into

for /L %%i in (1,1,100) do @echo %%i


Anonymous said...

Hey Chris, I felt that Ed should have started off with some more advanced stuff... The commands he got to in the end should have been at the beginning.

Last summer, I was without a Perl interpreter on a Windows machine and had to come up with a script that would search files for strings, like an SSN. Take a look here,, it encompasses a lot of the functions that were showcased the other day on the webcast. I was in a situation a couple weeks ago where I just referred back to that script I wrote and was able to come up with the scripts Ed showed in no time.

A site I found extremely useful while I work in cmd.exe, is

CG said...

cool thanks for the links Marcin.

i agree more advanced is always better, but dont forget:

no one wants to blow their whole course on a free web cast and most training shops arent geared towards advanced topics & students even though they say they are. there are also two more webcasts so hopefully they will get more in-depth.