WINDOWS

NETWORK DISCOVERY

Basic network discovery:

net view /all
net view \\<HOST NAME>

Basic ping scan and write output to file:

for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "Reply" >> <OUTPUT FILE NAME>.txt

DHCP

Enable DHCP server logging:

reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1

Default Location Windows 2003/2008/2012:

%windir%\System32\Dhcp

DNS

Default location Windows 2003:

%SystemRoot%\System32\Dns

Default location Windows 2008:

%SystemRoot%\System32\Winevt\Logs\DNSServer.evtx

Default location of enhanced DNS Windows 2012 R2:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl

Enable DNS Logging:

DNSCmd <DNS SERVER NAME> /config /logLevel 0x8100F331

Set log location:

DNSCmd <DNS SERVER NAME> /config /LogFilePath <PATH TO LOG FILE>

Set size of log file:

DNSCmd <DNS SERVER NAME> /config /logfilemaxsize 0xffffffff

HASHING

File Checksum Integrity Verifier (FCIV):

Hash a file:

fciv.exe <FILE TO HASH>

Hash all files on C:\ into a database file:

fciv.exe c:\ -r -md5 -xml <FILE NAME>.xml

List all hashed files:

fciv.exe -list -sha1 -xml <FILE NAME>.xml

Verify previous hashes in db with file system:

fciv.exe -v -sha1 -xml <FILE NAME>.xml

Note: A master hash database can be built on a known-good system and compared against other systems from the command line, giving a fast baseline and difference check.

Get-FileHash <FILE TO HASH> | Format-List
Get-FileHash -algorithm md5 <FILE TO HASH>
certutil -hashfile <FILE TO HASH> SHA1
certutil -hashfile <FILE TO HASH> MD5
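The baseline-and-compare idea from the note above, written out with Get-FileHash as an added example (not code from the original cheat sheet). It builds a SHA-256 baseline of a directory tree into a CSV, then reports files that are new, modified or missing relative to that baseline. The tree and baseline paths are assumptions; run with -Compare on the system being checked.

```powershell
# Added example, not from the original page. Builds a hash baseline of a directory
# tree and compares a system against it. $Root and $Baseline are assumed paths.
param(
    [string]$Root     = 'C:\Windows\System32\drivers',    # assumed tree to baseline
    [string]$Baseline = 'C:\baseline\drivers-sha256.csv', # assumed baseline CSV
    [switch]$Compare
)

function New-HashBaseline {
    param([string]$Path, [string]$OutFile)
    # One row per file: path relative to $Path, SHA-256 and size.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) {
                [pscustomobject]@{
                    RelativePath = $_.FullName.Substring($Path.Length).TrimStart('\')
                    Hash         = $h.Hash
                    Length       = $_.Length
                }
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-HashBaseline {
    param([string]$Path, [string]$BaselineFile)
    $expected = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $expected[$_.RelativePath] = $_.Hash }
    $seen = @{}
    # Walk the live tree: anything not in the baseline is NEW, any hash mismatch is MODIFIED.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $rel = $_.FullName.Substring($Path.Length).TrimStart('\')
        $seen[$rel] = $true
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'NEW';      RelativePath = $rel; Hash = $h }
        } elseif ($expected[$rel] -ne $h) {
            [pscustomobject]@{ Status = 'MODIFIED'; RelativePath = $rel; Hash = $h }
        }
    }
    # Anything in the baseline that was not seen on disk is MISSING.
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'MISSING'; RelativePath = $rel; Hash = $expected[$rel] }
        }
    }
}

if ($Compare) {
    Compare-HashBaseline -Path $Root -BaselineFile $Baseline | Format-Table -AutoSize
} else {
    New-HashBaseline -Path $Root -OutFile $Baseline
}
```

Files that cannot be opened (locked or access denied) are skipped silently by the -ErrorAction settings; drop those if you want the report to show read failures as well as content changes.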

NETBIOS

Basic nbtstat scan:

nbtstat -A <IP ADDRESS>

Cached NetBIOS info on localhost:

nbtstat -c

Script loop scan:

for /L %I in (1,1,254) do nbtstat -A 192.168.1.%I

USER ACTIVITY

Get users logged on:

psloggedon \\computername

Script loop scan:

for /L %i in (1,1,254) do psloggedon \\192.168.1.%i >> C:\users_output.txt

PASSWORDS

Password guessing or checks:

for /f %i in (<PASSWORD FILE NAME>.txt) do @echo %i & net use \\<TARGET IP ADDRESS> %i /u:<USER NAME> 2>nul && pause
for /f %i in (<USER NAME FILE>.txt) do @(for /f %j in (<PASSWORD FILE NAME>.txt) do @echo %i:%j & @net use \\<TARGET IP ADDRESS> %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\<IP ADDRESS> /del)

MICROSOFT BASELINE SECURITY ANALYZER (MBSA)

Basic scan of a target IP address:

mbsacli.exe /target <TARGET IP ADDRESS> /n os+iis+sql+password

Basic scan of a target IP range:

mbsacli.exe /r <IP ADDRESS RANGE> /n os+iis+sql+password

Basic scan of a target domain:

mbsacli.exe /d <TARGET DOMAIN> /n os+iis+sql+password

Basic scan of target computer names listed in a text file:

mbsacli.exe /listfile <LISTNAME OF COMPUTER NAMES>.txt /n os+iis+sql+password

ACTIVE DIRECTORY INVENTORY

List all OUs:

dsquery ou DC=<DOMAIN>,DC=<DOMAIN EXTENSION>

List of workstations in the domain:

netdom query WORKSTATION

List of servers in the domain:

netdom query SERVER

List of domain controllers:

netdom query DC

List of organizational units under which the specified user can create a machine object:

netdom query OU

List the primary domain controller:

netdom query PDC

List the domain trusts:

netdom query TRUST

Query the domain for the current list of FSMO role owners:

netdom query FSMO

List all computers from Active Directory:

dsquery COMPUTER "OU=servers,DC=<DOMAIN NAME>,DC=<DOMAIN EXTENSION>" -o rdn -limit 0 > C:\machines.txt

List user accounts inactive longer than 3 weeks:

dsquery user domainroot -inactive 3

Find any object (or only user objects) created on or after a date in UTC, using the generalized-time format YYYYMMDDHHMMSS.sZ:

dsquery * -filter "(whenCreated>=20101022083730.0Z)"
dsquery * -filter "(&(whenCreated>=20101022083730.0Z)(objectClass=user))"

Alt option:

ldifde -d ou=<OU NAME>,dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -l whencreated,whenchanged -p onelevel -r "(ObjectCategory=user)" -f <OUTPUT FILENAME>

The last logon timestamp format in UTC: YYYYMMDDHHMMSS

Alt option:

dsquery * dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -filter "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20151001000000.0Z))"

Alt option:

adfind -csv -b dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -f "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20151001000000.0Z))"

Using PowerShell, dump new Active Directory accounts in last 90 Days:

import-module activedirectory
Get-QADUser -CreatedAfter (Get-Date).AddDays(-90)
Get-ADUser -Filter * -Properties whenCreated | Where-Object {$_.whenCreated -ge ((Get-Date).AddDays(-90)).Date}
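Combining the "created in the last 90 days" and "inactive longer than 3 weeks" queries above into one report, as an added example that is not part of the original page. It uses the ActiveDirectory module only; the day thresholds and output folder are assumptions. The stale-account part converts lastLogonTimestamp from its stored FILETIME value, which the dsquery one-liners hide.

```powershell
# Added example, not from the original page: report new and stale user accounts.
# Thresholds and $OutDir are assumptions; adjust to the environment.
param(
    [int]$CreatedWithinDays = 90,
    [int]$StaleAfterDays    = 21,               # 3 weeks, matching 'dsquery user -inactive 3'
    [string]$OutDir         = 'C:\ad-inventory' # assumed output folder
)
Import-Module ActiveDirectory

$now = Get-Date
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Recently created accounts: whenCreated comes back as a DateTime, so compare it directly.
$recent = Get-ADUser -Filter * -Properties whenCreated |
    Where-Object { $_.whenCreated -ge $now.AddDays(-$CreatedWithinDays) } |
    Select-Object SamAccountName, Enabled, whenCreated, DistinguishedName |
    Sort-Object whenCreated -Descending
$recent | Export-Csv -Path (Join-Path $OutDir 'new-users.csv') -NoTypeInformation

# Stale enabled accounts: lastLogonTimestamp is a replicated Int64 FILETIME.
# Caveat: AD only rewrites it when the stored value is older than about 14 days,
# so treat the converted time as a lower bound on the real last logon.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $last = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTimeUtc([int64]$_.lastLogonTimestamp)
        } else { $null }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            WhenCreated    = $_.whenCreated
            LastLogonUtc   = $last
            NeverLoggedOn  = ($null -eq $last)
            DaysSinceLogon = if ($last) { [int]($now.ToUniversalTime() - $last).TotalDays } else { $null }
        }
    } |
    Where-Object { $_.NeverLoggedOn -or $_.DaysSinceLogon -gt $StaleAfterDays }
$stale | Export-Csv -Path (Join-Path $OutDir 'stale-users.csv') -NoTypeInformation

"{0} accounts created in the last {1} days; {2} enabled accounts with no logon in the last {3} days" -f `
    $recent.Count, $CreatedWithinDays, $stale.Count, $StaleAfterDays
```

Accounts that were created recently but have never logged on appear in both files; that overlap is usually the first set worth reviewing when checking for unexpected account creation.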