Hello friends!! Today you will learn how penetrate a network for enumerating any information of a system once it is compromised by any attacker.
Requirement
Attacker: Kali Linux
Targets: Windows operating system
Open Kali Linux terminal and type msfconsole in order to load metasploit framework. Now you need to compromise victim’s machine once to achieve any type of session either metrepreter or shell and to do so you can read our previous article from here. Now to make Post Exploitation, we will need an Administrator Privileged shell, which can be found here.
Get Information about Network Cards
We can enumerate information about the Network Interface Cards using the systeminfo command.
Information can be extracted:
Number of NIC Cards, Manufacturer of NIC Cards, Model, Type (Wireless or LAN).
Command: systeminfo | findstr Network
From given below image you can observe 2 Network Interface Cards is installed.
ARP
Arp or Address Resolution Protocol converts the maps the IP Address to the MAC Address of the Devices. Using the arp command we can enumerate the mac addresses of other systems in the same network as the victim’s system.
Here we are using [-a] to get the list of all the entries of arp cache.
Command: arp -a
From given below image you can see the stored Mac address of arp table.
Get DNS Cache
We can enumerate DNS Resolver cache using the ipconfig command.
DNS Resolver is a temporary database, maintained by the operating system. It contains records of all the recent visits or the attempted visits to websites and other internet domains.
Here we are using [/displaydns] to display the complete dns cache.
Command: ipconfig /displaydns
From given below image you can observer following output is contains:
Record Name: Name with which the DNS query was initiated
Record Type: It is a number to represent the IPv4 or IPv6 address (1 is for IPv4 and 28 is for IPv6)
Time To Live: Time in seconds after which cache entry will expire
Data Length: Length of the data in bytes, IPv4 has 4 bytes and IPv6 has 16 bytes
A/AAAA Record: A is the Address of IPv4 and AAAA is the address of IPv6 (Four A because the address is four times in size as compared to IPv4)
Display all the Connections and Listening Ports on a System
While penetration testing a Remote PC, knowledge of all the connections and listening ports along with the Process id is essential so that we can migrate session if needed
This can be done using netstat command
Here we are using following options with netstat command:
[-a] to display all connections and listening ports
[-n] to display address and port number numerically
[-o] to display the Process ID
Syntax/Example: netstat -ano
Display All the TCP Connections
To enumerate all the TCP connections, we will use netstat command. Here we are using following options with netstat command:
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers in numeric form
We are going to use findstr command to filter out the Connections which mentions TCP.
Command: netstat -na | findstr TCP
From give below image you can observe that all state of TCP connection i.e. Listening, Established and Close Wait on their respective Port number.
Display All the UDP Connections
To enumerate all the UDP connections, we will use netstat command. Here we are using following options with netstat command:
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers in numeric form
We are going to use findstr command to filter out the Connections which mentions UDP.
Syntax/Example: netstat -na | find “UDP”
Similarly From give below image you can observe that all state of UDP connection on their respective Port numbers is left blank *:* which means no UDP connection established.
Display All the Established Connections
While penetration testing a Remote PC, knowledge of all Established connections and listening ports is also essential. This can be done using netstat command.
Here we are using following options with netstat command:
[-n] to display addresses and port numbers in numeric form
[-a] to display all connections and listening ports
We are going to use find command to filter out the Connections which mentions Established.
Command: netstat -na | find “ESTABLISHED”
From given below image you can observe that it shown established TCP connection through between source IP source Port and destination IP and destination Port.
Display the Routing Tables
While penetration testing a Remote PC, knowledge of Routing Tables is essential because Routing tables are used to generate the information about the routes which were chosen by the routing algorithm as preferred routes for packet forwarding and it gives info about the netmask and gateways too.
It contains the Interface List, IPv4 Route Table, Persistent Routes, IPv6 Route Table.
This can be done using netstat command
Here we are using following options with netstat command:
[-n] to display addresses and port numbers in numeric form
[-r] to display the routing table
Command: netstat –nr
Get Executables Which Created Connections
While penetration testing a Remote PC, knowledge of all executable involved in creating each connection, all connections and listening ports, addresses and port numbers in numerical form, owning process ID is very essential because it gives the attacker information about the connections, port numbers as well as Process ID.
This can be done using netstat command
Here we are using following options with netstat command:
[-b] to displays the executable involved in creating each connection or listening port
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers in numeric form
[-o] to display the owning process ID associated with each connection
Command: netstat –bano
From given below image you can observe that it is showing name of running service on a particular port.
Get All the Adapters
We can enumerate all the adapters connected to the victim’s system by using ipconfig command.
As the output of ipconfig command is very vast so we will use the findstr command to filter out the specific result about the adapters.
Command: ipconfig | findstr adapter
Get All the Addresses
We can enumerate all the address including IPv4 and IPv6 by using ipconfig command.
As the output of ipconfig command is very vast so we will use the findstr command to filter out the specific result about the address.
Command: ipconfig | findstr Address
Get the Basic IP Details
We can get the Basic Network Configuration on the Victim’s System and the Network in which the Victim is connected to through the ipconfig command.
[/all] is used to extract all the ipconfig information
Syntax: ipconfig /all
Victim System is connected to a Wi-Fi so it properties can be viewed below
Things to enumerate:
Adapter Name, Model, Type, MAC Address, IPv4 Address, IPv6 Address, Subnet Mask, DHCP Server, Default Gateway and much more.
Ping Sweep
Ping Sweep is a networking technique to get a range of active terminals on the network.
IP Addresses from which we get a reply are active, rest are not.
Command: for /L %i in (100,1,225) do ping 192.168.1.%i | findstr TTL
From given below image you observe the result of multiple Ping response in a network using Ping command loop.
UDP Statistics
In order to obtain statistics for established UDP connection we can execute given command which describe information of UDP traffic send or received.
Command: netstat -s -p udp
[-s] denotes statics option
[-p] denotes protocols
From given below image you can observe that it showing details such as datagrams received, received error and etc.
TCP Statistics
In order to obtain statistics for established TCP connection we can execute given command which describe information of TCP traffic send or received.
Command: netstat -s -p TCP
[-s] denotes statics option
[-p] denotes protocols
From given below image you can observe that it showing details such as segment received, failed attempted, Reset connection and etc.
Display Connections Sorted by Port
Options Used:
[-a]: To Display all active TCP connections and UDP ports on which
[-n]: Addresses and Port Numbers are displayed numerically
[-o]: Display Connections with process IDs
We are using findstr to sort result for 443 Ports
Command: netstat -ano | findstr 443
From given below image you can observe that it has shown TCP connection state only for port 443.
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here
The post Manual Post Exploitation on Windows PC (Network Command) appeared first on Hacking Articles.