My client has disabled SMBv1/2 on the majority of their systems and that has made using many tools impossible. What I wanted was a netstat from each of the boxes to check connections, so I went down the WMI road looking for answers. That was a dead end, but I did discover some useful objects to query with WMI that might help your investigations. This requires WMI to be enabled, which was spotty on workstations but was enabled on all of my Client’s servers.
Find out who is logged onto the box
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select * from Win32_LoggedOnUser"
Sysinfo
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select Buildtype from win32_operatingsystem"
Running Processes
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select csname,name from win32_process"
Active Route
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select * from Win32_ActiveRoute”
All the routes
pth-wmic -U 'domain\username'%'Asdf1234' //10.128.192.84 "select name from Win32_IP4RouteTable"
Because I can never remember the syntax
for i in `cat /mnt/hgfs/PenTests/CLIENT/PortScans/10.445-1\all.txt`; do echo $i; pth-wmic -U 'domain\username'%'Asdf1234' //$i "select csname,name from win32_process"; done
If you have a better way or know of a way to pull a netstat without SMB enabled, please let me know in the comments.
No comments:
Post a Comment
Thanks for adding to the conversation. I'll update your post shortly.