Anti-Hacker Tool Kit, Third Edition

The Winfingerprint utility is in active development, has readily available source code, and pulls the most information possible across an IPC$ share. The development builds support Simple Network Management Protocol (SNMP) enumeration, accessing the event log and delving into the Active Directory structure.

Implementation

Winfingerprint is GUI-based, so keep your mouse finger in shape. The utility can scan a single host or a contiguous network block. The information desired, from a port scan to registry information, is selected from any of the multiple checkboxes on the interface. Figure 6-1 shows the default settings. It's fine to select more options, but they will only work if the remote server has the corresponding services enabled. Figure 6-2 shows a scan against a single IP address using the "WMI API" network type. The "Network Type" setting decides which Windows API Winfingerprint will use to enumerate the target hosts.

Figure 6-1: Winfingerprint default settings

Figure 6-2: Winfingerprint scan

There's no real trick to running Winfingerprint. Do take note, however, of some useful information:

Note 

Saving a file prompts you for "Winfingerprint Output," but that's simply a fancy way of saying text file.

In spite of the amount of information that Winfingerprint pulls from a target, it suffers the same drawback as many GUI tools: it cannot be scripted. Although the interface allows you to specify a large target range, the results do not come in an easy-to-use format. A Perl script could parse the saved file based on key fields and indentation, but it would be clumsy for a large network.

Running a Development Build

Source code is available for the intrepid (or impatient) administrator who wants the latest functionality of Winfingerprint. Use Concurrent Versions System (cvs; you installed Cygwin, right?) to grab the latest snapshot (the password is left blank):

$ cvs -d:pserver:anonymous@cvs.winfingerprint.sourceforge.net:/cvsroot/winfingerprint login
(Logging in to anonymous@cvs.winfingerprint.sourceforge.net)
CVS password:
$ cvs -z3 -d:pserver:anonymous@cvs.winfingerprint.sourceforge.net:/cvsroot/winfingerprint co winfingerprint

The resulting Winfingerprint directory contains a Visual Studio workspace. Open the Visual Studio Project (DSP) file and compile! If you have problems, make sure that the application type uses MFC Shared DLL in the General compile options.

Returning to the Command Line

The latest version of Winfingerprint brings the command-line utility up to par with the GUI. You now have the same functionality, but in a form that can be automated from the command line. Winfingerprint-cli.exe is available as a subproject on Winfingerprint's SourceForge web site. It has the same capability, only now you must specify multiple options rather than wear down the mouse button in the GUI. Table 6-3 describes the options.

Table 6-3: Winfingerprint-cli Options

Option                                  Description
-host <hostname>                        Scan a single host. Identical to the "Single Host" Input Option in the GUI.
-l <IP list>, -list <IP list>           Scan a list of hosts. Identical to the "IP List" Input Option in the GUI. The <IP list> is a text file with a single host per line.
-startip <ip address> -endip <ip address>   Identical to the "IP Range" Input Option in the GUI.
-o <filename>, -output <filename>       Write output to a file. This is identical to the format in which the GUI saves data.
-a, -all                                Equivalent to -shares -services -time -users -groups -disks -ping -tcpscan -udpscan -fingerprint. Does not include -null, -startport, or -endport (no NULL IPC$ session is attempted, and the port scans use the default 1-1024 range).
-b, -shares                             Enumerate NetBIOS shares.
-d, -disks                              Enumerate disks.
-f, -fingerprint                        Determine Windows version.
-g, -groups                             Enumerate groups.
-i, -time                               Get remote time and date. (Note that -t enumerates transports, not time.)
-n, -null                               Establish NULL IPC$ sessions.
-p, -ping                               Only hosts that respond to an ICMP echo request are scanned.
-r, -registry                           Read Service Pack and Hotfix level from the registry.
-s, -sessions                           Enumerate sessions.
-t, -transports                         Enumerate transports.
-u, -users                              Enumerate users.
-v, -services                           Enumerate running services.
-ad                                     Use Active Directory API functions rather than Windows Domain (NT) functions.
-tcpscan                                TCP portscan (grabs banners).
-udpscan                                UDP portscan.
-startport <1-65535>                    Default startport = 1.
-endport <1-65535>                      Default endport = 1024.
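The command-line build is what makes the large-network case scriptable. The following Cygwin bash wrapper is an added example, not code from the book or from the Winfingerprint project: it sweeps a target list with winfingerprint-cli.exe using only the flags in Table 6-3, writes one output file per host so results stay easy to diff, and puts a per-host timeout around each run so one unresponsive target cannot stall the sweep. The -l option would feed the whole list in one go; the loop is used here to get per-host files and the timeout. The binary location (WFCLI), the use of GNU coreutils timeout, and cygpath for Windows-style output paths are assumptions. Every target line is validated before it reaches the argument vector, so a stray or hostile entry in the list (one beginning with "-", say) can neither be misread as a flag nor become an unexpected output file name.

```shell
#!/usr/bin/env bash
# Added example (not from the book or the Winfingerprint project): drive
# winfingerprint-cli.exe over a host list from a Cygwin bash shell, one
# output file per host. Flags are those documented in Table 6-3.
# Assumed: WFCLI points at the CLI binary; GNU coreutils `timeout` and
# cygpath are available (cygpath is optional, see wf_run_host).
set -u

WFCLI="${WFCLI:-./winfingerprint-cli.exe}"   # assumed path to the CLI build
WF_OPTS="${WF_OPTS:--n -a -r -s -t}"         # NULL session, the -a set, registry, sessions, transports
WF_TIMEOUT="${WF_TIMEOUT:-300}"              # seconds allowed per host

# Accept a dotted-quad IPv4 address (each octet 0-255) or a plain DNS name.
# Anything else is rejected so list contents can never be spliced into the
# argument vector as extra flags or into an output file name.
wf_valid_target() {
    local t=$1 o
    local ipv4='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
    local label='[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?'
    local fqdn="^$label(\\.$label)*\$"
    if [[ $t =~ ^[0-9.]+$ ]]; then            # all digits and dots: must be a real IPv4 address
        [[ $t =~ $ipv4 ]] || return 1
        for o in "${BASH_REMATCH[@]:1}"; do
            [ "$o" -le 255 ] || return 1
        done
        return 0
    fi
    [[ $t =~ $fqdn ]]
}

# Build the command line for one host and run it (or print it when WF_DRY_RUN=1).
wf_run_host() {
    local host=$1 outdir=$2 outfile
    # A native Windows binary expects a Windows path; fall back to the Cygwin path if cygpath is absent.
    outfile=$(cygpath -w "$outdir/$host.txt" 2>/dev/null || printf '%s' "$outdir/$host.txt")
    local -a cmd
    # shellcheck disable=SC2206  # WF_OPTS is deliberately word-split into separate flags
    cmd=("$WFCLI" -host "$host" $WF_OPTS -o "$outfile")
    if [ "${WF_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "${cmd[*]}"
    else
        timeout "$WF_TIMEOUT" "${cmd[@]}"
    fi
}

# Sweep every target in a list file: one target per line, "#" comments and
# blank lines allowed, CRLF tolerated. Malformed lines are reported on
# stderr and skipped; a summary goes to stderr when the sweep finishes.
wf_sweep() {
    local list=$1 outdir=$2 line scanned=0 skipped=0
    mkdir -p "$outdir" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop trailing comments
        line=${line//[[:space:]]/}            # drop whitespace, including a stray \r
        [ -n "$line" ] || continue
        if wf_valid_target "$line"; then
            wf_run_host "$line" "$outdir" ||
                printf 'scan of %s failed or timed out (exit %d)\n' "$line" $? >&2
            scanned=$((scanned + 1))
        else
            printf 'skipping malformed target: %q\n' "$line" >&2
            skipped=$((skipped + 1))
        fi
    done < "$list"
    printf 'scanned %d target(s), skipped %d malformed line(s)\n' "$scanned" "$skipped" >&2
    return 0
}

# Usage: WF_DRY_RUN=1 wf_sweep targets.txt ./wf-results   (print the command lines)
#        wf_sweep targets.txt ./wf-results                 (run the sweep)
```

Because -a already pulls in -tcpscan and -udpscan with the default 1-1024 port range, a sweep of a large block is slow; override WF_OPTS (for example to "-n -b -u -g -f") when only the share and account enumeration is wanted.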
