Command Line Basics for IT Auditors
TRANSCRIPT
-
7/29/2019 Command Line Basics for IT Auditors
1/55
Practical Windows Command Line Basics for IT Auditing
A little cmd.exe & PowerShell that I find useful (and maybe you, too).
Sean Verity
-
Agenda
* whoami
* Why?
* HOWTO(s)
* References / Resources
-
whoami
* Job Title: IS Auditor, MSUFCU
* Some Experience:
  * IS General Controls Testing
  * Network / Web App / Mobile App Security Testing
* An Accomplishment:
  * Submitted the 1st draft of a POST module (post/windows/gather/enum_unattend) to the Metasploit Project
  * This was my first adventure in ruby, msf API, and contributing to a software project
  * Much thanks to sinn3r (coding) and Ben Campbell (research and enhancement)
-
Why?
-
Why?
* Consistency
* Timeliness
* Completeness
* Repeatability
* Fun
-
Procedure: Review All Local User Accounts for Reasonableness
Consistency
-
Windows XP
-
Windows 7
-
Windows Server 2003 R2
-
Windows Server 2008 R2
-
Windows 8
-
Windows 2012 Core
-
Windows XP, Windows 7, Windows Server 2003 R2, Windows Server 2008 R2, Windows 8, and Windows Server 2012 Core
-
Procedure 1: Review All Local User Accounts for Reasonableness
Procedure 2: Review the Firewall Settings for Reasonableness
Procedure 3: Determine if the system is up-to-date on Microsoft Security Updates
Procedure 4: Determine if the system stores passwords using weak hashing algorithms (i.e. LM)
Procedure 5: Determine if administrative access is being reasonably managed
Timeliness
Completeness
Repeatability
-
Windows Server 2008 R2
-
Pros
* "Send me such and such screenshot(s)" tends to be a very familiar approach for most people.
* Who doesn't like pictures?
Cons
* Easy to accidentally skip a procedure when reviewing several systems.
* Must take a screenshot for each procedure and save it [somewhere]. Easy to forget to take a screenshot. This could result in dozens of files.
* Requires the auditor to do a lot of point-and-clicking, wait for the application to load, close the application, rinse, repeat.
-
Windows Server 2008 R2
Automate testing and evidence collection/formatting through the use of batch files or PowerShell scripts to save time, disk space, and ensure completeness.
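
One way to do this for the five procedures listed earlier, as an added PowerShell example that is not part of the original slides. The output path, the section titles and the choice of command for each procedure are assumptions.

```powershell
# Added example, not from the original slides. Assumes Windows PowerShell 2.0+
# on Windows Vista / Server 2008 or later, run from an elevated prompt.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$evidence = Join-Path $env:TEMP "$env:COMPUTERNAME-audit-$stamp.txt"   # hypothetical output path

function Add-Evidence {
    param([string]$Title, [scriptblock]$Test)
    "`r`n===== $Title =====" | Out-File $evidence -Append -Encoding ASCII
    try {
        # Capture stdout and stderr so a failed test is recorded rather than skipped.
        & $Test 2>&1 | Out-String -Width 200 | Out-File $evidence -Append -Encoding ASCII
    } catch {
        "TEST FAILED: $_" | Out-File $evidence -Append -Encoding ASCII
    }
}

"Host: $($env:COMPUTERNAME)  Run as: $($env:USERDOMAIN)\$($env:USERNAME)  Collected: $(Get-Date -Format s)" |
    Out-File $evidence -Encoding ASCII

Add-Evidence 'Procedure 1: local user accounts (Disabled = False means active)' {
    Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Sort-Object Disabled, Name |
        Format-Table Name, Disabled, Lockout, PasswordRequired, PasswordExpires -AutoSize
}
Add-Evidence 'Procedure 2: firewall settings' {
    netsh advfirewall show allprofiles
}
Add-Evidence 'Procedure 3: installed Microsoft updates' {
    Get-HotFix | Sort-Object InstalledOn -Descending |
        Format-Table HotFixID, Description, InstalledOn -AutoSize
}
Add-Evidence 'Procedure 4: LM hash storage (NoLMHash = 0x1 means LM hashes are not stored)' {
    reg query 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' /v NoLMHash
}
Add-Evidence 'Procedure 5: local Administrators group (domain groups are listed, not expanded)' {
    net localgroup Administrators
}

# Hash the finished file so it can later be shown to be unaltered.
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($evidence))) -replace '-', ''
"Evidence file: $evidence"
"SHA-256:       $hash"
```

Running the same script on every system in scope gives one file per host with the same five sections in the same order, so a skipped procedure shows up as a missing or failed section.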
-
Pros
* It's a more automated process. Greatly reduces the risk of an auditor skipping a procedure.
* Consolidate test results into a single file. As seen in the previous slide, you can also automate the process of evidence collection.
* Console applications typically require fewer computing resources than GUI-based counterparts.
Cons
* Learning curve in finding the right commands and formatting the output in a manner that makes sense to you and / or your audience.
* Learning curve in reading the output. It's actually a pretty shallow curve, so this is debatable.
-
HOWTO(s)
-
HOWTO: Open cmd.exe
-
HOWTO: Orientation to cmd.exe prompt
-
HOWTO: Change the colors in cmd.exe
-
HOWTO: Get help with cmd.exe
-
HOWTO: Get help in cmd.exe
-
HOWTO: Clear the screen in cmd.exe
-
HOWTO: List files in cmd.exe. Wildcard basics.
-
HOWTO: Change your present working directory in cmd.exe. %HOMEPATH% environment variable.
-
HOWTO: List user accounts and group members in cmd.exe.
-
CAUTION! net user does not list nested groups when reviewing Active Directory group members. Use PowerShell instead (Will not be covered in this presentation. Talk to me after the presentation if you're interested.)
-
HOWTO: Query the registry in cmd.exe.
-
HOWTO: Review OS version, patch levels, etc. Page command output results. Focus command output on just what you need.
-
HOWTO: Automate in cmd.exe
-
HOWTO: Automatically save test results generated from cmd.exe
-
HOWTO: Automatically save test results generated from cmd.exe
-
Fun!
-
HOWTO: Ping sweep from cmd.exe
-
HOWTO: Port scan from cmd.exe
Credit to Ed Skoudis for this trick. Used to be possible using Windows telnet client. The telnet client is not enabled by default in Windows 7, so this is a nice (albeit slow) workaround.
-
HOWTO: Find weak passwords using net.exe and a loop.
-
Now, some PowerShell
-
HOWTO: Open PowerShell
-
HOWTO: Orientation to PowerShell prompt
-
HOWTO: Change the colors in PowerShell (hackish, but it works)
-
HOWTO: Get help with PowerShell
-
Let's refine our test results with PowerShell
-
HOWTO: Return a list of ONLY active local accounts using PowerShell string manipulation
-
Port scanning, the easier way, with PowerShell
-
HOWTO: Port scan using PowerShell
-
Getting around that pesky PowerShell ExecutionPolicy
-
PROBLEM: Current ExecutionPolicy won't allow the execution of PowerShell scripts
-
SOLUTION: Call Base64 encoded PowerShell code from .bat file
-
HOWTO: Look at the bottom of the help page for powershell.exe. From cmd.exe, type powershell /?
-
A GOTCHA!
-
HOWTO: Be mindful of encoding (UNICODE vs. ASCII)!
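
The encoding point above, as an added PowerShell example that is not part of the original slides: powershell.exe -EncodedCommand expects Base64 of UTF-16LE ("Unicode") bytes, so the same decode step lets a reviewer confirm what a .bat file will actually run. The function name and the sample script text are hypothetical.

```powershell
# Added example (not from the slides): decode the Base64 argument given to
# powershell.exe -EncodedCommand and check which text encoding produced it.
function Test-EncodedCommand {
    param([Parameter(Mandatory = $true)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    # Heuristic: for ASCII-range script text, UTF-16LE stores 0x00 after every
    # character, so every odd-indexed byte must be zero and the length even.
    $highBytes = @(for ($i = 1; $i -lt $bytes.Length; $i += 2) { $bytes[$i] })
    $nonZero   = @($highBytes | Where-Object { $_ -ne 0 }).Count
    $isUtf16   = (($bytes.Length % 2) -eq 0) -and ($nonZero -eq 0)
    New-Object PSObject -Property @{
        LooksLikeUtf16LE = $isUtf16
        # How powershell.exe interprets the bytes, right or wrong.
        AsUnicode        = [Text.Encoding]::Unicode.GetString($bytes)
        # How the bytes read if the author encoded ASCII by mistake.
        AsAscii          = ([Text.Encoding]::ASCII.GetString($bytes)) -replace "`0", ''
    }
}

# Constructed sample: the same audit command encoded the right way and the wrong way.
$script = 'net localgroup Administrators'
$right  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$wrong  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($script))

foreach ($b64 in $right, $wrong) {
    Test-EncodedCommand $b64 | Format-List LooksLikeUtf16LE, AsUnicode, AsAscii
}
```

For the ASCII-encoded string, AsUnicode is the garbled text powershell.exe would try to execute, which is the failure the slide warns about.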
-
HOWTO: It works!
-
References / Resources
* PowerShell for Pentesters by Tim Medin
* Commandlinekungfu blog (Ed Skoudis for cmd.exe gymnastics)
* Hey! Scripting Guy! Blog
* David ReL1K Kennedy and Josh Winfang Kelley, PowerShell