Command Line Basics for IT Auditors

7/29/2019 Command Line Basics for IT Auditors

1/55

Practical Windows

Command Line Basics for

IT Auditing!A little cmd.exe & PowerShell that I

find useful (and maybe you, too).!!Sean Verity!


2/55

Agenda!whoami! Why?! HOWTO(s)! References / Resources!


3/55

whoami! Job Title: !

IS Auditor, MSUFCU! Some Experience:!

IS General Controls Testing! Network / Web App / Mobile App SecurityTesting!

An Accomplishment:! Submitted the 1st draft of a POST module(post/windows/gather/enum_unattend) to the

Metasploit Project!

This was my first adventure in ruby, msf API,and contributing to a software project!

Much thanks to sinn3r (coding) and Ben Campbell(research and enhancement) !


4/55

Why?!


5/55

Why?! Consistency! Timeliness! Completeness! Repeatability! Fun!


6/55

Procedure: Review All

Local User Accounts for

Reasonableness!Consistency

!


7/55

Windows XP!


8/55

Windows 7!


9/55

Windows Server 2003 R2!


10/55



11/55

Windows 8!


12/55

Windows 2012 Core!


13/55

Windows XP, Windows 7, WindowsServer 2003 R2, Windows Server 2008R2, Windows 8, and Windows Server

2012 Core!


14/55

Procedure 1: Review All Local User Accounts for

Reasonableness Procedure 2: Review the Firewall Settings for

Reasonableness Procedure 3: Determine if the system is up-to-

date on Microsoft Security Updates Procedure 4:

Determine if the system storespasswords using weak hashing algorithms (i.e. LM) Procedure 5: Determine if administrative access

is being reasonably managed!

Timeliness!Completeness!Repeatability!


15/55



16/55

Pros! Cons!Send me such and such

screenshot(s) tends to be a

very familiar approach formost people.!

Easy to accidentally skip a

procedure when reviewing

several systems.!!Who doesnt like pictures?!

Must take a screenshot for

each procedure and save it

[somewhere]. Easy to forget

to take a screenshot. Thiscould results in dozens of

files.!!Requires the auditor to a lot

of point-and-clicking, wait

for the application to load,

close the application, rinse,

repeat.!!


17/55


Automatetes*ngand

evidencecollec*on/forma5ng

throughtheuseofbatchfiles

orPowerShellscriptstosave

*me,diskspace,andensure

completeness.


18/55

Pros! Cons!Its a more automated

process. Greatly reduces the

risk of an auditor skipping aprocedure.!

Learning curve in finding the

right commands and formatting

the output in manner thatmakes sense to you and / or

your audience.!!Consolidate test results into

a single file. As seen in

the previous slide, you canalso automate the process of

evidence collection.

Learning curve in reading the

output. Its actually a

pretty shallow curve, so thisis debatable.!

Console applications

typically require fewercomputing resources than GUI-

based counterparts. !


19/55

HOWTO(s)!


20/55

HOWTO: Open cmd.exe!


21/55

HOWTO: Orientation to cmd.exe prompt!


22/55

HOWTO: Change the colors in cmd.exe!


23/55

HOWTO: Get help with cmd.exe!


24/55

HOWTO: Get help in cmd.exe!


25/55

HOWTO: Clear the screen in cmd.exe!


26/55

HOWTO: List files in cmd.exe. Wildcard basics.!


27/55

HOWTO: Change your present working directory in

cmd.exe. %HOMEPATH% environment variable.!


28/55

HOWTO: List user accounts and group members in

cmd.exe. !


29/55

CAUTION! net user does not list nested groups whenreviewing Active Directory group members. Use PowerShell

instead (Will not be covered in this presentation. Talkto me after the presentation if youre interested.) !


30/55

HOWTO: Query the registry in cmd.exe. !


31/55

HOWTO: Review OS version, patch levels, etc. Page

command output results. Focus command output on

just what you need. !


32/55

HOWTO: Automate in cmd.exe!


33/55

HOWTO: Automatically save test results generated

from cmd.exe!


34/55

HOWTO: Automatically save test results generated

from cmd.exe!


35/55

Fun!!


36/55

HOWTO: Ping sweep from cmd.exe!


37/55

HOWTO: Port scan from cmd.exe!

CredittoEdSkoudisforthistrick.Usedtobe

possibleusingWindowstelnetclient.Thetelnet

clientisnotenabled,bydefaultinWindows7,so

thisisanice(albeit,slow)workaround.


38/55

HOWTO: Find weak passwords using net.exe and a loop.!


39/55

Now, some PowerShell!


40/55

HOWTO: Open PowerShell!


41/55

HOWTO: Orientation to PowerShell prompt!


42/55

HOWTO: Change the colors in PowerShell (hackish, but

it works)!


43/55

HOWTO: Get help with PowerShell!


44/55

Lets refine our testresults with PowerShell!


45/55

HOWTO: Return a list of ONLY active local accounts

using PowerShell string manipulation!


46/55

Port scanning, the

easier way, withPowerShell!


47/55

HOWTO: Port scan using PowerShell!


48/55

Getting around that

pesky PowerShellExecutionPolicy!


49/55

PROBLEM: Current ExecutionPolicy wont allow the

execution of PowerShell scripts!


50/55

SOLUTION: Call Base64 encoded PowerShell code

from .bat file!


51/55

HOWTO: Look at the bottom of the help page for

powershell.exe. From cmd.exe, type powershell /?!


52/55

A GOTCHA!!


53/55

HOWTO: Be mindful of encoding (UNICODE vs. ASCII)!!


54/55

HOWTO: It works!!


55/55

References / Resources! PowerShell for Pentesters byTim Medin!

Commandlinekungfu blog (EdSkoudis for cmd.exe gymnastics) !

Hey! Scripting Guy! Blog! David ReL1K Kennedy and JoshWinfang Kelley, PowerShell!

Command Line Basics for IT Auditors

Documents