This is from an old presentation, I just wanted to record it somewhere. I'm not saying this stuff:
a) still works, b) is a good idea, c) hasn't been surpassed greatly in the last 7 years, d) is completely accurate.
hping3 -c 1 --faster -n $IP
or
hping3 -c 1 --faster -n --rand-dest 192.168.x.x
Parse out the TTL: if it is > 120, it is probably Windows (Windows uses an initial TTL of 128, but it gets decremented by each router hop along the way). Fast: a class B takes about 10 mins. Very inaccurate of course; any IP-mangling device in the path (NAT, FW, etc.) will lie about the TTL.
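As an added example (not from the presentation), a small Python parser for hping3 reply lines that applies the "> 120" rule and, going slightly beyond the page, rounds the observed TTL up to the nearest common initial value to estimate hop distance; the sample output is constructed, and the exact field layout of an hping3 reply line is an assumption.

```python
import re
from typing import Optional

# Common initial TTLs: 64 for most Unix-likes, 128 for Windows, 255 for many
# network devices (32 is rare/legacy). Rounding the observed TTL up to the
# nearest of these generalises the page's ">120 => Windows" rule and also
# gives a hop-count estimate.
INITIAL_TTLS = (32, 64, 128, 255)

# ip= and ttl= fields of an hping3 reply line (assumed layout), e.g.
# "len=46 ip=192.168.1.10 ttl=128 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms"
REPLY_RE = re.compile(r"\bip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?\bttl=(?P<ttl>\d+)\b")

def guess_initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    return next((c for c in INITIAL_TTLS if observed <= c), 255)

def classify(observed: int) -> str:
    """The presentation's crude rule: TTL above 120 is probably Windows."""
    return "probably-windows" if observed > 120 else "probably-not-windows"

def parse_reply(line: str) -> Optional[dict]:
    """Parse one hping3 line; banners and summary lines return None."""
    m = REPLY_RE.search(line)
    if m is None:
        return None
    ttl = int(m.group("ttl"))
    initial = guess_initial_ttl(ttl)
    return {
        "ip": m.group("ip"),
        "ttl": ttl,
        "initial_ttl": initial,
        "hops": initial - ttl,  # meaningless behind NAT/firewalls that rewrite TTL
        "guess": classify(ttl),
    }

def parse_hping_output(text: str) -> list:
    """Parse a whole hping3 run, keeping only reply lines."""
    return [r for r in (parse_reply(ln) for ln in text.splitlines()) if r]

# Constructed sample output, not a real capture. The ttl=117 host shows where
# the ">120" rule and the round-up heuristic disagree (128 minus 11 hops).
SAMPLE_OUTPUT = """\
HPING 192.168.1.10 (eth0 192.168.1.10): S set, 40 headers + 0 data bytes
len=46 ip=192.168.1.10 ttl=128 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.3 ms
len=46 ip=192.168.1.20 ttl=62 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=1.2 ms
len=46 ip=10.0.5.7 ttl=117 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=4.8 ms
--- 192.168.1.10 hping statistic ---
"""
```

The ttl=117 row is the case the page's own rule misclassifies after a dozen hops, which is the inaccuracy the note warns about.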
nmap -O --script=smb-os-discovery.nse 192.168.1.1/16 -oA all_windows
bit of a parsing nightmare
msf > db_nmap -O 192.168.1.1/16
msf > hosts
msf > hosts -o all_win.csv
# or
msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.1.1/16
msf auxiliary(smb_version) > set THREADS 256 # kind of pointless actually, but...
msf auxiliary(smb_version) > run
msf auxiliary(smb_version) > hosts