Microsoft Windows Security Assessment

Question 1

Commands to identify domains/work groups and memberships within the network, from outside a windows computer?

Answer 1

• nslookup
• nmap
• name -dhcp
• dig

Question 2

Commands to identify domains/work groups and memberships within the network, with access to windows cmd or powershell?

Answer 2

CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

PS
Get -WmiObject -Class Win32_UserAccount
Get -LocalUser | ft Name, Enabled, LastLogon
Get -ChildItem C:\Users -Force | select Name
Get -LocalGroupMember Administrators | ft Name, PrincipalSource

Question 3

Command to show scans and domain controller names from nmap?

Answer 3

net View

Question 4

Commands to browse list of available shared network resources collected and distributed by the computer browser service on a Microsoft network?

Answer 4

net share
net view
net view \<computer_name> /All</computer_name>

Question 5

Command to identify and analyse accessible SMB shares?

Answer 5

net share
enum4linux <target_ip>
smbclient -L \\\<target_ip></target_ip></target_ip>

smbclients option L lists shares
Remove L option to connect
Try anonymous login, if not, use other credentials.

Question 6

Identifying user accounts on target systems
and domains using NetBIOS

Answer 6

nbtscan <target_ip>
nmap -sV 172.16.1.102 --script nbstat.nse -v</target_ip>

Question 7

Identifying user accounts on target systems
and domains using SNMP

Answer 7

snmpwalk -c public -vl -t <target_ip>
nmap --script "snmp * and not snmp-brute" <target_ip></target_ip></target_ip>

Question 8

Identifying user accounts on target systems
and domains using LDAP

Answer 8

nmap -n -sV –script “ldap * and not brute” <target_ip>
ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w <passwords>' -b "DC=<1_SUBDOMAIN></passwords></username></DOMAIN></IP></target_ip>

Question 9

3 AD roles?

Answer 9

• Global Catalogue
• Domain Master Browser
• Flexible Single Master operations (FSMO)

Question 10

What is Global Catalogue?

Answer 10

Handles AD queries and logon

Question 11

What is Domain Master Browser?

Answer 11

• used when more than one network in the domain
• each subnet/domain has a master browser, which share info
• when browser list is collected and compiled, then transmitted to all master browser again as the enterprise-wide browse list for the domain

Question 12

What is Flexible Single Master Operations (FSMO)?

Answer 12

• FSMO is a specialised domain controller set of tasks used where standard data transfer and update methods are inadequate.
• AD normally relies on multiple peer DCs, each with a copy of AD database, being synchronised by multi-master replication.
• The tasks not suited to multi-master replication and are viable only with a single master database are the FSMOs.

Question 13

5 FSMO roles?

Answer 13

• Schema Master 1 per forest
• Domain Naming Master 1 per forest
• Relative ID (RID) Master 1 per domain
• Primary Domain Controller (PDC) Emulator 1 per domain
• Infrastructure Master 1 per domain

Question 14

What is Schema Master?

Answer 14

Manages read-write copy of AD schema
The AD schema defines attributes that you can apply to objects in AD database.

Question 15

What is Domain Naming Master?

Answer 15

Ensures you don’t have domains with same names in the same forest.
Master of domain names.
Since domains aren’t created often, this role is likely to live on same DC with another role.