Multiple ways to remotely control a Windows machine
In a nutshell
This post lists some tools available for *nix, Windows and Mac OS X to remotely control a Windows machine.
Get network information
Nbtscan
- Description: resolves IP address to NetBIOS name
- Compatibility: *nix
- Example:
$ nbtscan 10.195.97.1
Doing NBT name scan for addresses from 10.195.97.1

IP address       NetBIOS Name     Server    User             MAC address
--------------------------------------------------------------------------
10.195.97.1      UNKNOWN-7C76953  <server>  <unknown>        08:00:27:8b:42:15
nmblookup
- Description: resolves IP address to NetBIOS name
- Compatibility: *nix
- Example:
$ nmblookup -A 192.168.1.27
Looking up status of 192.168.1.27
	OZ-C06A6A6F2D3C <00> -         M <ACTIVE>
	OZ-C06A6A6F2D3C <20> -         M <ACTIVE>
	WORKGROUP       <00> - <GROUP> M <ACTIVE>
	WORKGROUP       <1e> - <GROUP> M <ACTIVE>

	MAC Address = 00-0C-29-51-2C-E7
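The name table above is only useful once the 16th-byte suffixes are decoded: <00> is the Workstation Service, <20> the File Server Service, and a group name with <1e> is the Browser Service Elections entry. The following parser is an added example (not part of the original page or of Samba's tools) that turns nmblookup -A output into a structured inventory; the sample text is a re-typed copy of the session shown above.

```python
import re

# Constructed sample: the nmblookup -A session above, re-typed for this example.
SAMPLE = """Looking up status of 192.168.1.27
\tOZ-C06A6A6F2D3C <00> -         M <ACTIVE>
\tOZ-C06A6A6F2D3C <20> -         M <ACTIVE>
\tWORKGROUP       <00> - <GROUP> M <ACTIVE>
\tWORKGROUP       <1e> - <GROUP> M <ACTIVE>

\tMAC Address = 00-0C-29-51-2C-E7
"""

# NetBIOS name suffix (16th byte) -> service, for unique and group names.
UNIQUE_SUFFIX = {0x00: "Workstation Service", 0x03: "Messenger Service",
                 0x20: "File Server Service", 0x1B: "Domain Master Browser",
                 0x1D: "Master Browser"}
GROUP_SUFFIX = {0x00: "Domain/Workgroup Name", 0x1C: "Domain Controllers",
                0x1E: "Browser Service Elections"}

# name, <suffix>, optional <GROUP>, node type (B/P/M/H), <status>
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9a-fA-F]{2})>\s+-\s+(<GROUP>)?\s*([BPMH])\s+<(\w+)>")
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f-]{17})")


def parse_name_table(text):
    """Return {'names': [entry, ...], 'mac': str or None} from nmblookup -A output."""
    names = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank and MAC lines carry no name entry
        name, suffix_hex, group, node_type, status = m.groups()
        suffix = int(suffix_hex, 16)
        table = GROUP_SUFFIX if group else UNIQUE_SUFFIX
        names.append({"name": name, "suffix": suffix, "group": bool(group),
                      "node_type": node_type, "status": status,
                      "service": table.get(suffix, "unknown")})
    mac = MAC_RE.search(text)
    return {"names": names, "mac": mac.group(1) if mac else None}


def advertised_services(text):
    """Services the host itself advertises (unique names only, groups excluded)."""
    return {e["service"] for e in parse_name_table(text)["names"] if not e["group"]}
```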
smbutil (status)
- Description: converts IP to NetBIOS name
- Compatibility: Mac OS X
- Example:
$ smbutil status 192.168.1.27
Using IP address of 192.168.1.27: 192.168.1.27
Workgroup: WORKGROUP
Server: OZ-C06A6A6F2D3C
Nmap Scripting Engine (NSE)
- Description: to be completed
- Compatibility: *nix, Windows
- Example:
$ sudo nmap -sC -p 135,139,445 10.199.114.182

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-11 14:26 CET
Nmap scan report for 10.199.114.182
Host is up (0.010s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_nbstat: NetBIOS name: LOC012Z, NetBIOS user: <unknown>, NetBIOS MAC: f0:4d:a2:aa:bb:6a (Dell)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: LOC012Z
|   Domain name: eur.fr.locz.com
|   Forest name: fr.locz.com
|   FQDN: LOC012Z.eur.fr.locz.com
|   NetBIOS computer name: LOC012Z
|   NetBIOS domain name: EUR
|_  System time: 2013-01-11 14:26:49 UTC+1
smbutil (lookup)
- Description: converts hostname to IP
- Compatibility: Mac OS X
- Example:
$ smbutil lookup oz-c06a6a6f2d3c
Got response from 192.168.60.135
IP address of oz-c06a6a6f2d3c: 192.168.60.135
IP address of oz-c06a6a6f2d3c: 192.168.1.27
PsGetSid
- Description: Part of PsTools. Displays the SID of a computer or of a user
- Compatibility: Windows
- Example:
C:\pstools>psgetsid \\192.168.1.27 -u pilou -p oopsoops

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for \\192.168.1.27:
S-1-5-21-1801674531-1647877149-682003330
psinfo
- Description: Part of PsTools. Shows various information about a target (uptime, kernel version, ...)
- Compatibility: Windows
- Example:
C:\pstools>psinfo \\192.168.1.27 -u pilou -p oopsoops

PsInfo v1.77 - Local and remote system information viewer
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\192.168.1.27:
Uptime:                    Error reading uptime
Kernel version:            Microsoft Windows XP, Uniprocessor Free
Product type:              Professional
Product version:           5.1
Service pack:              3
Kernel build number:       2600
Registered organization:   oz
Registered owner:          no name
IE version:                8.0000
System root:               C:\WINDOWS
Processors:                1
Processor speed:           2.7 GHz
Processor type:            Intel(R) Core(TM) i7-2640M CPU @
Physical memory:           512 MB
Video driver:              VMware SVGA II
netbios-shares-scanner
- Description: to be completed
- Download: http://downloads.sourceforge.net/project/netbiosscanner/netbios-shares-scanner-1.0.zip
- Example:
$ ./netbios-shares-scanner.py 192.168.1.24
Scanning 192.168.1.24

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (kevin-Lenovo-G550 server (Samba, Ubuntu))
	print$          Disk      Printer Drivers

	Server               Comment
	---------            -------
	FREEBOX              (null)
	KEVIN-LENOVO-G55     kevin-Lenovo-G550 server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	WORKGROUP            FREEBOX
Found share: print$
tree connect failed: Share is VISIBLE but password protected
smbutil (view)
- Description: List shared resources
- Compatibility: Mac OS X
- Example:
$ sudo smbutil view //<user>@192.168.1.27
Password for 192.168.1.27: p4ssw0rd
Share                                           Type    Comments
-------------------------------
IPC$                                            Pipe    IPC distant
ADMIN$                                          Disk    Administration à distance
C$                                              Disk    Partage par défaut

3 shares listed
smbclient
- Description: to be completed
- Compatibility: *nix
- Example:
$ smbclient -U administrator //10.195.97.1/c$
Enter administrator's password: p4ssw0rd
Domain=[UNKNOWN-7C76953] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> dir
  726716f98d83f667fed538              D        0  Tue Oct 23 10:59:41 2012
  7bb3b9f312da9409285a593f            D        0  Thu Oct 18 18:04:19 2012
  95be4cca3b07f6ea2cc2ec3a27d9        D        0  Mon Oct 22 08:18:02 2012
  AUTOEXEC.BAT                        A        0  Sat Jan 21 17:03:51 2012
  b86c6acb8e282eb715                  D        0  Thu Oct 18 18:04:18 2012
  boot.ini                           HS      212  Sat Jan 21 17:01:45 2012
  Bootfont.bin                     AHSR     4952  Tue Aug 28 14:00:00 2001
  Config.Msi                        DHS        0  Mon Dec 17 23:09:54 2012
  CONFIG.SYS                          A        0  Sat Jan 21 17:03:51 2012
  Documents and Settings              D        0  Sat Jan 21 17:09:37 2012
  IO.SYS                           AHSR        0  Sat Jan 21 17:03:51 2012
  MSDOS.SYS                        AHSR        0  Sat Jan 21 17:03:51 2012
  MSOCache                          DHR        0  Tue Feb  7 21:09:30 2012
  NTDETECT.COM                     AHSR    47564  Sun Apr 13 09:43:04 2008
  ntldr                            AHSR   252240  Sun Apr 13 11:31:52 2008
  pagefile.sys                      AHS 1610612736  Thu Jan 10 13:10:36 2013
  Program Files                      DR        0  Mon Dec 17 23:09:38 2012
  PSTools                             D        0  Wed Oct 24 13:51:31 2012
  Python27                            D        0  Mon Sep 17 09:20:58 2012
  RECYCLER                          DHS        0  Wed Feb  8 15:48:32 2012
  System Volume Information         DHS        0  Wed Sep 12 10:34:20 2012
  Temp                                D        0  Thu Jul  5 13:50:02 2012
  WINDOWS                             D        0  Wed Jan  9 06:56:01 2013

		40931 blocks of size 524288. 3779 blocks available
psexec
- Description: to be completed
- Compatibility: Windows
- Example:
psexec \\1.2.3.4 -U administrator -P
Get a remote file to local machine
smbclient (get command)
- Description: Download file over SMB
- Compatibility:
- Example:
$ smbclient -U pilou //192.168.1.27/c$
Enter pilou's password: password
Domain=[OZ-C06A6A6F2D3C] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> cd isa
smb: \isa\> get test.csv
getting file \isa\test.csv of size 40099 as test.csv (4894,8 KiloBytes/sec) (average 4894,9 KiloBytes/sec)
smbget
- Description: wget-like utility to download files over SMB
- Compatibility:
- Example:
$ smbget -r -u administrator smb://192.168.1.27/d$/image.img
Password for d$ at 10.195.42.31:
Using workgroup WORKGROUP, user administrator
[img.img] 17,76MB of 1,95GB (0,89%) at 137,78kB/s ETA: 04:04:41
Send a local file to the remote machine
smbclient
- Description:
- Compatibility:
- Example:
$ smbclient -U unknown //10.195.97.1/c$
Enter unknown's password:
Domain=[UNKNOWN-7C76953] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \> put out.txt
putting file out.txt as \out.txt (544,2 kb/s) (average 544,2 kb/s)
psexec
- Description:
- Compatibility:
- Example:
psexec \\1.2.3.4 -U administrator -P password -c localfile
netcat
On the Windows machine that will receive the file:
- Download netcat for Windows: http://joncraton.org/media/files/nc111nt.zip
- Uncompress the archive
- Copy the “nc” file wherever you want. It is recommended to copy it into C:\Windows
- Run the following command:
$ nc -l -p 1234 > C:\isa\file.txt
On the *nix machine that will send the file:
$ cat file.txt | nc 192.168.1.28 1234
smb in Nautilus
- Description: Remotely connect to a Windows network share
- Compatibility: Linux
- Example:
Windows Explorer
- Description: Remotely connect to a Windows network share
- Compatibility: Windows
- Example:
Execute commands remotely
psexec
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.
Registry database
Regshell
$ sudo aptitude install registry-tools
$ regshell -R 10.195.97.1 -U administrator
Password for [WORKGROUP\administrator]: p4ssw0rd
HKEY_CLASSES_ROOT\> help
Available commands:
	ck - Change current key
	info - Show detailed information of a key
	list - List values/keys in current key
	print - Print value
	mkkey - Make new key
	rmval - Remove value
	rmkey - Remove key
	pwd - Printing current key
	set - Update value
	help - Help
	exit - Exit
	predef - Go to predefined key
HKEY_CLASSES_ROOT\> predef HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\> cd Software\\Microsoft\\Windows\\CurrentVersion\\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> list
V "VBoxTray" REG_SZ C:\WINDOWS\system32\VBoxTray.exe
V "Adobe ARM" REG_SZ "C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe"
V "SunJavaUpdateSched" REG_SZ "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"
V "ConnectionCenter" REG_SZ "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run> exit
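The Run key listed above is one of the autostart locations worth reviewing on a host, and regshell's `V "name" TYPE data` lines are easy to post-process. The parser below is an added example, not part of the original page or of Samba's registry-tools: it splits each value into image path and arguments (handling both quoted and unquoted paths) and applies a simple, constructed triage heuristic that flags images outside C:\WINDOWS and C:\Program Files. The sample holds the four values shown above plus one constructed "Updater" entry so the heuristic has something to flag.

```python
import re

# The four Run-key values listed above, plus one constructed entry ("Updater")
# so that the triage heuristic below flags something.
SAMPLE = r'''V "VBoxTray" REG_SZ C:\WINDOWS\system32\VBoxTray.exe
V "Adobe ARM" REG_SZ "C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe"
V "SunJavaUpdateSched" REG_SZ "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"
V "ConnectionCenter" REG_SZ "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
V "Updater" REG_SZ "C:\Documents and Settings\pilou\Application Data\upd.exe" -q'''

# regshell value line: V "<name>" <REG_TYPE> <data>
VALUE_RE = re.compile(r'^V\s+"([^"]+)"\s+(\S+)\s+(.*)$')

# Constructed heuristic: directories where autorun images are normally installed.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


def split_command(cmd):
    """Separate the image path from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:  # unterminated quote: treat the rest as the path
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args.strip()


def parse_run_values(text):
    """Parse regshell 'list' output into dicts with name, type, image and args."""
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # skip subkey lines ('K ...') and shell prompts
        name, reg_type, data = m.groups()
        image, args = split_command(data)
        entries.append({"name": name, "type": reg_type, "image": image, "args": args})
    return entries


def suspicious_entries(entries):
    """Entries whose image lives outside the usual install locations."""
    return [e for e in entries
            if not e["image"].lower().startswith(TRUSTED_PREFIXES)]
```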
Regtree
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.
Reglookup
$ sudo aptitude install reglookup
Regviewer
$ sudo aptitude install libgnomeui-dev automake autoconf
$ wget http://downloads.sourceforge.net/project/regviewer/regviewer/regviewer-0.1/regviewer-0.1.tar.gz
$ tar xvzf regviewer-0.1.tar.gz
$ cd regviewer-0.1/
$ ./autogen.sh
$ make
$ sudo make install