SysInternals
Table of Contents
- Accessing the tool suite
- ADExplorer
- ProcDump
- ProcExp
- PsLoggedOn
- Strings
- Autoruns / Autorunsc
- AccessChk
- AccessEnum
- SigCheck
Accessing the tool suite
The complete Sysinternals Suite is available online at the following two locations:
- https://live.sysinternals.com/
- \\live.sysinternals.com\tools\
This means that you can execute any tool directly from its UNC path as long as the target system can reach live.sysinternals.com. The UNC form is served over WebDAV, not SMB, so the WebClient service must be running and outbound HTTP(S) (directly or through the proxy) must be allowed; in hardened environments this is often blocked and you have to copy the binaries over yourself. Keep in mind that every tool records EULA acceptance under HKCU\Software\Sysinternals\<tool> and that fetching binaries from the live share leaves an obvious network trace, so this is noisy from a detection standpoint.
Example:
C:\Users\betelsam>\\live.sysinternals.com\tools\ADExplorer.exe
Tip
You might need to “mount” the share before being able to run a tool from its UNC path.
net use \\live.sysinternals.com\tools
ADExplorer
Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute.
\\live.sysinternals.com\tools\ADExplorer.exe -accepteula
Offensive usage:
- read the description and info attributes of users, computers and groups: administrators regularly park passwords or password hints there
- find forgotten ASCII decimal obfuscated passwords (e.g. 80 97 115 115 for Pass) in the UserPassword, UnixUserPassword, unicodePwd and msSFU30Password attributes (unicodePwd itself is write-only over LDAP, so in practice only the legacy Unix/NIS attributes return values)
- find high-value target servers/workstations (SQL, SharePoint, …) from their description, operatingSystem and servicePrincipalName attributes
- find distribution groups that allow email from external sources (msExchRequireAuthToSendTo=FALSE)
- snapshot differential (who changed their passwords, who is disabled, …)
Create a snapshot from the command line; the first argument is the connection string (a domain controller name), and an empty string uses the domain the current user is logged on to:
ADExplorer.exe -snapshot "" <SNAPSHOT.DAT PATH>
The snapshot can be opened later in AD Explorer without any connectivity to the domain and compared against a second snapshot (Compare menu) to get the differential. Taking one reads the entire directory, which is a visible burst of LDAP traffic from the host.
Reference: https://www.blackhillsinfosec.com/domain-goodness-learned-love-ad-explorer/
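The attribute hunting described in the list above, as an added example that is not part of the original page and is not AD Explorer's own code: it scans object attributes for credentials left in free-text fields and decodes ASCII decimal obfuscated values in the legacy password attributes. The objects are constructed sample data; in practice they would come from an AD Explorer snapshot export or an LDAP search using the same attribute names.

```python
"""
Added example (not from the original page or from AD Explorer): look for
credentials in the attributes the page lists. Sample objects are constructed.
"""
import re

# Attribute names are compared case-insensitively, as AD treats them.
FREETEXT_ATTRS = {"description", "info"}
PASSWORD_ATTRS = {"userpassword", "unixuserpassword", "unicodepwd", "mssfu30password"}

# Words that, in a free-text attribute, usually mean a credential was left there.
KEYWORDS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?)\b", re.IGNORECASE)

# Space-separated decimal byte values, e.g. "80 97 115 115" for "Pass".
ASCII_DECIMAL = re.compile(r"^\s*\d{1,3}(?:\s+\d{1,3})*\s*$")


def decode_ascii_decimal(value):
    """Return the decoded text if value is a list of decimal byte values in
    the printable ASCII range, otherwise None."""
    if not ASCII_DECIMAL.match(value):
        return None
    codes = [int(tok) for tok in value.split()]
    if not all(32 <= c <= 126 for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def find_secrets(objects):
    """objects: iterable of (dn, {attribute: value}) pairs.
    Returns (dn, attribute, finding) tuples: keyword hits in free-text
    attributes, and every non-empty legacy password attribute (decoded
    when it is ASCII decimal, raw otherwise)."""
    findings = []
    for dn, attrs in objects:
        for attr, value in attrs.items():
            if not value:
                continue
            name = attr.lower()
            if name in FREETEXT_ATTRS and KEYWORDS.search(value):
                findings.append((dn, attr, value))
            elif name in PASSWORD_ATTRS:
                decoded = decode_ascii_decimal(value)
                findings.append((dn, attr, decoded if decoded is not None else value))
    return findings


# Constructed sample objects (hypothetical domain corp.local).
SAMPLE_OBJECTS = [
    ("CN=svc_backup,OU=Service,DC=corp,DC=local",
     {"description": "Backup account, password is Winter2019!"}),
    ("CN=jdoe,OU=Users,DC=corp,DC=local",
     {"description": "Sales", "info": "temp pwd: Start123"}),
    ("CN=legacy_nis,OU=Users,DC=corp,DC=local",
     {"description": "NIS migrated", "msSFU30Password": "80 97 115 115 49 50 51 33"}),
    ("CN=printer01,OU=Users,DC=corp,DC=local",
     {"description": "Lobby printer", "userPassword": "{SHA}notdecimal="}),
]

if __name__ == "__main__":
    for dn, attr, finding in find_secrets(SAMPLE_OBJECTS):
        print(f"{dn}\n    {attr}: {finding}")
```

Anything in a password attribute is reported even when it does not decode, since a hash or an unknown encoding is still worth a look; tune KEYWORDS to the language the target's administrators write in.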
ProcDump
ProcDump can serve as a general process dump utility (e.g. for lsass.exe, whose full dump can then be parsed offline for credential material).
procdump.exe -accepteula -ma <PROCESS> <DUMP FILE>
Warning
Requires local administrative privileges (SeDebugPrivilege) to dump processes running as another user or as SYSTEM. Dumping lsass.exe fails when LSA Protection (RunAsPPL) is enabled, and ProcDump opening lsass is a pattern most EDR products alert on, even though the binary itself is signed by Microsoft.
ProcExp
Process Explorer is a kind of task manager on steroids. Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
\\live.sysinternals.com\tools\procexp.exe -accepteula
Tip
Process Explorer also allows you to create a memory dump of a process (right-click the process, Create Dump, then Minidump or Full Dump); the same privilege and LSA Protection limits as for ProcDump apply.
PsLoggedOn
PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on. Against a remote host it reads HKEY_USERS through the Remote Registry service for local logons and enumerates sessions (NetSessionEnum) for resource logons, so it needs that service reachable and an account allowed to query it.
psloggedon.exe \\<COMPUTER>
psloggedon.exe <USERNAME>
Strings
Strings just scans the file you pass it for UNICODE (UTF-16LE) or ASCII strings of a default length of 3 or more characters. It does essentially the same as its Unix equivalent, with one difference worth knowing: it looks for UTF-16LE strings by default, which is where most Windows binaries keep their text, whereas GNU strings only does that with -e l.
\\live.sysinternals.com\tools\strings.exe -accepteula
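What the tool does by default, as an added example that is not part of the original page and is not Sysinternals' code: a small reimplementation that pulls both single-byte ASCII runs and UTF-16LE runs of at least 3 printable characters out of a buffer. The buffer is constructed to look like a Windows binary carrying a UTF-16LE path, the kind of string a default Unix strings run would miss.

```python
"""
Added example (not from the original page or from Sysinternals): extract
ASCII and UTF-16LE strings the way Strings does by default. The sample
buffer is constructed.
"""
import re

MIN_LEN = 3  # Strings' default minimum length


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) tuples, ordered by offset.
    ASCII runs are printable bytes 0x20-0x7e plus tab; UTF-16LE runs are the
    same characters each followed by a NUL byte. Alignment of UTF-16 runs is
    not enforced, so odd-offset hits are possible, as with the real tool."""
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    utf16le_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)

    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16le_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort(key=lambda hit: hit[0])
    return found


# Constructed sample: a fake DOS header, the usual DOS stub message (ASCII),
# binary noise, a too-short ASCII run, and two UTF-16LE strings.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\x00\x00\x00"
    + "C:\\Windows\\Temp\\payload.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03ok\x00\x00"
    + "cmd.exe".encode("utf-16-le")
)

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:08x} {encoding:8} {text}")
```

Pass a file's bytes to extract_strings to get the equivalent of strings.exe -n 3; raise min_len to cut noise, as with the real tool's -n option.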
Autoruns / Autorunsc
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players.
\\live.sysinternals.com\tools\autoruns.exe -accepteula
Useful to find custom executables or batch scripts that could be exploited to escalate privileges locally on the target system when used in conjunction with AccessChk: a non-Microsoft auto-start entry whose image, or the directory holding it, is writable by a low-privilege user is a candidate.
Command Line Usage
In order to get the same functionality via the command line:
autorunsc.exe -a * <OPTIONS ...>
| Option | Description |
|---|---|
| -c | Print output as CSV |
| -ct | Print output as tab-delimited values |
| -x | Print output as XML |
| -m | Hide Microsoft entries |
| -v | Query hashes on VirusTotal (append r to open reports for detections, s to upload unknown files); -vt accepts the VirusTotal terms of service, which is required once before -v works |
AccessChk
As a part of ensuring that they’ve created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
accesschk.exe -accepteula -qu <TYPE> <OPTIONS> <USERNAME> <FILE, DIRECTORY, REGISTRY KEY, PROCESS, SERVICE, OBJECT>
(-q omits the banner and -u suppresses errors, which keeps the output parseable.)
| Type | Description |
|---|---|
| (default) | Query a file or directory (local or UNC) |
| -c | Query a Windows service |
| -p | Query a process name |
| -h | Query a file or printer share |
| -k | Query a registry key (e.g. hklm\software) |

| Option | Description |
|---|---|
| -s | Recurse |
| -n | Show only objects that have no access |
| -r | Show only objects that have read access |
| -w | Show only objects that have write access |
| -v | Verbose: print the specific access rights instead of the R/W summary |
Find write permissions of user within path:
accesschk.exe -accepteula -u -sw <USERNAME> <LOCAL PATH/UNC PATH>
Find read permissions of user within share:
accesschk.exe -accepteula -u -sr <USERNAME> \\<HOSTNAME>\<SHARE>
Find permissions on all services:
accesschk.exe -accepteula -u -c <USERNAME> *
Find permissions on all local shares:
accesschk.exe -accepteula -u -h <USERNAME> *
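The Autoruns plus AccessChk combination described above (auto-start entries whose image or parent directory a low-privilege user can write to), as an added example that is not part of the original page and is not Sysinternals' code. It takes the CSV produced by autorunsc -c and the writable paths reported by accesschk -w -s, both given here as constructed samples: the column names follow autorunsc's CSV header (only Entry Location, Entry and Image Path are used) and the accesschk lines follow its "<access> <path>" format where access is R, W or RW.

```python
"""
Added example (not from the original page or from Sysinternals): find
auto-start entries a low-privilege user could tamper with, by joining
autorunsc CSV output with accesschk's writable-path output. Inputs are
constructed samples.
"""
import csv
import io
import ntpath  # Windows path semantics even when this runs on Linux/macOS

# Constructed sample of: autorunsc.exe -accepteula -a * -c -m
AUTORUNS_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Company,Image Path,Version,Launch String
2024-01-02 09:00,HKLM\System\CurrentControlSet\Services,BackupSvc,enabled,Services,System-wide,Nightly backup,Contoso,C:\Tools\backup\run_backup.bat,,C:\Tools\backup\run_backup.bat
2024-01-02 09:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,System-wide,Vendor updater,Contoso,C:\Program Files\Contoso\updater.exe,1.0.0.1,C:\Program Files\Contoso\updater.exe /silent
2024-01-02 09:00,HKLM\System\CurrentControlSet\Services,Monitor,enabled,Services,System-wide,Monitoring agent,Contoso,C:\Tools\monitor\agent.exe,2.3.0.0,C:\Tools\monitor\agent.exe
"""

# Constructed sample of: accesschk.exe -accepteula -q -u -sw Users C:\Tools
ACCESSCHK_OUT = r"""RW C:\Tools\backup
RW C:\Tools\backup\run_backup.bat
RW C:\Tools\monitor
"""


def parse_writable(accesschk_text):
    """Set of normalised (lower-case, backslash) paths with write access."""
    writable = set()
    for line in accesschk_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or something that is not "<access> <path>"
        access, path = parts
        if "W" in access.upper():
            writable.add(ntpath.normcase(path))
    return writable


def find_hijackable(autoruns_csv, writable):
    """(entry location, entry, image path, reason) for every auto-start image
    that is itself writable or sits under a writable directory."""
    hits = []
    for row in csv.DictReader(io.StringIO(autoruns_csv)):
        image = row.get("Image Path", "").strip()
        if not image:
            continue
        norm = ntpath.normcase(image)
        if norm in writable:
            hits.append((row["Entry Location"], row["Entry"], image, "file writable"))
            continue
        # A writable ancestor lets the user drop files next to the target
        # (DLL side-loading, unquoted-path abuse) even if the target itself
        # cannot be overwritten, so it is reported with a different reason.
        parent = ntpath.dirname(norm)
        while parent and parent != ntpath.dirname(parent):
            if parent in writable:
                hits.append((row["Entry Location"], row["Entry"], image,
                             f"directory writable: {parent}"))
                break
            parent = ntpath.dirname(parent)
    return hits


if __name__ == "__main__":
    for location, entry, image, reason in find_hijackable(AUTORUNS_CSV, parse_writable(ACCESSCHK_OUT)):
        print(f"{reason:40} {location}\\{entry} -> {image}")
```

When reading the real files, check the byte-order mark first: the Sysinternals tools write Unicode output when redirected to a file, so open them with the matching encoding before handing the text to these functions. The directory check is deliberately conservative; confirm with accesschk -v which rights (FILE_WRITE_DATA, DELETE, FILE_ADD_FILE) the user actually has before calling anything exploitable.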
AccessEnum
There’s no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary.
\\live.sysinternals.com\tools\accessenum.exe -accepteula
This is basically the GUI equivalent of AccessChk.
SigCheck
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal.
Useful to find a program version number and search for known exploits.
sigcheck.exe -a <OPTIONS> <FILE or DIRECTORY>
| Option | Description |
|---|---|
| -c | Print output as CSV |
| -ct | Print output as tab-delimited values |
| -x | Print output as XML |
| -h | Show file hashes |
| -s | Recurse subdirectories |
| -u | Show unsigned only (with VirusTotal enabled, show files unknown to VirusTotal or with non-zero detections) |
| -e | Scan executable images only (regardless of their extension) |
| -v | Query hashes on VirusTotal (append r to open reports for detections, s to upload unknown files); -vt accepts the VirusTotal terms of service, which is required once before -v works |
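Turning a directory scan into the two lists the page cares about (unsigned executables, and versions to check against known exploits), as an added example that is not part of the original page and is not Sysinternals' code. It reads the CSV from sigcheck -c -e -s -h; the CSV below is a constructed sample whose column names follow sigcheck's CSV header (only Path, Verified, Product and File Version are used), with placeholder hash values, and the minimum-version table is a hypothetical input you fill from your own research.

```python
"""
Added example (not from the original page or from Sysinternals): triage a
sigcheck CSV for unsigned images and for products below a chosen version.
The CSV and the version table are constructed.
"""
import csv
import io
import re

# Constructed sample of: sigcheck.exe -accepteula -c -e -s -h "C:\Program Files\Contoso"
SIGCHECK_CSV = r"""Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine,MD5,SHA1,PESHA1,PESHA256,SHA256,IMP
C:\Program Files\Contoso\updater.exe,Unsigned,2024-01-02 09:00,n/a,Contoso,Updater,Contoso Updater,1.0.0.1,1.0.0.1,64-bit,md5-placeholder,sha1-placeholder,pesha1-placeholder,pesha256-placeholder,sha256-placeholder,imp-placeholder
C:\Program Files\Contoso\agent.exe,Signed,2024-01-02 09:00,Contoso Ltd,Contoso,Agent,Contoso Agent,2.3.0.0,2.3.0.0,64-bit,md5-placeholder,sha1-placeholder,pesha1-placeholder,pesha256-placeholder,sha256-placeholder,imp-placeholder
C:\Program Files\Contoso\helper.dll,Signed,2024-01-02 09:00,Contoso Ltd,Contoso,Helper,Contoso Agent,2.4.1.0,2.4.1.0 (build 17),64-bit,md5-placeholder,sha1-placeholder,pesha1-placeholder,pesha256-placeholder,sha256-placeholder,imp-placeholder
"""


def parse_version(text):
    """'2.4.1.0 (build 17)' -> (2, 4, 1, 0); returns () when no number leads."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def version_lt(a, b):
    """Compare dotted versions, padding the shorter one with zeros."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    return va + (0,) * (n - len(va)) < vb + (0,) * (n - len(vb))


def load_rows(text):
    """Parse the CSV, skipping any banner lines sigcheck printed before the header."""
    lines = text.splitlines()
    start = next((i for i, line in enumerate(lines) if line.startswith("Path,")), None)
    if start is None:
        raise ValueError("no sigcheck CSV header found")
    return list(csv.DictReader(io.StringIO("\n".join(lines[start:]))))


def triage(text, minimum_versions):
    """minimum_versions: {product name: lowest acceptable version string}.
    Returns (unsigned, outdated), each a list of (path, detail)."""
    unsigned, outdated = [], []
    for row in load_rows(text):
        path = row["Path"]
        verified = row.get("Verified", "").strip()
        if verified.lower() != "signed":
            unsigned.append((path, verified))
        product = row.get("Product", "").strip()
        minimum = minimum_versions.get(product)
        file_version = row.get("File Version", "")
        # Unknown versions are not flagged as outdated; they need a manual look.
        if minimum and parse_version(file_version) and version_lt(file_version, minimum):
            outdated.append((path, f"{file_version} < {minimum}"))
    return unsigned, outdated


# Hypothetical minimums, e.g. the first version in which a known issue was fixed.
MINIMUM_VERSIONS = {"Contoso Agent": "2.4.0.0"}

if __name__ == "__main__":
    unsigned, outdated = triage(SIGCHECK_CSV, MINIMUM_VERSIONS)
    for path, detail in unsigned:
        print(f"unsigned  {path} ({detail})")
    for path, detail in outdated:
        print(f"outdated  {path} ({detail})")
```

"Signed" only means the signature chains to a trusted root on the scanning host; a signed binary can still be old or vulnerable, which is why the version pass runs on every row, not just the unsigned ones.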