Winfingerprint 0.6.2


Written by Pavs on July 24th, 2007

Winfingerprint Homepage: http://winfingerprint.sourceforge.net
Written by: Kirby Kuehl 1999-2004 vacuum@users.sourceforge.net
Requirements: Windows NT, 2000, XP, or 2003. Winfingerprint will NOT run on Windows 95, 98, or ME.
WinPcap 3.1 beta 4 or later is required for TCP SYN scans. If WinPcap is unavailable, winfingerprint automatically falls back to TCP non-blocking connect() calls for portscans.
You may have to download the Microsoft Platform SDK for the ADSI method to work, although the Winfingerprint installer does include activeds.dll and adsldpc.dll.

Start Screen:

[screenshot: start screen]

You can select Scan options:

[screenshot: scan options]

Options Explained:

- Win32 OS Version

Determines the current configuration of each scanned host using an SMB (Server Message Block) Query. This includes OS Version (Major and Minor) as well as type of software.

- Null IPC$ Sessions

From a NULL session, it is possible to call APIs and use Remote Procedure Calls to enumerate information. Example of how a null session would be manually established:
net use \\10.0.0.1\ipc$ "" /user:""
Null IPC$ sessions are necessary to enumerate information on targets that are not part of the same domain or workgroup as the scanning host. Winfingerprint utilizes the WNetAddConnection3 API to establish null sessions. Upon completion of the scan, the null session is disconnected using the WNetCancelConnection2 API.
NOTE: If Null Sessions cannot be established, it is probable that the target computer has restrictanonymous set to 1 or 2:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000002

- NetBIOS Shares

Retrieves information about each shared resource on a server.

Share Name
Share Type
Optional Comment

Sample Output:

NetBIOS Shares:
Name: IPC$ Remark: Remote IPC
Type: Interprocess communication (IPC)
Name: ADMIN$ Remark: Remote Admin
Type: Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$)
Accessible without password.
Name: C$ Remark: Default share
Type: Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$)
Accessible without password.
192.168.1.1 scanned in 2.25 seconds

NetBIOS shares are checked to see if they are accessible without a password.
API: NetShareEnum Level 1. No special group membership is required for level 1 calls.
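The sample output above is what the tool emits for one host, and it is awkward to read or to track across a network. As an added example, not code from Winfingerprint or from this post, the following Python parses the NetBIOS Shares block into records and produces one finding line per share the scanner reached without a password; the sample text is constructed to mirror the output shown above.

```python
import re

# Constructed sample, mirroring the NetBIOS Shares output shown in this post.
SAMPLE = """NetBIOS Shares:
Name: IPC$ Remark: Remote IPC
Type: Interprocess communication (IPC)
Name: ADMIN$ Remark: Remote Admin
Type: Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$)
Accessible without password.
Name: C$ Remark: Default share
Type: Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$)
Accessible without password.
192.168.1.1 scanned in 2.25 seconds
"""

# One share record: Name / Remark / Type, optionally followed by the
# "Accessible without password." flag. A record ends where the next
# "Name:" or the closing "<ip> scanned in" trailer begins.
SHARE_RE = re.compile(
    r"Name: (?P<name>.+?) Remark: (?P<remark>.*?)\s*Type: (?P<type>.*?)\s*"
    r"(?P<open>Accessible without password\.)?\s*"
    r"(?=Name: |\d{1,3}(?:\.\d{1,3}){3} scanned in|$)"
)
HOST_RE = re.compile(r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) scanned in [\d.]+ seconds")


def parse_shares(text):
    """Parse one host's NetBIOS Shares block into a list of dicts.
    Whitespace is collapsed first, so the line-wrapped form and the
    run-together form (as pasted on the page) parse identically."""
    flat = " ".join(text.split())
    host = HOST_RE.search(flat)
    return [
        {
            "host": host.group("host") if host else None,
            "name": m.group("name"),
            "remark": m.group("remark"),
            "type": m.group("type"),
            "no_password": m.group("open") is not None,
        }
        for m in SHARE_RE.finditer(flat)
    ]


def findings(shares):
    """One line per share reached without a password, administrative ($) shares first."""
    hits = [s for s in shares if s["no_password"]]
    hits.sort(key=lambda s: (not s["name"].endswith("$"), s["name"]))
    return [f"{s['host']}: {s['name']} ({s['remark']}) accessible without password" for s in hits]
```

Administrative shares (ADMIN$, C$) reachable without a password are the records worth a ticket; IPC$ is expected to be listed and is not flagged by the tool.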

- Date and Time

This option returns the time of day information from a specified server.

Sample Output:

Date and Time: [9/21/2004] — 07:50:48.15
192.168.1.1 scanned in 0.02 seconds

API: NetRemoteTOD. No special group membership is required to successfully execute the NetRemoteTOD function.

- Users - Network Type: NT DOMAIN

Returns user account information:

Username
Userid
Full Name
Comment
Login script executed
Account Disabled
Home directory is required
No password required
The user cannot change password
The account is locked
Password does not expire
The account is enabled for delegation
The user’s password is stored under reversible encryption in the Active Directory.
Requires the user to log on to the user account with a smart card.
Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
This account does not require Kerberos preauthentication for logon.
The user’s password has expired.

Sample Output:

Users:
Administrator [500] ""
- Built-in account for administering the computer/domain
SID : S-1-5-21-778402230-1777874515-1923568549-500
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- Password does not expire.
Guest [501] ""
SID : S-1-5-21-778402230-1777874515-1923568549-501
- Built-in account for guest access to the computer/domain
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- The user's account is disabled.
- No password is required.
- Password does not expire.
vacuum [1004] "vacuum"
SID : S-1-5-21-778402230-1777874515-1923568549-1004
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- Password does not expire.

- Services - Network Type: NT DOMAIN

Enumerates services in the specified service control manager database. The name and status of each service are provided.

- Disks

Retrieves a list of disk drives on a server.

API: NetServerDiskEnum. Only members of the Administrators or Account Operators local group can successfully execute the NetServerDiskEnum function on a remote computer.

- Groups - Network Type: NT DOMAIN

This option makes two different calls. NetLocalGroupEnum returns information on all local groups. NetQueryDisplayInformation (Level 3) returns global groups, which is most useful against Domain Controllers.

Local Groups
Returns group account information:

Group Name
Comment
API: NetLocalGroupEnum Level 1. No special privileges are required to call NetLocalGroupEnum.

Global Groups
Returns group account information:

Group Name
Group Comment
Group ID

- Registry (Service Pack and Hotfix)

This option queries the remote registry and if successful, will report back the installed Service Pack as well as any hotfixes.

Sample Output:

Patch Level:
Q307869 Windows XP Hotfix (SP1) [See Q307869 for more information]
Q309521 Windows XP Hotfix (SP1) [See Q309521 for more information]
Q309691 Windows XP Hotfix (SP1) [See Q309691 for more information]

APIs: RegConnectRegistry, RegOpenKeyEx, RegEnumKeyEx, RegQueryValueEx, RegCloseKey.

- NBT Information

Supplies information about transport protocols that are managed by the server.

Transport Name
Transport Address (MAC)

Sample Output:

Transports:
TEST-W2K Transport: \Device\NetBT_Tcpip_{4E93603E-0A88-42DA-B4F8-9C2AE2366268}
Network Address: 00096be057b3
TEST-W2K Transport: \Device\NetbiosSmb
Network Address: 000000000000

- Sessions - Network Type: NT DOMAIN

Provides information about sessions established on a server. A session is recorded when a user at a client successfully contacts a server. A successful session occurs when the two computers are on the same network, and the user has a user name and password that are accepted by the server. A user at a client has to have a session with a server before he or she can use the resources of the server, and a session is not established until a user at a client connects to a resource. A client and a server have only one session, but they can have many entry points, or connections, to resources.
Session Enumeration using Network Type NT Domain enumerates the following:

Computer Name
User Name
Seconds Active Time
Seconds Idle Time
API: NetSessionEnum Level 10.

- Simple Network Management Protocol

system.sysDescr
system.sysObjectID
system.sysUpTime
system.sysName
system.sysLocation
ip.ipRouteTable.ipRouteEntry.ipRouteDest
interfaces.ifTable.ifEntry.ifDescr

- Security Event Log

Enumerates the security event log. For example:

00 Event ID: 0x00000205 Time Generated: Fri Nov 29 10:05:31 2002
Time Written: Fri Nov 29 10:05:31 2002
Success Audit Event
SourceName: Security
ComputerName: TEST-W2K

- RPC Bindings Enumeration

The ncacn_nb_tcp keyword is used to identify TCP over NetBIOS as the protocol family for the endpoint.
The ncacn_np keyword identifies named pipes as the protocol family for the endpoint. On Microsoft Windows 95/98, ncacn_np is supported only for client applications.
The ncacn_ip_tcp keyword identifies TCP/IP as the protocol family for the endpoint.
The ncadg_ip_udp keyword identifies the datagram version of TCP/IP as the protocol family for the endpoint.
The ncacn_http keyword identifies the Microsoft Internet Information Server (IIS) as the protocol family for the endpoint.
——————————————————————————————————-

Sources: WinfingerPrint 0.6.2 Help file. Only pictures are original.

Cheers,

pavs
