On CHFI-XP2, launch Netcat in Listening Mode:
C:\Tools\Netcat>nc -v -L -p 99 >> E:\Evidence\MyEvidence.txt
On LON-WEB1, launch Netcat in Client Mode:
D:\Forensics\Netcat>date /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>time /t | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>ipconfig /all | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>netstat -an | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>nbtstat -n | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>arp -a | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>route print | nc 131.107.1.254 99 -w10
D:\Forensics\Netcat>tasklist | nc 131.107.1.254 99 -w10
Display registry values:
D:\Forensics\Netcat>reg query hklm\software\microsoft\windows\currentversion\run | nc 131.107.1.254 99 -w10
If you need to launch Netcat from different directory,
access it by using this command:
D:\Forensics\>cd Sysinternalssuite
D:\Forensics\Sysintenalssuite>pslist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psloggedon | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psloglist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psservice | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>psfile | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>pipelist | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>listdlls | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
D:\Forensics\Sysintenalssuite>procfeatures | D:\Forensics\Netcat\nc 131.107.1.254 99 -w10
MyEvidence.txt is the file which will store the evidence collection.
No comments:
Post a Comment