
Winfingerprint - Network Type: NT DOMAIN

Determines the current configuration of each host in the IP address range using a Server Message Block (SMB) query. This includes the OS version (major and minor) as well as the type of software the host runs: in the output below, Platform is the sv101_platform_id (500 = PLATFORM_ID_NT), Version is the major.minor pair, and each Role line is one set bit of the sv101_type mask.
API: NetServerGetInfo, Level 101 (no special privileges are required to perform this command).
Sample Output:
Fingerprint:
Computername: WORKGROUP\TEST-XP
Role: NT WORKSTATION
Role: LAN Manager Workstation
Role: LAN Manager Server
Role: Server sharing print queue
Role: Potential Browser
Role: Master Browser
Platform: 500
Version: 5.0
Comment:
192.168.1.8 scanned in 0.02 seconds
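To show what lies behind the Platform, Version and Role lines, here is an added example (my code, not Winfingerprint's) that decodes the SERVER_INFO_101 structure returned by NetServerGetInfo level 101. The SV_TYPE_* and PLATFORM_ID_* values are the constants from lmserver.h; the role labels are the ones in the sample above, and which label belongs to which bit is my reading of that output. The value 0x51203 reproducing the TEST-XP host is constructed from those bits, and the second host is a hypothetical domain controller.

```python
# Added example (not Winfingerprint's code): decode the SERVER_INFO_101 fields
# that NetServerGetInfo level 101 returns into the "Platform:", "Version:" and
# "Role:" lines of the page's Fingerprint block, and pick out the roles worth a
# closer look.  Bit values are the SV_TYPE_* and PLATFORM_ID_* constants from
# lmserver.h; the role labels follow the page's sample output (which label
# belongs to which bit is an assumption based on that output).

PLATFORM_ID = {300: "DOS", 400: "OS/2", 500: "NT", 600: "OSF", 700: "VMS"}

SV_TYPE = [  # (sv101_type bit, label)
    (0x00000001, "LAN Manager Workstation"),    # SV_TYPE_WORKSTATION
    (0x00000002, "LAN Manager Server"),         # SV_TYPE_SERVER
    (0x00000004, "SQL Server"),                 # SV_TYPE_SQLSERVER
    (0x00000008, "Primary Domain Controller"),  # SV_TYPE_DOMAIN_CTRL
    (0x00000010, "Backup Domain Controller"),   # SV_TYPE_DOMAIN_BAKCTRL
    (0x00000020, "Time Source"),                # SV_TYPE_TIME_SOURCE
    (0x00000040, "Apple File Protocol Server"), # SV_TYPE_AFP
    (0x00000080, "Novell Server"),              # SV_TYPE_NOVELL
    (0x00000100, "Domain Member"),              # SV_TYPE_DOMAIN_MEMBER
    (0x00000200, "Server sharing print queue"), # SV_TYPE_PRINTQ_SERVER
    (0x00000400, "Dial-in Server"),             # SV_TYPE_DIALIN_SERVER
    (0x00000800, "Xenix Server"),               # SV_TYPE_XENIX_SERVER
    (0x00001000, "NT WORKSTATION"),             # SV_TYPE_NT
    (0x00002000, "Windows for Workgroups"),     # SV_TYPE_WFW
    (0x00008000, "NT SERVER"),                  # SV_TYPE_SERVER_NT
    (0x00010000, "Potential Browser"),          # SV_TYPE_POTENTIAL_BROWSER
    (0x00020000, "Backup Browser"),             # SV_TYPE_BACKUP_BROWSER
    (0x00040000, "Master Browser"),             # SV_TYPE_MASTER_BROWSER
    (0x00080000, "Domain Master Browser"),      # SV_TYPE_DOMAIN_MASTER
    (0x00400000, "Windows 95/98/ME"),           # SV_TYPE_WINDOWS
    (0x00800000, "DFS Root"),                   # SV_TYPE_DFS
    (0x01000000, "NT Cluster"),                 # SV_TYPE_CLUSTER_NT
    (0x02000000, "Terminal Server"),            # SV_TYPE_TERMINALSERVER
]

# Roles that usually deserve a closer look: directory, database, remote desktop.
HIGH_VALUE = {"Primary Domain Controller", "Backup Domain Controller",
              "Domain Master Browser", "SQL Server", "Terminal Server"}

NT_VERSION_NAMES = {(4, 0): "Windows NT 4.0", (5, 0): "Windows 2000",
                    (5, 1): "Windows XP", (5, 2): "Windows Server 2003"}


def decode_server_info_101(platform_id, version_major, version_minor, sv_type):
    """Return the fingerprint fields as a dict; roles come out in bit order."""
    roles = [label for bit, label in SV_TYPE if sv_type & bit]
    if platform_id == 500:
        os_name = NT_VERSION_NAMES.get((version_major, version_minor),
                                       f"NT-family {version_major}.{version_minor}")
    else:
        os_name = PLATFORM_ID.get(platform_id, f"platform {platform_id}")
    return {
        "platform": platform_id,
        "platform_name": PLATFORM_ID.get(platform_id, "unknown"),
        "version": f"{version_major}.{version_minor}",
        "os": os_name,
        "roles": roles,
        "high_value": sorted(set(roles) & HIGH_VALUE),
    }


def render(info, name="", comment=""):
    """Lay the record out the way the page's Fingerprint block does."""
    lines = [f"Computername: {name}"] + [f"Role: {r}" for r in info["roles"]]
    lines += [f"Platform: {info['platform']} ({info['platform_name']})",
              f"Version: {info['version']} ({info['os']})",
              f"Comment: {comment}"]
    if info["high_value"]:
        lines.append("High-value roles: " + ", ".join(info["high_value"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values reproducing the page's TEST-XP sample: 0x51203 is the
    # OR of the six bits behind its six Role: lines.
    print(render(decode_server_info_101(500, 5, 0, 0x00051203), "WORKGROUP\\TEST-XP"))
    # A hypothetical Windows Server 2003 primary domain controller for comparison.
    print(render(decode_server_info_101(500, 5, 2, 0x0000800B), "CORP\\DC01"))
```

The mask is worth decoding in full rather than trusting the printed roles: a host advertising SV_TYPE_DOMAIN_CTRL or SV_TYPE_SQLSERVER is where the rest of the enumeration options pay off.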
Winfingerprint - Network Type: Active Directory

Sample Output:
Operating System: Windows NT
Version: 5.1
Organization: SourceForge
Processor: x86 Family 6 Model 1 Stepping 2
Processor Count: Uniprocessor Free
Computer owner: Kirby Kuehl
192.168.1.8 scanned in 0.44 seconds
Null Sessions (IPC$)

From a NULL session (an SMB connection to the IPC$ share made with an empty user name and password), it is possible to call APIs and use Remote Procedure Calls to enumerate information from the host.
Example of how a null session would be manually established:
net use \\10.0.0.1\ipc$ "" /user:""
Winfingerprint uses the WNetAddConnection3 API to establish null sessions.
Upon completion of the scan, the null session is disconnected using the WNetCancelConnection2 API.
Note that from Windows XP and Windows Server 2003 onwards the RestrictAnonymous and RestrictAnonymousSAM settings limit what a null session can enumerate by default, so an empty result for a host does not necessarily mean there are no accounts or shares to find.
NetBIOS Shares

Retrieves information about each shared resource on a server. Each share is then checked to see whether it is accessible without a password. "Accessible without password" on the administrative shares (ADMIN$, C$) is a serious finding, because those shares map the system directory and the system drive.
Sample Output:
NetBIOS Shares:
Name: IPC$
Remark: Remote IPC
Type: Interprocess communication (IPC)
Name: ADMIN$
Remark: Remote Admin
Type: Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$)
Accessible without password.
Name: C$
Remark: Default share
Type: Special share reserved for interprocess communication (IPC$) or remote administration of the server (ADMIN$)
Accessible without password.
192.168.1.1 scanned in 2.25 seconds
Date and Time

Returns the current date and time of the remote host.
Sample Output:
Date and Time: [9/21/2002] -- 07:50:48.15
192.168.1.1 scanned in 0.02 seconds
API: NetRemoteTOD
Users - Network Type: NT DOMAIN

Returns user account information. Each entry gives the account name, its RID in brackets and its full name in quotes; the indented lines are the account comment (if any) followed by the account flags that are set, printed with their Windows SDK descriptions: "The logon script executed..." is UF_SCRIPT, "The user's account is disabled." is UF_ACCOUNTDISABLE, "No password is required." is UF_PASSWD_NOTREQD and "Password does not expire." is UF_DONT_EXPIRE_PASSWD (all from lmaccess.h). An enabled account with UF_PASSWD_NOTREQD set is exempt from the password policy and may have an empty password, which makes such entries the first thing to check.
Sample Output:
Users:
Administrator [500] ""
- Built-in account for administering the computer/domain
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- Password does not expire.
Guest [501] ""
- Built-in account for guest access to the computer/domain
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- The user's account is disabled.
- No password is required.
- Password does not expire.
vacuum [1004] "vacuum"
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- Password does not expire.
VUSR_TESTXP-GDE934 [1002] "VSA Server Account"
- Account for the Visual Studio Analyzer server components
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- No password is required.
- Password does not expire.
192.168.1.8 scanned in 0.14 seconds
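An added example (not part of Winfingerprint) that parses the Users block above, constructed here verbatim as input, back into the UF_* flag mask behind each account and triages the accounts. The flag descriptions are the lmaccess.h texts the tool prints; the triage rules and severities are my own.

```python
# Added example (not Winfingerprint's code): parse the Users block the page
# shows and triage the accounts.  Flag descriptions are the lmaccess.h UF_*
# texts that Winfingerprint prints; the triage rules are my own.
import re

# SDK description printed for each set account-flag bit -> (UF_* name, bit).
UF_BY_DESCRIPTION = {
    "The logon script executed. This value must be set for LAN Manager 2.0 "
    "or Windows NT.": ("UF_SCRIPT", 0x00001),
    "The user's account is disabled.": ("UF_ACCOUNTDISABLE", 0x00002),
    "The account is currently locked out.": ("UF_LOCKOUT", 0x00010),
    "No password is required.": ("UF_PASSWD_NOTREQD", 0x00020),
    "Password does not expire.": ("UF_DONT_EXPIRE_PASSWD", 0x10000),
}
UF = {name: bit for name, bit in UF_BY_DESCRIPTION.values()}

# Header line: name [RID] "full name"
HEADER = re.compile(r'^(?P<name>.+?) \[(?P<rid>\d+)\] "(?P<full_name>.*)"$')

# Constructed input: the page's sample output, verbatim.
SAMPLE = """\
Users:
Administrator [500] ""
- Built-in account for administering the computer/domain
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- Password does not expire.
Guest [501] ""
- Built-in account for guest access to the computer/domain
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- The user's account is disabled.
- No password is required.
- Password does not expire.
vacuum [1004] "vacuum"
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- Password does not expire.
VUSR_TESTXP-GDE934 [1002] "VSA Server Account"
- Account for the Visual Studio Analyzer server components
- The logon script executed. This value must be set for LAN Manager 2.0 or Windows NT.
- No password is required.
- Password does not expire.
192.168.1.8 scanned in 0.14 seconds
"""


def parse_users(text):
    """Turn the text block into one dict per account, flags rebuilt as a mask."""
    users = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            users.append({"name": m["name"], "rid": int(m["rid"]),
                          "full_name": m["full_name"], "comment": "",
                          "flags": 0, "flag_names": []})
        elif line.startswith("- ") and users:
            desc = line[2:].strip()
            if desc in UF_BY_DESCRIPTION:          # a flag line
                name, bit = UF_BY_DESCRIPTION[desc]
                users[-1]["flags"] |= bit
                users[-1]["flag_names"].append(name)
            else:                                  # the account comment
                users[-1]["comment"] = desc
    return users


def triage(users):
    """Findings as (account, severity, reason) tuples, worst first."""
    findings = []
    for u in users:
        f = u["flags"]
        if u["rid"] == 500:   # the built-in Administrator keeps RID 500 even when renamed
            findings.append((u["name"], "info", "RID 500: built-in Administrator"))
        if f & UF["UF_ACCOUNTDISABLE"]:
            continue          # disabled accounts cannot be logged on to
        if f & UF["UF_PASSWD_NOTREQD"]:
            # Exempt from the password policy: an empty password is allowed,
            # so try one before anything else.
            findings.append((u["name"], "high", "enabled and no password required"))
        if f & UF["UF_DONT_EXPIRE_PASSWD"]:
            findings.append((u["name"], "medium", "enabled and password never expires"))
        if f & UF["UF_LOCKOUT"]:
            findings.append((u["name"], "info", "currently locked out; pause guessing"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda x: order[x[1]])


if __name__ == "__main__":
    for name, severity, reason in triage(parse_users(SAMPLE)):
        print(f"{severity:6} {name}: {reason}")
```

On the sample, Guest produces no finding because it is disabled despite UF_PASSWD_NOTREQD, while VUSR_TESTXP-GDE934 is enabled with the same flag and comes out on top.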
Users - Network Type: Active Directory

Sample Output:
User: Administrator GUID: {D83F1060-1E71-11CF-B1F3-02608C9E7553}
User: Guest GUID: {D83F1060-1E71-11CF-B1F3-02608C9E7553}
User: HelpAssistant GUID: {D83F1060-1E71-11CF-B1F3-02608C9E7553}
User: kkuehl GUID: {D83F1060-1E71-11CF-B1F3-02608C9E7553}
User: SUPPORT_388945a0 GUID: {D83F1060-1E71-11CF-B1F3-02608C9E7553}
User: VUSR_KKUEHL-XP GUID: {D83F1060-1E71-11CF-B1F3-02608C9E7553}
API: NetQueryDisplayInformation, Level 1 (no special privileges are required to perform this command).

Services - Network Type: NT DOMAIN

Enumerates the services in the specified service control manager database. The name and status of each service are provided.
Sample Output:
Running Services:
AudioSrv -- Windows Audio
AvSynMgr -- AVSync Manager
BITS -- Background Intelligent Transfer Service
Browser -- Computer Browser
CryptSvc -- Cryptographic Services
CVPND -- Cisco Systems, Inc. VPN Service
Dhcp -- DHCP Client
Dnscache -- DNS Client
ERSvc -- Error Reporting Service
Eventlog -- Event Log
EventSystem -- COM+ Event System
helpsvc -- Help and Support
inv32cli -- SMS Client Inventory
Irmon -- Infrared Monitor
lanmanserver -- Server
lanmanworkstation -- Workstation
LmHosts -- TCP/IP NetBIOS Helper
McShield -- McShield
Messenger -- Messenger
Netlogon -- Net Logon
Netman -- Network Connections
Nla -- Network Location Awareness (NLA)
PlugPlay -- Plug and Play
ProtectedStorage -- Protected Storage
RasMan -- Remote Access Connection Manager
RemoteRegistry -- Remote Registry
RpcSs -- Remote Procedure Call (RPC)
SamSs -- Security Accounts Manager
Schedule -- Task Scheduler
seclogon -- Secondary Logon
SENS -- System Event Notification
ShellHWDetection -- Shell Hardware Detection
Spooler -- Print Spooler
srservice -- System Restore Service
SSDPSRV -- SSDP Discovery Service
TapiSrv -- Telephony
TermService -- Terminal Services
Themes -- Themes
TrkWks -- Distributed Link Tracking Client
uploadmgr -- Upload Manager
W32Time -- Windows Time
WebClient -- WebClient
winmgmt -- Windows Management Instrumentation
WmdmPmSp -- Portable Media Serial Number
wuauserv -- Automatic Updates
wuser32 -- SMS Remote Control Agent
WZCSVC -- Wireless Zero Configuration
171.70.39.214 scanned in 0.06 seconds
Services - Network Type: Active Directory

Sample Output:
Service: Alerter GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: ALG GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: AppMgmt GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: AudioSrv GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: AvSynMgr GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: BITS GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Browser GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: cisvc GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: ClipSrv GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: COMSysApp GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: CryptSvc GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: CVPND GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Dhcp GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: dmadmin GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: dmserver GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Dnscache GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: ERSvc GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Eventlog GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: EventSystem GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: FastUserSwitchingCompatibility GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: helpsvc GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: HidServ GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: ImapiService GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: inv32cli GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Irmon GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: lanmanserver GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: lanmanworkstation GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: LmHosts GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: McShield GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Messenger GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: mnmsrvc GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: MSDTC GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: MSIServer GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: NetDDE GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: NetDDEdsdm GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Netlogon GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Netman GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Nla GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: NtLmSsp GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: NtmsSvc GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: PlugPlay GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: PolicyAgent GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: ProtectedStorage GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RasAuto GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RasMan GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RDSessMgr GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RemoteAccess GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RemoteRegistry GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RpcLocator GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RpcSs GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: RSVP GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SamSs GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SCardDrv GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SCardSvr GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Schedule GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: seclogon GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SENS GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SharedAccess GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: ShellHWDetection GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Spooler GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: srservice GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SSDPSRV GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: stisvc GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SwPrv GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: SysmonLog GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: TapiSrv GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: TermService GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Themes GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: TlntSvr GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: TrkWks GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: uploadmgr GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: upnphost GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: UPS GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Visual Studio Analyzer RPC bridge GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: VSS GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: W32Time GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: WebClient GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: winmgmt GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: WmdmPmSp GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: Wmi GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: WmiApSrv GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: wuauserv GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: wuser32 GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
Service: WZCSVC GUID: {C3968E50-4C66-11CF-A995-00AA006BC149}
192.168.1.1 scanned in 1.14 seconds
APIs: OpenSCManager, EnumServicesStatus
Disks

Retrieves a list of disk drives on a server.
Sample Output:
Disks:
Disk: C:
Disk: D:
Entries enumerated: 2
192.168.1.1 scanned in 0.05 seconds
API: NetServerDiskEnum
Only members of the Administrators or Account Operators local group can successfully execute the NetServerDiskEnum function on a remote computer, so this option needs privileged credentials rather than a null session.

Groups - Network Type: NT DOMAIN

This option makes two different calls: NetLocalGroupEnum returns all local groups, and NetQueryDisplayInformation (Level 3) returns global groups, which makes it excellent against domain controllers.
Local Groups
Returns group account information.
API: NetLocalGroupEnum, Level 1 (no special privileges are required to perform this command).
Global Groups
Returns group account information.
API: NetQueryDisplayInformation, Level 3
On a stand-alone workstation, as in the sample below, the only global group is None (RID 513, the RID that Domain Users carries on a domain controller), and every local account is a member of it.
Sample Output:
Local Groups:
Administrators "Administrators have complete and unrestricted access to the computer/domain"
Backup Operators "Backup Operators can override security restrictions for the sole purpose of backing up or restoring files"
Guests "Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted"
Power Users "Power Users possess most administrative powers with some restrictions. Thus, Power Users can run legacy applications in addition to certified applications"
Replicator "Supports file replication in a domain"
Users "Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications"
Global Groups:
None "Ordinary users" [513]
"None" Group Members
Administrator
Guest
VUSR_TESTXP-GDE934
vacuum
192.168.1.8 scanned in 0.10 seconds
Groups - Network Type: Active Directory

Sample Output:
Group: Administrators GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
Group: Backup Operators GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
Group: Guests GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
Group: Network Configuration Operators GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
Group: Power Users GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
Group: Remote Desktop Users GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
Group: Replicator GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
Group: Users GUID: {D9C1AAD0-1E71-11CF-B1F3-02608C9E7553}
API: NetQueryDisplayInformation, Level 3 (no special privileges are required to perform this command).
Group members are enumerated using NetGroupGetUsers.
Patch Level

Lists the hotfixes recorded in the registry of the remote host, each with the knowledge base article that describes it.
Sample Output:
Patch Level:
Q307869 Windows XP Hotfix (SP1) [See Q307869 for more information]
Q309521 Windows XP Hotfix (SP1) [See Q309521 for more information]
Q309691 Windows XP Hotfix (SP1) [See Q309691 for more information]
Q310437 Windows XP Hotfix (SP1) [See Q310437 for more information]
Q311889 Windows XP Hotfix (SP1) [See Q311889 for more information]
Q311967 Windows XP Hotfix (SP1) [See Q311967 for more information]
Q313484 Windows XP Hotfix (SP1) [See Q313484 for more information]
Q314147 Windows XP Hotfix (SP1) [See Q314147 for more information]
Q314862 Windows XP Hotfix (SP1) [See Q314862 for more information]
Q315000 Windows XP Hotfix (SP1) [See Q315000 for more information]
Q315403 Windows XP Hotfix (SP1) [See Q315403 for more information]
Q317277 Windows XP Hotfix (SP1) [See Q317277 for more information]
Q318138 Windows XP Hotfix (SP1) [See Q318138 for more information]
Q319580 Windows XP Hotfix (SP1) [See Q319580 for more information]
APIs: RegConnectRegistry, RegOpenKeyEx, RegEnumKeyEx, RegQueryValueEx
The hotfix list is read over the remote registry, so this option needs the Remote Registry service running on the target and an account permitted by the ACL on the winreg key (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg).
Transports

Supplies information about the transport protocols that are managed by the server. The second column is the transport address: for the NetBT transports it is the MAC address of the adapter the transport is bound to, which makes this option a way to learn a host's MAC address across routed networks; the NetbiosSmb transport reports an all-zero address.
Sample Output:
Transports:
\Device\NetBT_Tcpip_{7EA2EF3E-C4C2-44F1-8F99-020F3BC8FDBE} 00042315358f
\Device\NetbiosSmb 000000000000
API: NetServerTransportEnum, Level 0
No special group membership is required to successfully execute the NetServerTransportEnum function.
Windows NT/2000/XP: Requires Windows NT 3.1 or later.
Windows 95/98/ME: Unsupported.
Sessions

Lists the sessions currently established with the server: for each one the client computer name, the user name, how long the session has been active and how long it has been idle (the SESSION_INFO_10 fields). No special group membership is required for a level 10 call.
API: NetSessionEnum, Level 10
Ping

Sends an ICMP ECHO_REQUEST packet to the host using raw sockets. If the host responds, the remaining options are run against it; otherwise the host is skipped. This function also provides DNS resolution (gethostbyname).
Opening a raw socket requires administrative privileges, and a host that filters ICMP echo is skipped even when its SMB ports are reachable, so results for networks behind a firewall that drops echo requests will be incomplete.
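As an added example that is not Winfingerprint's code, the packet this option puts on the wire, built and checked offline: an ICMP Echo Request with its RFC 1071 checksum, a parser that validates a reply, and a one-shot ping that resolves the target with gethostbyname as described above. The constant names, the "winfingerprint" payload and the use of the process ID as the ICMP identifier are my choices; ping_once() needs a raw socket (root or Administrator) and a reachable host, while the rest runs anywhere.

```python
# Added example (not Winfingerprint's code): the ICMP Echo Request that a
# raw-socket ping sends, with the RFC 1071 checksum computed and verified,
# plus a one-shot ping that resolves the host with gethostbyname as the page
# describes.  Packet building and parsing run offline; ping_once() needs a
# raw socket (root or Administrator) and a reachable host.
import os
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
ICMP_HEADER = struct.Struct("!BBHHH")   # type, code, checksum, id, sequence


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident, seq, payload=b""):
    """Echo Request with the checksum filled in (computed over header + payload)."""
    header = ICMP_HEADER.pack(ICMP_ECHO_REQUEST, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = inet_checksum(header + payload)
    return ICMP_HEADER.pack(ICMP_ECHO_REQUEST, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def parse_icmp(packet):
    """Split an ICMP message; with a valid checksum the sum over the whole message is 0."""
    if len(packet) < ICMP_HEADER.size:
        raise ValueError("ICMP message shorter than 8 bytes")
    typ, code, _, ident, seq = ICMP_HEADER.unpack(packet[:ICMP_HEADER.size])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": packet[ICMP_HEADER.size:],
            "checksum_ok": inet_checksum(packet) == 0}


def ping_once(host, timeout=1.0):
    """Resolve host, send one Echo Request, return the parsed reply or None."""
    ident = os.getpid() & 0xFFFF           # lets us ignore other processes' replies
    addr = socket.gethostbyname(host)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, 1, b"winfingerprint"), (addr, 0))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    ihl = (data[0] & 0x0F) * 4             # raw sockets hand back the IPv4 header too
    reply = parse_icmp(data[ihl:])
    if reply["type"] == ICMP_ECHO_REPLY and reply["id"] == ident and reply["checksum_ok"]:
        return reply
    return None


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"winfingerprint")
    print(pkt.hex(), parse_icmp(pkt))
```

Checking the identifier on the reply matters when several scanners share a machine: a raw ICMP socket receives every echo reply the host gets, not only the ones answering this process.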