Last updated: 18 Mar 2008
Without powering off the computer:
This may take a long time:
nmap name_or_ip -p-
Example:
nmap 192.168.10.5 -p-
If nmap does not attach a service name to a port, map the port to a known service yourself: Google it, or consult /etc/services on Unix or C:\WINDOWS\system32\drivers\etc\services on Windows.
net use * \\computername_or_ip\C$ /user:computername_or_ip\administrator *
Example:
net use * \\10.20.87.78\C$ /user:10.20.87.78\administrator *
reg subcommand \\computername_or_ip\key
Example:
reg query \\10.10.15.23\hklm\software\microsoft\windows\currentversion
sc \\computername_or_ip query
Example:
sc \\mydc query
tasklist /s computer_or_ip /u user /p password
Example:
tasklist /s 10.18.233.176 /u administrator /p
schtasks /Query /S computer_or_ip /U user /P password
Example:
schtasks /query /s 10.18.233.176 /u administrator /p
If you have to rely on Windows' own features or on tools already installed on the machine, here is some help:
If you get a positive indication, you at least know what you are dealing with. If you don't find anything, note that Windows has no built-in tools of its own for scanning; some antivirus products, such as McAfee VirusScan and Panda Antivirus, include rootkit detection tools.
Press Enter when prompted for the password after entering the command below. If a new command prompt opens, the administrator password is blank.
runas /user:administrator cmd
net localgroup Administrators
net group "Domain Admins"
net group "Enterprise Admins"
mmc
Ctrl-M
Ctrl-M opens the Add/Remove Snap-in dialog; use it to add the Active Directory Users and Computers snap-in.
reg query hklm\software\microsoft\windows\currentversion\run
reg query hklm\software\microsoft\windows\currentversion\runonce
reg query hklm\software\microsoft\windows\currentversion\runonceex
For a GUI version:
regedit
sc query
For a GUI version:
services.msc
schtasks /query
There are no scheduled tasks that automatically come activated with Windows.
netstat -anob >c:\netstat.out
Compare the "LISTENING" ports to those found externally via nmap. They should match; if they don't, you need to find out why: it could be a service or process that is no longer listening, or a rootkit that is attempting to hide its tracks.
You should also try to match up the services gathered above with the listening ports. They should make sense (e.g., a web service should have port 80 open, Kerberos should be on port 88).
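A small script to do that comparison mechanically, added here as an example and not part of the original checklist. The netstat and nmap outputs it parses are constructed samples; it assumes the Windows XP/2003 layout of netstat -anob, where the owning executable appears on a bracketed line after each entry.

```python
import re
from itertools import takewhile
# Constructed sample of "netstat -anob" on the host (not a real capture); the
# bracketed line after each entry names the owning executable.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1560
 [sqlservr.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1388
 [alg.exe]
  TCP    10.18.233.176:3389     10.18.233.10:4412      ESTABLISHED     1204
 [svchost.exe]
"""
# Constructed sample of "nmap -p-" run against the same host from another machine.
NMAP_SAMPLE = """\
PORT     STATE SERVICE
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
8080/tcp open  http-proxy
"""
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
ENTRY_RE = re.compile(r"^\s*(TCP|UDP)\s")
NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\b")

def netstat_listeners(text):
    """Return {port: (local address, pid, image)} for every TCP LISTENING entry."""
    lines, listeners = text.splitlines(), {}
    for i, line in enumerate(lines):
        m = LISTEN_RE.match(line)
        if not m:
            continue
        tail = takewhile(lambda l: not ENTRY_RE.match(l), lines[i + 1:])  # up to next entry
        image = next((t.strip(" []") for t in tail if t.strip().startswith("[")), "?")
        listeners[int(m.group(2))] = (m.group(1), m.group(3), image)
    return listeners

def nmap_open_ports(text):
    return {int(m.group(1)) for m in map(NMAP_RE.match, text.splitlines()) if m}

def compare(netstat_text, nmap_text):
    local, remote = netstat_listeners(netstat_text), nmap_open_ports(nmap_text)
    hidden = sorted(remote - set(local))   # open to nmap but absent from netstat: hidden listener?
    unseen = sorted(p for p, (addr, _, _) in local.items()         # listening, but closed to nmap:
                    if p not in remote and not addr.startswith("127."))  # host firewall or stale?
    return hidden, unseen   # compare(NETSTAT_SAMPLE, NMAP_SAMPLE) -> ([8080], [1433])
```

Loopback-only listeners are left out of the "unseen" list, since nmap from another machine can never see them; every port in the "hidden" list needs an explanation before the host is trusted.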
tasklist
Display the path:
set path
Here you are looking for "suspicious" files of any type:
In each directory in the path, type the following commands:
dir /a /o-d | more
dir /a /o-d /tc | more
eventvwr
System and Security logs are the most important, followed by Application logs. You are looking for unusual events, such as Windows File Protection being disabled, a successful login when you weren't home, or your antivirus service being turned off. If you have auditing turned on, this is where the results of the audit will be recorded.