W00glin/OS_fingerprinting

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

OS_fingerprinting

Scripts that can be used for information gathering on machines during IR.

Each directory contains a script that can be used. Some of these commands require more specific parameters to be configured before running, and you may need to run them as root on *nix or with administrator privileges on Windows. As always, read the scripts and make sure you understand what they do before you run them.

Rapid fire

Only have a few minutes? Below is a quick reference sheet of commands that give an idea of what is running on the system and what it might be used for. Save the output rather than reading it off the screen: redirect each command to a file, or have your terminal tool export the session log. Where possible keep those files somewhere other than the suspect host's own disk, since every write changes the evidence you are trying to preserve.

Collect *Nix system information

Running processes

ps aux

(ps -aux mixes BSD and Unix option styles and procps may parse it differently; ps aux or ps -ef lists every process with its owner and full command line.)

Last login information

lastlog

Network status

netstat -atunp

ss -tulpn (netstat comes from net-tools, which many current distributions no longer install; ss is the replacement, and -p shows the owning process)

Network interfaces

ifconfig -a

ip addr (ifconfig is also part of net-tools and may be absent; -a on ifconfig includes interfaces that are down, which ip addr shows by default)

User accounts

cat /etc/passwd
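To capture all of this in one pass instead of retyping each command, here is an added collection script that is not part of this repository's scripts. It runs the commands from this list plus the log sources under the next heading into one timestamped evidence directory and writes a SHA256SUMS manifest so the captures can be verified later. It assumes POSIX sh, coreutils and sha256sum (or shasum); the run_cmd and read_file helpers, the file labels and the directory layout are this example's own choices, and commands missing on the host are noted rather than treated as fatal.

```shell
#!/bin/sh
# Added example, not part of the W00glin/OS_fingerprinting repository: run the
# *nix rapid-fire commands into one timestamped evidence directory and hash
# every capture so it can be verified later.
# Assumptions: POSIX sh, coreutils (uname, date, mkdir, tail) and sha256sum or
# shasum. Tools missing on the host (netstat/ifconfig on newer distros,
# journalctl/systemctl without systemd) are noted, not fatal.

# run_cmd LABEL CMD [ARGS...]: CMD output (stdout+stderr) -> $EVIDENCE_DIR/LABEL.txt
run_cmd() {
    label=$1; shift
    out="$EVIDENCE_DIR/$label.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf 'command not found: %s\n' "$1" >"$out"
        return 0
    fi
    printf '# %s\n# collected %s\n' "$*" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >"$out"
    # record a non-zero exit (e.g. crontab -u root as non-root) instead of aborting
    "$@" >>"$out" 2>&1 || printf '# exit status %s\n' "$?" >>"$out"
}

# read_file LABEL PATH: tail of a log/config file -> $EVIDENCE_DIR/LABEL.txt,
# with a note when the path does not exist on this distribution.
read_file() {
    label=$1; path=$2
    out="$EVIDENCE_DIR/$label.txt"
    if [ -r "$path" ]; then
        printf '# %s\n' "$path" >"$out"
        tail -n 200 "$path" >>"$out" 2>&1 || true
    else
        printf 'absent or not readable: %s\n' "$path" >"$out"
    fi
}

# hash_dir DIR: write DIR/SHA256SUMS covering every capture
hash_dir() {
    ( cd "$1" && if command -v sha256sum >/dev/null 2>&1; then
          sha256sum *.txt; else shasum -a 256 *.txt; fi >SHA256SUMS )
}

# collect_nix_triage [DEST]: create DEST/triage-<host>-<utc>/ and print its path
collect_nix_triage() {
    EVIDENCE_DIR="${1:-.}/triage-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$EVIDENCE_DIR"
    { uname -a; date -u; id; } >"$EVIDENCE_DIR/system.txt" 2>&1

    # Most volatile state first: processes and sockets, then logs and config.
    run_cmd processes ps aux
    run_cmd top_cpu top -b -n 1
    run_cmd sockets_ss ss -tulpn
    run_cmd sockets_netstat netstat -atunp
    run_cmd interfaces_ip ip addr
    run_cmd interfaces_ifconfig ifconfig -a
    run_cmd lastlog lastlog
    run_cmd services systemctl --type=service --state=active --no-pager
    run_cmd sshd_journal journalctl -u sshd --no-pager -n 200
    run_cmd root_crontab crontab -u root -l
    read_file passwd /etc/passwd
    read_file auth_log /var/log/auth.log
    read_file secure_log /var/log/secure
    read_file cron_log /var/log/cron

    hash_dir "$EVIDENCE_DIR"
    printf '%s\n' "$EVIDENCE_DIR"
}

# Usage: sh collect.sh /mnt/evidence   (a destination argument triggers the run;
# prefer removable or remote storage over the suspect host's own disk)
if [ -n "${1:-}" ]; then
    collect_nix_triage "$1"
fi
```

Run it as root where you can, otherwise ss -p, crontab -u root and journalctl will only show what your account is allowed to see, and the exit-status notes in the capture files will tell you which ones were limited.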

Examine these command outputs for anomalies

Authentication logs

tail /var/log/auth.log

tail /var/log/secure (RHEL, CentOS and Fedora write authentication events here instead)

Cron jobs logs

tail /var/log/cron

journalctl -u cron (Debian and Ubuntu have no /var/log/cron; cron logs go to syslog and the journal. On RHEL-family systems the unit is crond.)

HTTP server logs (if applicable)

tail /var/log/httpd/access_log /var/log/httpd/error_log

(/var/log/httpd is a directory, so tail it by file. Debian and Ubuntu keep Apache logs under /var/log/apache2/, nginx logs live under /var/log/nginx/.)

SSH daemon logs

journalctl -u sshd

journalctl -u ssh (the unit is named ssh on Debian and Ubuntu)

Root user's cron jobs

crontab -u root -l

Services status (for systemd systems)

systemctl --type=service --state=active

Top processes by CPU usage

top -b -n 1
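Once the outputs are saved, the anomalies worth checking first are a second UID-0 account, service accounts that have a real shell, brute-force sources and successful root logins in the SSH log, and listening ports nobody can explain. The script below is an added example, not part of this repository; it runs those checks with awk and grep over constructed sample captures (the passwd, auth.log and ss -tulpn contents written by write_samples are made up for demonstration and are not real data). On a live case point the functions at the files you collected instead.

```shell
#!/bin/sh
# Added example, not part of the W00glin/OS_fingerprinting repository: quick
# anomaly checks over the *nix captures listed above. Sample inputs written by
# write_samples are constructed; on a real host pass the collected files.
# Assumptions: POSIX sh, awk, grep, sort, uniq.

# uid0_accounts PASSWD: accounts with UID 0 other than root (a second UID-0
# account is a classic persistence trick).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# interactive_system_accounts PASSWD: system/service accounts (UID 1-999)
# that have a real login shell instead of nologin/false.
interactive_system_accounts() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# ssh_sources LOGFILE PATTERN: source IPs of sshd lines matching PATTERN
ssh_sources() {
    grep "sshd\[[0-9]*\]: $2" "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }'
}

# failed_ssh_by_source AUTHLOG: "count ip" per source, most attempts first
failed_ssh_by_source() {
    ssh_sources "$1" 'Failed password' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# accepted_root_logins AUTHLOG: sources that successfully authenticated as root
accepted_root_logins() {
    ssh_sources "$1" 'Accepted .* for root from' | sort -u
}

# unexpected_listeners SSFILE "PORT PORT ...": TCP listeners and UDP sockets
# whose port is not in the space-separated allowlist, with the owning process
# name when ss -p was allowed to show it (otherwise "-").
unexpected_listeners() {
    awk -v allowed=" $2 " '
        NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
            port = $5; sub(/.*:/, "", port)
            if (index(allowed, " " port " ") > 0) next
            proc = "-"
            if (NF >= 7 && match($7, /\("[^"]*"/)) proc = substr($7, RSTART + 2, RLENGTH - 3)
            print port, proc
        }' "$1"
}

# write_samples DIR: constructed sample captures for the demo (not real data)
write_samples() {
cat >"$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/tmp:/bin/sh
EOF
cat >"$1/auth.log" <<'EOF'
Mar  4 09:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 09:12:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  4 09:12:09 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  4 09:15:41 web01 sshd[2230]: Failed password for alice from 198.51.100.23 port 40110 ssh2
Mar  4 09:16:02 web01 sshd[2241]: Accepted password for root from 203.0.113.7 port 51088 ssh2
Mar  4 09:20:17 web01 sshd[2260]: Accepted publickey for alice from 192.0.2.10 port 50522 ssh2: ED25519 SHA256:c0nstructed
Mar  4 09:21:00 web01 CRON[2275]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
cat >"$1/ss.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:80              *:*               users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      5      0.0.0.0:4444      0.0.0.0:*         users:(("nc",pid=2381,fd=3))
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=410,fd=12))
EOF
}

# demo: run every check against the constructed samples
demo() {
    d=$(mktemp -d); write_samples "$d"
    echo "UID 0 besides root:";          uid0_accounts "$d/passwd"
    echo "System accounts with shells:"; interactive_system_accounts "$d/passwd"
    echo "Failed SSH by source:";        failed_ssh_by_source "$d/auth.log"
    echo "Root SSH logins from:";        accepted_root_logins "$d/auth.log"
    echo "Unexpected listeners:";        unexpected_listeners "$d/ss.txt" "22 80 53"
    rm -rf "$d"
}
demo
```

The allowlist passed to unexpected_listeners should come from what the host is supposed to run, not from what it is running now; on the sample that leaves the nc listener on 4444, which is exactly the kind of finding these commands are meant to surface.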

Collect info on Windows Systems

This could even be combined with my SANS cheatsheet for Windows found here.

Network connections

netstat -ano

(-n skips reverse DNS lookups, which are slow and generate traffic from the host under investigation; -o adds the owning PID so each connection can be matched against tasklist.)

User accounts

net user

net localgroup Administrators (who holds local admin; net user <name> shows last logon and group membership for one account)

Running tasks

tasklist

tasklist /svc (shows which services each svchost.exe instance is hosting)

Account lockout configuration

net accounts 

Examine for anomalies

Firewall rules

netsh advfirewall firewall show rule name=all

Scheduled tasks

Get-ScheduledTask (PowerShell)

schtasks /query /fo LIST /v (cmd.exe equivalent; the verbose listing includes the task action and the run-as user)
