Your global information security experts
Search for Vulnerabilities via
The National Vulnerability Database
NT Information Gathering Commands
by Eric Schultze - 10/30/99
I've been hesitant to put this information out on the Net, but I suppose it might be useful to administrators out there. Some of these commands might require a little massaging to work just the way you want. What you should remember is that these commands help you acquire the information needed to hack into a Windows NT system. People are human and humans make mistakes. Since it's difficult to cover your butt all the time, any one of these commands might give you the information needed to get into the server.
Giving credit where credit is due: This information was originally compiled by Eric Schultze, who now works for Rampart Security.
| Command Syntax | Available Here | Access Required | Returns This Result |
| net view /domain | NT built in command | No special access needed | Shows domains on the network |
| net view /domain:domain_name | NT built in command | No special access needed | Shows members of the domain |
| nltest /dclist:domain_name | NT Res Kit | No special access needed | Enumerates Domain Controllers |
| ping server_name | OS built in command | No special access needed | Reveals IP address of machine |
| nbtstat -a server_name | NT built in command | No special access needed | MAC address, domain, logged on username |
| nbtstat -A ip | NT built in command | No special access needed | MAC address, domain, logged on username |
| epdump server_name | Available on the Internet | No special access needed | Lists endpoints, services, IP, etc |
| netdom query \\server_name | NT Res Kit | No special access needed | Enumerates role of server/domain/workgroup |
| net use \\server_name\ipc$ "" /user:"" | NT built in command | No special access needed | Start null session with target |
| nltest /server:server_name /trusted_domains | NT Res Kit | null session established | Lists domains trusted by workstation |
| getmac \\server_name | NT Res Kit | null session established | Lists transport and address info |
| net view \\server_name | NT built in command | null session established | Shows non-hidden shares on server |
| rmtshare \\server_name | NT Res Kit | User access/Administrator | Shows ALL shares on server |
| usrstat domain_name | NT Res Kit | null session established | Lists users in domain, login time, etc |
| dumpacl users and groups report | NT Res Kit | null session established | Lists users in domain, login time, etc |
| local administrators \\server_name | NT Res Kit | null session established | Lists members of local Admin group |
| global "domain admins" \\server_name | NT Res Kit | null session established | Lists members of global Admin group |
| srvcheck \\server_name | NT Res Kit | Mixed access required | Lists shares and who has access |
| srvinfo \\server_name | NT Res Kit | Mixed access required | Remotely gather info about a server |
| nltest /server:server_name /user:user_name | NT Res Kit | Administrator access required | Lists specific user info, passwd hashes |
| pwdump \\server_name | Available on the Internet | Administrator access required | Dumps OWF hashes from server |
| regdump -m \\server_name HKLM\.... | NT Res Kit | Administrator access required | Lists specific registry keys from server |