WinScanX

WinScanX was released today: a Windows command-line enumeration tool with an optional GUI front-end. A must-have for any security professional.

Download link: http://windowsaudit.com/downloads/WinScanX_Basic.zip

Web site: http://www.windowsaudit.com/

Features and usage information:


WinScanX v1.0 | http://www.windowsaudit.com/

Usage: WinScanX [-abcdefgpklijmnostqurxwyzSWv123] <hostname> <username> <password>

[-abcdefgpklijmnostqurxwyzSWv123]  – required argument
<hostname>  – required argument
<username>  – optional argument
<password>  – optional argument

If the <username> and <password> arguments are omitted, this utility
will attempt to establish a NetBIOS null session and gather information
via the null session.

If the <username> and <password> arguments are both plus signs (+), the
existing credentials of the user running this utility will be used.

Examples:
WinScanX -1 10.10.10.10
WinScanX -2 10.10.10.10 + +
WinScanX -3 10.10.10.10 administrator password
WinScanX -3 10.10.10.10 domain\admin password

WinScanX -1 WINSERVER01
WinScanX -2 WINSERVER01 + +
WinScanX -3 WINSERVER01 administrator password
WinScanX -3 WINSERVER01 domain\admin password

WinScanX -1 192.168.1-254
WinScanX -2 192.168.1-254 + +
WinScanX -3 192.168.1-254 administrator password
WinScanX -3 192.168.1-254 domain\admin password

WinScanX -1 IPInputFile.txt
WinScanX -2 IPInputFile.txt + +
WinScanX -3 IPInputFile.txt administrator password
WinScanX -3 IPInputFile.txt domain\admin password

==== WinScanX Advanced Features ====

-a  – Get Account Policy Information
-b  – Get Audit Policy Information
-c  – Get Display Information
-d  – Get Domain Information
-e  – Get LDAP Information
-f  – Get Administrative Local & Global Group Information
-g  – Get Local & Global Group Information
-p  – Get Installed Programs
-k  – Get Interactively Logged On Users
-l  – Get Logged On Users
-i  – Get Patch Information
-j  – Get Registry Information
-m  – Get Scheduled Task Information
-n  – Get Server Information
-o  – Get Service Information
-s  – Get Share Information
-t  – Get Share Permissions
-q  – Get SNMP Community Information
-u  – Get User Information
-r  – Get User Information via RA Bypass
-x  – Get User Rights Information
-w  – Get WinVNC3 & WinVNC4 Passwords
-y  – Save Remote Registry Hives

-z  – Ping Remote Host Before Scanning

-S  – Guess SNMP Community Strings
-W  – Guess Windows Passwords

-v  – Verbose Output

-1  – Group 1 (includes -adglnsur)
-2  – Group 2 (includes -adgpljnsquw)
-3  – Group 3 (includes -abdgplijmnostquxw)

==== Retrieving Patch Information ====

The information that is queried for each host to determine the existence
of a patch is included in the PatchInfo.input file.

==== Retrieving Registry Information ====

The registry key/value pairs that are queried for each host are included
in the RegistryInfo.input file.

==== SNMP Community String Guessing ====

The SNMP community strings that are attempted for each host are included
in the CommunityStrings.input file.

==== Windows Password Guessing ====

For Windows password guessing to occur, there must be a matching
<hostname>.users file in the UserCache directory for each host on which
you attempt to guess passwords. WinScanX options -c, -r, -u, and -S can be
used to generate <hostname>.users cache files.

The passwords that are attempted for each user account are included in the
Dictionary.input file.

The following can also be used in the Dictionary.input file:

<username>   – The name of the current user
<lcusername> – The name of the current user in lower case
<ucusername> – The name of the current user in upper case
<blank>      – A blank or null password

