# Windows Network

## Windows Firewall

Log files of the Windows Firewall live under `C:\Windows\System32\LogFiles\Firewall`. Logging is off by default, so the file is often missing on an untouched host; it can be switched on per profile with `Set-NetFirewallProfile -LogAllowed True -LogBlocked True`. The log is space separated and starts with a `#Fields:` header naming the columns (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...).

```sh
Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log
```

## SRUDB.dat

The System Resource Usage Monitor (SRUM) keeps per-application network and resource usage history in the ESE database `SRUDB.dat` under `C:\Windows\System32\sru`. The file is held open while Windows runs, so use kape.exe to take a raw copy and dump it rather than reading it in place.

```sh
./kape.exe --tsource C:\Windows\System32\sru --tdest C:\Windows\Temp\sru --tflush --mdest C:\Windows\Temp\module --mflush --module SRUMDmp --target SRUM
```

Use [MarkBaggett's srum-dump](https://github.com/MarkBaggett/srum-dump) to take a look at the extracted files.

## Network Connections

List all listening ports and current connections together with the owning PID (add `-n` to skip name resolution, which is slow and itself generates DNS traffic).

```sh
netstat -a -o
```

Show the name of the executable that created each connection or listening port. This needs an elevated prompt.

```sh
netstat -b
```

List the current TCP connections, resolved to process name and command line, with the following PowerShell one-liner.

```sh
Get-NetTCPConnection | select localAddress,localPort,remoteAddress,remotePort,state,@{name="process";Expression={(get-process -id $_.owningProcess).ProcessName}}, @{Name="cmdLine";Expression={(Get-WmiObject win32_Process -filter "ProcessID = $($_.owningProcess)").commandline}} | sort remoteAddress -Descending | ft -wrap -autosize
```

List the current UDP endpoints with the following one-liner. UDP is connectionless, so `Get-NetUDPEndpoint` only exposes the local side plus the owning process; there are no remote address properties to select.

```sh
Get-NetUDPEndpoint | select localAddress,localPort,creationTime,owningProcess,@{name="process";Expression={(get-process -id $_.owningProcess).ProcessName}} | ft -autosize
```

`pktmon` is the built-in counterpart to tcpdump for capturing packets on Windows. Start the capture with `pktmon start -c` (by default only the first 128 bytes of each packet are kept; use `pktmon start -c --pkt-size 0` for full packets, and `pktmon filter add -p <port>` beforehand to narrow the capture), stop it with `pktmon stop`, and convert the resulting `PktMon.etl` so Wireshark can read it with `pktmon etl2pcap PktMon.etl -o PktMon.pcapng`.

### IP Addresses

List unique remote IP addresses with the following one-liner.

```sh
(Get-NetTCPConnection).remoteAddress | Sort-Object -unique
```

List the connections to a given IP address with the following one-liner.
```sh
Get-NetTCPConnection -RemoteAddress <IP> | select state,creationTime,localPort,remotePort | ft -autosize
```

### DNS Cache

Dump the DNS client cache with the following one-liner. The cache only holds recent lookups and is emptied by `ipconfig /flushdns` or a reboot, so collect it early. The `-NotMatch` pattern filters out noisy internal names (workstation, server, Kerberos and lab hostnames); adjust it to your environment or drop it to see everything.

```sh
Get-DNSClientCache | ? Entry -NotMatch "workst|servst|kerb|ws|oscp" | out-string -width 1000
```

### Hostnames

Check the static name mappings in the hosts file; an attacker can use it to pin a name to a controlled address or to blackhole security vendors.

```sh
Get-Content C:\Windows\System32\Drivers\etc\hosts
```

### Network Services

`qwinsta` (query session) lists all logon sessions on the host with their state; RDP sessions show up as `rdp-tcp#N`, so active and disconnected remote sessions can be spotted here.

```sh
qwinsta
```

Shares offered by this host and outbound SMB connections made from it can be found with the following lines (inbound sessions to this host's shares are listed by `Get-SmbSession`).

```sh
Get-SmbShare
Get-SmbConnection
```
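As an added example for the Windows Firewall section above (this is not code from the original page), the following PowerShell parses `pfirewall.log` into objects using its own `#Fields:` header and summarises inbound drops by source and destination port, the quickest way to spot a host sweeping ports. The function name `ConvertFrom-PfirewallLog` and the sample log lines are constructed for this example; the addresses are from the documentation ranges.

```powershell
# Added example, not from the original page: parse the Windows Firewall log into
# objects and summarise what was dropped. The sample below is constructed; to run it
# against a real host use:
#   Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log | ConvertFrom-PfirewallLog

function ConvertFrom-PfirewallLog {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    begin { $fields = $null }
    process {
        foreach ($l in $Line) {
            if ($l -match '^#Fields:\s*(.+)$') {
                # The header names the columns; data rows are space separated in that order
                $fields = $Matches[1].Trim() -split '\s+'
                continue
            }
            if ($l -match '^#' -or [string]::IsNullOrWhiteSpace($l)) { continue }
            if (-not $fields) { throw "No #Fields header seen before data row: $l" }
            $values = $l -split '\s+'
            $obj = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) {
                # Rows from older log versions may be shorter than the header; pad with $null
                $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
            }
            [pscustomobject]$obj
        }
    }
}

# Constructed sample in the real pfirewall.log layout (hypothetical hosts 10.0.0.x)
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 09:15:02 DROP TCP 10.0.0.23 10.0.0.5 51234 445 52 S 1234567 0 64240 - - - RECEIVE
2024-03-01 09:15:02 DROP TCP 10.0.0.23 10.0.0.5 51235 3389 52 S 1234568 0 64240 - - - RECEIVE
2024-03-01 09:15:03 DROP TCP 10.0.0.23 10.0.0.5 51236 445 52 S 1234569 0 64240 - - - RECEIVE
2024-03-01 09:15:10 ALLOW TCP 10.0.0.5 203.0.113.10 49800 443 0 - 0 0 0 - - - SEND
2024-03-01 09:15:11 DROP UDP 10.0.0.77 10.0.0.5 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

$events = $sample | ConvertFrom-PfirewallLog

# Inbound drops grouped by source and destination port: one source hitting many ports
# (scan) or many sources hitting one port (worm/exploit attempt) is what to timeline next
$events |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'src-ip';   e = { $_.Values[0] } },
        @{ n = 'dst-port'; e = { $_.Values[1] } } |
    Format-Table -AutoSize
```

The parser keys off the `#Fields:` header rather than fixed column positions, so it keeps working if the log was written by a different Windows version with a different column set; column names containing a hyphen must be quoted when accessed, as in `$_.'src-ip'`.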
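As an added example for the Network Connections section above (not code from the original page), the following PowerShell takes the same `Get-NetTCPConnection` data the one-liners use, resolves the owning process through CIM, and attaches a short list of reasons each connection deserves a look: a public remote address on a port outside an expected list, a binary running from outside `C:\Windows` or `C:\Program Files`, or a script host talking to the internet. The function names `Test-PrivateAddress` and `Get-ConnectionTriage`, the expected-port list and the demo process and connection tables are assumptions constructed for this example; run the function without arguments on a live host.

```powershell
# Added example, not from the original page: enrich established TCP connections with the
# owning process and flag the ones worth a second look. $demoConnections/$demoProcesses
# are constructed so the script runs offline; on a live host call Get-ConnectionTriage
# with no arguments.

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918, loopback, link-local and IPv6 loopback/link-local/ULA; anything else is "public"
    $Address -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|::1$|fe80:|f[cd])'
}

function Get-ConnectionTriage {
    param(
        [object[]]$Connections = (Get-NetTCPConnection -State Established),
        # pid -> @{Name; Path; CommandLine}; $null means look the process up via CIM
        [hashtable]$ProcessLookup = $null,
        # Ports on which traffic to public addresses is considered normal (assumption)
        [int[]]$ExpectedPorts = @(80, 443)
    )
    foreach ($c in $Connections) {
        if ($ProcessLookup) {
            $p = $ProcessLookup[[int]$c.OwningProcess]
        } else {
            $w = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
            $p = @{ Name = $w.Name; Path = $w.ExecutablePath; CommandLine = $w.CommandLine }
        }
        $reasons = @()
        $public = -not (Test-PrivateAddress $c.RemoteAddress)
        if ($public -and $c.RemotePort -notin $ExpectedPorts) {
            $reasons += "public remote on unexpected port $($c.RemotePort)"
        }
        if ($p.Path -and $p.Path -notmatch '^C:\\(Windows|Program Files)') {
            $reasons += "binary outside Windows/Program Files"
        }
        if ($public -and $p.Name -match '^(powershell|pwsh|cmd|mshta|rundll32|wscript|cscript|regsvr32)') {
            $reasons += "script/LOLBin host talking to public address"
        }
        [pscustomobject]@{
            Local       = "$($c.LocalAddress):$($c.LocalPort)"
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            PID         = $c.OwningProcess
            Process     = $p.Name
            Path        = $p.Path
            CommandLine = $p.CommandLine
            Flags       = ($reasons -join '; ')
        }
    }
}

# Constructed demo data (hypothetical processes, documentation-range remote addresses)
$demoProcesses = @{
    1204 = @{ Name = 'svchost.exe';    Path = 'C:\Windows\System32\svchost.exe';                         CommandLine = 'svchost.exe -k NetworkService' }
    4412 = @{ Name = 'chrome.exe';     Path = 'C:\Program Files\Google\Chrome\Application\chrome.exe';    CommandLine = 'chrome.exe' }
    7788 = @{ Name = 'powershell.exe'; Path = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -nop -w hidden -enc <base64>' }
    9901 = @{ Name = 'update.exe';     Path = 'C:\Users\alice\AppData\Local\Temp\update.exe';             CommandLine = 'update.exe' }
}
$demoConnections = @(
    [pscustomobject]@{ LocalAddress = '10.0.0.5'; LocalPort = 49700; RemoteAddress = '10.0.0.1';      RemotePort = 445;  State = 'Established'; OwningProcess = 1204 }
    [pscustomobject]@{ LocalAddress = '10.0.0.5'; LocalPort = 49712; RemoteAddress = '203.0.113.20'; RemotePort = 443;  State = 'Established'; OwningProcess = 4412 }
    [pscustomobject]@{ LocalAddress = '10.0.0.5'; LocalPort = 49730; RemoteAddress = '198.51.100.7'; RemotePort = 8443; State = 'Established'; OwningProcess = 7788 }
    [pscustomobject]@{ LocalAddress = '10.0.0.5'; LocalPort = 49741; RemoteAddress = '192.0.2.9';    RemotePort = 443;  State = 'Established'; OwningProcess = 9901 }
)

# Most-flagged connections first: the svchost and chrome rows come out clean, the
# encoded PowerShell on 8443 and the Temp-folder update.exe carry flags
Get-ConnectionTriage -Connections $demoConnections -ProcessLookup $demoProcesses |
    Sort-Object { $_.Flags.Length } -Descending |
    Format-Table -Wrap -AutoSize
```

The flags are heuristics, not verdicts: a browser on 443 to a public address is normal and is left clean, while a process whose path starts outside the system directories is flagged even when its traffic looks benign, which is the right direction for a first-pass triage. `Get-CimInstance` is used instead of the deprecated `Get-WmiObject` so the function also runs under PowerShell 7.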