Question:
When the RN150 is collecting netstat data, does it use \\127.0.0.1\admin$ or does it use the connection IP, \\10.0.0.1\admin$?
Answer:
A DCE/RPC connection is then opened to deliver the command to the cmd.exe utility. The command redirects its output to a temporary plain-text file in the ADMIN$ share. The file name is the current timestamp, prefixed by two underscores and suffixed with a random number, e.g., '__1497992728.46'. The final form of the command executed on the remote Windows system is:
cmd.exe /Q /c netstat -anop TCP 1> \\127.0.0.1\ADMIN$\filename 2>&1
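
When reviewing process-creation logs on a scanned host, the command form above can be matched directly and separated from any other command that uses the same redirect. The following is an added example, not RN150 code; the regex, the function names and the sample log lines are assumptions constructed from the command quoted in the answer.

```python
import re
from datetime import datetime, timezone

# Built from the command form quoted above: stdout redirected to
# \\127.0.0.1\ADMIN$\__<epoch seconds>.<number>, stderr merged into stdout.
PATTERN = re.compile(
    r'^cmd\.exe\s+/Q\s+/c\s+(?P<inner>.+?)\s+1>\s*'
    r'\\\\127\.0\.0\.1\\ADMIN\$\\(?P<file>__(?P<epoch>\d{9,10})\.\d+)'
    r'\s+2>&1\s*$',
    re.IGNORECASE,
)
EXPECTED_INNER = "netstat -anop tcp"  # the only command the page documents


def classify(command_line):
    """Return None if the line does not use the ADMIN$ redirect form, else a
    dict describing it and whether it is the documented netstat call."""
    m = PATTERN.match(command_line.strip())
    if not m:
        return None
    inner = " ".join(m.group("inner").split()).lower()
    return {
        "file": m.group("file"),
        "written_at": datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc),
        "inner": m.group("inner"),
        "documented": inner == EXPECTED_INNER,
    }


# Constructed sample command lines (not captured from a real system).
SAMPLES = [
    r"cmd.exe /Q /c netstat -anop TCP 1> \\127.0.0.1\ADMIN$\__1497992728.46 2>&1",
    r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\__1497992731.12 2>&1",
    r"cmd.exe /c netstat -anop TCP",
]


def triage(lines):
    """Split matching lines into documented scanner activity and the rest."""
    hits = [c for c in map(classify, lines) if c]
    return ([h for h in hits if h["documented"]],
            [h for h in hits if not h["documented"]])


if __name__ == "__main__":
    documented, review = triage(SAMPLES)
    for h in documented + review:
        label = "documented" if h["documented"] else "review"
        print(label, h["inner"], h["file"], h["written_at"].isoformat())
```

Lines in the second group use the same redirect but run something other than the documented netstat call, so they are the ones to correlate against the scanner's connection IP and schedule.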