Windows Command Line Tools
Transcript

  • Windows Command Line
    Prepared by: Pratik Mavani
    Technical Security Consultant
    Aptec Distribution - UAE
  • Overview of commands
    • RunAs – grants the ability to run commands as an alternative user
    • WMIC – a command-line interpreter for Windows Management Instrumentation
    • PsTools – a suite of very useful tools put out by the old Sysinternals crew, now owned by Microsoft
    • Reg – allows command-line access to the registry
  • RunAs: Shortcut to Admin
    • Yes, it sounds insane, but some of us don't know that it exists, and if we do know, we forget to use it when it's required.
    • Allows a user to run a specific program or tool with different user permissions than the current user logon.
    • Use Shift + right-click on the program and it gives us an option to run as administrator or as a different user.
    • From cmd: runas /user:Domain\Adminusername "teamviewer.exe"
      From cmd: runas /user:localmachinename\Adminusername "teamviewer.exe"
  • PsTools
    • Download it from http://technet.microsoft.com/en-us/sysinternals/bb896649
    • Unzip the tools into a folder.
    • Open the command prompt as administrator (Domain Admin for controlling other machines on the domain). Navigate to the folder where you unzipped the tools and start using them.
  • PsTools
    Use the IP address or DNS name of the remote machine with the PsExec command as shown above.
    You will get remote machine access as shown below (check the highlighted IP address).
    As per the prerequisites, the "Remote Registry" service should be started on the remote machine.
  • PsTools
    Use /? as an argument to get help on a specific Ps command.
    Save a list of computers to do an inventory of installed software.
  • PsTools
    Use this to store the command output to a text file locally.
  • Summary of PsTools
    PsExec – execute processes remotely
    PsFile – shows files opened remotely
    PsGetSid – display the SID of a computer or a user
    PsInfo – list information about a system
    PsKill – kill processes by name or process ID
    PsList – list detailed information about processes
    PsLoggedOn – see who's logged on locally and via resource sharing (full source is included)
    PsLogList – dump event log records
    PsPasswd – changes account passwords
    PsService – view and control services
    PsShutdown – shuts down and optionally reboots a computer
    PsSuspend – suspends processes
    PsUptime – shows you how long a system has been running since its last reboot
  • WMIC
    • Object-oriented command-line interface to Windows Management Instrumentation.
    • Can be used to trace some really good information.
    • Easy to use.
    • Yes, it's a built-in Windows tool, but still useful.
    • Let's get into it...
  • WMIC
    How to get to it:
    Start -> Run -> PowerShell
    It will give you the screen as below.
    Type "wmic" at the prompt and press Enter.
    It will give you a prompt "wmic:root\cli>".
  • WMIC
    The /? switch will give you the help as usual.
  • WMIC
    Using one of the WMIC commands to find the number of network shares on a machine.
    • Use /node:ipaddress and then the command to execute it on a remote machine
    • It can fetch BIOS information:
      /node:x.x.x.x bios get name
    • It can get you motherboard info:
      /node:x.x.x.x baseboard get product,manufacturer
    • Processor information:
      /node:x.x.x.x path Win32_Processor get AddressWidth
  • Start talking to the OS
    • If you want to get the exact install date and build version of the software, use the WMIC command "product list full".
    • If you receive an attack alert on your IPS and the remedy information suggests that a particular security patch/service pack should be installed, then to find out whether it is installed on the victim machine, just go to WMIC and use the command
      "/node:victim_ipaddress qfe list"
  • Start talking to the OS (REG command)
    • If you receive an alert of Skype traffic going out of your network, and before you physically reach the machine the user is smart enough to uninstall it...
    • In such cases, take a remote shell of that machine through
      psexec \\remotemachine_IP cmd.exe
      Use a command like "REG QUERY" to fetch information from the registry.
  • Start talking to the OS (REG command)
    • Notice the last command in the screenshot of the previous slide: it fetches the list of uninstalled programs from the registry and saves it to 136_unistinfo.txt
    • Below is a snippet of the file.
    • To get more information I will run the following command on the remote cmd:
      REG QUERY HKLM\software\Microsoft\Windows\CurrentVersion\Uninstall\bittorrent
      I was really not aware of this command till I attended a security conference online. This command can fetch you tons of information if used properly.
  • Compiling all the information
    You receive an alert in the IPS for P2P traffic originating from x.x.x.x (which is part of your internal segment).
    • Get a list of software installed on that machine (remotely with WMIC)
    • Check which processes are currently running on that machine (remotely with WMIC)
    • Is any P2P client running on the machine? If yes, kill the process (WMIC/PsTools) and uninstall the software
    • If not, check the uninstalled list (WMIC): has the user uninstalled the software recently?
    • If there is no trace of a P2P software client, run netstat on the remote shell of the machine and check where the traffic is going.
    • Determine whether the outgoing traffic is going to legitimate domains (by "whois").
    • If not, and you feel it is affected by a botnet/malware, collect the event logs (PsTools), kill the processes remotely and shut down the machine (WMIC / PsTools) till it is re-installed.
    • Check the OS install date with WMIC to see that it was actually re-imaged before bringing it online.
  • Some more tips...
    • If you have allowed only some USB devices in your corporate network, but some upper-level management have the privilege to use personal drives and their machine is affected by a virus, then to determine which USB device actually transferred the virus, use
      REG QUERY \\remotehostip\HKLM\System\CurrentControlSet\Enum\USBSTOR
    • Security event log for a particular event:
      WMIC ntevent where "logfile='Security' AND (eventcode='529')" list brief
    • WMIC process list brief
    • WMIC service list brief
    • WMIC startup list brief
    • If you think a particular service is making some remote connection, try to get more info:
      WMIC process get Name,ExecutablePath,CommandLine,ProcessId /format:list
      (When you get the information list for all processes and you are checking, for example, services.exe: the name of the process is services.exe but the executable path is c:\windows\zi789r8.exe.)
      (It's time to shout oooooppppssss.)
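    The WMIC outputs used on these slides (product list full, qfe list, process get ... /format:list) all share one shape: Key=Value lines, one block per record, blocks separated by blank lines. The Python below is an added example, not part of the slides: it parses that shape and automates the check in the previous bullet, flagging any process that carries a core system binary's name but runs from outside System32. The sample output is constructed, and the set of system binary names is an assumption to adjust per environment.

```python
# Constructed sample of `wmic process get Name,ExecutablePath,ProcessId /format:list`
# output: Key=Value lines, one record per block, blocks separated by blank lines.
SAMPLE_WMIC_LIST = """

ExecutablePath=C:\\Windows\\system32\\services.exe
Name=services.exe
ProcessId=624

ExecutablePath=c:\\windows\\zi789r8.exe
Name=services.exe
ProcessId=3188

ExecutablePath=
Name=svchost.exe
ProcessId=900

ExecutablePath=C:\\Program Files\\Example\\greetingcard.exe
Name=greetingcard.exe
ProcessId=5120

"""

# Assumed set of core Windows binaries that legitimately run only from %SystemRoot%\System32.
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "svchost.exe", "smss.exe"}


def parse_wmic_list(text):
    """Split WMIC list-format output into one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:  # a blank line closes the current record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records

def suspicious_system_processes(records, system_root="C:\\Windows"):
    """Return (Name, ExecutablePath, ProcessId) for processes named like a system binary
    but running from outside <system_root>\\System32; an empty path (unreadable) is skipped."""
    expected = (system_root + "\\system32\\").lower()
    return [(r["Name"], r["ExecutablePath"], r["ProcessId"]) for r in records
            if r.get("Name", "").lower() in SYSTEM_BINARIES
            and r.get("ExecutablePath")
            and not r["ExecutablePath"].lower().startswith(expected)]
```

    Feed it the saved output of the WMIC command (redirected to a text file as on the PsTools slides) and every hit is a candidate for the event-log and netstat steps above.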
  • After enough monitoring... take an action
    • Run a program (run a Symantec scan remotely):
      WMIC /node:remote_ip process call create "C:\program files\Symantec Client Security\Symantec Antivirus\doscan /scanalldrives"
      I have Symantec on my machine so I know the path.
    • Install a program:
      WMIC /node:remote_ip process call create "C:\location of file\installer.exe"
    • Uninstall a program:
      WMIC /node:remote_ip product where name="symantec" call uninstall
  • Some more action...
    • Reboot a machine:
      WMIC /node:remote_ip OS where buildnumber="2600" call reboot
    • Kill a process:
      WMIC /node:remote_ip process where name="greetingcard.exe" call terminate
    • Clear the Security event log:
      WMIC /node:remote_ip nteventlog where (description like "%secevent%") call cleareventlog
  • A simple attack vector through WMIC
    Re-route the DNS of a machine in two steps:
    WMIC /node:remote_ip nicconfig list brief
    (note down the index number from the output)
    WMIC /node:remote_ip nicconfig where index=9 call SetDNSServerSearchOrder ("1.1.1.1","2.2.2.2")
    You need the patience of a saint after issuing this command...
    Wait... till you see the results.
  • Downloads and Help
    Download a WMI script generator from
    http://www.robvanderwoude.com/wmigen.php
    Find more WMIC examples at
    http://blogs.technet.com/b/jhoward/archive/2005/02/23/378726.aspx
    Books on Amazon:
    http://www.amazon.com/Understanding-Scripting-Instrumentation-Mission-Critical-Infrastructures/dp/1555582664/ref=sr_1_1?ie=UTF8&s=books&qid=1304833283&sr=8-1