file000174

Post on 14-May-2015

Module LXI - Windows-Based Command Line Tools

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Module Objective

This module will familiarize you with:

• IPSecScan
• MKBT
• Aircrack
• Outwit
• Joeware Tools
• MacMatch
• WhosIP
• Forfiles
• Sdelete

Module Flow

WhosIP

MacMatch

IPSecScan

Forfiles

Joeware Tools

MKBT

Sdelete

Outwit

Aircrack

IPSecScan

Source: http://www.ntsecurity.nu/

IPSecScan scans a single IP address or a range of IP addresses for systems that are IPsec enabled

It supports Windows 2000/XP

Windows-Based Command Line Tools

LADS program lists all alternate data streams of an NTFS directory

ListDLLs shows the full path names of the loaded modules

Source: http://technet.microsoft.com/

Windows-Based Command Line Tools (cont’d)

Lsadump2 dumps the contents of the LSA secrets on a machine

MBRWiz sets partitions active for booting and can delete or hide partitions

Source: http://technet.microsoft.com/

Windows-Based Command Line Tools (cont’d)

Mirror is a simple command-line tool that mirrors two directories, including their sub-structures: it copies only the files that are newer and deletes all files in the mirror that are no longer present in the source

Make Bootable (MKBT) is used for installing boot sectors

Source: http://www.nu2.nu/

NBTScan

Source: http://www.unixwiz.net/

NBTScan tool scans IP networks for NETBIOS name information

Sends a NETBIOS status query to each host address

Displays IP address, NETBIOS computer name, logged-in user name, and MAC address

Net Fizz

Source: http://packetstorm.offensive-security.com/

Net Fizz is a multithreaded net share scanner for Windows NT

Shows hidden shares

Windows-Based Command Line Tools (cont’d)

NetPWAge displays password age for both users and machines

NirCmd works without displaying a user interface

Source: http://www.optimumx.com/

Source: http://www.nirsoft.net/

Windows-Based Command Line Tools (cont’d)

MacMatch searches and identifies files that are last updated, accessed, or created

NTFSinfo is an applet which shows names and sizes of all NTFS meta-data files

Source: http://www.ntsecurity.nu/

Source: http://technet.microsoft.com/

NTLast

Source: http://www.foundstone.com/

NTLast identifies and tracks the users who gain access to the system

Reports on the status of IIS users

Filters out web server logons from the console logons

Syntax:

• C:\CMDT\ntlast>ntlast

PMDump

Source: http://www.ntsecurity.nu/

PMDump dumps the process memory contents to a file

Lists out the running processes and their PIDs

Syntax:

• C:\CMDT>pmdump <pid> <filename>

Windows-Based Command Line Tools (cont’d)

Poke is a run-time process examination tool that helps if the process to be examined has some heavy anti-debugging features

Poorsniff is a Windows sniffer tool that sniffs the IP addresses that are accessed by the user

Source: http://www.toolcrypt.org

Windows-Based Command Line Tools (cont’d)

Procinfo displays information about running processes

Ptime is an automatic process timer that accurately measures the program execution time in seconds

Windows-Based Command Line Tools (cont’d)

Sdelete allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk

SetOwner changes the ownership of files/directories to any account

SQLCmd

Source: http://msdn.microsoft.com/

SQLCmd executes SQL queries against ODBC data sources

Executes an SQL query by specifying a database, username, and password (if required)

Captures output either on screen or in a log file

Syntax:

• C:\CMDT\sqlcmd>sqlcmd [options]

StreamFind

Source: http://technet.microsoft.com/

StreamFind is a command-line utility for reporting alternate data streams

Reports the existence of streams on an NTFS partition

Examines files on an NTFS partition for the presence of non-default data streams

Syntax:

• C:\CMDT\streamfind>streamfind [drive:][path][filename] [/E][/P][/S][/?]

Windows-Based Command Line Tools (cont’d)

Strings searches files for ASCII or UNICODE strings

TestDisk tool recovers lost partitions and/or makes non-booting disks bootable again

Windows-Based Command Line Tools (cont’d)

UpTime analyzes a single server for reliability and availability information

UPX is a free, portable, extendable, and high-performance executable packer for several different executable formats

Windows-Based Command Line Tools (cont’d)

VNCPwdump is used to dump and decrypt the registry key containing the encrypted VNC password in a few different ways

WhosIP easily finds and retrieves the available information about an IP address

winarp_mim

Source: http://www2.packetstormsecurity.org/

winarp_mim is useful for sniffing in a switched network

Supports Win9x/Win2K/WinXP

Syntax:

• C:\CMDT\winarp_mim>winarp_mim -a target_a_ip -b target_b_ip [-t delay] [-c count] [-v]

Windows-Based Command Line Tools (cont’d)

winarp_sk is a swiss knife tool that forges ARP packets (Ethernet and ARP headers)

WinDump is used to watch and detect network traffic in Windows

Winexit

Source: http://keepass.info/

Winexit is used to exit Windows from the command line

Syntax:

• C:\CMDT\winexit>logoff
• C:\CMDT\winexit>reboot
• C:\CMDT\winexit>reboot_force
• C:\CMDT\winexit>shutdown
• C:\CMDT\winexit>shutdown_force

Windows-Based Command Line Tools (cont’d)

NetE calls Application Programming Interfaces (APIs) that return remote information at each of their valid levels until data is retrieved

PSCP application transfers files securely between computers using an SSH connection

Windows-Based Command Line Tools (cont’d)

PSFTP is used for transferring files securely between computers using an SSH connection

Pwdump2 can dump password hashes from Active Directory

Windows-Based Command Line Tools (cont’d)

ScanLine is a command-line port scanner for all Windows platforms

Strace is a debugging/investigation utility that examines the NT system calls made by a process

UnRAR

Source: http://www.velocityreviews.com/

Resource Adapters aRchive (RAR) is a program to compress multiple files in an archive

UnRAR decompresses RAR archives

Syntax:

• C:\CMDT\unrar>unrar <command> -<switch 1> -<switch N> <archive> <files...> <@listfiles...> <path_to_extract\>

Nmap

Source: http://nmap.org/

Network Mapper (Nmap) is an open source utility for network exploration or security auditing

Uses raw IP packets to determine the available hosts on the network, services they offer etc.

Syntax:

• C:\CMDT\Nmap>nmap [Scan Type(s)] [Options] <host or net list>

Windows-Based Command Line Tools (cont’d)

Rconip is a well-designed remote console for NetWare running over IP

Outwit (docprop) utility is a suite of tools based on the Unix tool design principles

Windows-Based Command Line Tools (cont’d)

Outwit provides ODBC-based database access and prints the results of an SQL select command run on any database

Outwit (readlink) uses the Windows API for resolving shortcuts and provides text-based access to the Windows registry

Windows-Based Command Line Tools (cont’d)

Outwit (read log) provides text-based access to the Windows event log

Outwit (winclip) provides access to the Windows clipboard from a console or MS-DOS window

Outwit (winreg)

Source: http://dmst.aueb.gr/

Outwit (winreg) provides text-based access to the Windows registry

It will not process data types other than the ones described

Syntax:

• winreg [-F FS] [-r name] [-ntvci] [key]

pdftohtml, pdftotext (Xpdf)

Source: http://sourceforge.net/

Pdftohtml:

• Converts PDF files into HTML and XML formats

Pdftotext (Xpdf):

• Converts Adobe PDF documents to simple text format
• It works as an open source viewer for PDF files

Windows-Based Command Line Tools (cont’d)

Permute is a word list permutation program

Plink (PuTTY) works as a command-line interface to the PuTTY back ends

Windows-Based Command Line Tools (cont’d)

AccExp is a set of several useful utilities, especially for Active Directory management

AdFind is used for Active Directory queries

Windows-Based Command Line Tools (cont’d)

AdMod tool can modify, delete, rename, move, and undelete objects in Active Directory

ATSN converts IP addresses to subnet/site information

Windows-Based Command Line Tools (cont’d)

AUTH tool is used for testing authentication of a user ID

ChangePW tool is used to change passwords from the command line

Joeware Tools (CPAU)

Source: http://www.joeware.net/

CPAU is a command-line tool for starting a process in an alternate security context

Allows creating job files and encoding the ID, password, and command line in a file

Syntax:

• CPAU -u user [-p password] -ex "WhatToRun" [switches]

Joeware Tools

Source: http://www.joeware.net/

ClientTest is a GUI tool that verifies TCP/IP socket communication

Syntax:

• clienttest [No Switches]

ELDLL holds basic resource information for customized event logging

Syntax:

• ELDLLInstall sourcenameeventlog [OPTIONS]

Windows-Based Command Line Tools (cont’d)

ELDLLEx is a DLL that contains basic resource information for customized logging

ExchMbx is a command line tool for exchanging mailbox

Joeware Tools (Expire)

Source: http://www.joeware.net/

Expire tool flags accounts to alter their passwords on their next logon

Syntax:

• Expire filename [minimum password age]

Windows-Based Command Line Tools (cont’d)

FindExpAcc locates accounts that are expired and accounts holding expired passwords

FindNBT scans a subnet looking for Windows PCs

Joeware Tools (FindPDC)

Source: http://www.joeware.net/

FindPDC locates the PDC of a domain

Syntax:

• FindPDC domain count

Windows-Based Command Line Tools (cont’d)

GCChk locates active directory consistency issues and picks up missing GUIDs

GetUserInfo extracts the user’s information from a domain

Windows-Based Command Line Tools (cont’d)

LG manages built-in, local, and domain local groups

MemberOf displays user’s group memberships

Joeware Tools (NetSess)

Source: http://www.joeware.net/

NetSess enumerates NetBIOS sessions on a specified local or remote machine

Syntax:

• netsess [servername] [clientname] [switches]

Windows-Based Command Line Tools (cont’d)

OldCmp is used to find and clean old computer accounts that have not been utilized

Quiet silently launches a process

Windows-Based Command Line Tools (cont’d)

SecData displays security info about users/computers

SecTok displays parts of the process token of the current process

Joeware Tools (SeInteractiveLogonRight)

Source: http://www.joeware.net/

SeInteractiveLogonRight configures the system and approves specific users/groups to log on locally

Syntax:

• seinteractivelogonright <[DOMAIN\]Account> [TargetMachine]

Windows-Based Command Line Tools (cont’d)

SidToName resolves SIDs to user friendly names

ShrFlgs configures share flags

Joeware Tools (SNU)

Source: http://www.joeware.net/

SNU is a network share connection tool which is mainly utilized for monitoring scripts

Syntax:

• SNU \\servername\sharename (/ADD | /DEL)

Joeware Tools (SvcUtl)

Source: http://www.joeware.net/

SvcUtl displays service information

Unlock displays current locked and unlocked accounts

Joeware Tools (UserDump)

Source: http://www.joeware.net/

UserDump dumps basic user information from an NT-based system

Syntax:

• userdump [machine]

Joeware Tools (UserName)

Source: http://www.joeware.net/

UserName displays current user ID in multiple formats

Syntax:

• UserName [switches]

Joeware Tools (W2KLockDesktop)

Source: http://www.joeware.net/

W2KLockDesktop locks the desktop immediately

No local security requirements are needed to run this tool

Syntax:

• w2klockdesktop

Joeware Tools (WriteProt)

Source: http://www.joeware.net/

WriteProt tool is used to write protect disk volumes in Windows XP and Windows Server 2003

Synopsis:

• WriteProt [switches]

Cb, ClipText

Cb:

• Copies input to the clipboard
• Captures output from another program
• Syntax: dir /b /on | cb

ClipText:

• Copies text from file to clipboard and vice-versa
• Syntax:
  ClipText from file.ext [/DOS] [/append]
  ClipText to file.ext [/DOS] [/append]

[Screenshots: Cb, ClipText]

Cmdline, Contig

Cmdline:

• Lists all the processes on the system
• Follows chronological order for listing processes
• Syntax: Cmdline [-pid][-u][-?]

Contig:

• Optimizes usage by making file contiguous in the memory
• Syntax: contig [-v] [-a] [-q] [-s] [filename]
  -v Verbose
  -a Analyze fragmentation
  -q Quiet mode
  -s Recurse subdirectories

[Screenshots: Cmdline, Contig]

cURL

Source: http://curl.haxx.se/

cURL is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE)

curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user and password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, and proxy tunneling

Devcon

Source: http://support.microsoft.com/

Devcon acts as an alternative to the device manager

Provides information that is unavailable in the device manager

Syntax:

• devcon.exe [-r] [-m:\\<machine>] <command> [<arg>…]
  -r reboots the machine when command completes
  <machine> is the name of the target machine
  <command> is the command to perform
  <arg>… arguments, if required by the command

[Screenshot: Devcon]

Dig

Source: http://serghei.net/

Dig investigates and digs into DNS (Domain Name System)

Syntax:

• dig [@global-server] [domain] [q-type] [q-class] {q-opt} {global-d-opt} host [@local-server] {local-d-opt} [host [@local-server] {local-d-opt} […]]

Diskmap

Source: http://sourceforge.net/

Diskmap tool depicts disk attributes and geometry from the registry

Reads and displays disk partitions and logical drives

Syntax:

• diskmap/<disk number>
  /d<disk number> shows number of the disk to map
  /h shows hexadecimal output

Dispchg

Source: http://www.arminhanisch.de/

Dispchg scans and alters video modes from display driver

Syntax:

• DispChg <option> [-freak]
  option: -help, -list, -current, -set mode, -change
  [-freak] makes output easier for filters

Dumpwin, dWhich

Source: http://www.governmentsecurity.org/

Dumpwin:

• Provides information of the system where it is executed
• Syntax: dumpwin (options)
  options are: -I, -d, -s, -m, -h, -t, -p, -v, -g, -u, -n

dWhich:

• Maps the full executable path of the file
• Syntax: dWhich filename [.ext]
  [.ext] extension of the file is optional and applicable with .bat, .btm, .cmd, .com, or .exe file extensions

[Screenshots: Dumpwin, dWhich]

Efsdump, Efsview

Source: http://technet.microsoft.com/

Efsdump:

• Lists users that can access encrypted file
• Accepts wildcards to get encrypted program
• Syntax: efsdump [-s] <file or directory>
  -s Recurse subdirectories

Efsview:

• Shows users having decryption or recovery keys for encrypted directories or files
• Syntax: efsview <filename>

[Screenshots: Efsdump, Efsview]

Eldump

Source: http://www.ibt.ku.dk/

Eldump tool dumps the contents of an NT event log

Dumping is made as text

Syntax:

• eldump [options]

Options:

• -f filename in which dump text is written
• -s server for which to dump the eventlog
• -l log name to be dumped like system, applications
• -t tab separated output

[Screenshot: Eldump]

Enum, Eval

Source: http://sourceforge.net/

Enum:

• Enumerates information with help of null sessions
• Retrieves user, machine and share lists, name lists, group and member lists, password, and LSA policy
• Syntax: enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
  -U get user list
  -M get machine list
  -S get share list
  -P get password policy information

Eval:

• Quickly evaluates mathematical expressions
• Syntax: eval expression
  expression valid math equation with parenthesis precedence

[Screenshots: Enum, Eval]

Ethernetchange

Source: http://www.aecom.yu.edu/

Ethernetchange alters the Ethernet address of the network adapters in Windows

Syntax:

• etherchange

Eventsave

Source: http://www.heysoft.de/

Eventsave tool saves and clears event logs into files

Syntax: EventSave [Path][/CRemoteMachine|/A][-ANSI][/Mn]

Path Location of files
/C Save logs on remote machine
RemoteMachine Save log of the remote machine
/A Saves event logs of all the NT machines
-ANSI ANSI character set
/Mn Size of the target file in MB

Filecase, FileUpload

Filecase:

• Renames directory/file to uppercase or lowercase
• Syntax: filecase [/s][/h][/p][/q][/d][/l|/u] filespec..
  /s Processes subdirectories
  /h Process hidden files/directories
  /q Quiet mode
  /p Prompts for each file/directory to be renamed (Yes/No/All/Quit)
  /d Renames directories and files
  /l Convert to lowercase
  /u Convert to uppercase

FileUpload:

• Uploads file to a Web or an FTP server
• Syntax: upload <[path]file.ext> <url> [<login>] [<password>] [/passive] [/validate] [/post] [/proxy] [/delete] [/noappend] [/quiet]
  [path]file.ext name of the file to upload
  url destination url
  Login and password for authentication

[Screenshots: Filecase, FileUpload]

ForceDisconnect, Format144

ForceDisconnect:

• Forcefully disconnects network volumes irrespective of open files
• Syntax: forcedisconnect

Format144:

• Formats 1.44 MB floppy diskette
• Syntax: format144

[Screenshots: ForceDisconnect, Format144]

Fpipe

Source: http://www.secureroot.com/

Fpipe redirects source port and generates TCP or UDP stream

Syntax: FPipe [-hvu?] [-lrs <port>] [-i IP] IP

-?/-h - Shows this help text
-i - Listening interface IP address
-l - Listening port number
-r - Remote port number
-u - UDP mode
-s - Outbound source port number
-v - Verbose mode
-c - Maximum TCP connections

Fport

Source: http://www.foundstone.com/

Fport lists all open TCP/IP and UDP ports and maps them to the owning application

Syntax: fport

Fsum

Source: http://www.slavasoft.com/

Fsum generates and verifies file checksum calculations

Syntax: fsum.exe [<OPTIONS>] [<FILES>]

-c Checksum against given list
-d Set working directory
-jf Prints failed lines
-jm Use MD5 format
-js Use SFV format

GetLocale, Global

GetLocale:

• Maps locale and code page information of the system
• Syntax: getlocale [ <options> ]
  none Get complete LCID
  /user Get user language setting
  /pri Get primary language ID
  /sub Get only sublanguage ID
  /cp Get output codepage number
  /1024 Multiply sublanguage ID by 1024

Global:

• Recursively calls any utility or program
• Syntax: global [/h] [/p] [/q] [/i] command [args ...]
  /h Process hidden/system directories
  /p Prompt for each directory to be processed (Yes/No/All/Quit)
  /q Quiet mode. Does not display each directory name before processed
  /i Ignore exit codes. Default is to exit if command returns non-zero

[Screenshots: GetLocale, Global]

GNU Httptunnel

Source: http://www.nocrew.org/

GNU Httptunnel is used to create bidirectional virtual data path tunneled in HTTP requests

The requests can be sent via an HTTP proxy if required

It can be used to bypass firewalls

Gplist, Gsar

Gplist:

• Describes the applied group policies
• Syntax: gplist

Gsar:

• Performs general search and replace on files
• Syntax: gsar [options] [infile(s)] [outfile]

Options:

-s<string> Search string
-i Ignores case
-r[string] Replace string
-o Overwrite existing input file

[Screenshots: Gplist, Gsar]

Guid2obj

Source: http://support.microsoft.com/

Guid2obj converts a GUID to a distinguished name

Syntax: guid2obj [{]Guid[}] [/server:ServerName] [/site[:SiteName]] [/?]

[{]Guid[}] specifies a GUID, optionally with surrounding braces

/server:ServerName binds to the server ServerName

/site[:SiteName] binds to a domain controller on the site SiteName

/? Help screen

Handle

Source: http://support.microsoft.com/

Handle:

• Maps process handle information
• Syntax: handle [[-a][-u]|[-c<handle>]|[-s]][-p <processname>|<pid>][name]
  -a Dumps handle information
  -c Closes the handle
  -s Print count of open handles
  -u Show user name
  -p Scan named processes
  name Search for object with a particular name

3Scan

Source: http://sourceforge.net/

3Scan is a detector for open HTTP/CONNECT/SOCKS4/FTP/Telnet proxies

Checks accessibility of given HTTP or SMTP server via given proxy

Does not scan port and IP ranges

AGREP

Source: http://www.tgries.de/

AGREP searches the input filenames for records containing strings which either exactly or approximately match a pattern

Each record found is copied to the standard output

Approximate matching allows locating records that consist of patterns with several errors including substitutions, insertions, and deletions

Aircrack

Source: http://aircrack-ng.org/

Aircrack is an 802.11 WEP key cracker

Implements Fluhrer-Mantin-Shamir attacks

Instantly recovers the WEP key when sufficient encrypted packets have been obtained

ARPFlash

Source: http://osflash.org/

ARPFlash is a pcap-based network discovery tool

Utilizes ARP messages to identify live hosts within a given IP-range

Does not require administrative privileges for operations

ASPNetUserPass

Source: http://www.nirsoft.net/

ASPNetUserPass tool displays the password of the ASPNet user on the computer

When the user runs the file in command prompt, it simply displays the password of ASPNet user if it is stored on the system

AtNow

Source: http://www.nirsoft.net/

AtNow schedules programs and commands to execute in the near future

By default, the commands are executed within 70 seconds or less from the moment AtNow is run

Syntax: C:/>atnow [\\ComputerName] [Delay] [/interactive] "command" [Parameters]

BBIE

Source: http://www.nu2.nu/

Bart’s Boot Image Extractor (BBIE) tool extracts all boot images from a bootable CD-ROM or ISO image file

Follows El Torito Bootable CD-ROM Format Specification v1.0

BFI

Source: http://www.nu2.nu/

Builds Floppy Image (BFI) tool builds FAT floppy images

Programmed to be used on bootable CD-ROMs

Supported floppy sizes vary from 720 KB to 2.88 MB

Renamer

Source: http://www.den4b.com/

Renamer performs mass renaming of files based on a UNIX-style regular expression

Syntax: Bkren [-s] "searchexpression" "replaceexpression"

BootPart

Source: http://www.winimage.com/

BootPart adds additional partitions to the Windows NT multi boot menu

Compatible with Windows NT/2000/XP

Requires administrative privileges

User can also add an OS/2 multiboot or a Linux partition

BuiltIn Account Manager

Source: http://www.optimumx.com/

BuiltIn Account Manager displays or manages the built-in administrator or guest account without knowing the user account name

Requires administrative privileges

bzip2

Source: http://www.bzip.org/

bzip2 is an open source command-line data compressor

Runs on any 32 or 64-bit machine with an ANSI C compiler

T4eWebPing

Source: http://www.tools4ever.com/

T4eWebPing command line application is a MonitorMagic plugin to gather intranet/Internet script performance data

It can be used to 'ping' a web-page

T4eSQL

Source: http://www.tools4ever.com/

T4eSQL command line tool reads the entire command line and query information from text files, which enables large command structures and queries

T4eDirSize

Source: http://www.tools4ever.com/

T4eDirSize gets the free and used space of any directory or share

It can be used to monitor the free space and file statistics of shares

T4ePortPing

Source: http://www.tools4ever.com/

T4ePortPing can be used to 'ping' a specific port on any TCP/IP host

Use T4ePortPing as a standard plugin, or in your own scripts, to see which ports are open on clients or servers

T4eRexec

Source: http://www.tools4ever.com/

T4eRexec accepts a password as input and can therefore run in unattended mode

It is used to remotely execute a command on a computer running an operating system that supports the standard Rexec protocol

Forfiles

Source: http://technet.microsoft.com/

Forfiles selects files in a folder or tree for batch processing

Syntax:

• forfiles [/p Path] [/m SearchMask] [/s] [/c Command] [/d[{+ | -}] [{MM/DD/YYYY | DD}]]

Exe2bin

Source: http://technet.microsoft.com/

Exe2bin converts executable (.exe) files to binary format

Syntax:

• exe2bin [drive1:][path1]InputFile [[drive2:][path2]OutputFile]

Summary

IPSecScan scans a single IP address or a range of IP addresses for systems that are IPsec enabled

MacMatch searches and identifies files that are last updated, accessed or created

chkdsk command lists and corrects errors on the disk

Nslookup will display the information that you can use to diagnose Domain Name System (DNS) infrastructure
