Posted on 11-Apr-2015

2.165 views

Category:

Documents


8 download

TRANSCRIPT

Page 1: Essential Windows Command Line Kung-Fu for InfoSec Pros

SANS Webcast © 2006

SANS Institute presents: Essential Windows Command-Line Kung Fu for Info Sec Pros

• Speakers
– Ed Skoudis, Intelguardians
– Alexander Horan, Core Security Technologies
– Q/A session with today's speakers
– Send questions to '[email protected]'

Page 2

Core Security Technologies
46 Farnsworth St, Boston, MA 02210
Ph: (617) 399-6980

www.coresecurity.com

Security Assurance: Vulnerability Assessment, Management and Auditing

Page 3

Handling Vulnerabilities is Crucial

Scanners are used to detect flaws on the first layer of defense, such as improper configurations or sub-par patch revisions
– Good for information assurance and compliance

Vulnerability scanning yields one view of the network topology
– Does not show or exploit linkage between information systems and assets
– Will not show the impact of loss of information assets (only shows the "outer layer" of the onion), such as theft of intellectual property, leakage of internal communications, etc.
– Does not show the true level of threat had the network been compromised by a motivated adversary

Sample vulnerability scanning products
– Nessus, Retina, GFI LanGuard

Page 4

Penetration Testing Complements Vulnerability Scanning

Page 5

Penetration Testing Overview

Penetration Testing: Actively exploits vulnerabilities within a network

Replicates access an intruder could achieve and safely proves actual paths of attack that must be eliminated

Only way to objectively gauge threats: without physically penetrating the host or network, there is no way to quantify and qualify an organization's true exposure in the event of a "real" security compromise

Advantages: Enables you to be proactive with informed security decisions

Provides efficient, precise, cost-effective remediation information, so that accurate corrective action can be taken

Allows you to see your network through the eyes of an attacker to prevent attack

Exposes vulnerabilities and subsequent network information or resources that are at risk

Page 6

CORE IMPACT – Automated Penetration Testing

Mimics attacker behavior: launches real-world attacks safely and efficiently, demonstrating exactly what an attacker can do

Industrializes penetration testing: automates a previously manual, expensive process with Core Impact Rapid Penetration Test (RPT)

Provides important features:
– Commercial-grade exploits
– Innovative agent technology
– Powerful user interface
– Automation of repetitive tasks
– Complete log of all activities
– Customizable reporting
– Links to fixes

Page 7

Benefits of CORE IMPACT

Advanced Penetration Testing scenarios
– External attacker with no previous knowledge
– Internal attacker w/access to internal network

Augment Vulnerability Management
– Reduce false positives and know which vulnerabilities to remediate first

Verification of IDS / IPS and other security controls
– Use real attacks to evaluate effectiveness of security products in your specific environment

Legislative and industry compliance (SOX, HIPAA, FISMA, PCI requirements, etc.)
– Meet regular network testing, reporting and auditing requirements

Page 8

Demonstration

(diagram of demo network)


Page 12

CORE IMPACT Review

CORE IMPACT Delivers Significant Benefits

Encompasses all phases of Penetration Testing in one comprehensive framework

Executes real attacks safely and efficiently

Enables consistent, repeatable tests

Helps test and evaluate other security solutions and systems

Clearly identifies compromisable assets and helps intelligently prioritize remediation efforts


Page 14 (slide 1)

Essential Windows Command-Line Kung Fu - ©2006, Skoudis 1

Essential Windows Command-Line Kung Fu

By Ed Skoudis

Copyright 2006, Ed Skoudis, Version 2Q06

Hello and welcome to this webcast on Windows Command-Line Kung Fu. Over the next half hour or so, we'll discuss several tools built in to Windows that can be used by security pros to better understand what's happening on their systems. Unfortunately, too few people realize the power of built-in command-line tools on Windows that can help us all do our jobs better. I am hopeful that this session will help you improve your command-line kung fu in Windows.

Page 15 (slide 2)

Windows Command-Line Kung Fu

• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

Here is our outline. We'll start out with an overview and then move into some general command-line stuff. We'll then cover the wmic command in depth. Then, we'll have some other odds and ends that include other useful tools, and we'll culminate with some exercises to challenge your kung fu.

Page 16 (slide 3)

Introduction and Motivation

• A lot of people don't realize the power of the command shell in Windows
– Don't laugh!
– It's not bash, but it's got some pretty nice capabilities

• Why use it? Sometimes GUI tools aren't available
– Spyware has killed them
– Task Manager or services.msc might not be available

• Command-line tools lend themselves better to:
– Scripting
– Pulling out important items from long lists of information

Windows ships with some amazingly powerful command-line tools that often aren't used. Instead, most Windows admins utilize GUI-based tools.

Although the Windows command shell (cmd.exe) is not as powerful as the Linux/Unix bash shell, it can let us do some very useful things.

But, you might be wondering, why would I ever want to use a command-line tool when I'm perfectly happy and comfortable using a GUI in Windows? Well, increasingly, spyware and rootkits alter the display in GUI-based tools, or prevent them from working at all. For instance, I was working on a project analyzing spyware that had destroyed Task Manager and the Services Control Panel. Analysis at the GUI would have been very tough, given that we weren't allowed to load any additional tools (like the great suite of analysis tools from www.sysinternals.com). Instead, we relied on built-in Windows command-line tools to do our heavy lifting.

Also, many command-line tools are better for pulling out subtle information that could be buried in a complex GUI. By sorting or searching command-line output, we can get a great level of insight into what's happening on a machine.

It's important to note that we will not go over every single option of every single command. That would be boring and take too long. Instead, we'll go over using these commands to improve the day-to-day world of an incident handler, system administrator, and security professional.

Page 17 (slide 4)


Let's do a brief overview of the Windows command line, so we're all on the same page.

Page 18 (slide 5)

A Couple of Points About the Windows Shell

• Please use cmd.exe, not command.com
• Start > Run… and type "cmd.exe"
– I advise you to type cmd.exe, instead of just cmd
– That's because a bad guy could create a cmd.com, which would run instead of the .exe
– "." is implicitly in your path

• Remember:
– The > means put output in a file
– The < means get input from a file
– The | means take the output of one command and use it as input for the next command

For all of the stuff we cover in this session (and for all of your Windows use after that, quite frankly), please use cmd.exe and avoid command.com like the plague that it is. Command.com is a very limited shell, included for backward compatibility with DOS. It's time to use cmd.exe, please!

To invoke cmd.exe, please go to Start > Run… and type "cmd.exe", without the quotes. Also, whenever you invoke cmd.exe, make sure that you put a .exe on its end. If you just type cmd, without the .exe, an attacker could trick you into running a backdoor called cmd.com. That's because, with the Windows shell, your current working directory (called ".") is searched before the directories in your PATH. What's more, if the user provides no extension, cmd.exe tries the extensions listed in the PATHEXT variable in order, and the default PATHEXT lists .COM before .EXE, so a cmd.com is found before cmd.exe. The same trick works from any directory on your PATH that an attacker can write to, not only the current one.

Another couple of things to keep in mind involve redirecting standard input and standard output at the shell. The > symbol means that the given command should place its standard output in a file. The < symbol tells a program to get its standard input from a file. And, finally, the pipe symbol ("|") tells one program to send its standard output into the standard input of another program.
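Here is an added check for the cmd.com trick, written in PowerShell; it is not part of the webcast. It walks the directories cmd.exe would search (the current directory first, then each PATH entry) and reports any .com file that would win over an .exe of the same base name under the PATHEXT ordering just described. The function name is my own; everything else comes from the environment of the session it runs in.

```powershell
# Added example: report .com files that cmd.exe would run in place of a
# same-named .exe. cmd.exe looks in the current directory first, then in each
# PATH entry in order, trying the PATHEXT extensions in order within each
# directory (.COM before .EXE by default).
function Find-ShadowingCom {
    param(
        # Directories in cmd.exe's search order; defaults to this session's view.
        [string[]]$Directories = (@((Get-Location).Path) + ($env:PATH -split ';')),
        [string[]]$PathExt     = ($env:PATHEXT -split ';')
    )

    $dirs = @($Directories | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) })
    $exts = @($PathExt | Where-Object { $_ } | ForEach-Object { $_.ToUpperInvariant() })
    $comBeforeExe = [array]::IndexOf($exts, '.COM') -lt [array]::IndexOf($exts, '.EXE')

    # Every .exe, keyed by lower-cased base name, with the position of its directory.
    $exes = @{}
    for ($i = 0; $i -lt $dirs.Count; $i++) {
        Get-ChildItem -LiteralPath $dirs[$i] -Filter *.exe -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.exe' } |
            ForEach-Object {
                $key = $_.BaseName.ToLowerInvariant()
                if (-not $exes.ContainsKey($key)) { $exes[$key] = @() }
                $exes[$key] += [pscustomobject]@{ Index = $i; Path = $_.FullName }
            }
    }

    for ($i = 0; $i -lt $dirs.Count; $i++) {
        Get-ChildItem -LiteralPath $dirs[$i] -Filter *.com -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.com' } |
            ForEach-Object {
                $com = $_
                $key = $com.BaseName.ToLowerInvariant()
                if (-not $exes.ContainsKey($key)) { return }   # nothing to shadow
                foreach ($exe in $exes[$key]) {
                    # The .com wins if its directory is searched earlier, or if it
                    # shares the directory and .COM precedes .EXE in PATHEXT.
                    if ($exe.Index -gt $i -or ($exe.Index -eq $i -and $comBeforeExe)) {
                        [pscustomobject]@{
                            Command   = $com.BaseName
                            Shadowing = $com.FullName
                            Shadowed  = $exe.Path
                            Signature = (Get-AuthenticodeSignature -LiteralPath $com.FullName).Status
                        }
                    }
                }
            }
    }
}

# Run this from the directory you are about to type "cmd" in.
Find-ShadowingCom | Format-Table -AutoSize
```

A planted cmd.com will show up with its Authenticode status (almost always NotSigned), next to the legitimate cmd.exe it would displace. Typing cmd.exe with the extension sidesteps the PATHEXT ordering but not the current-directory precedence, which is why the check walks both.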

Page 19 (slide 6)

Controlling Output with cls, more, find, findstr, and sort

• To clear the screen, type:
C:\> cls

• To paginate long output, use more:
C:\> wmic process list full | more

• To find a particular string in output, use find with quotes:
C:\> wmic process list brief | find "cmd.exe"

• To exercise more complex finds (with regular expressions), use findstr

• To sort output, use sort

And, a couple of other small notes.

To clear the screen, use the cls command, which stands for Clear Screen.

To paginate long output, pipe it through the more command. That'll show you one page at a time. Sadly, Windows does not include by default the less command, which on Unix and Linux gives more options for viewing and searching output than more. In this case, less is truly more than more.

To find a string in the output of a command, you could pipe it through the find command, as in wmic process list brief | find "cmd.exe". This will run the wmic command with the "process list brief" options, and search its output for the string cmd.exe. Note that with the find command, you need to put quotes around the item for which you search. Also note that find is case-sensitive unless you add the /i switch, so find "cmd.exe" will miss a process listed as CMD.EXE.

The findstr command goes further, allowing you to write regular expressions to match against the output of a command. Since we only have a half hour or so, we will not be covering regular expressions or the findstr command. Feel free to experiment with it on your own.

And, finally, you can use the sort command to sort the output of another command, or to simply sort the contents of a file.

Page 20 (slide 7)


And now… let’s enter the wonderful world of WMIC!

Page 21 (slide 8)

WMIC Overview

• Windows Management Instrumentation Command-line
– Included in WinXP Pro and Win2003 (NOT in XP Home!)
– Can be used to manage Win2000, XP, 2003
• And, with additional installed software, can manage 95/98/NT

• Not a command… it's a world unto itself
– Allows view of 4,000 properties and configuring 40 in Win2K
– Allows view of 6,000 properties and configuring >150 in XP
– Even more in Win2003

• Run WMIC telling it what to do by typing:
C:\> wmic [commands]

• Or, invoke a custom wmic command prompt with:
C:\> wmic
wmic:root\cli>

WMIC stands for Windows Management Instrumentation Command-line. That's a mouthful… let's dissect it. First off, WMI is a framework and API Microsoft released for analyzing and controlling Windows systems. Similar in goals to the Simple Network Management Protocol (SNMP), WMI goes much further, but is Windows specific.

Before WMIC, admins had to access WMI functionality by writing their own scripts or using executables that made WMI API calls. But, with WMIC, we now have a little command-line tool that lets us read and write WMI attributes without writing any code! That's wonderful.

Now, WMIC is built in to WinXP Pro and Win2003. But, it is not in WinXP Home, which Microsoft doesn't really consider a professional-class operating system. Thus, it doesn't need fancy management capabilities like WMIC. Although the command is built in to XP Pro and 2003, the WMIC command included in those operating systems can be used to manage other system types, including Win2000, WinXP (Pro and Home), and Windows 2003. You can even manage older stuff (Win95/98/NT) if you install on them the WMI Core tools, available at no extra charge from Microsoft. Note that WMI Core does not equal WMIC! WMIC is a command tool for controlling WMI. WMI Core is WMI manageability for older Windows versions, but you have to run the management tool from Win XP Pro or 2003.

With WMI (and its tool WMIC), you can view thousands of properties of Windows, and update hundreds of them.

You can invoke WMIC in two different ways. First, at a cmd.exe shell prompt, you could type wmic followed by all of the stuff that you want it to do. Or, you could invoke wmic's own special command console shell by typing wmic and hitting enter (either at a cmd.exe prompt, or going to Start > Run…).

Page 22 (slide 9)

WMIC at cmd.exe Shell vs. WMIC Console Shell

• I typically use WMIC at the command shell itself, so I can use >, sort, find, and findstr on its output

• But, others prefer to use the WMIC console shell, particularly because it has a fail-safe interactive mode
– If you want to delete anything (such as running processes), you can make it verify with you before that happens
– At the WMIC prompt, type:
wmic:root\cli> /interactive:on
– But, that'll only ask for confirmation for that wmic session

But, which of these two ways of starting WMIC is superior? I prefer typing wmic followed by commands right in line at a cmd.exe prompt. That way, I can get my output on standard out, and search it using find, findstr, and sort.

Other people like the WMIC command prompt, because they can set it to prompt them before they do something destructive, like killing processes. To get a confirmation prompt, invoke WMIC and hit enter. Then, at the WMIC prompt, type "/interactive:on". For that one WMIC session, you'll get a confirmation request before you delete anything. Note that if you exit WMIC (by typing "exit"), the interactive configuration disappears. You'll have to turn it on again the next time you use WMIC. Also, the interactive setting from a console session has no impact at all if you just use WMIC followed by commands right at the command shell; if you want the confirmation there, put /interactive:on on that command line as a global switch, before the alias (as in wmic /interactive:on process where name="cmd.exe" delete).

Page 23 (slide 10)

WMIC Help and Remote Usage

• To get help within WMIC, type:
C:\> wmic /?

• Or, for more detailed help:
C:\> wmic /?:full

• By default, WMIC runs against the local machine
• But, you can run WMIC queries or updates against a remote box using this notation:
C:\> wmic /user:[admin_user] /password:[password] /node:[machine_name] [commands]

To see all of the incredible options available within WMIC, type "wmic /?". For more detail, you can run "wmic /?:full".

Another really neat part about WMIC is that it can run locally or across the network against a machine for which you have admin privileges. By default, it runs against the local machine. But, you can run it against a remote system by typing the following:

C:\> wmic /user:[admin_user] /password:[password] /node:[machine_name] [commands]

The /node: switch also accepts a comma-separated list of machines, or @filename to read the list from a file, so one command can sweep many systems.

Two cautions for remote use. First, the connection is DCOM/RPC, so the target's firewall has to let that traffic in (TCP 135 plus the dynamic RPC ports), and the account has to be a local administrator on the target. Second, anything you type after /password: is visible to anyone on your own machine who can read process command lines (exactly what wmic process get commandline shows, as we'll see shortly), and it ends up in any /record: file you write. Leave the /password: switch off and WMIC will prompt you for the password instead.

Keep in mind that everything we are about to discuss regarding WMIC can be run locally or remotely! It's very powerful when used remotely.

Page 24 (slide 11)

WMI Query Language (WQL)

• WMIC can be used simply to list various attributes using its own query language, called WQL (WMI Query Language)
– Subset of ANSI SQL
– Primary useful elements of WQL:
• list: show a list of something
• get: get a value of an element
• create: create an element
• delete: delete an element
• where clauses to match some property. Example: where name="cmd.exe"
• /every:[N]: Run this every N seconds
• like and % to match substrings

Strictly speaking, the where clauses you type into WMIC are WQL, which is a subset of SQL; list, get, create and delete are WMIC's own verbs, which it turns into WMI queries and method calls behind the scenes. In practice you write them together, so we'll treat the whole thing as one query syntax.

There are many elements of this syntax which we'll use for this webcast. I'm hopeful that, by the end of this session, you'll be able to navigate it, with some of its most useful query types.

The syntax includes these key words:

• list: shows a list of something.

• get: gets one or more values of an element. You could get a list of things, separated by commas.

• create: creates an element, which can be used to run programs.

• delete: deletes an element, which can be used to kill processes.

• where: these clauses can match some property to help us sort through a long list of things, for example: where name="cmd.exe"

• /every:[N]: Run this command every N seconds, which works for displaying items, but not creating or deleting them.

• like and %: match specific substrings, a very nifty feature. As in SQL, % stands for any run of characters, so path like "%E:%" matches any path that contains E: anywhere.

Page 25 (slide 12)

WMIC Elements

• To get a list of elements associated with a particular area:
C:\> wmic [area] list full

• Then, you can query particular elements in that list:
C:\> wmic [area] get [element1], [element2], [element3]

• Essentially creates your own reports
• Order of elements is prebaked by WMIC, unfortunately
• Try these:
C:\> wmic process list full
C:\> wmic process get name, processid, commandline
C:\> wmic process get processid, name, commandline

WMIC displays information in many dozens of areas (WMIC calls them aliases; wmic alias list brief shows them all), including processes, services, and users. To get a list of everything that WMIC knows about a given area, you could run WMIC with a list full option, as in:

C:\> wmic [area] list full

Or, more specifically, looking at processes:

C:\> wmic process list full

That will show you all of the attributes of processes that WMIC knows about. Then, we can query against specific elements in that list by using a get, as in:

C:\> wmic [area] get [element1], [element2], [element3]

Or, to be more specific, suppose we want to get a list of process names and Process Ids. We could run this:

C:\> wmic process get name, processid

This way, you can create your own little reports with just the information you want. Unfortunately, the order of the attributes displayed by WMIC is fixed: it prints them alphabetically by attribute name, however you order them on the command line. You can control what attributes you see, but not the order, which is why the last two commands on the slide produce identical output.

Page 26 (slide 13)

WMIC and Listing Processes

• WMIC provides a lot of information about processes:
C:\> wmic process list brief

• Or, to narrow it down:
C:\> wmic process list brief | find "cmd.exe"
– Fourth column is the process ID (first column is the handle count)

• Or, to run it every 1 second:
C:\> wmic process list brief /every:1
– Works kind of like the Unix/Linux top command

• To get specific items, you can name what you want in a list:
C:\> wmic process get name, processid, commandline
– Nice, because it shows the command-line invocation!
– Somewhat like Unix/Linux ps -aux

So, let's use WMIC to do some things that might be useful to an incident handler or system administrator. First off, to get a listing of the most interesting elements of running processes, you could do this:

C:\> wmic process list brief

That gives you, for each process, its handle count, name, priority, process ID, thread count, and working set size, in that order.

Next, if you were only interested in the cmd.exe processes that are running, you could go through the output and pull out lines with cmd.exe in them as follows:

C:\> wmic process list brief | find "cmd.exe"

This command works rather like the "ps -aux | grep cmd.exe" command would on a Unix or Linux machine. (The where clause we'll meet on the next slide does the same filtering inside WMIC, and unlike find it matches the process name itself rather than any text that happens to appear on the line.)

You could display the process list every second with this syntax, which works something like the Unix or Linux top command:

C:\> wmic process list brief /every:1

Also, you can get a list of process names, process IDs, and the command lines used to invoke each program with this little query:

C:\> wmic process get name, processid, commandline

That command-line invocation is especially helpful in investigations!
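As an added example (not from the webcast), here is the same inventory as wmic process get name,processid,commandline built with PowerShell's CIM cmdlets against the class that wmic process reads, Win32_Process, and joined to each process's parent and owner, two things the flat WMIC listing cannot show. The function name and the short list of system binary names at the end are my own choices for the example.

```powershell
# Added example: process inventory from Win32_Process (the class behind
# "wmic process"), with parent name and owner added.
function Get-ProcessInventory {
    param(
        # Wildcard on the image name, e.g. 'cmd.exe'; default is every process.
        [string]$Name = '*'
    )
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $_.Name -like $Name })) {
        $parent     = $byId[$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        # GetOwner is a WMI method on the instance; system processes may refuse it.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $ownerName = if ($owner -and $owner.ReturnValue -eq 0) { '{0}\{1}' -f $owner.Domain, $owner.User } else { '?' }

        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            ParentId    = $p.ParentProcessId
            ParentName  = $parentName
            Owner       = $ownerName
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
        }
    }
}

# Every cmd.exe, with who launched it and from what: the incident handler's view.
Get-ProcessInventory -Name 'cmd.exe' | Format-Table ProcessId, ParentName, Owner, CommandLine -AutoSize

# A check the flat listing hides: a process named like a core system binary
# whose image lives outside %SystemRoot% (a common masquerade). The list of
# names is an assumption for this example; extend it for your environment.
$systemBinaries = 'svchost.exe', 'lsass.exe', 'services.exe', 'csrss.exe', 'winlogon.exe', 'smss.exe'
Get-ProcessInventory | Where-Object {
    $_.Name -in $systemBinaries -and $_.Path -and
    -not $_.Path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
} | Format-Table ProcessId, Name, Path, ParentName -AutoSize
```

The parent lookup is done from a single snapshot, so a parent that exited before the snapshot shows as <exited>; that in itself is a useful signal, since a cmd.exe whose parent is gone was most likely spawned by a short-lived dropper or script rather than by a user at the keyboard.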

Page 27 (slide 14)

WMIC and Killing Processes

• To kill a process based on PID:
C:\> wmic process [pid] delete
– Works kind of like Unix/Linux: kill -9 [pid]

• To kill a process based on name:
C:\> wmic process where name="cmd.exe" delete
– Works kind of like Unix/Linux: killall -9 cmd.exe
– And, remember, you can do this remotely! Woohoo!

• To start a process (say, calc.exe):
C:\> wmic process call create calc.exe
– And, remember, you can do this remotely too!
– Who needs psexec (tool free from www.sysinternals.com)?

Looking at processes is nice, but sometimes an incident handler or sys admin needs to kill processes. You can do this with WMIC as follows:

C:\> wmic process [pid] delete

This command functions rather like the Unix and Linux kill command, when used as "kill -9 [pid]", immediately terminating a process.

Alternatively, you can kill all processes with a given name, rather like the "killall -9 [name]" command would work on Unix or Linux, as follows:

C:\> wmic process where name="cmd.exe" delete

Be careful with that one: it kills every cmd.exe on the box, including the shell you are typing in if you ran wmic from cmd.exe. The where clause can be made as specific as the attributes allow, for example where (name="cmd.exe" and processid!=1234) to spare your own shell.

You could even do that remotely, with the user name, password, and node syntax we described earlier, killing all cmd.exe's running on a different machine, provided that you had administrative credentials on that system.

But, WMIC doesn't let you just view and kill processes. You can also start processes, using this syntax to run calc.exe:

C:\> wmic process call create calc.exe

With the remote syntax we presented earlier, you can use WMIC to run any command on a target system. The free psexec lets you do that as well (from www.sysinternals.com), but it is not built in to Windows. WMIC lets you have psexec-like functionality, but built in! Also, psexec (as of this 2006 writing) sends the credentials given with -u and -p in clear text! WMIC does not, but instead uses the encrypted Windows authentication (LANMAN Challenge-Response, NTLMv1, NTLMv2, or Microsoft Kerberos, depending on how the system is configured). One difference to keep in mind: a process created remotely this way runs non-interactively in the background on the target, so nobody sees its window there, and all you get back is its process ID, not its output.
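The remote create-and-kill just described, as an added PowerShell example that is not code from the webcast. It drives the same WMI class and methods that wmic does, Win32_Process.Create and Win32_Process.Terminate, over a DCOM CIM session, with the password collected by Get-Credential instead of being typed on the command line. The function names and the lab host name LABHOST01 are my own placeholders.

```powershell
# Added example: psexec-like remote execution and remote kill over WMI/DCOM,
# the same Win32_Process methods that "wmic /node:... process call create" and
# "wmic /node:... process where name=... delete" invoke.

function New-AdminCimSession {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential = (Get-Credential -Message "Administrator account for $ComputerName")
    )
    # DCOM is the transport wmic.exe uses; the cmdlet default (WinRM) needs WinRM enabled on the target.
    New-CimSession -ComputerName $ComputerName -Credential $Credential `
                   -SessionOption (New-CimSessionOption -Protocol Dcom)
}

function Invoke-RemoteProcess {
    param(
        [Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimSession]$Session,
        [Parameter(Mandatory)][string]$CommandLine
    )
    $r = Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create `
                          -Arguments @{ CommandLine = $CommandLine }
    # Win32_Process.Create returns 0 on success. The new process runs
    # non-interactively on the target: no window there, no output back here.
    if ($r.ReturnValue -ne 0) { throw "Create('$CommandLine') failed, return code $($r.ReturnValue)" }
    $r.ProcessId
}

function Stop-RemoteProcessByName {
    param(
        [Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimSession]$Session,
        [Parameter(Mandatory)][string]$Name
    )
    # Same selection as: wmic process where name="calc.exe" delete
    Get-CimInstance -CimSession $Session -ClassName Win32_Process -Filter "Name = '$Name'" |
        ForEach-Object {
            $r = Invoke-CimMethod -CimSession $Session -InputObject $_ -MethodName Terminate `
                                  -Arguments @{ Reason = [uint32]1 }
            [pscustomobject]@{ ProcessId = $_.ProcessId; Name = $_.Name; ReturnValue = $r.ReturnValue }
        }
}

# Usage against a lab host (the name is a placeholder):
$session = New-AdminCimSession -ComputerName 'LABHOST01'
try {
    $remotePid = Invoke-RemoteProcess -Session $session -CommandLine 'calc.exe'
    "Started calc.exe remotely as PID $remotePid"
    Stop-RemoteProcessByName -Session $session -Name 'calc.exe' | Format-Table -AutoSize
} finally {
    Remove-CimSession -CimSession $session
}
```

Because the credential is gathered by Get-Credential, the password never appears in this machine's process command lines or in any transcript; the authentication on the wire is the Windows mechanism the slide describes (NTLM or Kerberos, as negotiated).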

Page 28 (slide 15)

Using wmic process (screenshot: steps 1 and 2)

Let's quickly look at WMIC's process abilities.

In Step 1, simply type:

C:\> wmic process list brief

See all of the processes you have running! Nice!

Next, in Step 2, invoke a calc.exe process from the command shell by running this:

C:\> wmic process call create calc.exe

Of course, you could have just typed "calc.exe" at the command prompt… but with WMIC, you have the option of doing this remotely!

Page 29 (slide 16)

Using wmic process delete (screenshot: steps 1 and 2)

Next, we'll use WMIC to pull specific attributes associated with our running calc.exe process. This technique will show two things. First, it'll let us see how to use a where clause to focus on a particular entity. Secondly, it'll show us how to get some specific attributes of that entity.

In Step 1, type:

C:\> wmic process where name="calc.exe" get name, processid, commandline

Note that you can see the command line used to invoke each running process! That's very helpful.

In Step 2, we'll kill our calc.exe process based on its name, using WMIC thusly:

C:\> wmic process where name="calc.exe" delete

Your running calculator should disappear.

Page 30 (slide 17)

WMIC and Services

• To get a list of all services and their settings:
C:\> wmic service list full

• To just look at started services:
C:\> wmic service where started="true"

• To get a list of process IDs associated with started services:
C:\> wmic service where started="true" get name, pathname, processid

Beyond processes, WMIC also lets us interact with services.

To get a list of all services defined on the box (whether they are running or not), simply type:

C:\> wmic service list full

That'll also show you all of the attributes of each service.

If you only want to see running services, you can use the where clause to look for items with the attribute called started set to true, as follows:

C:\> wmic service where started="true"

If you want to get a list of process IDs associated with each started service, you could use the following (again, note the query used to pull information from specific attributes with a get, using a where clause to narrow down our search):

C:\> wmic service where started="true" get name, pathname, processid

Many services will share one process ID, because they run inside the same svchost.exe instance; this is how you find out which services a given svchost.exe PID from the process listing is actually hosting. The startname attribute (the account the service runs as) and startmode are worth adding to that get as well.
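An added example (not from the webcast) that produces the started-services report above from Win32_Service, the class behind wmic service, and then turns PathName into two triage checks: an image that lives outside the usual program directories, and an unquoted path that contains spaces (which Windows resolves by trying each space-delimited prefix in turn, so a writable C:\Program.exe would be run instead). The function name and the set of trusted directories are my own choices.

```powershell
# Added example: started services (name, pathname, processid) from Win32_Service,
# with two checks on the image path and the account each service runs as.
function Get-ServiceInventory {
    param([switch]$StartedOnly)

    $query = @{ ClassName = 'Win32_Service' }
    if ($StartedOnly) { $query.Filter = 'Started = TRUE' }   # same selection as where started="true"

    # Directories where service binaries normally live; an assumption for this check.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    foreach ($s in Get-CimInstance @query) {
        $path     = $s.PathName
        $image    = $null
        $unquoted = $false
        if ($path) {
            if ($path.StartsWith('"')) {
                # Quoted image: everything up to the closing quote.
                $image = $path -replace '^"([^"]*)".*$', '$1'
            } else {
                # Unquoted image: up to and including the first .exe. If that part
                # contains a space, Windows tries "C:\Program.exe" and friends first.
                $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
                $image = if ($m.Success) { $m.Groups[1].Value } else { ($path -split ' ')[0] }
                $unquoted = [bool]($image -match '\s')
            }
        }
        $outside = [bool]($image -and -not ($trusted | Where-Object { $image.StartsWith($_, 'OrdinalIgnoreCase') }))

        [pscustomobject]@{
            Name               = $s.Name
            State              = $s.State
            StartMode          = $s.StartMode
            ProcessId          = $s.ProcessId
            RunsAs             = $s.StartName
            Image              = $image
            UnquotedWithSpaces = $unquoted
            OutsideTrustedDirs = $outside
        }
    }
}

# The report from the slide, then only the rows that fail a check.
$services = Get-ServiceInventory -StartedOnly
$services | Sort-Object ProcessId | Format-Table Name, ProcessId, RunsAs, Image -AutoSize
$services | Where-Object { $_.UnquotedWithSpaces -or $_.OutsideTrustedDirs } |
    Format-Table Name, StartMode, RunsAs, Image, UnquotedWithSpaces, OutsideTrustedDirs -AutoSize
```

Sorting by ProcessId groups the services hosted by each svchost.exe together, which is the quickest way to account for a svchost.exe PID seen in the process listing. A service flagged OutsideTrustedDirs is not necessarily malicious (third-party software often installs elsewhere), but it is where to start reading.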

Page 31 (slide 18)

WMIC and Shares

• To get a list of available shares:
C:\> wmic share

• For more details:
C:\> wmic share list full

• To get rid of a share:
C:\> wmic share [share_name] delete

• To see all shares on the E: partition:
C:\> wmic share where (path like "%E:%") list brief

We can also pull share information using WMIC, to see what file shares our local system has made available through Windows networking, as follows:

C:\> wmic share

If you want more details, you could run:

C:\> wmic share list full

You can even use WMIC to delete a given file share so that no one can connect to it, as follows:

C:\> wmic share [share_name] delete

(By the way, you could, if you want, just temporarily delete your ADMIN$ share this way… then run the "net share" command to verify that it is gone. When you reboot, it should come back, since Windows recreates the administrative shares at startup unless that has been turned off in the registry.) Note that remote WMIC itself runs over RPC, not over the file shares, so deleting ADMIN$ does not lock you out of WMIC; it does break tools like psexec, which copy their service binary to the target through ADMIN$.

Now, let's look at the substring options of wmic. If you want to see all of the shares you've got on a given partition (such as, say, your E: drive), you could run:

C:\> wmic share where (path like "%E:%") list brief

That ability to use like and % is incredibly useful. I like using it for wmic process, wmic share, and wmic qfe (which we'll cover shortly).

Page 32 (slide 19)

WMIC and System Details

• To get a list of all start-up items:
C:\> wmic startup list full
– Who needs msconfig (built-in) or autoruns (again, www.sysinternals.com)?

• To get a list of user accounts:
C:\> wmic useraccount list full
– Even gives you SIDs! Who needs net user?

• To get a list of installed service packs and patches (quick fix engineering):
C:\> wmic qfe
– Or, for more details:
C:\> wmic qfe list full
– Who needs hfnetchk? And, remember, you can do this remotely!

Here is an extremely useful aspect of WMIC… getting a list of all start-up programs, whether they start up from an autostart folder or from a registry key. You can get this list by running:

C:\> wmic startup list full

Now, this command can be used to pull very similar information to the msconfig command built into WinXP and 2003, or the Autoruns tool from www.sysinternals.com. But, wmic is built in, and provides it all at the command line. One caveat: wmic startup covers only the Startup folders and the Run/RunOnce registry keys. Autoruns checks many more autostart locations (services, drivers, scheduled tasks, Winlogon and shell extensions, and so on), so a clean wmic startup listing does not mean a clean machine.

You can get a list of users (including their SID numbers) from the local SAM database with this command:

C:\> wmic useraccount list full

Why, that's even more and better information than you get from the "net user" command. Clearly, not all Windows Command-Line Kung Fu is created equal. (On a domain-joined machine this also enumerates domain accounts, which can take a very long time; add where localaccount="true" to restrict it to the local SAM.)

And, here's a vital one… getting a list of all installed service packs and patches, using this command:

C:\> wmic qfe

For even more info, add a "list full" to the end, which will even show you the date when a given patch was installed. Remember, you can even do this remotely! So, this WMIC option supplants a lot of the functionality in the hfnetchk tool, and is built in. It is an inventory of what is installed, though, not a check of what is missing: you still need the list of patches that apply to the build in order to compare. (On Vista and later, qfe reports only updates installed through the Windows servicing stack, so application updates installed by other means will not appear.)
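An added example, not part of the webcast, that turns the two listings above into checks: the account data behind wmic useraccount list full (Win32_UserAccount) with the security-relevant columns pulled out and evaluated, and the patch inventory behind wmic qfe (Win32_QuickFixEngineering) compared against a list of updates you expect to find. The function names are mine, and the KB identifiers in the usage lines are placeholders, not real update numbers.

```powershell
# Added example: the account listing behind "wmic useraccount list full" and the
# patch inventory behind "wmic qfe", each turned into a check rather than a dump.
function Get-LocalAccountReport {
    # LocalAccount = TRUE keeps Win32_UserAccount from enumerating the whole
    # domain on a domain-joined machine.
    foreach ($u in Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE') {
        $rid = [int](($u.SID -split '-')[-1])
        [pscustomobject]@{
            Name             = $u.Name
            SID              = $u.SID
            BuiltInAdmin     = ($rid -eq 500)   # RID 500 is the built-in Administrator, whatever it is named
            BuiltInGuest     = ($rid -eq 501)
            Disabled         = $u.Disabled
            PasswordRequired = $u.PasswordRequired
            PasswordExpires  = $u.PasswordExpires
            LockedOut        = $u.Lockout
        }
    }
}

function Compare-InstalledHotfixes {
    param(
        # KB identifiers you expect on this build, e.g. from your patch baseline.
        [Parameter(Mandatory)][string[]]$Expected
    )
    # Win32_QuickFixEngineering is the class behind "wmic qfe". On Vista and
    # later it lists only updates installed through the servicing stack.
    $installed = @(Get-CimInstance -ClassName Win32_QuickFixEngineering |
                   ForEach-Object { $_.HotFixID.ToUpperInvariant() })
    foreach ($kb in $Expected) {
        [pscustomobject]@{ HotFixID = $kb; Installed = ($installed -contains $kb.ToUpperInvariant()) }
    }
}

# Accounts worth a second look: enabled with no password required, or the
# built-in Administrator still enabled (renaming it does not change the RID).
Get-LocalAccountReport |
    Where-Object { -not $_.Disabled -and (-not $_.PasswordRequired -or $_.BuiltInAdmin) } |
    Format-Table Name, SID, BuiltInAdmin, PasswordRequired, PasswordExpires -AutoSize

# Expected updates that are not installed. The KB numbers are placeholders;
# substitute the baseline for your own build.
Compare-InstalledHotfixes -Expected 'KB0000001', 'KB0000002' |
    Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

The RID check is the point of pulling SIDs at all: an attacker who renames Administrator to something innocuous still leaves it with RID 500, and net user will not tell you that. Both functions also work remotely by adding -CimSession to the Get-CimInstance calls, just as the slide's wmic commands do with /node:.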

Page 33 (slide 20)

Using wmic useraccount and qfe (screenshot: steps 1 and 2)

Let's look at this in more detail.

Check out your administrator account with the following command, in Step 1:

C:\> wmic use raccount where name="Administrator" list full

Note the SID and other security settings.

Next, look at the installed patches, using this syntax:

C:\> wmic qfe where FixComments="Update" get HotFixID, InstalledOn, InstalledBy

Page 34 (slide 21)

WMIC and Network Interfaces

• You can get a list of network interfaces configured for IP with:
C:\> wmic nicconfig where ipenabled='true' get index,caption

• You can configure an IP address and netmask with:
C:\> wmic nicconfig where index=2 call enablestatic ("192.168.1.10"), ("255.255.255.0")
– The index is the thing you get from the first command above
– The address and mask shown are only examples; substitute your own

• You can set DHCP with:
C:\> wmic nicconfig where index=2 call enabledhcp

– Or, for more details:
C:\> wmic nicconfig list full

• I personally hate this notation, and prefer the netsh command for doing this kind of thing

Next, you can use WMIC to update your network settings at the command line.

To view your network interfaces, run this command:

C:\> wmic nicconfig where ipenabled='true' get index,caption

To alter the IP address or netmask, call the enablestatic method on the interface whose index you found above, passing the address and the mask as two separate parenthesized arguments (the values here are placeholders):

C:\> wmic nicconfig where index=2 call enablestatic ("192.168.1.10"), ("255.255.255.0")

Or, to use DHCP, try this:

C:\> wmic nicconfig where index=2 call enabledhcp

To see all that you can set using this command, you could run:

C:\> wmic nicconfig list full

I personally dislike this network-attribute-setting notation within WMIC. I find it cumbersome, and much prefer the netsh command for this kind of stuff, which you can review on your own later.

Page 35 (slide 22)

WMIC Output Options

• WMIC can format its output in many different ways
• To get a list of options:
C:\> wmic [commands] /format /?
– As in:
C:\> wmic process list /format /?
– Possibilities include CSV, HTML Table (htable), etc.

• Store output in a file using the /output:[file] option, as in:
C:\> wmic /output:c:\temp.html process list /format:htable
– Open that in a browser, and get some nice output!

WMIC normally dumps its output as plain text on standard out. But, you can change this using the /format option. Numerous different output formats are supported, but the most useful are CSV and HTML tables.

You can dump WMIC's output into a file using the /output:[file_name] directive as well. Note that WMIC writes such files as Unicode (UTF-16), which trips up some tools that expect plain ASCII, such as findstr; /format:csv output is the easiest to feed into a spreadsheet or a script.

For example, to get a process list as an HTML table, stored in a file called c:\temp.html, you could run:

C:\> wmic /output:c:\temp.html process list /format:htable

Then, from within a browser, you could open c:\temp.html and view your beautiful output.

Page 36: Essential Windows Command Line Kung-Fu for InfoSec Pros

WMIC Recording

• WMIC can record the user, command typed, the output, and a timestamp, by using the /record: option, as in:
C:\> wmic /record:c:\test.xml process list brief

• That’s nice for incident handling, because you’ll have a record of what you typed… but some big limitations

• Output only in XML format (just open it in a browser)
• Output overwrites any previous c:\test.xml file (does not append)
• Thus, you have to vary your file names for recording

Another really nifty feature of WMIC that could help incident handlers is the recording feature, implemented via the /record:[file_name] option. When used in a WMIC command, this option makes WMIC create a file that contains the command, the date and time, the user that ran the command, and the output of the command, a handy history of what you did.

But, there are some big limitations here. The result is in XML, and isn’t overly pretty. You could open it in a browser, though, which will parse it pretty well.

And, keep in mind that if there is a file already with the name you choose, you’ll overwrite it with the new record. Thus, if you want an evidence trail of all the WMIC commands you typed, you’d have to remember to vary the file_name entry you put in as follows:

C:\> wmic /record:c:\test1.xml process list brief

C:\> wmic /record:c:\test2.xml process list full

C:\> wmic /record:c:\test3.xml process where name="cmd.exe" delete
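Remembering to vary the file name by hand is exactly the step an incident handler forgets. The following batch wrapper is an added example (not part of the webcast slides): it takes the timestamp from WMIC’s own clock and builds a fresh /record: file per command, so no earlier record is overwritten. The script name wrec.cmd and the C:\wmic-records directory are assumptions.

```batch
@echo off
rem wrec.cmd - added example, not part of the original slides.
rem Wraps "wmic /record:" so each command gets its own timestamped file,
rem working around the overwrite-instead-of-append limitation described above.
rem Usage:  wrec.cmd process list brief
rem Assumption: records go under C:\wmic-records (any local directory will do).
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<wmic command^>
    exit /b 1
)
set "LOGDIR=C:\wmic-records"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem Build a sortable timestamp from WMIC's own clock (locale-independent):
rem "wmic os get localdatetime" prints e.g. 20060417153012.123456-240;
rem findstr keeps only the value line, and we keep the 14 digits before the dot.
set "STAMP="
for /f "tokens=1 delims=." %%t in ('wmic os get localdatetime ^| findstr /r "^[0-9]"') do (
    if not defined STAMP set "STAMP=%%t"
)
if not defined STAMP (
    echo Could not read the clock through WMIC
    exit /b 1
)

set "REC=%LOGDIR%\wmic-%STAMP%.xml"
rem Two commands inside the same second would still collide; add a suffix.
if exist "%REC%" set "REC=%LOGDIR%\wmic-%STAMP%-%RANDOM%.xml"

echo Recording to %REC%
rem %* passes the rest of the command line through to WMIC untouched.
wmic /record:%REC% %*
endlocal
```

Every record still carries the user, command and output that /record: normally captures; the wrapper only chooses the file name.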

Page 37: Essential Windows Command Line Kung-Fu for InfoSec Pros

Windows Command-Line Kung Fu

• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

And now, it is time for some other useful odds and ends, especially some items that can help deal with fighting spyware.

Page 38: Essential Windows Command Line Kung-Fu for InfoSec Pros

Other Useful Commands: Tasklist

• Tasklist command shows running processes
C:\> tasklist
– Ho hum…
– Yes, but there are some nice options!
– Show all services associated with each process
C:\> tasklist /svc
– Show all DLLs loaded into processes with a given name
C:\> tasklist /fi "imagename eq cmd.exe" /m
– Show all processes with a given DLL
C:\> tasklist /m ntdll.dll

The tasklist command, included in WinXP Pro and Win2003, shows running processes, kind of replicating the functionality of “wmic process list brief”. But, it’s nice to have another option.

You can run it by itself as follows:

C:\> tasklist

Some of the options it includes are very nice. Particularly, you can see all services associated with each running process by using this command:

C:\> tasklist /svc

Going further, the /m option shows you a list of DLLs that each process has loaded (something that you could also see with Process Explorer from www.sysinternals.com). Also, you can look for processes based on their name, using the syntax /fi (which stands for filter) followed by “imagename eq [process_name]”.

Putting these concepts together, you can get a list of all the DLLs loaded by all cmd.exe processes by running this:

C:\> tasklist /fi "imagename eq cmd.exe" /m

Or, if you want to see all processes that have loaded the ntdll.dll DLL, you could run:

C:\> tasklist /m ntdll.dll

Page 39: Essential Windows Command Line Kung-Fu for InfoSec Pros

Other Useful Commands: Taskkill

• Taskkill kills processes by PID
C:\> taskkill /PID [pid]
– Like Unix/Linux kill -9 [pid]
– Can also make a list of pids and kill them all quickly one after another
C:\> taskkill /PID [pid1] /PID [pid2]

• Taskkill also kills processes by name
C:\> taskkill /IM [name]
– Like Unix/Linux killall -9 [name]

Taskkill lets you kill processes, based on various attributes. One nice option is that you can kill multiple processes on the same command line, provided that you have their PIDs. You can do this by typing:

C:\> taskkill /PID [pid1] /PID [pid2]

Or, you can kill a process based on its name by typing:

C:\> taskkill /IM [name]

Page 40: Essential Windows Command Line Kung-Fu for InfoSec Pros

Using tasklist and taskkill

[Screenshot: Step 1, Step 2]

Let’s look at tasklist and taskkill quickly…

In Step 1, run the following command to see all of the services associated with each process:

C:\> tasklist /svc

Wow! Svchost.exe is one busy little process, isn’t it? Thanks, Microsoft, for bundling all of that splendid functionality into one process.

Now, let’s kill our cmd.exe based on its name, as follows:

C:\> taskkill /IM cmd.exe
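The tasklist /fi filter and the multi-/PID form of taskkill shown on the last two slides combine into one script, which is also the shape of Challenge 2 later in the deck. This is an added example, not code from the webcast; the script name killbyname.cmd is hypothetical.

```batch
@echo off
rem killbyname.cmd - added example, not part of the original slides.
rem Step 1 (tasklist /fi): collect the PID of every process whose image name
rem matches the argument.  Step 2 (taskkill /PID ... /PID ...): kill them all
rem with ONE command, which matters when cooperating processes respawn each
rem other faster than you can type separate taskkill lines.
rem Usage:  killbyname.cmd calc.exe        (add /F as 2nd arg to force-kill)
setlocal enabledelayedexpansion
if "%~1"=="" (
    echo Usage: %~nx0 ^<image name^> [/F]
    exit /b 1
)
set "PIDS="
rem /fo csv /nh prints one quoted record per matching process, e.g.
rem   "calc.exe","1234","Console","0","3,456 K"
rem token 2 (split on commas) is the PID; %%~p strips the surrounding quotes.
rem When nothing matches, tasklist prints an INFO line with no commas, so
rem token 2 is empty and the guard below skips it.
for /f "tokens=2 delims=," %%p in ('tasklist /fi "imagename eq %~1" /fo csv /nh') do (
    if not "%%~p"=="" set "PIDS=!PIDS! /PID %%~p"
)
if not defined PIDS (
    echo No running process named %~1
    exit /b 0
)
echo Found %~1 at PIDs:%PIDS:/PID=%
rem One taskkill carrying every /PID; /F (if given) is the kill -9 analogue.
taskkill %~2%PIDS%
endlocal
```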

Page 41: Essential Windows Command Line Kung-Fu for InfoSec Pros

Windows Command-Line Kung Fu

• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

And now, some conclusions… followed by exercises for you to think about. We won’t cover the answers for the exercises on the webcast. Feel free to do them on your own at a later time, and check the answers against the slides included at the end of this PDF.

Page 42: Essential Windows Command Line Kung-Fu for InfoSec Pros

Conclusions

• Built-in Windows command line tools are quite powerful
• But, their syntax can be rather obscure
• Still, with a little exposure, Windows command-line tools can be very helpful to security personnel

In conclusion, you now should feel more comfortable using Windows command-line tools for your analysis of computer attacks.

Note that some of the syntax we covered looks a little obscure at first. However,after using it for a while, you’ll become much more comfortable with it.

And, if you have any additional ideas of cool Windows command line tricks, please let me know at [email protected].

Thank you!

SPOILER: IF YOU TURN THE PAGE, YOU WILL SEE SOME POSSIBLE ANSWERS TO THE CHALLENGES… DON’T TURN THE PAGE IF YOU DON’T WANT TO SEE THEM YET!

Page 43: Essential Windows Command Line Kung-Fu for InfoSec Pros

Windows Command-Line Kung Fu

• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

And now, if you’ve downloaded this slide deck, here are some exercises for you to think about… We won’t cover these in the main webcast presentation, but you should be able to do these items. The answers are included at the end of this session.

Page 44: Essential Windows Command Line Kung-Fu for InfoSec Pros

Some Exercises

• Using your Windows command-line kung fu…

• Try the following exercises (answers are listed later)

So, using your Windows Command-Line Kung Fu, we have a series of six challenges for you to undertake. First, we’ll list all of the challenges. Then, we’ll include some possible answers.

Good luck!

Page 45: Essential Windows Command Line Kung-Fu for InfoSec Pros

Challenge 1: Killing Processes By Name

• Go to Start, Run, and bring up calc.exe

• Do it again, so that you have two calc.exe processes running

• Challenge: Kill both processes rapidly using a single command, assuming you know their name (calc.exe)

Here is challenge 1. It illustrates how to kill multiple processes based on their name, assuming they have the same name.

Page 46: Essential Windows Command Line Kung-Fu for InfoSec Pros

Challenge 2: Killing Processes Based on PID

• Go to Start, Run, and bring up calc.exe

• Do it again, so that you have two calc.exe processes running

• Challenge: Run a single command to determine the process IDs of the calc.exe processes

• Challenge: Then, run a single command to kill those processes rapidly, assuming you know their process IDs

Here is challenge 2. This one is very helpful in stopping some forms of malware that have cooperating processes that spawn each other rapidly.

Page 47: Essential Windows Command Line Kung-Fu for InfoSec Pros

Challenge 3: Determining Command Line Invocation

• Run a calc process with a whole bunch of bogus command flags
– C:\> calc.exe -l -p 2222 -e cmd.exe

• Challenge: Using a single command, find the command line used to invoke calc

• Bonus challenge: Make sure your command output also shows the full path to calc!

Here is challenge 3, illustrating techniques that are useful in figuring out where malware is running from and how it was invoked.

Page 48: Essential Windows Command Line Kung-Fu for InfoSec Pros

Challenge 4: Determine If a Given Patch Is Installed

• Challenge: With a single command, determine if the patch associated with KB896428 is installed

• Bonus Challenge: What date was that hotfix installed?

Here is challenge 4, which shows how to look at patch levels and installation dates.

Page 49: Essential Windows Command Line Kung-Fu for InfoSec Pros

Challenge 5: Determine Run Reg Keys

• Challenge: With a single WMIC command, find the Caption and Location of every autostart program that begins from a Run registry key

This challenge, number 5, is very helpful in figuring out how something might be starting at system boot or user logon.

Page 50: Essential Windows Command Line Kung-Fu for InfoSec Pros

Challenge 6: Find Elements of WMIC Area and Use Them

• Challenge: Determine all elements of wmic usernames

• More Challenge: Then, in a single command, show the name and SID of all local accounts that do not have account Lockout enabled

This challenge (number 6) lets us look at the details of a user account, based on the status of that account.

Page 51: Essential Windows Command Line Kung-Fu for InfoSec Pros

Answer to Challenge 1

Here are two different ways to answer Challenge 1.

Page 52: Essential Windows Command Line Kung-Fu for InfoSec Pros

Answer to Challenge 2

Here is how to do Challenge 2.

Page 53: Essential Windows Command Line Kung-Fu for InfoSec Pros

Answer to Challenge 3

Here is the answer for Challenge 3.

Page 54: Essential Windows Command Line Kung-Fu for InfoSec Pros

Answer to Challenge 4

And, here, my friends, is the answer to Challenge 4.

Page 55: Essential Windows Command Line Kung-Fu for InfoSec Pros

Answer to Challenge 5

Here are two approaches to answering Challenge 5.

Page 56: Essential Windows Command Line Kung-Fu for InfoSec Pros

Answer to Challenge 6

This is the answer to Challenge 6. Note that we first got a list of all attributes that can be seen with wmic useraccount, and then we queried against some of those attributes.