Essential Windows Command Line Kung-Fu for Infosec Pros
TRANSCRIPT
SANS Webcast © 2006
SANS Institute presents: Essential Windows Command-Line Kung Fu for Info Sec Pros
• Speakers
– Ed Skoudis, Intelguardians
– Alexander Horan, Core Security Technologies
– Q/A session with today’s speakers
– Send questions to ‘[email protected]’
Core Security Technologies
46 Farnsworth St
Boston, MA 02210 Ph: (617) 399-6980
www.coresecurity.com
Security Assurance: Vulnerability Assessment, Management and Auditing
Handling Vulnerabilities is Crucial
• Scanners are used to detect flaws on the first layer of defense, such as improper configurations or sub-par patch revisions
– Good for information assurance and compliance
• Vulnerability scanning yields one view of the network topology
– Does not show or exploit linkage between information systems and assets
– Will not show the impact of loss of information assets (only shows the "outer layer" of the onion) such as theft of intellectual property, leakage of internal communications, etc.
– Does not show the true level of threat had the network been compromised by a motivated adversary
• Sample vulnerability scanning products
– Nessus, Retina, GFI LanGuard
Penetration Testing Complements Vulnerability Scanning
Penetration Testing Overview
• Penetration Testing: Actively exploits vulnerabilities within a network
• Replicates access an intruder could achieve and safely proves actual paths of attacks that must be eliminated
• Only way to objectively gauge threats
– Without physically penetrating the host or network, there is no way to quantify and qualify an organization’s true exposure in the event of a “real” security compromise
• Advantages: Enables you to be proactive with informed security decisions
– Provides efficient, precise, cost-effective remediation information, enabling accurate corrective action to be taken
– Allows you to see your network through the eyes of an attacker to prevent attack
– Exposes vulnerabilities and subsequent network information or resources that are at risk
CORE IMPACT – Automated Penetration Testing
• Mimics attacker behavior: launches real-world attacks safely and efficiently, demonstrating exactly what an attacker can do
• Industrializes penetration testing: automates a previously manual, expensive process with Core Impact Rapid Penetration Test (RPT)
• Provides important features:
– Commercial-grade exploits
– Innovative agent technology
– Powerful user interface
– Automation of repetitive tasks
– Complete log of all activities
– Customizable reporting
– Links to fixes
• Advanced Penetration Testing scenarios
– External attacker with no previous knowledge
– Internal attacker w/access to internal network
• Augment Vulnerability Management
– Reduce false positives and know which vulnerabilities to remediate first
• Verification of IDS / IPS and other security controls
– Use real attacks to evaluate effectiveness of security products in your specific environment
• Legislative and industry compliance (SOX, HIPAA, FISMA, PCI requirements, etc.)
– Meet regular network testing, reporting and auditing requirements
Benefits of CORE IMPACT
Demonstration
[Diagram of demo network]
CORE IMPACT Delivers Significant Benefits
• Encompasses all phases of Penetration Testing in one comprehensive framework
• Executes real attacks safely and efficiently
• Enables consistent, repeatable tests
• Helps test and evaluate other security solutions and systems
• Clearly identifies compromisable assets and helps intelligently prioritize remediation efforts
CORE IMPACT Review
Essential Windows Command-Line Kung Fu - ©2006, Skoudis 1
Essential Windows Command-Line Kung Fu
By Ed Skoudis
Copyright 2006, Ed Skoudis
Version 2Q06
Hello and welcome to this webcast on Windows Command-Line Kung Fu. Over the next half hour or so, we’ll discuss several tools built in to Windows that can be used by security pros to better understand what’s happening on their systems. Unfortunately, too few people realize the power of built-in command-line tools on Windows that can help us all do our jobs better. I am hopeful that this session will help you improve your command-line kung fu in Windows.
Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
Here is our outline. We’ll start out with an overview and then move into some general command-line stuff. We’ll then cover in depth the wmic command. Then, we’ll have some other odds and ends that include other useful tools, and we’ll culminate with some exercises to challenge your kung fu.
Introduction and Motivation
• A lot of people don’t realize the power of the command shell in Windows
– Don’t laugh!
– It’s not bash, but it’s got some pretty nice capabilities
• Why use it? Sometimes GUI tools aren’t available
– Spyware has killed them
– Task Manager or services.msc might not be available
• Command-line tools lend themselves better to:
– Scripting
– Pulling out important items from long lists of information
Windows ships with some amazingly powerful command-line tools that often aren’t used. Instead, most Windows admins utilize GUI-based tools.
Although the Windows command shell (cmd.exe) is not as powerful as the Linux/Unix bash shell, it can let us do some very useful things.
But, you might be wondering, why would I ever want to use a command-line tool when I’m perfectly happy and comfortable using a GUI in Windows? Well, increasingly, spyware and rootkits alter the display in GUI-based tools, or prevent them from working at all. For instance, I was working on a project analyzing spyware that had destroyed Task Manager and the Services Control Panel. Analysis at the GUI would have been very tough, given that we weren’t allowed to load any additional tools (like the great suite of analysis tools from www.sysinternals.com). Instead, we relied on built-in Windows command-line tools to do our heavy lifting.
Also, many command-line tools are better for pulling out subtle information that could be buried in a complex GUI. By sorting or searching command-line output, we can get a great level of insight into what’s happening on a machine.
It’s important to note that we will not go over every single option of every single command. That would be boring and take too long. Instead, we’ll go over using these commands to improve the day-to-day world of an incident handler, system administrator, and security professional.
Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
Let’s do a brief overview of the Windows command line, so we’re all on the same page.
A Couple of Points About the Windows Shell
• Please use cmd.exe, not command.com
• Start → Run… and type “cmd.exe”
– I advise you to type cmd.exe, instead of just cmd
– That’s because a bad guy could create a cmd.com, which would run instead of the .exe
– “.” is implicitly in your path
• Remember:
– The > means put output in a file
– The < means get input from a file
– The | means take the output of one command and use it as input for the next command
For all of the stuff we cover in this session (and for all of your Windows use after that, quite frankly), please use cmd.exe and avoid command.com like the plague that it is. Command.com is a very limited shell, included for backward compatibility with DOS. It’s time to use cmd.exe, please!
To invoke cmd.exe, please go to Start → Run… and type “cmd.exe”, without the quotes. Also, whenever you invoke cmd.exe, make sure that you put a .exe on its end. If you just type cmd, without the .exe, an attacker could trick you into running a backdoor called cmd.com. That’s because, with the Windows shell, your current working directory (called “.”) is in your PATH. What’s more, if no suffix is provided by the user, Windows defaults to running .com files before .exe files.
Another couple of things to keep in mind involve redirecting standard input and standard output at the shell. The > symbol means that the given command should place its standard output in a file. The < symbol tells a program to get its standard input from a file. And, finally, the pipe symbol (“|”) tells one program to send its standard output into the standard input of another program.
Controlling Output with cls, more, find, findstr, and sort
• To clear the screen, type:
C:\> cls
• To paginate long output, use more:
C:\> wmic process list full | more
• To find a particular string in output, use find with quotes
C:\> wmic process list brief | find "cmd.exe"
• To exercise more complex finds (with regular expressions), use findstr
• To sort output, use sort
And, a couple of other small notes.
To clear the screen, use the cls command, which stands for Clear Screen.
To paginate long output, pipe it through the more command. That’ll show you one page at a time. Sadly, Windows does not include by default the less command, which on Unix and Linux gives more options for viewing and searching output than more. In this case, less is truly more than more.
To find a string in the output of a command, you could pipe it through the find command, as in wmic process list brief | find "cmd.exe". This will run the wmic command with the “process list brief” options, and search its output for the string cmd.exe. Note that with the find command, you need to put quotes around the item for which you search.
The findstr command goes further, allowing you to write regular expressions to match against the output of a command. Since we only have a half hour or so, we will not be covering regular expressions or the findstr command. Feel free to experiment with it on your own.
And, finally, you can use the sort command to sort the output of another command, or to simply sort the contents of a file.
Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
And now… let’s enter the wonderful world of WMIC!
WMIC Overview
• Windows Management Instrumentation Command
– Included in WinXP Pro and Win2003 (NOT in XP Home!)
– Can be used to manage Win2000, XP, 2003
• And, with additional installed software, can manage 95/98/NT
• Not a command… it’s a world unto itself
– Allows view of 4,000 properties and configuring 40 in Win2K
– Allows view of 6,000 properties and configuring >150 in XP
– Even more in Win2003
• Run WMIC telling it what to do by typing:
C:\> wmic [commands]
• Or, invoke a custom wmic command prompt with:
C:\> wmic
wmic:root\cli>
WMIC stands for Windows Management Instrumentation Control. That’s a mouthful… let’s dissect it. First off, WMI is a framework and API Microsoft released for analyzing and controlling Windows systems. Similar in goals to the Simple Network Management Protocol (SNMP), WMI goes much further, but is Windows specific.
Before WMIC, admins had to access WMI functionality by writing their own scripts or using executables that made WMI API calls. But, with WMIC, we now have a little command-line tool that lets us read and write WMI attributes without writing any code! That’s wonderful.
Now, WMIC is built in to WinXP Pro and Win2003. But, it is not in WinXP Home, which Microsoft doesn’t really consider a professional-class operating system. Thus, it doesn’t need fancy management capabilities like WMIC. Although the command is built in to XP Pro and 2003, the WMIC command included in those operating systems can be used to manage other system types, including Win2000, WinXP (Pro and Home), and Win2003. You can even manage older stuff (Win95/98/NT) if you install on them the WMI Core tools, available at no extra charge from Microsoft. Note that WMI Core does not equal WMIC! WMIC is a command tool for controlling WMI. WMI Core is WMI manageability for older Windows versions, but you have to run the management tool from Win XP Pro or 2003.
With WMI (and its tool WMIC), you can view thousands of properties of Windows, and update hundreds of them.
You can invoke WMIC in two different ways. First, at a cmd.exe shell prompt, you could type wmic followed by all of the stuff that you want it to do. Or, you could invoke wmic’s own special command console shell by typing wmic and hitting enter (either at a cmd.exe prompt, or going to Start → Run…).
WMIC at cmd.exe Shell vs. WMIC console shell
• I typically use WMIC at the command shell itself, so I can use >, sort, find, and findstr on its output
• But, others prefer to use the WMIC console shell, particularly because it has a fail-safe interactive mode
– If you want to delete anything (such as running processes), you can make it verify with you before that happens
– At WMIC prompt, type:
wmic:root\cli> /interactive:on
– But, that’ll only ask for confirmation for that wmic session
But, which of these two ways of starting WMIC is superior? I prefer typing wmic followed by commands right in line at a cmd.exe prompt. That way, I can get my output on standard out, and search it using find, findstr, and sort.
Other people like the WMIC command prompt, because they can set it to prompt them before they do something destructive, like killing processes. To get a confirmation prompt, invoke WMIC and hit enter. Then, at the WMIC prompt, type “/interactive:on”. For that one WMIC session, you’ll get a confirmation request before you delete anything. Note that if you exit WMIC (by typing “exit”), the interactive configuration disappears. You’ll have to turn it on again the next time you use WMIC. Also, the interactive setting has no impact at all if you just use WMIC followed by commands right at the command shell.
WMIC Help and Remote Usage
• To get help within WMIC, type:
C:\> wmic /?
• Or, for more detailed help:
C:\> wmic /?:full
• By default, WMIC runs against local machine
• But, you can run WMIC queries or updates against a remote box using this notation:
C:\> wmic /user:[admin_user] /password:[password] /node:[machine_name] [commands]
To see all of the incredible options available within WMIC, type “wmic /?”. For more detail, you can run “wmic /?:full”.
Another really neat part about WMIC is that it can run locally or across the network against a machine for which you have admin privileges. By default, it runs against the local machine. But, you can run it against a remote system by typing the following:
C:\> wmic /user:[admin_user] /password:[password] /node:[machine_name] [commands]
Keep in mind that everything we are about to discuss regarding WMIC can be run locally or remotely! It’s very powerful when used remotely.
WMI Query Language (WQL)
• WMIC can be used simply to list various attributes using its own query language, called WQL (WMI Query Language)
– Subset of ANSI SQL
– Primary useful elements of WQL:
• list: show a list of something
• get: get a value of an element
• create: create an element
• delete: delete an element
• where clauses to match some property. Example: where name="cmd.exe"
• /every:[N]: Run this every N seconds
• like and % to match substrings
The commands that you type into WMIC are formatted in the WMI Query Language (WQL), which is a subset of SQL.
There are many elements of WQL which we’ll use for this webcast. I’m hopeful that, by the end of this session, you’ll be able to navigate WQL, with some of its most useful query types.
The syntax includes these key words:
• list: shows a list of something.
• get: gets one or more values of an element. You could get a list of things, separated by commas.
• create: creates an element, which can be used to run programs.
• delete: deletes an element, which can be used to kill processes.
• where: these clauses can match some property to help us sort through a long list of things, for example: where name="cmd.exe"
• /every:[N]: Run this command every N seconds, which works for displaying items, but not creating or deleting them.
• like and %: match specific substrings, a very nifty feature
WMIC Elements
• To get a list of elements associated with a particular area:
C:\> wmic [area] list full
• Then, you can query particular elements in that list
C:\> wmic [area] get [element1], [element2], [element3]
• Essentially creates your own reports
• Order of elements is prebaked by WMIC, unfortunately
• Try these:
C:\> wmic process list full
C:\> wmic process get name, processid, commandline
C:\> wmic process get processid, name, commandline
WMIC displays information in many dozens of areas, including processes, services, and users. To get a list of everything that WMIC knows about a given area, you could run WMIC with a list full option, as in:
C:\> wmic [area] list full
Or, more specifically, looking at processes:
C:\> wmic process list full
That will show you all of the attributes of processes that WMIC knows about. Then, we can query against specific elements in that list by using a get, as in:
C:\> wmic [area] get [element1], [element2], [element3]
Or, to be more specific, suppose we want to get a list of process names and Process Ids. We could run this:
C:\> wmic process get name, processid
This way, you can create your own little reports with just the information you want. Unfortunately, the order of the attributes displayed by WMIC is fixed. You can control what attributes you see, but the order is always the same.
WMIC and Listing Processes
• WMIC provides a lot of information about processes:
C:\> wmic process list brief
• Or, to narrow it down:
C:\> wmic process list brief | find "cmd.exe"
– Fourth column is process id (first column is memory info)
• Or, to run it every 1 second:
C:\> wmic process list brief /every:1
– Works kind of like Unix/Linux top command
• To get specific items, you can name what you want in a list:
C:\> wmic process get name, processid, commandline
– Nice, because it shows the command-line invocation!
– Somewhat like Unix/Linux ps -aux
So, let’s use WMIC to do some things that might be useful to an incident handler or system administrator. First off, to get a listing of the most interesting elements of running processes, you could do this:
C:\> wmic process list brief
Next, if you were only interested in the cmd.exe processes that are running, you could go through the output and pull out lines with cmd.exe in them as follows:
C:\> wmic process list brief | find "cmd.exe"
This command works rather like the “ps -aux | grep cmd.exe” command would on a Unix or Linux machine.
You could display the process list every second with this syntax, which works something like the Unix or Linux top command:
C:\> wmic process list brief /every:1
Also, you can get a list of process names, processids, and command lines used to invoke each program with this little WQL:
C:\> wmic process get name, processid, commandline
That command-line invocation is especially helpful in investigations!
WMIC and Killing Processes
• To kill a process based on PID
C:\> wmic process [pid] delete
– Works kind of like Unix/Linux: kill -9 [pid]
• To kill a process based on name
C:\> wmic process where name="cmd.exe" delete
– Works kind of like Unix/Linux: killall -9 cmd.exe
– And, remember, you can do this remotely! Woohoo!
• To start a process (say, calc.exe):
C:\> wmic process call create calc.exe
– And, remember, you can do this remotely too!
– Who needs psexec (tool free from www.sysinternals.com)?
Looking at processes is nice, but sometimes an incident handler or sys admin needs to kill processes. You can do this with WMIC as follows:
C:\> wmic process [pid] delete
This command functions rather like the Unix and Linux kill command, when used as “kill -9 [pid]”, immediately terminating a process.
Alternatively, you can kill all processes with a given name, rather like the “killall -9 [name]” command would work on Unix or Linux, as follows:
C:\> wmic process where name="cmd.exe" delete
You could even do that remotely, with the user name, password, and node syntax we described earlier, killing all cmd.exe’s running on a different machine, provided that you had administrative credentials on that system.
But, WMIC doesn’t let you just view and kill processes. You can also start processes, using this syntax to run calc.exe:
C:\> wmic process call create calc.exe
With the remote syntax we presented earlier, you can use WMIC to run any command on a target system. The free psexec lets you do that as well (from www.sysinternals.com), but it is not built in to Windows. WMIC lets you have psexec-like functionality, but built in! Also, psexec sends credentials in clear text! WMIC does not, but instead uses the encrypted Windows authentication (LANMAN Challenge-Response, NTLMv1, NTLMv2, or Microsoft Kerberos, depending on how the system is configured).
Using WMIC process
[Screenshots: Step 1, Step 2]
Let’s quickly look at WMIC’s process abilities.
In Step 1, simply type:
C:\> wmic process list brief
See all of the processes you have running! Nice!
Next, in Step 2, invoke a calc.exe process from the command shell by running this:
C:\> wmic process call create calc.exe
Of course, you could have just typed “calc.exe” at the command prompt… but with WMIC, you have an option of doing this remotely!
Using wmic process delete
[Screenshots: Step 1, Step 2]
Next, we’ll use WMIC to pull specific attributes associated with our running calc.exe process. This technique will show two things. First, it’ll let us see how to use a where clause to focus on a particular entity. Secondly, it’ll show us how to get some specific attributes of that entity.
In Step 1, type:
C:\> wmic process where name="calc.exe" get name, processid, commandline
Note that you can see the command line used to invoke each running process! That’s very helpful.
In Step 2, we’ll kill our calc.exe process based on its name, using WMIC thusly:
C:\> wmic process where name="calc.exe" delete
Your running calculator should disappear.
WMIC and Services
• To get a list of all services and their settings:
C:\> wmic service list full
• To just look at started services:
C:\> wmic service where started="true"
• To get a list of process IDs associated with started services:
C:\> wmic service where started="true" get name, pathname, processid
Beyond processes, WMIC also lets us interact with services.
To get a list of all services defined on the box (whether they are running or not), simply type:
C:\> wmic service list full
That’ll also show you all of the attributes of each service.
If you only want to see running services, you can use the where clause to look for items with the attribute called started set to true, as follows:
C:\> wmic service where started="true"
If you want to get a list of process Ids associated with each started service, you could use the following (again, note the WQL used to pull information from specific attributes with a get, using a where clause to narrow down our search):
C:\> wmic service where started="true" get name, pathname, processid
WMIC and Shares
• To get a list of available shares:
C:\> wmic share
• For more details:
C:\> wmic share list full
• To get rid of a share:
C:\> wmic share [share_name] delete
• To see all shares on the E: partition:
C:\> wmic share where (path like "%E:%") list brief
We can also pull share information using WMIC, to see what file shares our local system has made available through Windows networking, as follows:
C:\> wmic share
If you want more details, you could run:
C:\> wmic share list full
You can even use WMIC to delete a given file share so that no one can connect to it, as follows:
C:\> wmic share [share_name] delete
(By the way, you could, if you want, just temporarily delete your ADMIN$ share this way… then run the “net share” command to verify that it is gone. When you reboot, it should come back.)
Now, let’s look at the substring options of wmic. If you want to see all of the shares you’ve got on a given partition (such as, say, your E: drive), you could run:
C:\> wmic share where (path like "%E:%") list brief
That ability to use like and % is incredibly useful. I like using it for wmic process, wmic share, and wmic qfe (which we’ll cover shortly).
WMIC and System Details
• To get a list of all start-up items
C:\> wmic startup list full
– Who needs msconfig (built-in) or autoruns (again, www.sysinternals.com)?
• To get a list of user accounts:
C:\> wmic useraccount list full
– Even gives you SIDs! Who needs net user?
• To get a list of installed service packs and patches (quick fix engineering)
C:\> wmic qfe
– Or, for more details,
C:\> wmic qfe list full
– Who needs hfnetchk? And, remember, you can do this remotely!
Here is an extremely useful aspect of WMIC… getting a list of all start-up programs, whether they start up from an autostart folder or from a registry key. You can get this comprehensive list by running:
C:\> wmic startup list full
Now, this command can be used to pull very similar information to the msconfig command built into WinXP and 2003, or the Autoruns tool from www.sysinternals.com. But, wmic is built in, and provides it all at the command line.
You can get a list of users (including their SID numbers) from the local SAM database with this command:
C:\> wmic useraccount list full
Why, that’s even more and better information than you get from the “net user” command. Clearly, not all Windows Command-Line Kung Fu is created equal.
And, here’s a vital one… getting a list of all installed service packs and patches, using this command:
C:\> wmic qfe
For even more info, add a “list full” to the end, which will even show you the date when a given patch was installed. Remember, you can even do this remotely! So, this WMIC option supplants a lot of the functionality in the hfnetchk tool, and is built in.
Using wmic useraccount and qfe
[Screenshots: Step 1, Step 2]
Let’s look at this in more detail.
Check out your administrator account with the following command, in Step 1:
C:\> wmic useraccount where name="Administrator" list full
Note the SID and other security settings.
Next, look at the installed patches, using this syntax:
C:\> wmic qfe where FixComments="Update" get HotFixID, InstalledOn, InstalledBy
WMIC and Network Interfaces
• You can get a list of network interfaces configured for IP with:
C:\> wmic nicconfig where ipenabled='true' get index,caption
• You can configure an IP addr and netmask with:
C:\> wmic nicconfig where index=[index] call enablestatic("[ip_address]"),("[netmask]")
– The index is the thing you get from the first command above
• You can set DHCP with:
C:\> wmic nicconfig where index=2 call enabledhcp
– Or, for more details,
C:\> wmic nicconfig list full
• I personally hate this notation, and prefer the netsh command for doing this kind of thing
Next, you can use WMIC to update your network settings at the command line.
To view your network interfaces, run this command:
C:\> wmic nicconfig where ipenabled='true' get index,caption
To alter the IP address or netmask, you could do this:
C:\> wmic nicconfig where index=[index] call enablestatic("[ip_address]"),("[netmask]")
Or, to use DHCP, try this:
C:\> wmic nicconfig where index=2 call enabledhcp
To see all that you can set using this command, you could run:
C:\> wmic nicconfig list full
I personally dislike this network-attribute-setting notation within WMIC. I find it cumbersome, and much prefer the netsh command for this kind of stuff, which you can review on your own later.
WMIC Output Options
• WMIC can format its output in many different ways
• To get a list of options:
C:\> wmic [commands] /format /?
– As in:
C:\> wmic process list /format /?
– Possibilities include CSV, HTML Table (htable), etc.
• Store output in a file using the /output:[file] option, as in:
C:\> wmic /output:c:\temp.html process list /format:htable
– Open that in a browser, and get some nice output!
WMIC normally dumps its output as plain text on standard out. But, you can change this using the /format option. Numerous different output formats are supported, but the most useful are CSV and HTML tables.
You can dump WMIC’s output into a file using the /output:[file_name] directive as well.
For example, to get a process list as an html table, stored in a file called c:\temp.html, you could run:
C:\> wmic /output:c:\temp.html process list /format:htable
Then, from within a browser, you could open c:\temp.html and view your beautiful output.
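The CSV format is the one to reach for when the output is going to be searched and correlated offline, for instance on an analyst workstation. As an added example (Python written for this transcript, not part of the webcast), the code below parses constructed wmic process /format:csv output, decodes the UTF-16 that WMIC writes when its output is redirected to a file, re-creates WQL’s where ... like filtering with % and _ wildcards, and links child processes to their parents. The CSV layout (leading blank line, Node column, WMIC’s fixed alphabetical column order) is assumed from WMIC’s behaviour, and the process data is made up.

```python
import csv
import re

# Constructed sample (not captured from a real host) of the file produced by:
#   C:\> wmic /output:c:\procs.csv process get name,processid,parentprocessid,executablepath /format:csv
# WMIC emits a leading blank line, prepends a Node column naming the queried
# machine, and orders the remaining columns alphabetically, whatever order
# was typed on the command line.
SAMPLE_CSV = """
Node,ExecutablePath,Name,ParentProcessId,ProcessId
LAB-XP,,System Idle Process,0,0
LAB-XP,,System,0,4
LAB-XP,C:\\WINDOWS\\system32\\services.exe,services.exe,568,612
LAB-XP,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,612,824
LAB-XP,C:\\WINDOWS\\Explorer.EXE,explorer.exe,1480,1536
LAB-XP,C:\\WINDOWS\\system32\\cmd.exe,cmd.exe,1536,1988
LAB-XP,C:\\WINDOWS\\system32\\calc.exe,calc.exe,1988,2044
LAB-XP,C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\cmd.exe,cmd.exe,1536,2100
"""


def decode_wmic_output(raw: bytes) -> str:
    """Decode bytes captured from WMIC.  Output sent to a file with > or
    /output: is UTF-16 with a byte-order mark; output taken from a console
    pipe is single-byte, which for ASCII-only fields decodes losslessly as
    latin-1."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_wmic_csv(text: str) -> list:
    """Turn /format:csv output into one dict per row.  WMIC's leading blank
    line (and any stray blank line) is dropped so DictReader sees the header
    first."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines))


def wql_like(value: str, pattern: str) -> bool:
    """Emulate a WQL 'like' test: % matches any run of characters, _ matches
    exactly one character, and the comparison is case-insensitive, as WQL
    string comparison is."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def where_like(rows, field, pattern):
    """Offline equivalent of:  wmic process where (field like "pattern") ..."""
    return [row for row in rows if wql_like(row.get(field, ""), pattern)]


def children_of(rows, pid):
    """Processes whose ParentProcessId is pid, ordered by ProcessId; WMIC
    hands back every value as text, so compare against str(pid)."""
    kids = [row for row in rows if row["ParentProcessId"] == str(pid)]
    return sorted(kids, key=lambda r: int(r["ProcessId"]))


def pids(rows):
    """ProcessId values of a row list as integers, in the given order."""
    return [int(r["ProcessId"]) for r in rows]


if __name__ == "__main__":
    procs = parse_wmic_csv(SAMPLE_CSV)
    print("cmd.exe instances:", pids(where_like(procs, "Name", "cmd%")))
    print("children of explorer.exe (1536):", pids(children_of(procs, 1536)))
    # Same like/% idea as the share example, applied to where a binary lives.
    for row in where_like(procs, "ExecutablePath", "%\\Temp\\%"):
        print("runs from a Temp folder:", row["Name"], row["ProcessId"], row["ExecutablePath"])
```

Point decode_wmic_output at the bytes of a real /output: file and the rest of the script applies unchanged; the constructed rows exist only so it runs offline.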
WMIC Recording
• WMIC can record the user, command typed, the output, and a timestamp, by using the /record: option, as in:
C:\> wmic /record:c:\test.xml process list brief
• That’s nice for incident handling, because you’ll have a record of what you typed… but some big limitations
• Output only in xml format (just open it in a browser)
• Output overwrites any previous c:\test.xml file (does not append)
• Thus, you have to vary your file names for recording
Another really nifty feature of WMIC that could help incident handlers is the recording feature, implemented via the /record:[file_name] option. When used in a WMIC command, this option makes WMIC create a file that contains the command, the date and time, the user that ran the command, and the output of the command, a handy history of what you did.
But, there are some big limitations here. The result is in XML, and isn’t overly pretty. You could open it in a browser, though, which will parse it pretty well.
And, keep in mind that if there is a file already with the name you choose, you’ll overwrite it with the new record. Thus, if you want an evidence trail of all the WMIC commands you typed, you’d have to remember to vary the file_name entry you put in as follows:
C:\> wmic /record:c:\test1.xml process list brief
C:\> wmic /record:c:\test2.xml process list full
C:\> wmic /record:c:\test3.xml process where name="cmd.exe" delete
Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
And now, it is time for some other useful odds and ends, especially some items that can help deal with fighting spyware.
Other Useful Commands: Tasklist
• Tasklist command shows running processes
C:\> tasklist
– Ho hum…
– Yes, but there are some nice options!
– Show all services associated with each process
C:\> tasklist /svc
– Show all dlls loaded into processes with a given name
C:\> tasklist /fi "imagename eq cmd.exe" /m
– Show all processes with a given dll
C:\> tasklist /m ntdll.dll
The tasklist command, included in WinXP Pro and Win2003, shows runningprocesses, king of replicating the functionality of “wmic process list brief”. But, it’snice to have another option.
You can run it by itself as follows:
C:\> tasklist
Some of the options it includes are very nice. Particularly, you can see all servicesassociated with each running process by using this command:
C:\> tasklist /svc
Going further, the /m option shows you a list of DLLs that each process has loaded (something that you could also see with Process Explorer from www.sysinternals.com). Also, you can look for processes based on their name, using the syntax /fi (which stands for filter) followed by “imagename eq [process_name]”.
Putting these concepts together, you can get a list of all the DLLs loaded by all cmd.exe processes by running this:
C:\> tasklist /fi "imagename eq cmd.exe" /m
Or, if you want to see all processes that have loaded the ntdll.dll DLL, you could run:
C:\> tasklist /m ntdll.dll
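When you are hunting for a suspicious DLL, the next question is always which services the hosting processes belong to. The batch file below, an added example rather than anything from the deck, chains the /m, /fi, /svc and /fo csv options so one command answers both questions; the script name dllhunt.cmd is an assumption.

```batch
@echo off
REM dllhunt.cmd  (hypothetical helper, not from the webcast)
REM For every process that has loaded the named DLL, print its image
REM name and PID, then the services hosted inside that process.
REM Usage:  dllhunt.cmd ntdll.dll
setlocal EnableDelayedExpansion

if "%~1"=="" (
    echo Usage: %~nx0 ^<dll name^>   e.g. %~nx0 ntdll.dll
    exit /b 1
)
set "DLL=%~1"
set /a HITS=0

REM /fo csv /nh yields one record per process: "image","pid","dll1,dll2,..."
REM tokens 1 and 2 are the image name and PID; %%~A / %%~B strip the quotes.
for /f "tokens=1,2 delims=," %%A in ('tasklist /m %DLL% /fo csv /nh') do (
    set "IMG=%%~A"
    set "PID=%%~B"
    REM When nothing matches, tasklist prints an "INFO: ..." line instead
    REM of CSV, so skip any record that starts that way.
    if /i not "!IMG:~0,5!"=="INFO:" (
        set /a HITS+=1
        echo === !IMG! [PID !PID!] has %DLL% loaded
        REM The same /fi filter syntax from above, keyed on pid, combined
        REM with /svc shows which services run inside this process.
        tasklist /svc /fi "pid eq !PID!" /fo csv /nh
    )
)

echo %HITS% process(es) have %DLL% loaded
endlocal
```

Running it against svchost-hosted DLLs makes the point of the next slide clear: several unrelated services usually share one process, so the service list is what tells you which one to investigate.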
Other Useful Commands: Taskkill
• Taskkill kills processes by PID
C:\> taskkill /PID [pid]
– Like Unix/Linux kill -9 [pid]
– Can also make a list of pids and kill them all quickly one after another
C:\> taskkill /PID [pid1] /PID [pid2]
• Taskkill also kills processes by name
C:\> taskkill /IM [name]
– Like Unix/Linux killall -9 [name]
Taskkill lets you kill processes, based on various attributes. One nice option is that you can kill multiple processes on the same command line, provided that you have their PIDs. You can do this by typing:
C:\> taskkill /PID [pid1] /PID [pid2]
Or, you can kill a process based on its name by typing:
C:\> taskkill /IM [name]
Using tasklist and taskkill
Let’s look at tasklist and taskkill quickly…
In Step 1, run the following command to see all of the services associated with each process:
C:\> tasklist /svc
Wow! Svchost.exe is one busy little process, isn’t it? Thanks, Microsoft, for bundling all of that splendid functionality into one process.
Now, let’s kill our cmd.exe based on its name, as follows:
C:\> taskkill /IM cmd.exe
Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
And now, some conclusions… followed by exercises for you to think about. We won’t cover the answers for the exercises on the webcast. Feel free to do them on your own at a later time, and check the answers against the slides included at the end of this PDF.
Conclusions
• Built-in Windows command line tools are quite powerful
• But, their syntax can be rather obscure
• Still, with a little exposure, Windows command-line tools can be very helpful to security personnel
In conclusion, you now should feel more comfortable using Windows command-line tools for your analysis of computer attacks.
Note that some of the syntax we covered looks a little obscure at first. However, after using it for a while, you’ll become much more comfortable with it.
And, if you have any additional ideas of cool Windows command line tricks, please let me know at [email protected].
Thank you!
SPOILER: IF YOU TURN THE PAGE, YOU WILL SEE SOME POSSIBLE ANSWERS TO THE CHALLENGES… DON’T TURN THE PAGE IF YOU DON’T WANT TO SEE THEM YET!
Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
And now, if you’ve downloaded this slide deck, here are some exercises for you to think about… We won’t cover these in the main webcast presentation, but you should be able to do these items. The answers are included at the end of this session.
Some Exercises
• Using your Windows command-line kung fu…
• Try the following exercises (answers are listed later)
So, using your Windows Command-Line Kung Fu, we have a series of six challenges for you to undertake. First, we’ll list all of the challenges. Then, we’ll include some possible answers.
Good luck!
Challenge 1: Killing Processes By Name
• Go to Start -> Run, and bring up calc.exe
• Do it again, so that you have two calc.exe processes running
• Challenge: Kill both processes rapidly using a single command, assuming you know their name (calc.exe)
Here is challenge 1. It illustrates how to kill multiple processes based on their name, assuming they have the same name.
Challenge 2: Killing Processes Based on PID
• Go to Start -> Run, and bring up calc.exe
• Do it again, so that you have two calc.exe processes running
• Challenge: Run a single command to determine the process IDs of the calc.exe processes
• Challenge: Then, run a single command to kill those processes rapidly, assuming you know their process IDs
Here is challenge 2. This one is very helpful in stopping some forms of malware that have cooperating processes that spawn each other rapidly.
Challenge 3: Determining Command Line Invocation
• Run a calc process with a whole bunch of bogus command flags
– C:\> calc.exe -l -p 2222 -e cmd.exe
• Challenge: Using a single command, find the command line used to invoke calc
• Bonus challenge: Make sure your command output also shows the full path to calc!
Here is challenge 3, illustrating techniques that are useful in figuring out where malware is running from and how it was invoked.
Challenge 4: Determine If a Given Patch Is Installed
• Challenge: With a single command, determine if the patch associated with KB896428 is installed
• Bonus Challenge: What date was that hotfix installed?
Here is challenge 4, which shows how to look at patch levels and installation dates.
Challenge 5: Determine Run Reg Keys
• Challenge: With a single WMIC command, find the Caption and Location of every autostart program that begins from a Run registry key
This challenge, number 5, is very helpful in figuring out how something might be starting at system boot or user logon.
Challenge 6: Find Elements of WMIC area and Use Them
• Challenge: Determine all elements of wmic usernames
• More Challenge: Then, in a single command, show the name and SID of all local accounts that do not have account Lockout enabled
This challenge (number 6) lets us look at the details of a user account, based on the status of that account.
Answer to Challenge 1
Here are two different ways to answer Challenge 1.
Answer to Challenge 2
Here is how to do Challenge 2.
Answer to Challenge 3
Here is the answer for Challenge 3.
Answer to Challenge 4
And, here, my friends, is the answer to Challenge 4.
Answer to Challenge 5
Here are two approaches to answering Challenge 5.
Answer to Challenge 6
This is the answer to Challenge 6. Note that we first got a list of all attributes that can be seen with wmic useraccount, and then we queried against some of those attributes.