Module LXI - Windows-Based Command Line Tools
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
This module will familiarize you with:
• IPSecScan
• MKBT
• Aircrack
• Outwit
• Joeware Tools
• MacMatch
• WhosIP
• Forfiles
• Sdelete
Module Flow
WhosIP
MacMatch
IPSecScan
Forfiles
Joeware Tools
MKBT
Sdelete
Outwit
Aircrack
IPSecScan (http://www.ntsecurity.nu/)
IPSecScan scans a single IP address or a range of IP addresses for systems that are IPsec enabled
It supports Windows 2000/XP
Windows-Based Command Line Tools
The LADS program lists all alternate data streams of an NTFS directory
ListDLLs shows the full path names of the modules loaded by a process
Source: http://technet.microsoft.com/
Windows-Based Command Line Tools (cont’d)
Lsadump2 dumps the contents of the LSA secrets on a machine
MBRWiz sets partitions active for booting and can delete or hide partitions
Source: http://technet.microsoft.com/
Windows-Based Command Line Tools (cont’d)
Mirror is a simple command line tool that mirrors two directory trees: it copies only the files that are newer and deletes all files in the mirror that are no longer present in the source
Make Bootable (MKBT) is used for installing boot sectors
Source: http://www.nu2.nu/
NBTScan (http://www.unixwiz.net/)
The NBTScan tool scans IP networks for NetBIOS name information
Sends a NetBIOS status query to each host address
Displays IP address, NetBIOS computer name, logged-in user name, and MAC address
Net Fizz (http://packetstorm.offensive-security.com/)
Net Fizz is a multithreaded net share scanner for Windows NT
Shows hidden shares
Windows-Based Command Line Tools (cont’d)
NetPWAge displays password age for both user and machine accounts
NirCmd performs its tasks without displaying a user interface
Source: http://www.optimumx.com/
Source: http://www.nirsoft.net/
Windows-Based Command Line Tools (cont’d)
MacMatch searches for and identifies files by when they were last updated, accessed, or created
NTFSinfo is an applet that shows the names and sizes of all NTFS metadata files
Source: http://www.ntsecurity.nu/
Source: http://technet.microsoft.com/
NTLast (http://www.foundstone.com/)
NTLast identifies and tracks the users who gain access to the system
Reports on the status of IIS users
Filters out web server logons from the console logons
Syntax:
• C:\CMDT\ntlast>ntlast
PMDump (http://www.ntsecurity.nu/)
PMDump dumps the process memory contents to a file
Lists out the running processes and their PIDs
Syntax:
• C:\CMDT>pmdump <pid> <filename>
Windows-Based Command Line Tools (cont’d)
Poke is a run-time process examination tool that helps when the process to be examined has heavy anti-debugging features
Poorsniff is a Windows sniffer tool that records the IP addresses accessed by the user
Source: http://www.toolcrypt.org
Windows-Based Command Line Tools (cont’d)
Procinfo displays information about running processes
Ptime is an automatic process timer that accurately measures the program execution time in seconds
Windows-Based Command Line Tools (cont’d)
Sdelete deletes one or more files and/or directories, or cleanses the free space on a logical disk
SetOwner changes the ownership of files/directories to any account
SQLCmd (http://msdn.microsoft.com/)
SQLCmd executes SQL queries against ODBC data sources
Executes an SQL query by specifying a database, username, and password (if required)
Captures output either on screen or in a log file
Syntax:
• C:\CMDT\sqlcmd>sqlcmd [options]
StreamFind (http://technet.microsoft.com/)
StreamFind is a command line utility for reporting alternate data streams
Reports the existence of streams on an NTFS partition
Examines files on an NTFS partition for the presence of non-default data streams
Syntax:
• C:\CMDT\streamfind>streamfind [drive:][path][filename] [/E] [/P] [/S] [/?]
Windows-Based Command Line Tools (cont’d)
Strings searches files for ASCII or UNICODE strings
TestDisk tool recovers lost partitions and/or makes non-booting disks bootable again
Windows-Based Command Line Tools (cont’d)
UpTime analyzes a single server for reliability and availability information
UPX is a free, portable, extendable, and high-performance executable packer for several different executable formats
Windows-Based Command Line Tools (cont’d)
VNCPwdump is used to dump and decrypt the registry key containing the encrypted VNC password in a few different ways
WhosIP easily finds and retrieves the available information about an IP address
winarp_mim (http://www2.packetstormsecurity.org/)
winarp_mim is useful for sniffing in a switched network
Supports Win9x/Win2K/WinXP
Syntax:
• C:\CMDT\winarp_mim>winarp_mim -a target_a_ip -b target_b_ip [-t delay] [-c count] [-v]
Windows-Based Command Line Tools (cont’d)
winarp_sk is a Swiss-army-knife tool that forges ARP packets (Ethernet and ARP headers)
WinDump is used to watch and detect network traffic in Windows
Winexit (http://keepass.info/)
Winexit is used to exit Windows from the command line
Syntax:
• C:\CMDT\winexit>logoff
• C:\CMDT\winexit>reboot
• C:\CMDT\winexit>reboot_force
• C:\CMDT\winexit>shutdown
• C:\CMDT\winexit>shutdown_force
Windows-Based Command Line Tools (cont’d)
NetE calls Application Programming Interfaces (APIs) that return remote information, trying each of their valid levels until data is retrieved
PSCP application transfers files securely between computers using an SSH connection
Windows-Based Command Line Tools (cont’d)
PSFTP is used for transferring files securely between computers using an SSH connection
Pwdump2 can dump password hashes from Active Directory
Windows-Based Command Line Tools (cont’d)
ScanLine is a command-line port scanner for all Windows platforms
Strace is a debugging/investigation utility that examines the NT system calls made by a process
UnRAR (http://www.velocityreviews.com/)
Resource Adapters aRchive (RAR) is a program to compress multiple files into an archive
UnRAR decompresses RAR archives
Syntax:
• C:\CMDT\unrar>unrar <command> -<switch 1> -<switch N> <archive> <files...> <@listfiles...> <path_to_extract\>
Nmap (http://nmap.org/)
Network Mapper (Nmap) is an open source utility for network exploration or security auditing
Uses raw IP packets to determine the available hosts on the network, the services they offer, etc.
Syntax:
• C:\CMDT\Nmap>nmap [Scan Type(s)] [Options] <host or net list>
Windows-Based Command Line Tools (cont’d)
Rconip is a well-designed remote console for NetWare running over IP
Outwit (docprop) utility is a suite of tools based on the Unix tool design principles
Windows-Based Command Line Tools (cont’d)
Outwit (outwit) provides ODBC-based database access and prints the results of an SQL select command run on any database
Outwit (readlink) uses the Windows API for resolving shortcuts and provides text-based access to the Windows registry
Windows-Based Command Line Tools (cont’d)
Outwit (readlog) provides text-based access to the Windows event log
Outwit (winclip) provides access to the Windows clipboard from a console or MS-DOS window
Outwit (winreg) (http://dmst.aueb.gr/)
Outwit (winreg) provides text-based access to the Windows registry
It will not process data types other than the ones described
Syntax:
• winreg [-F FS] [-r name] [-ntvci] [key]
pdftohtml, pdftotext (Xpdf) (http://sourceforge.net/)
Pdftohtml:
• Converts PDF files into HTML and XML formats
Pdftotext (Xpdf):
• Converts Adobe PDF documents to simple text format
• It works as an open source viewer for PDF files
Windows-Based Command Line Tools (cont’d)
Permute is a word list permutation program
Plink (PuTTY) works as a command-line interface to the PuTTY back ends
Windows-Based Command Line Tools (cont’d)
AccExp is a set of several useful utilities, especially for Active Directory management
AdFind is used for Active Directory queries
Windows-Based Command Line Tools (cont’d)
The AdMod tool can modify, delete, rename, move, and undelete objects in Active Directory
ATSN converts IP addresses to subnet/site information
Windows-Based Command Line Tools (cont’d)
The AUTH tool is used for testing authentication of a user ID
The ChangePW tool is used to change passwords from the command line prompt
Joeware Tools (CPAU) (http://www.joeware.net/)
CPAU is a command line tool for starting a process in an alternate security context
Allows you to create job files that encode the ID, password, and command line in a file
Syntax:
• CPAU -u user [-p password] -ex "WhatToRun" [switches]
Joeware Tools (http://www.joeware.net/)
ClientTest is a GUI tool that verifies TCP/IP socket communication
Syntax:
• clienttest [No Switches]
ELDLL holds basic resource information for customized event logging
Syntax:
• ELDLLInstall sourcename eventlog [OPTIONS]
Windows-Based Command Line Tools (cont’d)
ELDLLEx is a DLL that contains basic resource information for customized logging
ExchMbx is a command line tool for working with Exchange mailboxes
Joeware Tools (Expire) (http://www.joeware.net/)
The Expire tool flags accounts so that their passwords are altered on their next logon
Syntax:
• Expire filename [minimum password age]
Windows-Based Command Line Tools (cont’d)
FindExpAcc locates accounts that are expired and accounts holding expired passwords
FindNBT scans a subnet looking for Windows PCs
Joeware Tools (FindPDC) (http://www.joeware.net/)
FindPDC locates the PDC of a domain
Syntax:
• FindPDC domain count
Windows-Based Command Line Tools (cont’d)
GCChk locates Active Directory consistency issues and picks up missing GUIDs
GetUserInfo extracts the user’s information from a domain
Windows-Based Command Line Tools (cont’d)
LG manages built-in, local, and domain local groups
MemberOf displays a user’s group memberships
Joeware Tools (NetSess) (http://www.joeware.net/)
NetSess enumerates NetBIOS sessions on a specified local or remote machine
Syntax:
• netsess [servername] [clientname] [switches]
Windows-Based Command Line Tools (cont’d)
OldCmp is used to find and clean up old computer accounts that are no longer in use
Quiet silently launches a process
Windows-Based Command Line Tools (cont’d)
SecData displays security information about users/computers
SecTok displays parts of the process token of the current process
Joeware Tools (SeInteractiveLogonRight) (http://www.joeware.net/)
SeInteractiveLogonRight configures the system to allow specific users/groups to log on locally
Syntax:
• seinteractivelogonright <[DOMAIN\]Account> [TargetMachine]
Windows-Based Command Line Tools (cont’d)
SidToName resolves SIDs to user-friendly names
ShrFlgs configures share flags
Joeware Tools (SNU) (http://www.joeware.net/)
SNU is a network share connection tool which is mainly utilized in monitoring scripts
Syntax:
• SNU \\servername\sharename (/ADD | /DEL)
Joeware Tools (SvcUtl) (http://www.joeware.net/)
SvcUtl displays service information
Unlock displays currently locked and unlocked accounts
Joeware Tools (UserDump) (http://www.joeware.net/)
UserDump dumps basic user information from an NT-based system
Syntax:
• userdump [machine]
Joeware Tools (UserName) (http://www.joeware.net/)
UserName displays the current user ID in multiple formats
Syntax:
• UserName [switches]
Joeware Tools (W2KLockDesktop) (http://www.joeware.net/)
W2KLockDesktop locks the desktop immediately
No local security rights are needed to run this tool
Syntax:
• w2klockdesktop
Joeware Tools (WriteProt) (http://www.joeware.net/)
The WriteProt tool is used to write-protect disk volumes in Windows XP and Windows Server 2003
Synopsis:
• WriteProt [switches]
Cb, ClipText
Cb:
• Copies input to the clipboard
• Captures output from another program
• Syntax: dir /b /on | cb
ClipText:
• Copies text from a file to the clipboard and vice versa
• Syntax:
• ClipText from file.ext [/DOS] [/append]
• ClipText to file.ext [/DOS] [/append]
Screenshot: Cb, ClipText
Cmdline, Contig
Cmdline:
• Lists all the processes on the system
• Lists the processes in chronological order
• Syntax: Cmdline [-pid] [-u] [-?]
Contig:
• Optimizes usage by making a file contiguous in memory
• Syntax: contig [-v] [-a] [-q] [-s] [filename]
-v Verbose
-a Analyze fragmentation
-q Quiet mode
-s Recurse subdirectories
Screenshot: Cmdline, Contig
cURL (http://curl.haxx.se/)
cURL is a tool to transfer data from or to a server using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP, or FILE)
curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form-based upload, proxies, cookies, user and password authentication (Basic, Digest, NTLM, Negotiate, Kerberos...), file transfer resume, and proxy tunneling
Devcon (http://support.microsoft.com/)
Devcon acts as an alternative to Device Manager
Provides information that is not available in Device Manager
Syntax:
• devcon.exe [-r] [-m:\\<machine>] <command> [<arg>…]
-r reboots the machine when the command completes
<machine> is the name of the target machine
<command> is the command to perform
<arg>… arguments, if required by the command
Screenshot: Devcon
Dig (http://serghei.net/)
Dig investigates and digs into the Domain Name System (DNS)
Syntax:
• dig [@global-server] [domain] [q-type] [q-class] {q-opt} {global-d-opt} host [@local-server] {local-d-opt} [host [@local-server] {local-d-opt} […]]
Diskmap (http://sourceforge.net/)
The Diskmap tool depicts disk attributes and geometry from the registry
Reads and displays disk partitions and logical drives
Syntax:
• diskmap /d<disk number> [/h]
/d<disk number> number of the disk to map
/h shows hexadecimal output
Dispchg (http://www.arminhanisch.de/)
Dispchg scans and alters video modes from the display driver
Syntax:
• DispChg <option> [-freak]
<option> is one of -help, -list, -current, -set mode, -change
[-freak] makes output easier for filters
Dumpwin, dWhich (http://www.governmentsecurity.org/)
Dumpwin:
• Provides information about the system on which it is executed
• Syntax: dumpwin (options)
options are: -I, -d, -s, -m, -h, -t, -p, -v, -g, -u, -n
dWhich:
• Maps the full executable path of the file
• Syntax: dWhich filename [.ext]
[.ext] extension of the file is optional and applies to .bat, .btm, .cmd, .com, or .exe file extensions
Screenshot: Dumpwin, dWhich
Efsdump, Efsview (http://technet.microsoft.com/)
Efsdump:
• Lists users that can access an encrypted file
• Accepts wildcards to find encrypted files
• Syntax: efsdump [-s] <file or directory>
-s Recurse subdirectories
Efsview:
• Shows users having decryption or recovery keys for encrypted directories or files
• Syntax: efsview <filename>
Screenshot: Efsdump, Efsview
Eldump (http://www.ibt.ku.dk/)
The Eldump tool dumps the contents of an NT event log
The dump is written as text
Syntax:
• eldump [options]
Options:
• -f filename in which the dump text is written
• -s server for which to dump the event log
• -l name of the log to be dumped, such as system or application
• -t tab-separated output
Screenshot: Eldump
Enum, Eval (http://sourceforge.net/)
Enum:
• Enumerates information with the help of null sessions
• Retrieves user, machine, and share lists, name lists, group and member lists, password policy, and LSA policy
• Syntax: enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
-u get user list
-m get machine list
-s get share list
-p get password policy information
Eval:
• Quickly evaluates mathematical expressions
• Syntax: eval expression
expression is a valid math expression with parenthesis precedence
Screenshots: Enum, Eval
Ethernetchange (http://www.aecom.yu.edu/)
Ethernetchange alters the Ethernet address of the network adapters in Windows
Syntax:
• etherchange
Eventsave (http://www.heysoft.de/)
The Eventsave tool saves event logs into files and clears them
Syntax: EventSave [Path] [/C RemoteMachine | /A] [-ANSI] [/Mn]
Path Location of files
/C RemoteMachine Saves the log of the remote machine
/A Saves the event logs of all the NT machines
-ANSI ANSI character set
/Mn Size of the target file in MB
Filecase, FileUpload
Filecase:
• Renames directories/files to uppercase or lowercase
• Syntax: filecase [/s] [/h] [/p] [/q] [/d] [/l|/u] filespec..
/s Processes subdirectories
/h Processes hidden files/directories
/q Quiet mode
/p Prompts for each file/directory to be renamed (Yes/No/All/Quit)
/d Renames directories and files
/l Converts to lowercase
/u Converts to uppercase
FileUpload:
• Uploads a file to a Web or FTP server
• Syntax: upload [path]file.ext <url> [<login>] [<password>] [/passive] [/validate] [/post] [/proxy] [/delete] [/noappend] [/quiet]
[path]file.ext name of the file to upload
url destination URL
login and password for authentication
Screenshot: Filecase, FileUpload
ForceDisconnect, Format144
ForceDisconnect:
• Forcefully disconnects network volumes irrespective of open files
• Syntax: forcedisconnect
Format144:
• Formats a 1.44 MB floppy diskette
• Syntax: format144
Screenshot: ForceDisconnect, Format144
Fpipe (http://www.secureroot.com/)
Fpipe redirects a source port and generates a TCP or UDP stream
Syntax: FPipe [-hvu?] [-lrs <port>] [-i IP] IP
-?/-h Shows this help text
-i Listening interface IP address
-l Listening port number
-r Remote port number
-u UDP mode
-s Outbound source port number
-v Verbose mode
-c Maximum TCP connections
Fport (http://www.foundstone.com/)
Fport lists all open TCP/IP and UDP ports and maps them to the owning application
Syntax: fport
Fsum (http://www.slavasoft.com/)
Fsum generates and verifies file checksums
Syntax: fsum.exe [<OPTIONS>] [<FILES>]
-c Check files against the given checksum list
-d Set working directory
-jf Print failed lines
-jm Use MD5 format
-js Use SFV format
GetLocale, Global
GetLocale:
• Reports the locale and code page information of the system
• Syntax: getlocale [<options>]
none Get complete LCID
/user Get user language setting
/pri Get primary language ID
/sub Get only sublanguage ID
/cp Get output code page number
/1024 Multiply sublanguage ID by 1024
Global:
• Recursively calls any utility or program in each subdirectory
• Syntax: global [/h] [/p] [/q] [/i] command [args ...]
/h Process hidden/system directories
/p Prompt for each directory to be processed (Yes/No/All/Quit)
/q Quiet mode. Does not display each directory name before it is processed
/i Ignore exit codes. Default is to exit if the command returns non-zero
Screenshot: GetLocale, Global
GNU Httptunnel (http://www.nocrew.org/)
GNU Httptunnel is used to create a bidirectional virtual data path tunneled in HTTP requests
The requests can be sent via an HTTP proxy if required
It can be used to bypass firewalls
Gplist, Gsar
Gplist:
• Describes the applied group policies
• Syntax: gplist
Gsar:
• Performs general search and replace on files
• Syntax: gsar [options] [infile(s)] [outfile]
Options:
-s<string> Search string
-i Ignore case
-r[string] Replace string
-o Overwrite existing input file
Screenshot: Gplist, Gsar
Guid2obj (http://support.microsoft.com/)
Guid2obj converts a GUID to a distinguished name
Syntax: guid2obj [{]Guid[}] [/server:ServerName] [/site[:SiteName]] [/?]
[{]Guid[}] specifies a GUID, optionally with surrounding braces
/server:ServerName binds to the server ServerName
/site[:SiteName] binds to a domain controller on the site SiteName
/? Help screen
Handle (http://support.microsoft.com/)
Handle:
• Reports process handle information
• Syntax: handle [[-a] [-u] | [-c <handle>] | [-s]] [-p <processname>|<pid>] [name]
-a Dump all handle information
-c Close the handle
-s Print count of open handles
-u Show user name
-p Scan named processes
name Search for an object with a particular name
3Scan (http://sourceforge.net/)
3Scan is a detector for open HTTP/CONNECT/SOCKS4/FTP/Telnet proxies
Checks accessibility of given HTTP or SMTP server via given proxy
Does not scan port and IP ranges
AGREP (http://www.tgries.de/)
AGREP searches the input files for records containing strings that either exactly or approximately match a pattern
Each record found is copied to the standard output
Approximate matching allows locating records that consist of patterns with several errors including substitutions, insertions, and deletions
Aircrack (http://aircrack-ng.org/)
Aircrack is an 802.11 WEP key cracker
Implements Fluhrer-Mantin-Shamir attacks
Instantly recovers the WEP key when sufficient encrypted packets have been obtained
ARPFlash (http://osflash.org/)
ARPFlash is a pcap-based network discovery tool
Utilizes ARP messages to identify live hosts within a given IP range
Does not require administrative privileges to operate
ASPNetUserPass (http://www.nirsoft.net/)
The ASPNetUserPass tool displays the password of the ASPNet user on the computer
When the user runs the file at the command prompt, it simply displays the password of the ASPNet user if it is stored on the system
AtNow (http://www.nirsoft.net/)
AtNow schedules programs and commands to execute in the near future
By default, the commands are executed within 70 seconds or less from the moment AtNow is run
Syntax: C:\>atnow [\\ComputerName] [Delay] [/interactive] “command” [Parameters]
BBIE (http://www.nu2.nu/)
The Bart’s Boot Image Extractor (BBIE) tool extracts all boot images from a bootable CD-ROM or ISO image file
Follows El Torito Bootable CD-ROM Format Specification v1.0
BFI (http://www.nu2.nu/)
The Build Floppy Image (BFI) tool builds FAT floppy images
Designed for use on bootable CD-ROMs
Supported floppy sizes vary from 720 KB to 2.88 MB
Renamer (http://www.den4b.com/)
Renamer performs mass renaming of files based on a UNIX-style regular expression
Syntax: Bkren [-s] “searchexpression” “replaceexpression”
BootPart (http://www.winimage.com/)
BootPart adds additional partitions to the Windows NT multi-boot menu
Compatible with Windows NT/2000/XP
Requires administrative privileges
User can also add an OS/2 multiboot or a Linux partition
BuiltIn Account Manager (http://www.optimumx.com/)
BuiltIn Account Manager displays or manages the built-in Administrator or Guest account without requiring the user account name
Requires administrative privileges
bzip2 (http://www.bzip.org/)
bzip2 is an open source command line data compressor
Runs on any 32- or 64-bit machine with an ANSI C compiler
T4eWebPing (http://www.tools4ever.com/)
The T4eWebPing command line application is a MonitorMagic plugin that gathers intranet/Internet script performance data
It can be used to 'ping' a web page
T4eSQL (http://www.tools4ever.com/)
The T4eSQL command line tool reads the entire command line and query information from text files, which enables large command structures and queries
T4eDirSize (http://www.tools4ever.com/)
T4eDirSize gets the free and used space of any directory or share
It can be used to monitor free space and file statistics on shares
T4ePortPing (http://www.tools4ever.com/)
T4ePortPing can be used to 'ping' a specific port on any TCP/IP host
Use T4ePortPing as a standard plugin, or in your own scripts, to see which ports are open on clients or servers
T4eRexec (http://www.tools4ever.com/)
T4eRexec accepts a password as input and can therefore run in unattended mode
It is used to execute a command remotely on a computer running an operating system that supports the standard Rexec protocol
Forfiles (http://technet.microsoft.com/)
Forfiles selects files in a folder or tree for batch processing
Syntax:
• forfiles [/p Path] [/m SearchMask] [/s] [/c Command] [/d[{+ | -}] [{MM/DD/YYYY | DD}]]
Exe2bin (http://technet.microsoft.com/)
Exe2bin converts executable (.exe) files to binary format
Syntax:
• exe2bin [drive1:][path1]InputFile [[drive2:][path2]OutputFile]
Summary
IPSecScan scans a single IP address or a range of IP addresses for systems that are IPsec enabled
MacMatch searches for and identifies files by when they were last updated, accessed, or created
The chkdsk command lists and corrects errors on a disk
Nslookup displays information that you can use to diagnose the Domain Name System (DNS) infrastructure