Module LXI - Windows-Based Command Line Tools


Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Objective

This module will familiarize you with:

• IPSecScan
• MKBT
• Aircrack
• Outwit
• Joeware Tools
• MacMatch
• WhosIP
• Forfiles
• Sdelete


Module Flow

WhosIP

MacMatch

IPSecScan

Forfiles

Joeware Tools

MKBT

Sdelete

Outwit

Aircrack


IPSecScan

Source: http://www.ntsecurity.nu/

IPSecScan scans a single IP address or a range of IP addresses for systems that are IPsec enabled

It supports Windows 2000/XP


Windows-Based Command Line Tools

The LADS program lists all alternate data streams of an NTFS directory

ListDLLs shows the full path names of the loaded modules

Source: http://technet.microsoft.com/


Windows-Based Command Line Tools (cont’d)

Lsadump2 dumps the contents of the LSA secrets on a machine

MBRWiz sets partitions active for booting and can delete or hide partitions

Source: http://technet.microsoft.com/


Windows-Based Command Line Tools (cont’d)

Mirror is a simple command line tool to mirror two directories with sub-structures; it copies only the files that are newer and deletes all files in the mirror that are no longer present in the source

Make Bootable (MKBT) is used for installing boot sectors

Source: http://www.nu2.nu/


NBTScan

Source: http://www.unixwiz.net/

The NBTScan tool scans IP networks for NetBIOS name information

Sends a NetBIOS status query to each host address

Displays IP address, NetBIOS computer name, logged-in user name, and MAC address


Net Fizz

Source: http://packetstorm.offensive-security.com/

Net Fizz is a multithreaded net share scanner for Windows NT

Shows hidden shares


Windows-Based Command Line Tools (cont’d)

NetPWAge displays the password age for both users and machines

NirCmd works without displaying a user interface

Source: http://www.optimumx.com/

Source: http://www.nirsoft.net/


Windows-Based Command Line Tools (cont’d)

MacMatch searches for and identifies files by when they were last updated, accessed, or created

NTFSinfo is an applet that shows the names and sizes of all NTFS metadata files

Source: http://www.ntsecurity.nu/

Source: http://technet.microsoft.com/


NTLast

Source: http://www.foundstone.com/

NTLast identifies and tracks the users who gain access to the system

Reports on the status of IIS users

Filters out web server logons from the console logons

Syntax:

• C:\CMDT\ntlast>ntlast


PMDump

Source: http://www.ntsecurity.nu/

PMDump dumps the process memory contents to a file

Lists out the running processes and their PIDs

Syntax:

• C:\CMDT>pmdump <pid> <filename>


Windows-Based Command Line Tools (cont’d)

Poke is a run-time process examination tool that helps when the process to be examined has heavy anti-debugging features

Poorsniff is a Windows sniffer tool that sniffs the IP addresses that are accessed by the user

Source: http://www.toolcrypt.org


Windows-Based Command Line Tools (cont’d)

Procinfo displays information about running processes

Ptime is an automatic process timer that accurately measures the program execution time in seconds


Windows-Based Command Line Tools (cont’d)

Sdelete deletes one or more files and/or directories, or cleanses the free space on a logical disk

SetOwner changes the ownership of files/directories to any account


SQLCmd

Source: http://msdn.microsoft.com/

SQLCmd executes SQL queries against ODBC data sources

Executes an SQL query given a database, username, and password (if required)

Captures output either on screen or in a log file

Syntax:

• C:\CMDT\sqlcmd>sqlcmd [options]


StreamFind

Source: http://technet.microsoft.com/

StreamFind is a command line utility for reporting alternate data streams

Reports the existence of streams on an NTFS partition

Examines files on an NTFS partition for the presence of non-default data streams

Syntax:

• C:\CMDT\streamfind>streamfind [drive:][path][filename] [/E] [/P] [/S] [/?]


Windows-Based Command Line Tools (cont’d)

Strings searches files for ASCII or Unicode strings

TestDisk tool recovers lost partitions and/or makes non-booting disks bootable again


Windows-Based Command Line Tools (cont’d)

UpTime analyzes a single server for reliability and availability information

UPX is a free, portable, extendable, and high-performance executable packer for several different executable formats


Windows-Based Command Line Tools (cont’d)

VNCPwdump is used to dump and decrypt the registry key containing the encrypted VNC password in a few different ways

WhosIP easily finds and retrieves the available information about an IP address


winarp_mim

Source: http://www2.packetstormsecurity.org/

winarp_mim is useful for sniffing in a switched network

Supports Win9x/Win2K/WinXP

Syntax:

• C:\CMDT\winarp_mim>winarp_mim -a target_a_ip -b target_b_ip [-t delay] [-c count] [-v]


Windows-Based Command Line Tools (cont’d)

winarp_sk is a Swiss army knife tool that forges ARP packets (Ethernet and ARP headers)

WinDump is used to watch and detect network traffic in Windows


Winexit

Source: http://keepass.info/

Winexit is used to exit Windows from the command line

Syntax:

• C:\CMDT\winexit>logoff
• C:\CMDT\winexit>reboot
• C:\CMDT\winexit>reboot_force
• C:\CMDT\winexit>shutdown
• C:\CMDT\winexit>shutdown_force


Windows-Based Command Line Tools (cont’d)

NetE calls Application Programming Interfaces (APIs) that return remote information, trying each of their valid levels until data is retrieved

The PSCP application transfers files securely between computers using an SSH connection


Windows-Based Command Line Tools (cont’d)

PSFTP is used for transferring files securely between computers using an SSH connection

Pwdump2 can dump password hashes from Active Directory


Windows-Based Command Line Tools (cont’d)

ScanLine is a command-line port scanner for all Windows platforms

Strace is a debugging/investigation utility that examines the NT system calls made by a process


UnRAR

Source: http://www.velocityreviews.com/

Resource Adapters aRchive (RAR) is a program to compress multiple files into an archive

UnRAR decompresses RAR archives

Syntax:

• C:\CMDT\unrar>unrar <command> -<switch 1> -<switch N> <archive> <files...> <@listfiles...> <path_to_extract\>


Nmap

Source: http://nmap.org/

Network Mapper (Nmap) is an open source utility for network exploration or security auditing

Uses raw IP packets to determine the available hosts on the network, the services they offer, etc.

Syntax:

• C:\CMDT\Nmap>nmap [Scan Type(s)] [Options] <host or net list>


Windows-Based Command Line Tools (cont’d)

Rconip is a well-designed remote console for NetWare running over IP

The Outwit (docprop) utility is a suite of tools based on Unix tool design principles


Windows-Based Command Line Tools (cont’d)

Outwit provides ODBC-based database access and prints the results of an SQL select command run on any database

Outwit (readlink) uses the Windows API for resolving shortcuts and provides text-based access to the Windows registry


Windows-Based Command Line Tools (cont’d)

Outwit (readlog) provides text-based access to the Windows event log

Outwit (winclip) provides access to the Windows clipboard from a console or MS-DOS window


Outwit (winreg)

Source: http://dmst.aueb.gr/

Outwit (winreg) provides text-based access to the Windows registry

It will not process data types other than the ones described

Syntax:

• winreg [-F FS] [-r name] [-ntvci] [key]


pdftohtml, pdftotext (Xpdf)

Source: http://sourceforge.net/

Pdftohtml:

• Converts PDF files into HTML and XML formats

Pdftotext (Xpdf):

• Converts Adobe PDF documents to simple text format
• It works as an open source viewer for PDF files


Windows-Based Command Line Tools (cont’d)

Permute is a word list permutation program

Plink (PuTTY) works as a command-line interface to the PuTTY back ends


Windows-Based Command Line Tools (cont’d)

AccExp is a set of several useful utilities, especially for Active Directory management

AdFind is used for Active Directory queries


Windows-Based Command Line Tools (cont’d)

The AdMod tool can modify, delete, rename, move, and undelete objects in Active Directory

ATSN converts IP addresses to subnet/site information


Windows-Based Command Line Tools (cont’d)

The AUTH tool is used for testing authentication of a user ID

The ChangePW tool is used to change passwords from the command prompt


Joeware Tools (CPAU)

Source: http://www.joeware.net/

CPAU is a command line tool for starting a process in an alternate security context

Allows creating job files that encode the ID, password, and command line in a file

Syntax:

• CPAU -u user [-p password] -ex "WhatToRun" [switches]


Joeware Tools

Source: http://www.joeware.net/

ClientTest is a GUI tool that verifies TCP/IP socket communication

Syntax:

• clienttest [No Switches]

ELDLL holds basic resource information for customized event logging

Syntax:

• ELDLLInstall sourcename eventlog [OPTIONS]


Windows-Based Command Line Tools (cont’d)

ELDLLEx is a DLL that contains basic resource information for customized logging

ExchMbx is a command line tool for Exchange mailboxes


Joeware Tools (Expire)

Source: http://www.joeware.net/

The Expire tool flags accounts so that their passwords must be changed at their next logon

Syntax:

• Expire filename [minimum password age]


Windows-Based Command Line Tools (cont’d)

FindExpAcc locates accounts that are expired and accounts holding expired passwords

FindNBT scans a subnet looking for Windows PCs


Joeware Tools (FindPDC)

Source: http://www.joeware.net/

FindPDC locates the PDC of a domain

Syntax:

• FindPDC domain count


Windows-Based Command Line Tools (cont’d)

GCChk locates Active Directory consistency issues and picks up missing GUIDs

GetUserInfo extracts the user’s information from a domain


Windows-Based Command Line Tools (cont’d)

LG manages built-in, local, and domain local groups

MemberOf displays a user’s group memberships


Joeware Tools (NetSess)

Source: http://www.joeware.net/

NetSess enumerates NetBIOS sessions on a specified local or remote machine

Syntax:

• netsess [servername] [clientname] [switches]


Windows-Based Command Line Tools (cont’d)

OldCmp is used to find and clean old computer accounts that have not been utilized

Quiet silently launches a process


Windows-Based Command Line Tools (cont’d)

SecData displays security info about users/computers

SecTok displays parts of the process token of the current process


Joeware Tools (SeInteractiveLogonRight)

Source: http://www.joeware.net/

SeInteractiveLogonRight configures the system to grant specific users/groups the right to log on locally

Syntax:

• seinteractivelogonright <[DOMAIN\]Account> [TargetMachine]


Windows-Based Command Line Tools (cont’d)

SidToName resolves SIDs to user-friendly names

ShrFlgs configures share flags


Joeware Tools (SNU)

Source: http://www.joeware.net/

SNU is a network share connection tool which is mainly utilized for monitoring scripts

Syntax:

• SNU \\servername\sharename (/ADD | /DEL)


Joeware Tools (SvcUtl)

Source: http://www.joeware.net/

SvcUtl displays service information

Unlock displays currently locked and unlocked accounts


Joeware Tools (UserDump)

Source: http://www.joeware.net/

UserDump dumps basic user information from an NT-based system

Syntax:

• userdump [machine]


Joeware Tools (UserName)

Source: http://www.joeware.net/

UserName displays current user ID in multiple formats

Syntax:

• UserName [switches]


Joeware Tools (W2KLockDesktop)

Source: http://www.joeware.net/

W2KLockDesktop locks the desktop immediately

No local security rights are needed to run this tool

Syntax:

• w2klockdesktop


Joeware Tools (WriteProt)

Source: http://www.joeware.net/

WriteProt tool is used to write protect disk volumes in Windows XP and Windows Server 2003

Synopsis:

• WriteProt [switches]


Cb, Cliptext

Cb:

• Copies input to the clipboard
• Captures output from another program
• Syntax: dir /b /on | cb

ClipText:

• Copies text from a file to the clipboard and vice-versa
• Syntax:
  • ClipText from file.ext [/DOS] [/append]
  • ClipText to file.ext [/DOS] [/append]


Screenshot: Cb, ClipText


Cmdline, Contig

Cmdline:

• Lists all the processes on the system
• Lists the processes in chronological order
• Syntax: Cmdline [-pid] [-u] [-?]

Contig:

• Optimizes usage by making a file contiguous in memory
• Syntax: contig [-v] [-a] [-q] [-s] [filename]
  -v Verbose
  -a Analyze fragmentation
  -q Quiet mode
  -s Recurse subdirectories


Screenshot: Cmdline, Contig


cURL

Source: http://curl.haxx.se/

cURL is a tool to transfer data from or to a server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE)

curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form-based upload, proxies, cookies, user and password authentication (Basic, Digest, NTLM, Negotiate, Kerberos...), file transfer resume, and proxy tunneling


Devcon

Source: http://support.microsoft.com/

Devcon acts as an alternative to the device manager

Provides information that is unavailable in the device manager

Syntax:

• devcon.exe [-r] [-m:\\<machine>] <command> [<arg>...]
  -r reboots the machine when the command completes
  <machine> is the name of the target machine
  <command> is the command to perform
  <arg>... arguments, if required by the command


Screenshot: Devcon


Dig

Source: http://serghei.net/

Dig investigates and digs into the DNS (Domain Name System)

Syntax:

• dig [@global-server] [domain] [q-type] [q-class] {q-opt} {global-d-opt} host [@local-server] {local-d-opt} [host [@local-server] {local-d-opt} [...]]


Diskmap

Source: http://sourceforge.net/

The Diskmap tool depicts disk attributes and geometry from the registry

Reads and displays disk partitions and logical drives

Syntax:

• diskmap /d<disk number> [/h]
  /d<disk number> number of the disk to map
  /h shows hexadecimal output


Dispchg

Source: http://www.arminhanisch.de/

Dispchg scans and alters the video modes of the display driver

Syntax:

• DispChg <option> [-freak]
  <option> is one of -help, -list, -current, -set mode, -change
  [-freak] makes the output easier to process with filters


Dumpwin, dWhich

Source: http://www.governmentsecurity.org/

Dumpwin:

• Provides information about the system where it is executed
• Syntax: dumpwin (options)
  Options are: -I, -d, -s, -m, -h, -t, -p, -v, -g, -u, -n

dWhich:

• Maps the full executable path of a file
• Syntax: dWhich filename [.ext]
  [.ext] the file extension is optional and applicable to .bat, .btm, .cmd, .com, or .exe files


Screenshot: Dumpwin, dWhich


Efsdump, Efsview

Source: http://technet.microsoft.com/

Efsdump:

• Lists the users that can access an encrypted file
• Accepts wildcards to find encrypted programs
• Syntax: efsdump [-s] <file or directory>
  -s Recurse subdirectories

Efsview:

• Shows the users having decryption or recovery keys for encrypted directories or files
• Syntax: efsview <filename>


Screenshot: Efsdump, Efsview


Eldump

Source: http://www.ibt.ku.dk/

The Eldump tool dumps the contents of an NT event log

The dump is written as text

Syntax:

• eldump [options]

Options:

• -f filename to which the dump text is written
• -s server for which to dump the event log
• -l name of the log to be dumped, such as system or application
• -t tab-separated output


Screenshot: Eldump


Enum, Eval

Source: http://sourceforge.net/

Enum:

• Enumerates information with the help of null sessions
• Retrieves user, machine, and share lists, name lists, group and member lists, password policy, and LSA policy
• Syntax: enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
  -u get user list
  -m get machine list
  -s get share list
  -p get password policy information

Eval:

• Quickly evaluates mathematical expressions
• Syntax: eval expression
  expression is a valid math equation with parenthesis precedence


Screenshots: Enum, Eval


Ethernetchange

Source: http://www.aecom.yu.edu/

Ethernetchange alters the Ethernet address of the network adapters in Windows

Syntax:

• etherchange


Eventsave

Source: http://www.heysoft.de/

The Eventsave tool saves event logs to files and clears them

Syntax: EventSave [Path] [/C RemoteMachine | /A] [-ANSI] [/Mn]

  Path              Location of the files
  /C RemoteMachine  Save the logs of the remote machine
  /A                Saves the event logs of all the NT machines
  -ANSI             ANSI character set
  /Mn               Size of the target file in MB


Filecase, Fileupload

Filecase:

• Renames directories/files to uppercase or lowercase
• Syntax: filecase [/s] [/h] [/p] [/q] [/d] [/l|/u] filespec...
  /s Processes subdirectories
  /h Processes hidden files/directories
  /q Quiet mode
  /p Prompts for each file/directory to be renamed (Yes/No/All/Quit)
  /d Renames directories and files
  /l Converts to lowercase
  /u Converts to uppercase

FileUpload:

• Uploads a file to a Web or FTP server
• Syntax: upload [path]file.ext <url> [<login>] [<password>] [/passive] [/validate] [/post] [/proxy] [/delete] [/noappend] [/quiet]
  [path]file.ext name of the file to upload
  url destination URL
  login and password for authentication


Screenshot: Filecase, FileUpload


ForceDisconnect, Format144

ForceDisconnect:

• Forcefully disconnects network volumes irrespective of open files
• Syntax: forcedisconnect

Format144:

• Formats a 1.44 MB floppy diskette
• Syntax: format144


Screenshot: ForceDisconnect, Format144


Fpipe

Source: http://www.secureroot.com/

Fpipe redirects a source port and generates a TCP or UDP stream

Syntax: FPipe [-hvu?] [-lrs <port>] [-i IP] IP

  -?/-h  Shows this help text
  -i     Listening interface IP address
  -l     Listening port number
  -r     Remote port number
  -u     UDP mode
  -s     Outbound source port number
  -v     Verbose mode
  -c     Maximum TCP connections


Fport

Source: http://www.foundstone.com/

Fport lists all open TCP/IP and UDP ports and maps them to the owning application

Syntax: fport


Fsum

Source: http://www.slavasoft.com/

Fsum generates and verifies file checksum calculations

Syntax: fsum.exe [<OPTIONS>] [<FILES>]

  -c   Checksum against the given list
  -d   Set working directory
  -jf  Print failed lines
  -jm  Use MD5 format
  -js  Use SFV format


GetLocale, Global

GetLocale:

• Maps locale and code page information of the system
• Syntax: getlocale [<options>]
  none   Get complete LCID
  /user  Get user language setting
  /pri   Get primary language ID
  /sub   Get only sublanguage ID
  /cp    Get output codepage number
  /1024  Multiply sublanguage ID by 1024

Global:

• Recursively calls any utility or program
• Syntax: global [/h] [/p] [/q] [/i] command [args ...]
  /h Process hidden/system directories
  /p Prompt for each directory to be processed (Yes/No/All/Quit)
  /q Quiet mode; does not display each directory name before it is processed
  /i Ignore exit codes; the default is to exit if the command returns non-zero


Screenshot: GetLocale, Global


GNU Httptunnel

Source: http://www.nocrew.org/

GNU Httptunnel is used to create a bidirectional virtual data path tunneled in HTTP requests

The requests can be sent via an HTTP proxy if required

It can be used to bypass firewalls


Gplist, Gsar

Gplist:

• Describes the applied group policies
• Syntax: gplist

Gsar:

• Performs general search and replace on files
• Syntax: gsar [options] [infile(s)] [outfile]

Options:

  -s<string>  Search string
  -i          Ignore case
  -r[string]  Replace string
  -o          Overwrite existing input file


Screenshot: Gplist, Gsar


Guid2obj

Source: http://support.microsoft.com/

Guid2obj converts a GUID to a distinguished name

Syntax: guid2obj [{]Guid[}] [/server:ServerName] [/site[:SiteName]] [/?]

[{]Guid[}] specifies a GUID, optionally with surrounding braces

/server:ServerName binds to the server ServerName

/site[:SiteName] binds to a domain controller on the site SiteName

/? Help screen


Handle

Source: http://support.microsoft.com/

Handle:

• Maps process handle information
• Syntax: handle [[-a] [-u] | [-c <handle>] | [-s]] [-p <processname>|<pid>] [name]
  -a Dumps handle information
  -c Closes the handle
  -s Prints the count of open handles
  -u Shows the user name
  -p Scans the named processes
  name Searches for objects with a particular name


3Scan

Source: http://sourceforge.net/

3Scan is a detector for open HTTP/CONNECT/SOCKS4/FTP/Telnet proxies

Checks accessibility of given HTTP or SMTP server via given proxy

Does not scan port and IP ranges


AGREP

Source: http://www.tgries.de/

AGREP searches the input filenames for records containing strings which either exactly or approximately match a pattern

Each record found is copied to the standard output

Approximate matching allows locating records that consist of patterns with several errors including substitutions, insertions, and deletions


Aircrack

Source: http://aircrack-ng.org/

Aircrack is an 802.11 WEP key cracker

Implements the Fluhrer-Mantin-Shamir attack

Instantly recovers the WEP key when sufficient encrypted packets have been obtained


ARPFlash

Source: http://osflash.org/

ARPFlash is a pcap-based network discovery tool

Utilizes ARP messages to identify live hosts within a given IP-range

Does not require administrative privileges for operations


ASPNetUserPass

Source: http://www.nirsoft.net/

The ASPNetUserPass tool displays the password of the ASPNET user on the computer

When the user runs the file at the command prompt, it simply displays the password of the ASPNET user if it is stored on the system

Page 97: File000174

AtNow (http://www.nirsoft.net/)

AtNow schedules programs and commands to execute in the near future

By default, the command is executed within 70 seconds of the moment AtNow is run

Syntax: C:\>atnow [\\ComputerName] [Delay] [/interactive] "command" [Parameters]

Page 98: File000174

BBIE (http://www.nu2.nu/)

The Bart's Boot Image Extractor (BBIE) tool extracts all boot images from a bootable CD-ROM or ISO image file

Follows El Torito Bootable CD-ROM Format Specification v1.0

Page 99: File000174

BFI (http://www.nu2.nu/)

The Build Floppy Image (BFI) tool builds FAT floppy images

Designed for use on bootable CD-ROMs

Supported floppy sizes vary from 720 KB to 2.88 MB

Page 100: File000174

Renamer (http://www.den4b.com/)

Renamer performs mass renaming of files based on a UNIX-style regular expression

Syntax: Bkren [-s] "searchexpression" "replaceexpression"

Page 101: File000174

BootPart (http://www.winimage.com/)

BootPart adds partitions to the Windows NT multi-boot menu

Compatible with Windows NT/2000/XP

Requires administrative privileges

The user can also add an OS/2 multi-boot or a Linux partition

Page 102: File000174

BuiltIn Account Manager (http://www.optimumx.com/)

BuiltIn Account Manager displays or manages the built-in administrator or guest account without knowing the user account name

Requires administrative privileges

Page 103: File000174

bzip2 (http://www.bzip.org/)

bzip2 is an open source command line data compressor

Runs on any 32 or 64-bit machine with an ANSI C compiler

Page 104: File000174

T4eWebPing (http://www.tools4ever.com/)

The T4eWebPing command line application is a MonitorMagic plugin that gathers intranet/Internet script performance data

It can be used to 'ping' a web-page

Page 105: File000174

T4eSQL (http://www.tools4ever.com/)

The T4eSQL command line tool reads the entire command line and query information from text files, which allows large command structures and queries

Page 106: File000174

T4eDirSize (http://www.tools4ever.com/)

T4eDirSize gets the free and used space of any directory or share

It can be used to monitor free space and file statistics on shares

Page 107: File000174

T4ePortPing (http://www.tools4ever.com/)

T4ePortPing can be used to 'ping' a specific port on any TCP/IP host

Use T4ePortPing as a standard plugin, or in your own scripts, to see which ports are open on clients or servers

Page 108: File000174

T4eRexec (http://www.tools4ever.com/)

T4eRexec accepts a password as input and can therefore run in unattended mode

It is used to execute a command remotely on a computer running an operating system that supports the standard Rexec protocol

Page 109: File000174

Forfiles (http://technet.microsoft.com/)

Forfiles selects files in a folder or tree for batch processing

Syntax:

• forfiles [/p Path] [/m SearchMask] [/s] [/c Command] [/d[{+ | -}] [{MM/DD/YYYY | DD}]]
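A worked use of the syntax above, added here as an example and not taken from the module: a small batch script that walks a directory tree and lists every executable modified within the last seven days, which is a quick way to triage recent changes on a host during an investigation. The directory C:\Triage and the seven-day window are placeholder assumptions; the @fdate, @ftime, @fsize and @path variables are Forfiles' own substitution variables for the matched file.

```batch
@echo off
REM Added example, not part of the original module.
REM Lists executables and DLLs changed in the last DAYS days under TARGET.
REM TARGET is a placeholder path; adjust it to the tree you want to inspect.
set "TARGET=C:\Triage"
set "DAYS=-7"

REM /s recurses into subfolders; /m filters by name; /d -7 keeps files whose
REM last-modified date is within the last 7 days; /c runs the command per file.
echo Executables modified in the last 7 days under %TARGET%:
forfiles /p "%TARGET%" /s /m *.exe /d %DAYS% /c "cmd /c echo @fdate @ftime @fsize @path"

echo DLLs modified in the last 7 days under %TARGET%:
forfiles /p "%TARGET%" /s /m *.dll /d %DAYS% /c "cmd /c echo @fdate @ftime @fsize @path"

REM Forfiles returns exit code 1 when no files match, so a silent run is
REM reported explicitly rather than mistaken for an empty directory.
if errorlevel 1 echo No matching files found (or the path does not exist).
```

Note that the /c command is run through cmd /c for each match, so any output redirection belongs inside the quoted command if per-file results should go to a report file.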

Page 110: File000174

Exe2bin (http://technet.microsoft.com/)

Exe2bin converts executable (.exe) files to binary format

Syntax:

• exe2bin [drive1:][path1]InputFile [[drive2:][path2]OutputFile]

Page 111: File000174

Summary

IPSecScan scans a single IP address or a range of IP addresses for systems that are IPSec enabled

MacMatch searches for and identifies files by the time they were last updated, accessed or created

The chkdsk command lists and corrects errors on the disk

Nslookup displays information that you can use to diagnose Domain Name System (DNS) infrastructure
