Wednesday, March 18, 2009

Story of IT Novice

I read a very good story on my friend's profile... I thought I should share it with all of you.

IT Novice and Master...

One day a Novice came to the Master.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"No," replied the Novice. The Master sent the Novice on a quest to the Store of Software.
Many hours later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source. What now can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously and presented his Compiler of Source to the Master.
"How is this used?" asked the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"No," replied the Novice.
The Master instructed the Novice as to where he could find the Manual of Operation.
Many days later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source, and a Manual of Operation. What now can prevent you from becoming a Writer of Programs?".
At this the Novice fidgeted nervously and presented his Manual of Operations to the Master.
"How is this used?" asked the Novice.
The Master closed his eyes, and heaved a great sigh.
The Master sent the Novice on a quest to the School of Elementary.
Many years later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code, a Manual of Operation and an Education of Elementary?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"What then can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously. He looked around but could find nothing to present to the Master.
The Master smiled at the Novice.
"I see what problem plagues you." said the Master.
"Oh great master, please tell me." asked the Novice.
The Master turned the Novice toward the door, and with a supportive hand on his shoulder said, "Go young Novice, and Read The Fucking Manual." And so the Novice became enlightened.

Tuesday, March 17, 2009

Windows Commandline KungFu Part 2

If you check it out, wmic has many good features that we never use. Since I like the command line very much, I am always into commands and keyboard shortcuts. :D

Now some more info about wmic...
If you use the command

C:\> wmic /?

then you get a list of the attributes and all the settings for a given alias.

For example type

C:\>wmic share list full

AccessMask=
AllowMaximum=TRUE
Description=Remote IPC
InstallDate=
MaximumAllowed=
Name=IPC$
Path=
Status=OK
Type=-2147483645
...
...

Good? Not enough? There is more: wmic is object oriented, so you've got attributes and methods. Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.

For example

C:\> wmic process where name="cmd.exe" call getowner

Or, even:

C:\> wmic process where name="cmd.exe" call getownersid

Nice, isn't it?

Second example: we want a built-in command to reboot or shut down a Windows box across the network. Try this:

C:\> wmic os where buildnumber="2600" call reboot


Third example: get a parameter (an attribute of the object):

C:\>wmic nic get macaddress,name


You want interface-related methods? Check these out:

C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212

Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting. Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out. You have been warned!

Now how about a nasty example :D
Like from post exploitation ;)

You could:

C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog

Guess what it would do?


or events like those associated with logging onto the box:

C:\> wmic ntevent where (message like "%logon%") list brief

Fifth, here is one that could be useful for handlers:

C:\>wmic netlogin where (name like "%neo%") get numberoflogons
NumberOfLogons
1760

Where neo is the username, of course.

You can use methods associated with "wmic service" to change the service configuration, as in:

C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled


//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State

//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path

//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User

//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name
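As an added example (not from the post), here is a small Python triage script that runs the five audit queries above with /format:csv, the CSV output format mentioned in Part 1, parses the result, and additionally flags binaries started from user-writable directories. It assumes wmic's CSV layout (a blank first line, then a header whose first column is Node); the live wmic_runner needs a Windows host and is not exercised by the embedded, constructed sample output.

```python
import csv
import subprocess

# The audit queries from the post as argument lists for wmic.exe; /format:csv is
# appended at run time so the output can be parsed instead of eyeballed.
AUDIT_QUERIES = {
    "odd_executables": ["PROCESS", "WHERE", "NOT ExecutablePath LIKE '%Windows%'", "GET", "ExecutablePath"],
    "auto_services": ["SERVICE", "WHERE", "StartMode='Auto'", "GET", "Name,State"],
    "user_shares": ["SHARE", "WHERE", "NOT Name LIKE '%$'", "GET", "Name,Path"],
    "startup_items": ["STARTUP", "GET", "Caption,Command,User"],
    "enabled_local_accounts": ["USERACCOUNT", "WHERE", "Disabled=0 AND LocalAccount=1", "GET", "Name"],
}
# Binaries launched from user-writable directories deserve a closer look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def parse_wmic_csv(text):
    """Parse wmic /format:csv output into dicts, dropping the Node column.
    Assumes wmic's layout: a blank first line, then a header beginning with Node."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [{k: v for k, v in row.items() if k != "Node"} for row in csv.DictReader(lines)]

def flag_writable_paths(rows, key):
    """Return the values of `key` that point into a user-writable directory."""
    return [r[key] for r in rows if any(p in r[key].lower() for p in USER_WRITABLE)]

def run_audit(runner):
    """runner(args) -> wmic CSV text. Collect every check, then flag binaries in user-writable dirs."""
    res = {name: parse_wmic_csv(runner(args)) for name, args in AUDIT_QUERIES.items()}
    res["writable_executables"] = flag_writable_paths(res["odd_executables"], "ExecutablePath")
    res["writable_startup"] = flag_writable_paths(res["startup_items"], "Command")
    return res

def wmic_runner(args):
    """Live runner for a Windows host (not exercised offline). stdin is closed because
    wmic can hang on an inherited console handle when launched from a script."""
    return subprocess.run(["wmic", *args, "/format:csv"], stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, check=True).stdout

SAMPLE_OUTPUT = {  # constructed wmic /format:csv output; host, paths and names are made up
    "odd_executables": "\r\nNode,ExecutablePath\r\nWS01,C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n"
                       "WS01,C:\\Users\\neo\\AppData\\Local\\Temp\\upd.exe\r\n",
    "auto_services": "\r\nNode,Name,State\r\nWS01,Fax,Stopped\r\nWS01,wuauserv,Running\r\n",
    "user_shares": "\r\nNode,Name,Path\r\nWS01,Public,C:\\Users\\Public\r\n",
    "startup_items": "\r\nNode,Caption,Command,User\r\nWS01,upd,C:\\Users\\neo\\AppData\\Local\\Temp\\upd.exe,WS01\\neo\r\n",
    "enabled_local_accounts": "\r\nNode,Name\r\nWS01,Administrator\r\nWS01,neo\r\n",
}

def sample_runner(args):
    """Offline stand-in for wmic_runner: find the check whose argument list matches."""
    return next(out for name, out in SAMPLE_OUTPUT.items() if AUDIT_QUERIES[name] == args)
```

On a Windows host, `run_audit(wmic_runner)` produces the same dictionary from live data; the sample runner only exists so the parsing and flagging can be checked anywhere.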

Enjoyyyyy....

Sunday, March 15, 2009

Windows Commandline KungFu Part 1

When I first attended training by Ed on command line kung fu I was just amazed.

Well, basically command line kung fu is more about the Windows command line, since Linux already has an extremely powerful command line, so there is no need to go to that side.

Lots of people don't know or ignore the power of wmic commands. We will start with the wmic command, which lets us do some of the things we always do on Linux.

C:\> wmic process [pid] delete

That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".

Or, better yet, try this one on for size:

C:\> wmic process where name='cmd.exe' delete

I love that one! It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.

And, check this out:

C:\> wmic process list brief /every:1

Sort of like (but not exactly) the Linux/UNIX top command.

But, wait! There's more...

C:\> wmic useraccount

This one gives a lot more detail than the old "net user" command. With "wmic useraccount" you get user names, SIDs, and various security settings.

Fun, fun, fun! Here's another:

C:\> wmic qfe

This one shows all hotfixes and service packs. qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.

C:\> wmic startup list full

It shows a whole bunch of stuff useful in malware analysis, including all files loaded at Startup and the reg keys associated with autostart.

C:\> wmic process list brief | find "cmd.exe"

That works a little like a Linux "ps -aux | grep cmd.exe".

So, I run it as I show above, piping its output through sort, find, findstr, etc.

C:\> wmic /output:[file] [stuff you want it to do] /format:[format]

Numerous formats are supported, including HTML format (hform), CSV, XSL, and so on. So, check this out:

C:\> wmic /output:c:\os.html os get /format:hform

Then, open c:\os.html in a browser, and soak in that beautiful output. Ooooohhhh. Ahhhhhhh.

For a list of format types supported by WMIC, you could type:

C:\> wmic [stuff to do] /format /?

As in:

C:\> wmic process list /format /?

Going further, there is the ability to pull lists of attributes and output them nicely, as follows:

C:\> wmic /output:c:\temp.html os get name,version /format:htable.xsl