If you check out wmic has many good feature that we never use. Since I like commandline very much I am always upto commands and keybord shortcuts. :D
Now some more info about wmic...
If you use command
C:\> wmic /?
Then you would get a list of attributes and all the settings for given alias.
For example type
C:\>wmic share list full
AccessMask=
AllowMaximum=TRUE
Description=Remote IPC
InstallDate=
MaximumAllowed=
Name=IPC$
Path=
Status=OK
Type=-2147483645
...
...
Good ? not enough but there is more wmic is object oriented , so you've got attributes and methods. Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.
For example
C:\> wmic process where name="cmd.exe" call getowner
Or, even:
C:\> wmic process where name="cmd.exe" call getownersid
Nice ! isnt it ?
Second Example : We want a built in command to reboot or shutdown windows box accross the network. Try this
C:\> wmic os where buildnumber="2600" call reboot
Third example get parameter (Atrribute of object)
C:\>wmic nic get macaddress,name
You want interface-related methods? Check these out:
C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212
Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting. Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out. You have been warned!
Now how about some nasty example :D
Like from POST Exploitation ;)
you could:
C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog
Guess what it would do ????
or events like those associated with logging onto the box:
C:\> wmic ntevent where (message like "%logon%") list brief
Fifth, here is one that could be useful for handlers:
C:\>wmic netlogin where (name like "%neo%") get numberoflogons
NumberOfLogons
1760
Where neo is username offcourse.
you can use methods associated with "wmic service" to change the service configuration, as in:
C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath
//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State
//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User
//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"
Enjoyyyyy....
Showing posts with label command line. Show all posts
Showing posts with label command line. Show all posts
Tuesday, March 17, 2009
Thursday, January 29, 2009
Post Exploitation 2
We had discussion going on the topic Post exploitation when I realized that in my first post I didnt put any special things on windows. So I am adding that information in this second post on this topic.
Like lots of people dont know that there are FOR loop on windows command line using which we can have a ping sweep or port scan from cmd without any thirdparty tools.
Ex.
Ping Sweep: Using following command we can run a ping sweep
FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
This command will run a ping sweep on 10.10.10.0/24
Command line port scanner using ftp client:
The windows ftp client can be used as a port scanner.
But
C:\> ftp [IP_address]
This is not allowing to put port number and defaults to port 21 for connection.
But... we can specify a destination port in a ftp command file
- open [IP_addr] [port]
FTP client then can read this ftp commands file and execute them.
C:\> ftp -s:[filename]
So using this and FOR loop together...
for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Now the ports.txt will have output of the port scanner.
One more option in the FOR command let us use file as input
Ex. There is file with name PTips.txt containing one IP address each line
so following command will iterate through the file.
FOR /F "delims=^" %i in (PTips.txt) do ping %i
C:\>ping 222.222.222.222
Pinging 222.222.222.222 with 32 bytes of data:
Reply from 222.222.222.222: Destination net unreachable.
...
...
Like lots of people dont know that there are FOR loop on windows command line using which we can have a ping sweep or port scan from cmd without any thirdparty tools.
Ex.
Ping Sweep: Using following command we can run a ping sweep
FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
This command will run a ping sweep on 10.10.10.0/24
Command line port scanner using ftp client:
The windows ftp client can be used as a port scanner.
But
C:\> ftp [IP_address]
This is not allowing to put port number and defaults to port 21 for connection.
But... we can specify a destination port in a ftp command file
- open [IP_addr] [port]
FTP client then can read this ftp commands file and execute them.
C:\> ftp -s:[filename]
So using this and FOR loop together...
for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Now the ports.txt will have output of the port scanner.
One more option in the FOR command let us use file as input
Ex. There is file with name PTips.txt containing one IP address each line
so following command will iterate through the file.
FOR /F "delims=^" %i in (PTips.txt) do ping %i
C:\>ping 222.222.222.222
Pinging 222.222.222.222 with 32 bytes of data:
Reply from 222.222.222.222: Destination net unreachable.
...
...
One more addition
Having only cmd in windows does put lot of restrictions.
Lots of time I miss the simple commands like in linux to get HTML pages.
Can we download HTML pages on windows without Browser ???
...
...
...
Yes We Can
The problem with telnet is it dont allows us to redirect the output or screen to some file...
So... so we use -f for creating log of the telnet session.
Ex. Windows telnet as simple HTTP GET tool
C:\> telnet -f log.txt
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>o in.yahoo.com 80
...
...
Microsoft Telnet>sen GET / HTTP/1.0
...
Html contents will scroll down all of sudden but dont worry,
all that content will be saved to the log file: log.txt
There you go.
Having only cmd in windows does put lot of restrictions.
Lots of time I miss the simple commands like in linux to get HTML pages.
Can we download HTML pages on windows without Browser ???
...
...
...
Yes We Can
The problem with telnet is it dont allows us to redirect the output or screen to some file...
So... so we use -f for creating log of the telnet session.
Ex. Windows telnet as simple HTTP GET tool
C:\> telnet -f log.txt
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>o in.yahoo.com 80
...
...
Microsoft Telnet>sen GET / HTTP/1.0
...
Html contents will scroll down all of sudden but dont worry,
all that content will be saved to the log file: log.txt
There you go.
 |
Subscribe to:
Posts (Atom)
