Windows Command Line cheatsheet (part 1): some useful tips

Yes, Windows can be used from the command line too…


Today I propose a brief list of useful Windows CLI commands for daily use.

Windows Registry


Adding Keys and Values

C:\> reg add [\\TargetIPaddr\][RegDomain]\[Key]

Add a key to the registry on machine [TargetIPaddr] within the registry domain [RegDomain] at location [Key].

If no remote machine is specified, the current machine is assumed.

Export and Import

C:\> reg export [RegDomain]\[Key] [FileName]

Export all subkeys and values located in the domain [RegDomain] under the location [Key] to the file [FileName].

C:\> reg import [FileName]

Import all registry entries from the file [FileName].

Import and export can only be done from or to the local machine.

Query for a specific Value of a Key

C:\> reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName]

Query a key on machine [TargetIPaddr] within the registry domain [RegDomain] at location [Key] and get the specific value [ValueName] under that key.

Add /s to recurse all values.
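The three reg verbs above combined into a small autostart audit, as an added example that is not part of the original cheatsheet. The Run key path is a real Windows location; the backup file name, the value name checked and the host name HOST01 are placeholders to adjust.

```batch
@echo off
REM Added example (not from the original cheatsheet): audit the per-machine
REM autostart key with the reg verbs documented above.
setlocal
set "RUNKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REM Example value name (present on Windows 10 by default); substitute your own.
set "VALUE=SecurityHealth"

REM 1. Export the key to a .reg file first, so any later change can be
REM    reverted with "reg import". Export and import only work locally.
reg export "%RUNKEY%" run-backup.reg /y

REM 2. List every value under the key and recurse into subkeys (/s).
reg query "%RUNKEY%" /s

REM 3. Check one specific value by name. reg query sets errorlevel 1 when
REM    the value does not exist, so the result can drive a decision.
reg query "%RUNKEY%" /v "%VALUE%" >nul 2>&1
if errorlevel 1 (
    echo Autostart entry "%VALUE%" is NOT present
) else (
    echo Autostart entry "%VALUE%" is present:
    reg query "%RUNKEY%" /v "%VALUE%"
)

REM 4. Same recursive query on a remote host (placeholder HOST01): prefix the
REM    hive with \\HOST\. Needs the Remote Registry service on the target and
REM    an account with rights there; only HKLM and HKU can be opened remotely.
reg query "\\HOST01\%RUNKEY%" /s
endlocal
```

Keeping the export in step 1 is the habit worth copying: a .reg backup taken before any remediation makes "reg import" a one-command rollback.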


WMIC


Fundamental grammar

C:\> wmic [alias] [where clause] [verb clause]

Useful [aliases]:

  • process
  • service
  • share
  • nicconfig
  • startup
  • useraccount
  • qfe (Quick Fix Engineering: shows installed patches)

Example [where clauses]:

  • where name="nc.exe"
  • where (commandline like "%stuff")
  • where (name="cmd.exe" and parentprocessid!="[pid]")

Example [verb clauses]:

  • list [full|brief]
  • get [attrib1,attrib2…]
  • call [method]
  • delete

List all attributes of [alias]:

C:\> wmic [alias] get /?

List all callable methods of [alias]:

C:\> wmic [alias] call /?

Example: list all attributes of all running processes:

C:\> wmic process list full

Make WMIC act on the remote machine [TargetIPaddr]:

C:\> wmic /node:[TargetIPaddr] /user:[User] /password:[Passwd] process list full
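A quick host triage built from the wmic grammar above ([alias] [where clause] [verb clause]), as an added example that is not part of the original cheatsheet. The aliases and property names are real WMI ones; HOST01 and the account name are placeholders.

```batch
@echo off
REM Added example (not from the original cheatsheet): host triage with the
REM wmic aliases, where clauses and verbs listed above.
REM In a .bat file every "%" in a LIKE pattern must be doubled ("%%"); at the
REM interactive prompt write a single "%".

REM Processes: name, PID, parent PID and full command line of any process
REM whose command line contains "powershell" (LIKE is case-insensitive).
wmic process where (commandline like "%%powershell%%") get name,processid,parentprocessid,commandline

REM Services: set to start automatically but not running right now.
wmic service where (startmode="Auto" and state!="Running") get name,pathname,startname

REM Shares: anything beyond the administrative defaults deserves a look.
wmic share get name,path,description

REM Autostart entries (Run keys and Startup folders) with their owner.
wmic startup get caption,command,location,user

REM Patch level: hotfix IDs with install dates.
wmic qfe get hotfixid,description,installedon

REM The same process listing on a remote host (placeholder HOST01). Leaving
REM /password out makes wmic prompt for it, so it does not end up in the
REM command history. Needs RPC/DCOM access and local admin rights on HOST01.
wmic /node:HOST01 /user:HOST01\Administrator process list brief
```

The "get" verb with an explicit attribute list is usually more useful than "list full": it keeps the output to the columns you actually compare across hosts.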

Processes and Services


List all processes currently running:

C:\> tasklist

List all processes currently running and the DLLs each has loaded:

C:\> tasklist /m

List all processes currently running which have the specified [dll] loaded:

C:\> tasklist /m [dll]

List all processes currently running and the services hosted in those processes:

C:\> tasklist /svc

Query brief status of all services:

C:\> sc query

Query the configuration of a specific service:

C:\> sc qc [ServiceName]

File Search and Counting Lines


Search the directory structure for a file in a specific directory:

C:\> dir /b /s [Directory]\[FileName]

Count the number of lines on the standard output of [Command]:

C:\> [Command] | find /c /v ""

Finds the count (/c) of lines that do not contain (/v) the empty string ("").
Every line, even a blank one, still holds a CR/LF and so "does not contain nothing": the result is the total number of lines.


Command line FOR loops


Counting Loop

C:\> for /L %i in ([start],[step],[stop]) do [command]

Set %i to an initial value of [start] and increment it by [step] at every iteration until its value is equal to [stop].

For each iteration, run [command].

The iterator variable %i can be used anywhere in the command to represent its current value. (In a batch file, write %%i instead of %i.)

Iterate over file contents

C:\> for /F %i in ([file-set]) do [command]

Iterate through the contents of the file on a line-by-line basis.
For each iteration, store the contents of the line into %i and run [command].
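The tasklist, sc, find /c and FOR constructs from the last three sections combined into one script, as an added example that is not part of the original cheatsheet. The service names in the constructed list and the DLL name are ordinary Windows ones; adjust them to what you are investigating.

```batch
@echo off
REM Added example (not from the original cheatsheet): process and service
REM checks driven by the FOR loops above. In a .bat file the loop variable
REM is %%i; at the interactive prompt it is %i.
setlocal

REM Count running processes: find /c /v "" counts every line of stdout, and
REM tasklist prints 3 header lines (blank, column names, separator).
for /F %%c in ('tasklist ^| find /c /v ""') do set /A PROCS=%%c-3
echo Running processes: %PROCS%

REM Which services live inside svchost.exe instances.
tasklist /svc /fi "IMAGENAME eq svchost.exe"

REM Iterate over a file of service names (constructed list, one per line) and
REM show start type and binary path of each with "sc qc".
(echo RemoteRegistry& echo WinRM& echo Spooler) > services.txt
for /F %%s in (services.txt) do (
    echo === %%s ===
    sc qc %%s | findstr /C:"START_TYPE" /C:"BINARY_PATH_NAME"
)

REM Counting loop: three samples, 5 seconds apart, of the processes that have
REM wininet.dll loaded, a quick way to notice an unexpected HTTP client.
for /L %%i in (1,1,3) do (
    echo --- sample %%i ---
    tasklist /m wininet.dll /fo table /nh
    timeout /t 5 /nobreak >nul
)
endlocal
```

The subtraction of the three header lines is the detail people forget when they turn "find /c /v" into a metric; check it once against a plain "tasklist" before trusting the number.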


Networking


Useful NETSTAT syntax

Show all TCP and UDP port usage and process ID:

C:\> netstat -nao

Look for usage of port [port] every [N] seconds:

C:\> netstat -nao [N] | find "[port]"

Dump detailed protocol statistics:

C:\> netstat -s -p [tcp|udp|ip|icmp]

Useful NETSH syntax

Turn off the built-in Windows firewall:

C:\> netsh firewall set opmode disable

Configure interface "Local Area Connection" with [IPaddr] [Netmask] [DefaultGW]:

C:\> netsh interface ip set address local static [IPaddr] [Netmask] [DefaultGW] 1

Configure DNS server for "Local Area Connection":

C:\> netsh interface ip set dns local static [IPaddr]

Configure interface to use DHCP:

C:\> netsh interface ip set address local dhcp
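The netstat and netsh commands above used from the defender's side, as an added example that is not part of the original cheatsheet: map every listening TCP port to its process, bound the port-polling form with a counting loop, and inspect the firewall and interface state before changing anything. Port 3389 is just the example port.

```batch
@echo off
REM Added example (not from the original cheatsheet): listening ports mapped
REM to processes, bounded polling, and firewall/interface inspection.
setlocal

REM In a "netstat -nao" line the 2nd token is the local address and the 5th
REM is the owning PID; tasklist /fo csv gives the image name in column 1.
for /F "tokens=2,5" %%a in ('netstat -nao ^| findstr /C:"LISTENING"') do (
    for /F "tokens=1 delims=," %%n in ('tasklist /fi "PID eq %%b" /fo csv /nh') do (
        echo %%a  pid=%%b  image=%%~n
    )
)

REM "netstat -nao [N]" above repeats forever; a counting loop bounds it.
REM Five samples, 2 seconds apart, of non-listener sockets on port 3389.
for /L %%i in (1,1,5) do (
    for /F %%c in ('netstat -nao ^| findstr /C:":3389 " ^| findstr /V /C:"LISTENING" ^| find /c /v ""') do (
        echo sample %%i: %%c active connections on port 3389
    )
    timeout /t 2 /nobreak >nul
)

REM Inspect the firewall instead of switching it off. The "netsh firewall"
REM context shown above is deprecated since Windows Vista; "advfirewall" is
REM the current one.
netsh advfirewall show allprofiles state

REM Show the current addressing before setting a static address. "local" in
REM the commands above must be the exact interface name; on current Windows
REM it is usually "Ethernet" rather than "Local Area Connection".
netsh interface ip show config
endlocal
```

Note that the echo inside the loops deliberately avoids parentheses in its text: an unescaped ")" inside a FOR block would end the block early.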

References

https://pen-testing.sans.org/resources/downloads

Windows XP is too unstable to spread WannaCry?

After all, the BSOD is also a useful feature!


The researchers of security firm Kryptos Logic have performed an extensive analysis of the well-known WannaCry ransomware.

One of the findings is really interesting (and funny!):

WannaCry can infect machines that still run Windows XP, but XP is so unstable and crashes too much to correctly spread the infection.

In their sandbox, the researchers first manually executed WannaCry on a Windows 2008 machine, then tested propagation via the ETERNALBLUE exploit, sending the payload on using DOUBLEPULSAR.

Here's the result:

  • Windows XP with Service Pack 2: no infection
  • Windows XP with Service Pack 3: random blue screen of death (BSOD), but no infection
  • Windows 7 64-bit with Service Pack 1: infected after multiple attempts
  • Windows Server 2008 with Service Pack 1: could not replicate infection, but reported as exploited


Take a look at the full report on Kryptos Logic's blog:

https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html

The worst Windows RCE exploit of all time is coming?

Google Project Zero's researchers have discovered another critical remote code execution vulnerability in Microsoft's Windows, and it seems truly bad!



UPDATE

Microsoft quickly released a fix, and Project Zero released the vulnerability details:

https://www.andreafortuna.org/the-crazy-bad-vulnerability-has-been-fixed-by-microsoft-in-a-very-short-time-9dd54c0d0ece


During the weekend, Project Zero researchers Tavis Ormandy and Natalie Silvanovich announced that they have discovered

“the worst Windows remote code execution vulnerability in recent memory”

https://twitter.com/taviso/status/860679110728622080

The researchers did not provide any further details, as Google gives all software vendors a 90-day security disclosure deadline to patch their products before the issue is disclosed to the public.


I will update the post as soon as more information is available …

Stay tuned!

How to open very large text files on Windows

Some graphical tools and two command line tips

I've had to search for the occurrences of a string within some very large text files, the result of a "file carving" made with Autopsy.

Usually on Windows I use Notepad++, which provides a convenient 'Search in files' feature, but this great tool has difficulty opening files larger than 2 GB.

However, there are some other solutions on Windows:

  • gVim: you need to be familiar with VI/VIM commands to use it, and it loads the entire file into memory.
  • 010Editor: opens giant (think 5 GB) files in binary mode and allows you to edit and search the text.
  • Liquid XML Community Edition: opens and edits TB+ files instantly, supports UTF-8, Unicode etc.
  • SlickEdit: useful IDE that can open very large files.
  • Emacs: must be compiled in 64-bit mode; it has a low maximum buffer size limit if compiled in 32-bit mode.
  • glogg: read only, allows search using regular expressions.
  • PilotEdit: loads the entire file into memory first.
  • HxD: hex editor, good for large files; a portable version is available.
  • LogExpert: smoothly opens log files greater than 6 GB.
  • FileSeek: it can find text strings or match regular expressions.

Furthermore, if you feel comfortable using the command line, there are some console solutions (built into Windows):

  • The more command might be good enough:

Displays output one screen at a time.

MORE [/E [/C] [/P] [/S] [/Tn] [+n]] < [drive:][path]filename
command-name | MORE [/E [/C] [/P] [/S] [/Tn] [+n]]
MORE /E [/C] [/P] [/S] [/Tn] [+n] [files]

    [drive:][path]filename  Specifies a file to display one screen at a time.
    command-name            Specifies a command whose output will be displayed.
    /E      Enable extended features
    /C      Clear screen before displaying page
    /P      Expand FormFeed characters
    /S      Squeeze multiple blank lines into a single line
    /Tn     Expand tabs to n spaces (default 8)
            Switches can be present in the MORE environment variable.
    +n      Start displaying the first file at line n
    files   List of files to be displayed. Files in the list are separated by blanks.

If extended features are enabled, the following commands are accepted at the -- More -- prompt:

    P n     Display next n lines
    S n     Skip next n lines
    F       Display next file
    Q       Quit
    =       Show line number
    ?       Show help line
    <space> Display next page
    <ret>   Display next line

There is also a Windows built-in program called findstr.exe with which you can search within files:

Searches for strings in files.

FINDSTR [/B] [/E] [/L] [/R] [/S] [/I] [/X] [/V] [/N] [/M] [/O] [/P] [/F:file]
        [/C:string] [/G:file] [/D:dir list] [/A:color attributes] [/OFF[LINE]]
        strings [[drive:][path]filename[ ...]]

  /B         Matches pattern if at the beginning of a line.
  /E         Matches pattern if at the end of a line.
  /L         Uses search strings literally.
  /R         Uses search strings as regular expressions.
  /S         Searches for matching files in the current directory and all
             subdirectories.
  /I         Specifies that the search is not to be case-sensitive.
  /X         Prints lines that match exactly.
  /V         Prints only lines that do not contain a match.
  /N         Prints the line number before each line that matches.
  /M         Prints only the filename if a file contains a match.
  /O         Prints character offset before each matching line.
  /P         Skip files with non-printable characters.
  /OFF[LINE] Do not skip files with offline attribute set.
  /A:attr    Specifies color attribute with two hex digits. See "color /?"
  /F:file    Reads file list from the specified file(/ stands for console).
  /C:string  Uses specified string as a literal search string.
  /G:file    Gets search strings from the specified file(/ stands for console).
  /D:dir     Search a semicolon delimited list of directories
  strings    Text to be searched for.
  [drive:][path]filename
             Specifies a file or files to search.

Use spaces to separate multiple search strings unless the argument is prefixed
with /C.  For example, 'FINDSTR "hello there" x.y' searches for "hello" or
"there" in file x.y.  'FINDSTR /C:"hello there" x.y' searches for
"hello there" in file x.y.

Regular expression quick reference:
  .        Wildcard: any character
  *        Repeat: zero or more occurrences of previous character or class
  ^        Line position: beginning of line
  $        Line position: end of line
  [class]  Character class: any one character in set
  [^class] Inverse class: any one character not in set
  [x-y]    Range: any characters within the specified range
  \x       Escape: literal use of metacharacter x
  \<xyz    Word position: beginning of word
  xyz\>    Word position: end of word

For full information on FINDSTR regular expressions refer to the online Command
Reference.

For example:

findstr /s "Login failed" *.txt
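A few more ways to use findstr and more on multi-gigabyte carving output, as an added example that is not part of the original post. Both tools stream the file rather than loading it, which is the whole point here; the file names and the line number are placeholders, the patterns are the ones discussed in the post.

```batch
@echo off
REM Added example (not from the original post): searching large text files
REM with the built-in findstr and more, without loading them into memory.

REM Literal phrase, case-insensitive, recursive, with file name and line
REM number. /C: keeps the space inside the phrase; without it findstr would
REM search for "Login" OR "failed" (see the help text above).
findstr /S /I /N /C:"Login failed" *.log *.txt

REM Regular expressions: findstr has no alternation operator, but several
REM space-separated search strings are OR-ed. \< and \> are word boundaries,
REM so "error" matches but "errors" and "terror" do not.
findstr /R /I /N "\<error\> \<denied\>" carved.txt

REM Only list which files contain a match (handy over a carving directory).
findstr /S /M /I /C:"Login failed" *.txt

REM Count the hits: findstr prints one line per matching line, and
REM find /c /v "" counts those lines.
findstr /I /C:"Login failed" carved.txt | find /c /v ""

REM Read around a hit without opening the whole file: "more +n" starts at
REM line n and /E enables "S n" (skip n lines) and "=" (show line number)
REM at the -- More -- prompt.
more /E +2500000 carved.txt
```

Pairing "/N" with a later "more +n" is the usual workflow: findstr tells you where the hits are, more lets you read the context without a 2 GB editor buffer.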

Do you know other tools? I accept tips!

Are you telling me that you still have an internet-exposed IIS6?

You are insane!


Trend Micro has published on its blog an article about a new 0-day vulnerability that affects the WebDAV component of Microsoft Internet Information Services 6.0.

The vulnerability (CVE-2017-7269) is a buffer overflow located in the WebDAV component of IIS:

A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application. According to the researchers who found this flaw, this vulnerability was exploited in the wild in July or August 2016. It was disclosed to the public on March 27.


What is WebDAV?

Web Distributed Authoring and Versioning (WebDAV) is

an extension of the HTTP protocol that allows clients to perform remote Web content authoring operations.


The exploit

This vulnerability is exploited using the PROPFIND method and the If header. The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All WebDAV-compliant resources must support the PROPFIND method.

A proof-of-concept exploit was published by GitHub user edwardz246003:

https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

The Python script exploits the vulnerability and sends a payload that only starts calc.exe on the remote machine, but

Other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code.


Mitigation?

IIS 6.0 was included with Windows Server 2003.

Unfortunately, Microsoft no longer supports the old OS version and won't be patching it anymore, unless you have access to Custom Premium Support (yes, it's really expensive!).

If you haven't planned a Windows upgrade (newer versions of Windows Server ship with newer versions of IIS that are not affected by this vulnerability), you can mitigate the risk by disabling the WebDAV service on the vulnerable IIS 6.0 installations.
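A check-and-disable routine for WebDAV on IIS 6.0, as an added example that is not part of the original post; it reuses the reg query form from the cheatsheet above. It assumes the iisext.vbs administration script that ships with IIS 6.0 in %SystemRoot%\system32, its /ListExt and /DisExt verbs, and the extension identifier WEBDAV; confirm all three with /ListExt on your own server before relying on them.

```batch
@echo off
REM Added example (not from the original post): find out whether an IIS 6.0
REM host still allows the WebDAV web service extension, and prohibit it.
REM Assumptions: iisext.vbs in %SystemRoot%\system32 and the extension
REM identifier WEBDAV; verify both with /ListExt on the server itself.

REM IIS major version from the registry (6 = IIS 6.0 on Windows Server 2003).
reg query "HKLM\SOFTWARE\Microsoft\InetStp" /v MajorVersion

REM List all web service extensions with their current status
REM (assumed output: 0 = prohibited, 1 = allowed; check on your host).
cscript //nologo %SystemRoot%\system32\iisext.vbs /ListExt

REM Prohibit WebDAV. Remove the REM to apply it, then re-run /ListExt to
REM confirm the extension is no longer allowed.
REM cscript //nologo %SystemRoot%\system32\iisext.vbs /DisExt WEBDAV
```

Prohibiting the extension is a configuration change, so export the relevant IIS settings (or take a server backup) first, exactly as the registry section above recommends for reg changes.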


More technical information

https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py