File000174

Module LXI - Windows-Based Command Line
Tools

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• IPSecScan
• MKBT
• Aircrack
• Outwit
• Joeware Tools
• MacMatch
• WhosIP
• Forfiles
• Sdelete
This module will familiarize you
with:

EC-Council
Module Flow
WhosIP
MacMatch
IPSecScan
Forfiles
Joeware Tools
MKBT
Sdelete
Outwit
Aircrack

EC-Council
IPSecScan
http://www.ntsecurity.nu/
IPSecScan scans single IP address or range of IP address
for systems which are ipsec enabled
It supports Windows 2000/XP

EC-Council
Windows-Based Command Line
Tools
LADS program lists all alternate
data streams of an NTFS directory
ListDLLs shows the full path
names of the loaded modules
Source: http://technet.microsoft.com/

EC-Council
Tools (cont’d)
Lsadump2 dumps the contents of the
LSA secrets on a machine
MBRWiz sets partitions active for
booting and can delete or hide partition

EC-Council
Tools (cont’d)
Mirror is a simple command line tool to
mirror two directories with sub-structures
that will only copy the files that are newer and
delete all files in the mirror that are no longer
present in the source
Make Bootable (MKBT ) is used for
installing boot sectors
Source: http://www.nu2.nu/

EC-Council
NBTScan
http://www.unixwiz.net/
NBTScan tool scans IP networks for NETBIOS name
information
Sends a NETBIOS status query to each host address
Displays IP address, NETBIOS computer name, logged-in user
name, and MAC address

EC-Council
Net Fizz
http://packetstorm.offensive-security.com/
Net Fizz multithreaded net share scanner for Windows NT
Shows hidden shares

EC-Council
Tools (cont’d)
NetPWAge displays password age
for both user and machines
NirCmd works without displaying
the user’s interface
Source: http://www.optimumx.com/
Source: http://www.nirsoft.net/

EC-Council
Tools (cont’d)
MacMatch searches and identifies
files that are last updated, accessed, or
created
NTFSinfo is an applet which shows
names and sizes of all NTFS meta-data
files
Source: http://www.ntsecurity.nu/

EC-Council
NTLast
http://www.foundstone.com/
NTLast identifies and tracks the users who gain access to the system
Reports on the status of IIS users
Filters out web server logons from the console logons
• C:CMDTntlast>ntlast
Syntax:

EC-Council
PMDump
http://www.ntsecurity.nu/
PMDump dumps the process memory contents to a file
Lists out the running processes and their PIDs
• C:CMDT>pmdump <pid><filename>
Syntax:

EC-Council
Tools (cont’d)
Poke is a run-time process
examination tool that helps if the
process to be examined has some
heavy anti-debugging features
Poorsniff is a Windows sniffer tool
that sniffs the IP addresses that are
accessed by the user
Source: http://www.toolcrypt.org

EC-Council
Tools (cont’d)
Procinfo displays information about
running processes
Ptime is an automatic process timer
that accurately measures the program
execution time in seconds

EC-Council
Tools (cont’d)
Sdelete allows to delete one or more
files and/or directories, or to cleanse the
free space on a logical disk
SetOwner changes the ownership of
files/directories to any account

EC-Council
SQLCmd
http://msdn.microsoft.com/
SQLCmd allows to execute sql queries against ODBC data sources
Executes sql query by specifying a database, username, and password (if required)
Captures output either on screen or in a log file
•C:CMDTsqlcmd>sqlcmd [options]
Syntax:

EC-Council
StreamFind
http://technet.microsoft.com/
StreamFind a command line utility for reporting alternate data streams
Reports the existence of Streams on an NTFS partition
Examines files on an NTFS partition for the presence of non-default data streams
•C:CMDTstreamfind>streamfind[drive:][path][filename]
[/E][/P][/S][/?]
Syntax:

EC-Council
Tools (cont’d)
Strings searches files for ASCII or
UNICODE strings
TestDisk tool recovers lost partitions
and/or makes non-booting disks
bootable again

EC-Council
UpTime analyzes a single server for
reliability and availability information
UPX is a free, portable, extendable, and
high-performance executable packer for
several different executable formats
Tools (cont’d)

EC-Council
Tools (cont’d)
VNCPwdump is used to dump and
decrypt the registry key containing the
encrypted VNC password in a few
different ways
WhosIP easily finds and retrieves the
available information about an IP
address

EC-Council
winarp_mim
http://www2.packetstormsecurity.org/
winarp_mim useful for sniffing in a switched network
Supports Win9x/Win2K/WinXP
• C: CMDT winarp_mim>winarp_mim -a target_a_ip -
b target_b_ip [-t delay] [-c count] [-v]
Syntax:

EC-Council
Tools (cont’d)
winarp_sk is a swiss knife tool that
forges ARP packets (Ethernet and ARP
headers)
WinDump is used to watch and
detect network traffic in Windows

EC-Council
Winexit
http://keepass.info/
Winexit is used to exit windows from the command line
• C:CMDTwinexit>logoff
• C: CMDT winexit>reboot
• C: CMDT winexit>reboot_force
• C: CMDT winexit>shutdown
• C: CMDT winexit>shutdown_force
Syntax:

EC-Council
Tools (cont’d)
NetE calls is an Application Program
Interfaces(APIs) that returns remote
information at each of their valid levels
until data is retrieved
PSCP application transfers files
securely between computers using an
SSH connection

EC-Council
Tools (cont’d)
PSFTP is used for transferring files
securely between computers using an
SSH connection
Pwdump2 can dump password hashes
from Active Directory

EC-Council
Tools (cont’d)
ScanLine is a command-line port
scanner for all Windows platforms
Strace is a debugging/investigation
utility that examines the NT system
calls made by a process

EC-Council
UnRAR
http://www.velocityreviews.com/
Resource Adapters aRchive (RAR) is a program to compress multiple files in an archive
UnRAR decompresses RAR archives
•C:CMDTunrar>unrar <command> -<switch 1> -<switch N>
<archive> <files...> <@listfiles...> <path_to_extract>
Syntax:

EC-Council
Nmap
http://nmap.org/
Network Mapper(Nmap) is an open source utility for network exploration or
security auditing
Uses raw IP packets to determine the available hosts on the network, services
they offer etc.
• C:CMDTNmap>nmap [Scan Type(s)] [Options] <host or
net list>
Syntax:

EC-Council
Tools (cont’d)
Rconip is a well-designed remote
console for NetWare running over IP
Outwit (docprop) utility is a suite
of tools based on the Unix tool design
principles

EC-Council
Tools (cont’d)
Outwit provides ODBC-based database
access and prints the results of an SQL select
command run on any database
Outwit (readlink) uses the Windows API
for resolving shortcuts and provides text-
based access to the Windows registry

EC-Council
Tools (cont’d)
Outwit (read log) provides text-based
access to the Windows event log
Outwit (winclip) provides access to
the Windows clipboard from a
console or MS-DOS window

EC-Council
Outwit (winreg)
http://dmst.aueb.gr/
Outwit (winreg) provides text-based access to the Windows registry
It will not process data types other than the ones described
•winreg [-F FS] [-r name] [-ntvci] [key]
Syntax :

EC-Council
pdftohtml, pdftotext(Xpdf)
http://sourceforge.net/
• Converts PDF files into HTML and XML formats
Pdftohtml:
• Converts Adobe PDF documents to simple text format
• It works as a open source viewer for pdf files
Pdftotext (Xpdf):

EC-Council
Tools (cont’d)
Permute is a word list permutation
program
Plink (puTTy) works as a command-
line interface to the PuTTY back ends

EC-Council
AccExp is a set of several useful
utilities, especially for Active Directory
management
AdFind is used for active directory
queries
Tools (cont’d)

EC-Council
Tools (cont’d)
AdMod tool can modify, delete,
rename, move, and undelete an
objects in Active Directories
ATSN converts IP addresses to
subnet/site information

EC-Council
Tools (cont’d)
AUTH tool is used for testing
authentication of the user id
ChangePW tool is used to change
the passwords using command line
prompt

EC-Council
Joeware Tools (CPAU)
http://www.joeware.net/
CAPU command line tool for starting process in alternate security context
Allows to create job files and encode the ID, password, and command line in a file
• CPAU -u user [-p password] -ex "WhatToRun"
[switches]
Syntax :

EC-Council
Joeware Tools
ClientTest is a GUI tool that verifies
TCP/IP socket communication
• clienttest [No Switches]
Syntax :
ELDLL holds basic resource information
for customized event logging
• ELDLLInstall sourcename
eventlog [OPTIONS]
Syntax :

EC-Council
Tools (cont’d)
ELDLLEx is a DLL that contains
basic resource information for
customized logging
ExchMbx is a command line tool for
exchanging mailbox

EC-Council
Joeware Tools (Expire)
Expire tool flags accounts and alter passwords on their next logon
• Expire filename [minimum password age]
Syntax :

EC-Council
Tools (cont’d)
FindExpAcc locates accounts that
are expired and accounts holding
expired passwords
FindNBT scans a subnet looking for
Windows PCs

EC-Council
Joeware Tools (FindPDC)
FindPDC locates PDC of domain
• FindPDC domain count
Syntax :

EC-Council
Tools (cont’d)
GCChk locates active directory
consistency issues and picks up missing
GUIDs
GetUserInfo extracts the user’s
information from a domain

EC-Council
Tools (cont’d)
LG manages built-in, local, and
domain local groups
MemberOf displays user’s group
memberships

EC-Council
Joeware Tools (NetSess)
NetSess enumerates Net BIOS sessions on a specified local or remote machine
• netsess [servername] [clientname] [switches]
Syntax :

EC-Council
Tools (cont’d)
OldCmp is used to find and clean
old computer accounts that have not
been utilized
Quiet silently launches a process

EC-Council
SecData displays security info about
users/computers
SecTok displays parts of the process
token of the current process
Tools (cont’d)

EC-Council
Joeware Tools (SeInteractiveLogonRight)
• seinteractivelogonright<[DOMAIN]Account>
[TargetMachine]
Syntax :
SeInteractiveLogonRight configures the system and approves specific
user/groups to logon locally

EC-Council
Tools (cont’d)
SidToName resolves SIDs to user
friendly names
ShrFlgs configures share flags

EC-Council
Joeware Tools (SNU)
SNU is a network share connection tool which is mainly utilized for
monitoring scripts
• SNU servernamesharename (/ADD | /DEL)
Syntax :

EC-Council
Joeware Tools (SvcUtl)
SvcUtl displays service information
Unlock displays current locked and
unlocked accounts

EC-Council
Joeware Tools (UserDump)
• userdump [machine]
Syntax :
UserDump dumps basic user information from NT Based system

EC-Council
Joeware Tools (UserName)
UserName displays current user ID in multiple formats
• UserName [switches]
Syntax :

EC-Council
Joeware Tools (W2KLockDesktop)
W2KLockDesktop locks desktop immediately
No local security requirements is needed to run this tool
• w2klockdesktop
Syntax :

EC-Council
Joeware Tools (WriteProt)
WriteProt tool is used to write protect disk volumes in Windows XP and
Windows Server 2003
• WriteProt [switches]
Synopsis:

EC-Council
Cb, Cliptext
• Copies input to the clipboard
• Captures output from another program
• Syntax: dir /b /on | cb
Cb:
• Copies text from file to clipboard and vice-versa
• Syntax:
• ClipText from file.ext [/DOS] [/append]
• ClipText to file.ext [/DOS] [/append]
ClipText:

EC-Council
Screenshot : Cb, Cliptext
Cb
ClipText

EC-Council
Cmdline, Contig
• Lists all the process on the system
• Follows chronological order for listing processes
• Syntax: Cmdline [-pid][-u][-?]
Cmdline:
• Optimizes usage by making file contiguous in the memory
• Syntax: contig [-v] [-a] [-q] [-s] [filename]
-v Verbose -a Analyze fragmentation -q
Quiet mode -s Recurse subdirectories
Contig:

EC-Council
Screenshot : Cmdline, Contig
Cmdline Contig

EC-Council
cURL
http://curl.haxx.se/
cURL is a tool to transfer data from or to a server, using one of the supported protocols
(HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE)
curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based
upload, proxies, cookies, user and password authentication (Basic, Digest, NTLM,
Negotiate, kerberos...), file transfer resume, and proxy tunneling

EC-Council
Devcon
http://support.microsoft.com/
Devcon acts as an alternative to the device manager
Provides unavailable information in the device manager
• devcon.exe [-r][-m:<machine>]<command>[<arg>…]
-r reboots the machine when command completes
<machine> is the name of the target machine
<command> is the command to perform
<arg>… arguments, if required by the command
Syntax:

EC-Council
Screenshot : Devcon

EC-Council
Dig
http://serghei.net/
Dig investigates and digs into
DNS(Domain Name System)
• dig [@global-server]
[domain] [q-type] [q-
class] {q-opt}{global-d-
opt}host [@local-server]
{local-d-opt}[host
[@local-server]{local-d-
opt} […] ]
Syntax:

EC-Council
Diskmap
• diskmap/<disk number>
/d<disk number> shows
number of the disk to map
/h shows hexadecimal
output
Syntax:
Diskmap tool depicts disk attributes
and geometry from the registry
Reads and displays disk partitions and
logical drives

EC-Council
Dispchg
http://www.arminhanisch.de/
Dispchg scans and alters video modes from display driver
option -help,
-list,
-current,
-set mode,
-change
[-freak] makes output
easier for
filters
• DispChg <option> [-freak]
Syntax:

EC-Council
Dumpwin, dWhich
http://www.governmentsecurity.org/
• Provides information of the system where it is executed
• Syntax: dumpwin (options)
options are: -I, -d, -s, -m, -h, -t, -p, -v, -g, -u, -n
Dumpwin:
• Maps the full executable path of the file
• Syntax: dWhich filename [.ext]
[.ext] extension of the file is optional and
applicable with .bat, .btm,
.cmd, .com, or .exe file extensions
dWhich:

EC-Council
Screenshot: Dumpwin, dWhich
dWhich
Dumpwin

EC-Council
Efsdump, Efsview
• Lists users that can access encrypted file
• Accepts wildcards to get encrypted program
• Syntax: efsdump [-s] <file or directory>
-S Recurse subdirectories
Efsdump:
• Shows users having decryption or recovery keys for encrypted directories or files
• Syntax: efsview <filename>
Efsview:

EC-Council
Screenshot: Efsdump, Efsview
Efsdump
Efsview

EC-Council
Eldump
http://www.ibt.ku.dk/
• eldump [options]
Syntax:
• -f filename in which dump text is written
• -s server for which to dump the eventlog
• -l log name to be dumped like system, applications
• -t tab separated output
Options:
Eldump tool dumps the contents of a NT event log
Dumping is made as text

EC-Council
Screenshot: Eldump

EC-Council
Enum, Eval
• Enumerates information with help of null sessions
• Retrieves user, machine and share lists,name lists, group and
member lists, password, and LSA policy
• Syntax: enum <-UMNSPGLdc> <-u username> <-p
password><-f dictfile> <hostname|ip>
-u get user list -m get machine list
-s get share list -p get password policy
information
Enum:
• Quickly evaluates mathematical expressions
• Syntax: eval expression
expression valid math equation with parenthesis
precedence
Eval:

EC-Council
Screenshots: Enum, Eval
Enum
Eval

EC-Council
Ethernetchange
http://www.aecom.yu.edu/
Ethernetchange alters the Ethernet address of the network adapters in
Windows
• etherchange
Syntax:

EC-Council
Eventsave
http://www.heysoft.de/
Eventsave tool saves and clears event logs into files
Syntax: EventSave [Path][/CRemoteMachine|/A][-ANSI][/Mn]
Path Location of files
/c Save logs on
remote machine
Remote Machine
Save log of the
remote machine
/A Saves event
logs of all the NT
machines
ANSI ANSI character
set
/Mn Size of the target
file in MB

EC-Council
Filecase, Fileupload
• Renames directory/ file to uppercase or lowercase
• Syntax: filecase [/s][/h][/p][/q][/d][/l|/u]filespec..
Filecase:
/s Processes subdirectories /h Process hidden files/directories /q Quiet mode
/p Prompts for each file/directory to be renamed (Yes/No/All/Quit)
/d Renames directories and files /l Convert to lowercase /u Convert to uppercase
• Uploads file to a Web or a FTP server
• Syntax: upload
[path]file.ext><url>[<login>][<password>][/passive][/validate][
/post][/proxy][/delete][/noappend][/quiet] [path]file.ext
name of the file to upload url
destination url Login and password for authentication
FileUpload:
[path]file.ext name of the file to upload
url destination url
Login and password for authentication

EC-Council
Screenshot : Filecase, FileUpload
Filecase
FileUpload

EC-Council
ForceDisconnect, Format144
• Forcefully disconnects network volumes irrespective of open files
• Syntax: forcedisconnect
ForceDisconnect:
• Formats 1.44 MB floppy diskette
• Syntax: format144
Format144:

EC-Council
Screenshot : ForceDisconnect,
Format144
Format144
Force
Disconnect

EC-Council
Fpipe
http://www.secureroot.com/
Fpipe redirects source port and generates TCP or UDP stream
Syntax: FPipe [-hvu?] [-lrs <port>] [-i IP] IP
-?/-h - Shows this help text -i - Listening interface IP address
-l - Listening port number -r - Remote port number
-u - UDP mode -s - Outbound source port number
-v - Verbose mode -c - Maximum TCP connections

EC-Council
Fport
http://www.foundstone.com/
Fport lists all open TCP/IP and UDP ports and maps them to the owning
application
Syntax: fport

EC-Council
Fsum
http://www.slavasoft.com/
Fsum generates and verifies file checksum calculations
Syntax: fsum.exe [<OPTIONS>] [<FILES>]
-c Checksum against given list -d Set working directory
-jf Prints failed lines -jm Use MD5 format -js Use SFV format

EC-Council
GetLocale, Global
• Maps locale and code page information of the system
• Syntax: getlocale [ <options> ]
GetLocale:
none Get complete LCID /user = Get user language setting
/pri Get primary language ID /sub = Get only sublanguage ID
/cp Get output codepage number /1024 = Multiply sublanguage ID by 1024
• Recursively calls any utility or program
• Syntax: global [/h] [/p] [/q] [/i] command [args ...]
Global:
/h Process hidden/system directories
/p Prompt for each directory to be processed (Yes/No/All/Quit)
/q Quiet mode. Does not display each directory name before processed
/i Ignore exit codes. Default is to exit if command returns non-zero

EC-Council
Screenshot: GetLocale, Global
GetLocale
Global

EC-Council
GNU Httptunnel
http://www.nocrew.org/
GNU Httptunnel is used to create bidirectional virtual data path tunneled in HTTP requests
The requests can be sent via an HTTP proxy if required
It can be used to bypass firewalls

EC-Council
Gplist, Gsar
• Describes about applied group policies
• Syntax: gplist
Gplist:
• Performs general search and replace on files
• Syntax: gsar [options] [infile(s)]
[outfile]
Gsar:
Options:
-s<string> Search string -i Ignores cases
-r[string] Replace string -o Overwrite existing input file

EC-Council
Screenshot : Gplist, Gsar
Gplist Gsar

EC-Council
Guid2obj
Guid2obj alters GUID to a distinguished name
Syntax: guid2obj [{]Guid[}] [/server:ServerName]
[/site[:SiteName]] [/?]
[{]Guid[}]
specifies a GUID,
optionally with
surrounding braces
/server:ServerName
binds to the
server ServerName
/site[:SiteName]
binds to a domain
controller on the
site SiteName
/? Help screen

EC-Council
Handle
• Maps process handle information
• Syntax: handle [[-a][-u]|[-
c<handle>]|[-s]][-
<processname>|<pid>][name]
Handle:
-a Dumps handle information
-c Closes the handle
-s Print count of open handles
-u Show user name
-p Scan named processes
-name Search for object with a
particular name

EC-Council
3Scan
3Scan detector for open HTTP/CONNECT/SOCKS4/FTP/Telnet proxy
Checks accessibility of given HTTP or SMTP server via given proxy
Does not scan port and IP ranges

EC-Council
AGREP
http://www.tgries.de/
AGREP searches the input filenames for records containing strings which either exactly
or approximately match a pattern
Each record found is copied to the standard output
Approximate matching allows locating records that consist of patterns with several
errors including substitutions, insertions, and deletions

EC-Council
Aircrack
http://aircrack-ng.org/
Aircrack is an 802.11 WEP key cracker
Implements Fluhrer – Mantin – Shamir attacks
Instantly recovers the WEP key when sufficient encrypted packets have been obtained

EC-Council
ARPFlash
http://osflash.org/
ARPFlash is a pcap-based network discovery tool
Utilizes ARP messages to identify live hosts within a given IP-range
Does not require administrative privileges for operations

EC-Council
ASPNetUserPass
http://www.nirsoft.net/
ASPNetUserPass tool displays the password of the ASPNet user on the
computer
When the user runs the file in command prompt, it simply displays the
password of ASPNet user if it is stored on the system

EC-Council
AtNow
http://www.nirsoft.net/
AtNow schedules programs and commands to execute in
the near feature
The commands are executed within 70 seconds or less from
the moments it is executed, by default
Syntax: C:/>atnow [ComputerName] [Delay]
[/interactive] “command” [Parameters]

EC-Council
BBIE
http://www.nu2.nu/
Bart’s Boot Image Extractor (BBIE) tool extracts all boot images from a
bootable CD-ROM or ISO image file
Follows El Torito Bootable CD-ROM Format Specification v1.0

EC-Council
BFI
http://www.nu2.nu/
Builds Floppy Image(BFI) tool builds FAT floppy images
Programmed to be used on bootable CD-ROMs
Supported floppy sizes vary from 720 KB to 2.88 MB

EC-Council
Renamer
http://www.den4b.com/
Renamer performs mass renaming of files based on a UNIX-style regular
expression
Syntax: Bkren [-s] “searchexpression” “replaceexpression”

EC-Council
BootPart
http://www.winimage.com/
BootPart adds additional partitions to the Windows NT multi boot menu
Compatible with Windows NT/2000/XP
Requires administrative privileges
User can also add an OS/2 multiboot or a Linux partition

EC-Council
BuiltIn Account Manager
http://www.optimumx.com/
BuiltIn Account Manager displays or manages the built-in administrator or
guest account without knowing the user account name
Requires administrative privileges

EC-Council
bzip2
http://www.bzip.org/
bzip2 is a command line Data compressor and open source tool
Runs on any 32 or 64-bit machine with an ANSI C compiler

EC-Council
T4eWebPing
http://www.tools4ever.com/
T4eWebPing command line application is a MonitorMagic plugin to gather
iNtra/Internet script performance data
It can be used to 'ping' a web-page

EC-Council
T4eSQL
T4eSQL command line tool reads the entire command line and query information
from text files, which enables large command structures and queries

EC-Council
T4eDirSize
T4eDirSize gets the free and used space of any directory or share
It can be used to enable share monitoring free space and file statistics

EC-Council
T4ePortPing
T4ePortPing can be used to 'ping' a specific port on any TCP/IP host
Use T4ePortPing as a standard plugin, or in own scripts to see which ports are open in
clients or servers

EC-Council
T4eRexec
T4eRexec accepts a password as input and can therefore run in unattended mode
It is used to execute remotely a command on computer running an operating system
that supports the standard Rexec protocol

EC-Council
Forfiles
Forfiles selects files in a folder or tree for batch processing
• forfiles [/p Path] [/m SearchMask]
[/s] [/c Command] [/d[{+ | -}]
[{MM/DD/YYYY | DD}]]
Syntax:

EC-Council
Exe2bin
Exe2bin converts executable (.exe) files to binary format
•exe2bin[drive1:][path1]InputFile [[drive2:][path2]OutputFile]
Syntax:

EC-Council
Summary
IpSecScan scans single IP address or range of IP address for systems which
are IPSec enabled
MacMatch searches and identifies files that are last updated, accessed or
created
chkdsk command lists and corrects errors on the disk
Nslookup will display the information that you can use to diagnose Domain
Name System (DNS) infrastructure

EC-Council

File000174

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie File000174

Ähnlich wie File000174 (20)

Mehr von Desmond Devendran

Mehr von Desmond Devendran (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

File000174