Essential Windows Command-Line Kung Fu for Info Sec Pros

• Speakers
  – Ed Skoudis, Intelguardians
  – Alexander Horan, Core Security Technologies
• Q/A session with today’s speakers
  – Send questions to ‘q@sans.org’

SANS Institute presents:

SANS Webcast © 2006

Security Assurance: Vulnerability Assessment, Management and Auditing

Core Security Technologies
46 Farnsworth St Boston, MA 02210 Ph: (617) 399-6980 www.coresecurity.com

Handling Vulnerabilities is Crucial

Scanners are used to detect flaws on the first layer of defense, such as improper configurations or sub-par patch revisions

Good for information assurance and compliance

Vulnerability scanning yields one view of the network topology
– Does not show or exploit linkage between information systems and assets
– Will not show the impact of loss of information assets (only shows the "outer layer" of the onion), such as theft of intellectual property, leakage of internal communications, etc.
– Does not show the true level of threat had the network been compromised by a motivated adversary

Sample vulnerability scanning products

Nessus, Retina, GFI LanGuard

Penetration Testing Complements Vulnerability Scanning

Penetration Testing Overview

Penetration Testing:
• Actively exploits vulnerabilities within a network
• Replicates access an intruder could achieve and safely proves actual paths of attacks that must be eliminated
• Only way to objectively gauge threats
  – Without physically penetrating the host or network, there is no way to quantify and qualify an organization’s true exposure in the event of a “real” security compromise

Advantages:
• Enables you to be proactive with informed security decisions
• Provides efficient, precise, cost-effective remediation information, so that accurate corrective action can be taken
• Allows you to see your network through the eyes of an attacker to prevent attack
• Exposes vulnerabilities and subsequent network information or resources that are at risk

CORE IMPACT – Automated Penetration Testing

• Mimics attacker behavior: launches real-world attacks safely and efficiently, demonstrating exactly what an attacker can do
• Industrializes penetration testing: automates a previously manual, expensive process with Core Impact Rapid Penetration Test (RPT)
• Provides important features:
  – Commercial-grade exploits
  – Innovative agent technology
  – Powerful user interface
  – Automation of repetitive tasks
  – Complete log of all activities
  – Customizable reporting
  – Links to fixes

Benefits of CORE IMPACT

Advanced Penetration Testing scenarios
– External attacker with no previous knowledge
– Internal attacker with access to internal network

Augment Vulnerability Management

Reduce false positives and know which vulnerabilities to remediate first

Verification of IDS / IPS and other security controls

Use real attacks to evaluate effectiveness of security products in your specific environment

Legislative and industry compliance (SOX, HIPAA, FISMA, PCI requirements, etc.)

Meet regular network testing, reporting and auditing requirements

Demonstration
DIAGRAM OF DEMO NETWORK

CORE IMPACT Delivers Significant Benefits

• Encompasses all phases of Penetration Testing in one comprehensive framework
• Executes real attacks safely and efficiently
• Enables consistent, repeatable tests
• Helps test and evaluate other security solutions and systems
• Clearly identifies compromisable assets and helps intelligently prioritize remediation efforts

CORE IMPACT Review

Essential Windows Command-Line Kung Fu

By Ed Skoudis
Copyright 2006, Ed Skoudis Version 2Q06

Essential Windows Command-Line Kung Fu - ©2006, Skoudis


Hello and welcome to this webcast on Windows Command-Line Kung Fu. Over the next half hour or so, we’ll discuss several tools built-in to Windows that can be used by security pros to better understand what’s happening on their systems. Unfortunately, too few people realize the power of built-in command-line tools on Windows that can help us all do our jobs better. I am hopeful that this session will help you improve your command-line kung fu in Windows.


Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

Here is our outline. We’ll start out with an overview and then move into some general command-line stuff. We’ll then cover in-depth the wmic command. Then, we’ll have some other odds and ends that include useful other tools, and we’ll culminate with some exercises to challenge your kung fu.


Introduction and Motivation
• A lot of people don’t realize the power of the command shell in Windows
  – Don’t laugh!
  – It’s not bash, but it’s got some pretty nice capabilities

• Why use it? Sometimes GUI tools aren’t available
  – Spyware has killed them
  – Task Manager or services.msc might not be available

• Command-line tools lend themselves better to:
  – Scripting
  – Pulling out important items from long lists of information


Windows ships with some amazingly powerful command-line tools that often aren’t used. Instead, most Windows admins utilize GUI-based tools. Although the Windows command shell (cmd.exe) is not as powerful as the Linux/Unix bash shell, it can let us do some very useful things.

But, you might be wondering, why would I ever want to use a command-line tool when I’m perfectly happy and comfortable using a GUI in Windows? Well, increasingly, spyware and rootkits alter the display in GUI-based tools, or prevent them from working at all. For instance, I was working on a project analyzing spyware that had destroyed Task Manager and the Services Control Panel. Analysis at the GUI would have been very tough, given that we weren’t allowed to load any additional tools (like the great suite of analysis tools from www.sysinternals.com). Instead, we relied on built-in Windows command-line tools to do our heavy lifting.

Also, many command-line tools are better for pulling out subtle information that could be buried in a complex GUI. By sorting or searching command-line output, we can get a great level of insight into what’s happening on a machine.

It’s important to note that we will not go over every single option of every single command. That would be boring and take too long. Instead, we’ll go over using these commands to improve the day-to-day world of an incident handler, system administrator, and security professional.

Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

Let’s do a brief overview of the Windows command line, so we’re all on the same page.


A Couple of Points About the Windows Shell
• Please use cmd.exe, not command.com
• Start → Run… and type “cmd.exe”
  – I advise you to type cmd.exe, instead of just cmd
  – That’s because a bad guy could create a cmd.com, which would run instead of the .exe
  – “.” (the current directory) is implicitly in your path, and .com is tried before .exe

• Remember:
  – The > means put output in a file
  – The < means get input from a file
  – The | means take the output of one command and use it as input for the next command

For all of the stuff we cover in this session (and for all of your Windows use after that, quite frankly), please use cmd.exe and avoid command.com like the plague that it is. Command.com is a very limited shell, included for backward compatibility with DOS. It’s time to use cmd.exe, please!

To invoke cmd.exe, go to Start → Run… and type “cmd.exe”, without the quotes. Also, whenever you invoke cmd.exe, make sure that you put a .exe on its end. If you just type cmd, without the .exe, an attacker could trick you into running a backdoor called cmd.com. That’s because, with the Windows shell, your current working directory (called “.”) is searched before your PATH. What’s more, if no suffix is provided by the user, Windows tries the extensions listed in the PATHEXT variable in order, and by default .COM comes before .EXE, so a cmd.com in the current directory wins over the real cmd.exe. The safest habit of all is to start the shell by its full path, %SystemRoot%\System32\cmd.exe, which sidesteps both the directory search and the extension guessing.

Another couple of things to keep in mind involve redirecting standard input and standard output at the shell. The > symbol means that the given command should place its standard output in a file. The < symbol tells a program to get its standard input from a file. And, finally, the pipe symbol (“|”) tells one program to send its standard output into the standard input of another program.
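A quick check for the shadowing risk just described, added here as an example and not part of the original webcast. It prints the extension search order and asks where.exe, which searches the current directory and then PATH in the same order cmd.exe does, what a bare “cmd” resolves to. It assumes where.exe is available (it ships with Windows Server 2003 and with Vista and later, but not with a stock XP install); the script name in the comments is made up.

```batch
@echo off
rem Added example, not from the original webcast. Shows what a bare "cmd"
rem resolves to from the current directory and warns if it is not the real
rem cmd.exe. Assumes where.exe is present (Server 2003, Vista and later).
rem   Usage:  checkcmd.cmd
setlocal enableextensions

rem Extensions are tried in PATHEXT order for each directory searched,
rem and .COM precedes .EXE by default, so a cmd.com beats cmd.exe.
echo Extension search order: %PATHEXT%
echo.

rem where.exe searches the current directory first, then each PATH entry,
rem and prints every match in the order cmd.exe would try them.
echo Candidates for a bare "cmd", in search order:
where cmd
echo.

rem Keep only the first match. "if defined" is evaluated at run time,
rem so no delayed expansion is needed inside the loop.
set "FIRST="
for /f "delims=" %%F in ('where cmd 2^>nul') do (
    if not defined FIRST set "FIRST=%%F"
)

set "REAL=%SystemRoot%\System32\cmd.exe"
if /i "%FIRST%"=="%REAL%" (
    echo OK: a bare "cmd" runs %REAL%
    endlocal & exit /b 0
)
echo WARNING: a bare "cmd" would run "%FIRST%" instead of %REAL%
echo          Start the shell by its full path and look at what is sitting in %CD%
endlocal & exit /b 1
```

Run it from any directory you are about to work in; a non-zero exit code means something other than the System32 binary would win the name lookup.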


Controlling Output with cls, more, find, findstr, and sort
• To clear the screen, type:
C:\> cls

• To paginate long output, use more:
C:\> wmic process list full | more

• To find a particular string in output, use find with quotes:
C:\> wmic process list brief | find "cmd.exe"

• To exercise more complex finds (with regular expressions), use findstr
• To sort output, use sort

And, a couple of other small notes. To clear the screen, use the cls command, which stands for Clear Screen.


To paginate long output, pipe it through the more command. That’ll show you one page at a time. Sadly, Windows does not include by default the less command, which on Unix and Linux gives more options for viewing and searching output than more. In this case, less is truly more than more.

To find a string in the output of a command, you could pipe it through the find command, as in wmic process list brief | find "cmd.exe". This will run the wmic command with the “process list brief” options, and search its output for the string cmd.exe. Note that with the find command, you need to put quotes around the item for which you search, and that the match is case-sensitive unless you add /i. The findstr command goes further, allowing you to write regular expressions to match against the output of a command. Since we only have a half hour or so, we will not be covering regular expressions or the findstr command. Feel free to experiment with it on your own.

And, finally, you can use the sort command to sort the output of another command, or to simply sort the contents of a file.

Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

And now… let’s enter the wonderful world of WMIC!

WMIC Overview
• Windows Management Instrumentation Command-line
  – Included in WinXP Pro and Win2003 (NOT in XP Home!)
  – Can be used to manage Win2000, XP, 2003
    • And, with additional installed software, can manage 95/98/NT

• Not a command… it’s a world unto itself
  – Allows view of 4,000 properties and configuring 40 in Win2K
  – Allows view of 6,000 properties and configuring >150 in XP
  – Even more in Win2003

• Run WMIC telling it what to do by typing:
C:\> wmic [commands]

• Or, invoke a custom wmic command prompt with:
C:\> wmic
wmic:root\cli>

WMIC stands for Windows Management Instrumentation Command-line. That’s a mouthful… let’s dissect it. First off, WMI is a framework and API Microsoft released for analyzing and controlling Windows systems. Similar in goals to the Simple Network Management Protocol (SNMP), WMI goes much further, but is Windows specific. Before WMIC, admins had to access WMI functionality by writing their own scripts or using executables that made WMI API calls. But, with WMIC, we now have a little command-line tool that lets us read and write WMI attributes without writing any code! That’s wonderful.

Now, WMIC is built in to WinXP Pro and Win2003. But, it is not in WinXP Home, which Microsoft doesn’t really consider a professional-class operating system. Thus, it doesn’t need fancy management capabilities like WMIC. Although the command is built in to XP Pro and 2003, the WMIC command included in those operating systems can be used to manage other system types, including Win2000, WinXP (Pro and Home), and Win2003. You can even manage older stuff (Win95/98/NT) if you install on them the WMI Core tools, available at no extra charge from Microsoft. Note that WMI Core does not equal WMIC! WMIC is a command tool for controlling WMI. WMI Core is WMI manageability for older Windows versions, but you have to run the management tool from Win XP Pro or 2003.

With WMI (and its tool WMIC), you can view thousands of properties of Windows, and update hundreds of them. You can invoke WMIC in two different ways. First, at a cmd.exe shell prompt, you could type wmic followed by all of the stuff that you want it to do. Or, you could invoke wmic’s own special command console shell by typing wmic and hitting enter (either at a cmd.exe prompt, or going to Start → Run…).


WMIC at cmd.exe Shell vs. WMIC console shell
• I typically use WMIC at the command shell itself, so I can use >, sort, find, and findstr on its output
• But, others prefer to use the WMIC console shell, particularly because it has a fail-safe interactive mode
  – If you want to delete anything (such as running processes), you can make it verify with you before that happens
  – At the WMIC prompt, type:

wmic:root\cli> /interactive:on
  – But, that’ll only ask for confirmation for that wmic session

But, which of these two ways of starting WMIC is superior? I prefer typing wmic followed by commands right in line at a cmd.exe prompt. That way, I can get my output on standard out, and search it using find, findstr, and sort. Other people like the WMIC command prompt, because they can set it to prompt them before they do something destructive, like killing processes. To get a confirmation prompt, invoke WMIC and hit enter. Then, at the WMIC prompt, type “/interactive:on”. For that one WMIC session, you’ll get a confirmation request before you delete anything. Note that if you exit WMIC (by typing “exit”), the interactive configuration disappears. You’ll have to turn it on again the next time you use WMIC. Also, the interactive setting has no impact at all if you just use WMIC followed by commands right at the command shell.


WMIC Help and Remote Usage
• To get help within WMIC, type:
C:\> wmic /?

• Or, for more detailed help:
C:\> wmic /?:full

• By default, WMIC runs against the local machine
• But, you can run WMIC queries or updates against a remote box using this notation:
C:\> wmic /user:[admin_user] /password:[password] /node:[machine_name] [commands]

To see all of the incredible options available within WMIC, type “wmic /?”. For more detail, you can run “wmic /?:full”.

Another really neat part about WMIC is that it can run locally or across the network against a machine for which you have admin privileges. By default, it runs against the local machine. But, you can run it against a remote system by typing the following:
C:\> wmic /user:[admin_user] /password:[password] /node:[machine_name] [commands]

Keep in mind that everything we are about to discuss regarding WMIC can be run locally or remotely! It’s very powerful when used remotely. One caution: a password given with /password: becomes part of your own command line, and command lines are exactly what wmic process get commandline reveals, so on a shared or already-compromised machine leave /password: off. When /user: is supplied without /password:, WMIC prompts for the password instead.


WMI Query Language (WQL)
• WMIC can be used simply to list various attributes using its own query language, called WQL (WMI Query Language)
  – Subset of ANSI SQL
  – Primary useful elements of WQL, and the WMIC verbs that wrap it:
    • list: show a list of something
    • get: get a value of an element
    • create: create an element
    • delete: delete an element
    • where clauses to match some property. Example: where name="cmd.exe"
    • /every:[N]: Run this every N seconds
    • like and % to match substrings

The commands that you type into WMIC are formatted in the WMI Query Language (WQL), which is a subset of SQL. Strictly speaking, the where clause is the WQL part; list, get, call, create and delete are WMIC verbs that build a WQL query behind the scenes, and /every is a WMIC switch rather than query syntax. There are many elements of WQL which we’ll use for this webcast. I’m hopeful that, by the end of this session, you’ll be able to navigate WQL, with some of its most useful query types. The syntax includes these key words:
• list: shows a list of something.
• get: gets one or more values of an element. You could get a list of things, separated by commas.
• create: creates an element, which can be used to run programs.
• delete: deletes an element, which can be used to kill processes.
• where: these clauses can match some property to help us sort through a long list of things, for example: where name="cmd.exe"
• /every:[N]: Run this command every N seconds, which works for displaying items, but not creating or deleting them.
• like and %: match specific substrings, a very nifty feature


WMIC Elements
• To get a list of elements associated with a particular area:
C:\> wmic [area] list full

• Then, you can query particular elements in that list:
C:\> wmic [area] get [element1], [element2], [element3]

• Essentially creates your own reports
• Order of elements is prebaked by WMIC, unfortunately
• Try these:
C:\> wmic process list full
C:\> wmic process get name, processid, commandline
C:\> wmic process get processid, name, commandline

WMIC displays information in many dozens of areas, including processes, services, and users. To get a list of everything that WMIC knows about a given area, you could run WMIC with a list full option, as in:
C:\> wmic [area] list full
Or, more specifically, looking at processes:
C:\> wmic process list full
That will show you all of the attributes of processes that WMIC knows about. Then, we can query against specific elements in that list by using a get, as in:
C:\> wmic [area] get [element1], [element2], [element3]
Or, to be more specific, suppose we want to get a list of process names and Process IDs. We could run this:
C:\> wmic process get name, processid
This way, you can create your own little reports with just the information you want. Unfortunately, the order of the attributes displayed by WMIC is fixed. You can control what attributes you see, but the order is always the same.

WMIC and Listing Processes
• WMIC provides a lot of information about processes:
C:\> wmic process list brief

• Or, to narrow it down:
C:\> wmic process list brief | find "cmd.exe"
  – Fourth column is the process ID (the columns are handle count, name, priority, process ID, thread count, and working set size)

• Or, to run it every 1 second:
C:\> wmic process list brief /every:1
  – Works kind of like the Unix/Linux top command

• To get specific items, you can name what you want in a list:
C:\> wmic process get name, processid, commandline
  – Nice, because it shows the command-line invocation!
  – Somewhat like Unix/Linux ps aux

So, let’s use WMIC to do some things that might be useful to an incident handler or system administrator. First off, to get a listing of the most interesting elements of running processes, you could do this:
C:\> wmic process list brief
Next, if you were only interested in the cmd.exe processes that are running, you could go through the output and pull out lines with cmd.exe in them as follows:
C:\> wmic process list brief | find "cmd.exe"
This command works rather like “ps aux | grep cmd.exe” would on a Unix or Linux machine. You could display the process list every second with this syntax, which works something like the Unix or Linux top command:
C:\> wmic process list brief /every:1
Also, you can get a list of process names, process IDs, and the command lines used to invoke each program with this little WQL:
C:\> wmic process get name, processid, commandline
That command-line invocation is especially helpful in investigations!

WMIC and Killing Processes
• To kill a process based on PID:
C:\> wmic process [pid] delete
  – Works kind of like Unix/Linux: kill -9 [pid]

• To kill a process based on name:
C:\> wmic process where name="cmd.exe" delete
  – Works kind of like Unix/Linux: killall -9 cmd.exe
  – And, remember, you can do this remotely! Woohoo!

• To start a process (say, calc.exe):
C:\> wmic process call create calc.exe
  – And, remember, you can do this remotely too!
  – Who needs psexec (a free tool from www.sysinternals.com)?

Looking at processes is nice, but sometimes an incident handler or sys admin needs to kill processes. You can do this with WMIC as follows:
C:\> wmic process [pid] delete
This command functions rather like the Unix and Linux kill command, when used as “kill -9 [pid]”, immediately terminating a process. Alternatively, you can kill all processes with a given name, rather like the “killall -9 [name]” command would work on Unix or Linux, as follows:
C:\> wmic process where name="cmd.exe" delete
You could even do that remotely, with the user name, password, and node syntax we described earlier, killing all cmd.exe’s running on a different machine, provided that you had administrative credentials on that system.

But, WMIC doesn’t let you just view and kill processes. You can also start processes, using this syntax to run calc.exe:
C:\> wmic process call create calc.exe
With the remote syntax we presented earlier, you can use WMIC to run any command on a target system (the remote process runs non-interactively under the credentials you supplied, so it will not pop up on the target’s desktop). The free psexec lets you do that as well (from www.sysinternals.com), but it is not built in to Windows. WMIC gives you psexec-like functionality, built in! Also, the psexec versions available when this was written sent credentials in clear text when given a user name and password on the command line. WMIC does not; it uses Windows challenge-response authentication (LANMAN Challenge-Response, NTLMv1, NTLMv2, or Microsoft Kerberos, depending on how the system is configured), so the password itself does not cross the wire. One caveat still applies: a password typed after /password: sits in your own command line, where anyone who can run wmic process get commandline on your machine can read it, so leave /password: off and let WMIC prompt for it.

Using WMIC process
[Screenshot: Step 1 and Step 2 output]
Let’s quickly look at WMIC’s process abilities. In Step 1, simply type: C:\> wmic process list brief See all of the processes you have running! Nice! Next, in Step 2, invoke a calc.exe process from the command shell by running this: C:\> wmic process call create calc.exe Of course, you could have just typed “calc.exe” at the command prompt… but with WMIC, you have an option of doing this remotely!


Using wmic process delete
[Screenshot: Step 1 and Step 2 output]
Next, we’ll use WMIC to pull specific attributes associated with our running calc.exe process. This technique will show two things. First, it’ll let us see how to use a where clause to focus on a particular entity. Secondly, it’ll show us how to get some specific attributes of that entity. In Step 1, type:
C:\> wmic process where name="calc.exe" get name, processid, commandline
Note that you can see the command line used to invoke each running process! That’s very helpful. In Step 2, we’ll kill our calc.exe process based on its name, using WMIC thusly:
C:\> wmic process where name="calc.exe" delete
Your running calculator should disappear.


WMIC and Services
• To get a list of all services and their settings:
C:\> wmic service list full

• To just look at started services:
C:\> wmic service where started="true"

• To get a list of process IDs associated with started services:
C:\> wmic service where started="true" get name, pathname, processid

Beyond processes, WMIC also lets us interact with services. To get a list of all services defined on the box (whether they are running or not), simply type:
C:\> wmic service list full
That’ll also show you all of the attributes of each service. If you only want to see running services, you can use the where clause to look for items with the attribute called started set to true, as follows:
C:\> wmic service where started="true"
If you want to get a list of process IDs associated with each started service, you could use the following (again, note the WQL used to pull information from specific attributes with a get, using a where clause to narrow down our search):
C:\> wmic service where started="true" get name, pathname, processid

WMIC and Shares
• To get a list of available shares:
C:\> wmic share

• For more details:
C:\> wmic share list full

• To get rid of a share:
C:\> wmic share [share_name] delete

• To see all shares on the E: partition:
C:\> wmic share where (path like "%E:%") list brief

We can also pull share information using WMIC, to see what file shares our local system has made available through Windows networking, as follows:
C:\> wmic share
If you want more details, you could run:
C:\> wmic share list full
You can even use WMIC to delete a given file share so that no one can connect to it, as follows:
C:\> wmic share [share_name] delete
(By the way, you could, if you want, just temporarily delete your ADMIN$ share this way… then run the “net share” command to verify that it is gone. When you reboot, it should come back.)

Now, let’s look at the substring options of wmic. If you want to see all of the shares you’ve got on a given partition (such as, say, your E: drive), you could run:
C:\> wmic share where (path like "%E:%") list brief
That ability to use like and % is incredibly useful. I like using it for wmic process, wmic share, and wmic qfe (which we’ll cover shortly). One practical note: this works as written at an interactive prompt, but inside a batch file cmd.exe treats %E:% as a variable reference, so double each percent sign there (like "%%E:%%").

WMIC and System Details
• To get a list of all start-up items:
C:\> wmic startup list full
  – Who needs msconfig (built-in) or autoruns (again, www.sysinternals.com)?

• To get a list of user accounts:
C:\> wmic useraccount list full
  – Even gives you SIDs! Who needs net user?

• To get a list of installed service packs and patches (quick fix engineering):
C:\> wmic qfe
  – Or, for more details:
C:\> wmic qfe list full
  – Who needs hfnetchk? And, remember, you can do this remotely!

Here is an extremely useful aspect of WMIC… getting a list of all start-up programs, whether they start up from an autostart folder or from a registry key. You can get this comprehensive list by running:
C:\> wmic startup list full
Now, this command can be used to pull very similar information to the msconfig command built into WinXP and 2003, or the Autoruns tool from www.sysinternals.com. But, wmic is built in, and provides it all at the command line. Keep its scope in mind, though: wmic startup covers the Run keys and Startup folders (the Win32_StartupCommand class), not services, drivers, scheduled tasks, or the many other autostart locations that Autoruns walks, so treat it as a quick first look rather than a replacement.

You can get a list of users (including their SID numbers) from the local SAM database with this command:
C:\> wmic useraccount list full
Why, that’s even more and better information than you get from the “net user” command. Clearly, not all Windows Command-Line Kung Fu is created equal. (On a domain member, useraccount also enumerates domain accounts, which can take a long time; add where localaccount=true to stay on the local SAM.)

And, here’s a vital one… getting a list of all installed service packs and patches, using this command:
C:\> wmic qfe
For even more info, add a “list full” to the end, which will even show you the date when a given patch was installed. Remember, you can even do this remotely! So, this WMIC option supplants a lot of the functionality in the hfnetchk tool, and is built in.

Using wmic useraccount and qfe
[Screenshot: Step 1 and Step 2 output]

Let’s look at this in more detail. Check out your administrator account with the following command, in Step 1:
C:\> wmic useraccount where name="Administrator" list full
Note the SID and other security settings. Next, look at the installed patches, using this syntax:
C:\> wmic qfe where FixComments="Update" get HotFixID, InstalledOn, InstalledBy


WMIC and Network Interfaces
• You can get a list of network interfaces configured for IP with:
C:\> wmic nicconfig where ipenabled='true' get index,caption

• You can configure an IP address and netmask through the EnableStatic method of nicconfig (the slide repeated the listing command here by mistake; the call verb’s own help lists EnableStatic and its address and mask arguments)
  – The index is the thing you get from the first command above

• You can set DHCP with:
C:\> wmic nicconfig where index=2 call enabledhcp

• Or, for more details:
C:\> wmic nicconfig list full

• I personally hate this notation, and prefer the netsh command for doing this kind of thing

Next, you can use WMIC to update your network settings at the command line. To view your network interfaces, run this command:
C:\> wmic nicconfig where ipenabled='true' get index,caption
To alter the IP address or netmask, you call the EnableStatic method on the interface whose index you just looked up (the slide repeated the listing command at this point by mistake; the call verb’s help lists EnableStatic and its arguments). Or, to use DHCP, try this:
C:\> wmic nicconfig where index=2 call enabledhcp
To see all that you can set using this command, you could run:
C:\> wmic nicconfig list full
I personally dislike this network-attribute-setting notation within WMIC. I find it cumbersome, and much prefer the netsh command for this kind of stuff, which you can review on your own later.

WMIC Output Options
• WMIC can format its output in many different ways
• To get a list of options:
C:\> wmic [commands] /format /?
  – As in:
C:\> wmic process list /format /?
  – Possibilities include CSV, HTML Table (htable), etc.

• Store output in a file using the /output:[file] option, as in:
C:\> wmic /output:c:\temp.html process list /format:htable
  – Open that in a browser, and get some nice output!

WMIC normally dumps its output as plain text on standard out. But, you can change this using the /format option. Numerous different output formats are supported, but the most useful are CSV and HTML tables. You can dump WMIC’s output into a file using the /output:[file_name] directive as well. For example, to get a process list as an HTML table, stored in a file called c:\temp.html, you could run:
C:\> wmic /output:c:\temp.html process list /format:htable
Then, from within a browser, you could open c:\temp.html and view your beautiful output. Note that files written with /output: are Unicode (UTF-16) text; a browser handles that fine, but if you feed such a file to find or findstr, pipe it through type first, which converts it.


WMIC Recording
• WMIC can record the user, command typed, the output, and a timestamp, by using the /record: option, as in:
C:\> wmic /record:c:\test.xml process list brief

• That’s nice for incident handling, because you’ll have a record of what you typed… but some big limitations
• Output only in XML format (just open it in a browser)
• Output overwrites any previous c:\test.xml file (does not append)
• Thus, you have to vary your file names for recording

Another really nifty feature of WMIC that could help incident handlers is the recording feature, implemented via the /record:[file_name] option. When used in a WMIC command, this option makes WMIC create a file that contains the command, the date and time, the user that ran the command, and the output of the command, a handy history of what you did. But, there are some big limitations here. The result is in XML, and isn’t overly pretty. You could open it in a browser, though, which will parse it pretty well. And, keep in mind that if there is a file already with the name you choose, you’ll overwrite it with the new record. Thus, if you want an evidence trail of all the WMIC commands you typed, you’d have to remember to vary the file_name entry you put in, as follows:
C:\> wmic /record:c:\test1.xml process list brief
C:\> wmic /record:c:\test2.xml process list full
C:\> wmic /record:c:\test3.xml process where name="cmd.exe" delete
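Putting the process, service, share, startup, user, patch, interface, /output and /record pieces above together, as an added example that is not part of the original webcast: a batch file that snapshots a box for a first look, locally or against a remote node, using only wmic. The assumptions are mine, not the page’s: c:\triage can be created, you hold local administrator rights on the target, and for a remote node you pass the host name and an administrative account as arguments. The script name appears only in the usage comment. One caveat for readers on current Windows: wmic has been deprecated and may not be installed at all; the same classes are reachable from PowerShell’s Get-CimInstance.

```batch
@echo off
rem Added example, not from the original webcast. Snapshots the things the
rem webcast queries one at a time, using only wmic, into c:\triage, locally
rem or from a remote node.
rem   Usage:  wmic-triage.cmd                    (this machine)
rem           wmic-triage.cmd HOST DOMAIN\user   (remote node, prompts for password)
rem Assumes local administrator rights on the target and no spaces in OUT.
setlocal enableextensions

set "OUT=c:\triage"
if not exist "%OUT%" mkdir "%OUT%"

rem Remote switches only when a host was given. /user without /password makes
rem wmic prompt, so the secret never lands in this shell's command line
rem (which "wmic process get commandline" would otherwise hand to anyone).
set "NODE="
if not "%~1"=="" (
    if "%~2"=="" (
        echo Usage: %~nx0 [HOST DOMAIN\user]
        exit /b 1
    )
    set "NODE=/node:%~1 /user:%~2"
)

rem One query per area. Each gets its own /record file, because /record
rem overwrites rather than appends, plus a CSV copy via /output.
call :q process "process get name,processid,parentprocessid,executablepath,commandline"
call :q service "service where started=true get name,pathname,processid,startname"
call :q share   "share get name,path,description"
call :q startup "startup get caption,command,location,user"
call :q user    "useraccount where localaccount=true get name,sid,disabled,passwordrequired,lockout"
call :q qfe     "qfe get hotfixid,description,installedon"
call :q nic     "nicconfig where ipenabled=true get description,ipaddress,ipsubnet,defaultipgateway,dhcpenabled,dnsserversearchorder,macaddress"

rem First-pass views: anything running from outside the Windows and
rem Program Files trees deserves a look. wmic writes its output files as
rem UTF-16, and type converts them so find can read them. Rows with an
rem empty path (System, Idle, processes you lack rights to inspect) also
rem land here; check those by PID.
type "%OUT%\process.csv" | find /i /v "\Windows\" | find /i /v "\Program Files" > "%OUT%\process-unusual-paths.txt"
type "%OUT%\service.csv" | find /i /v "\Windows\" | find /i /v "\Program Files" > "%OUT%\service-unusual-paths.txt"

echo Snapshot written to %OUT%
endlocal
exit /b 0

:q
rem %1 = file stem, %2 = alias, optional where clause, verb and columns
wmic %NODE% /record:%OUT%\%~1.xml /output:%OUT%\%~1.csv %~2 /format:csv
exit /b 0
```

The CSV files sort and grep cleanly (the first column is the node name, which is what makes the same script useful across a fleet), and the XML record files give you the who-ran-what-when trail the webcast describes without having to remember to vary file names by hand.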

Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About

And now, it is time for some other useful odds and ends, especially some items that can help deal with fighting spyware.

Other Useful Commands: Tasklist
• Tasklist command shows running processes
C:> tasklist – Ho hum… – Yes, but there are some nice options! – Show all services associated with each process C:\> tasklist /svc – Show all dlls loaded into processes with a given name C:\> tasklist /fi “imagename eq cmd.exe” /m – Show all processes with a given dll C:\> tasklist /m ntdll.dll Essential Windows Command-Line Kung Fu - ©2006, Skoudis 25
The tasklist command, included in WinXP Pro and Win2003, shows running processes, kind of replicating the functionality of “wmic process list brief”. But it’s nice to have another option. You can run it by itself as follows:
C:\> tasklist
Some of the options it includes are very nice. In particular, you can see all services associated with each running process by using this command:
C:\> tasklist /svc
Going further, the /m option shows you a list of DLLs that each process has loaded (something that you could also see with Process Explorer from www.sysinternals.com). Also, you can look for processes based on their name, using the syntax /fi (which stands for filter) followed by “imagename eq [process_name]”. Putting these concepts together, you can get a list of all the DLLs loaded by all cmd.exe processes by running this:
C:\> tasklist /fi "imagename eq cmd.exe" /m
Or, if you want to see all processes that have loaded the ntdll.dll DLL, you could run:
C:\> tasklist /m ntdll.dll

Other Useful Commands: Taskkill
• Taskkill kills processes by PID
C:\> taskkill /PID [pid]
– Like Unix/Linux kill -9 [pid]
– Can also make a list of PIDs and kill them all quickly one after another
C:\> taskkill /PID [pid1] /PID [pid2]

• Taskkill also kills processes by name
C:\> taskkill /IM [name]
– Like Unix/Linux killall -9 [name]
Taskkill lets you kill processes based on various attributes. One nice option is that you can kill multiple processes on the same command line, provided that you have their PIDs. You can do this by typing:
C:\> taskkill /PID [pid1] /PID [pid2]
Or, you can kill a process based on its name by typing:
C:\> taskkill /IM [name]

Using tasklist and taskkill
[Screenshots: Step 1 and Step 2]
Let’s look at tasklist and taskkill quickly… In Step 1, run the following command to see all of the services associated with each process:
C:\> tasklist /svc
Wow! Svchost.exe is one busy little process, isn’t it? Thanks, Microsoft, for bundling all of that splendid functionality into one process. Now, in Step 2, let’s kill our cmd.exe based on its name, as follows:
C:\> taskkill /IM cmd.exe
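As an added example (not from the original slides), a batch script that ties the two tools together: tasklist /fi finds every process with a given image name, and the PIDs it returns are chained into one taskkill call using the multi-/PID form from the previous slide. The script name and the calc.exe argument are illustrative.

```batch
@echo off
rem Added example, not from the original slides: gather the PIDs of every
rem process with a given image name via tasklist, then kill them all with a
rem single taskkill by chaining /PID arguments (the multi-PID form on the slide).
rem Usage: killbyname.cmd calc.exe   (script name and image are illustrative)
setlocal EnableDelayedExpansion

set "IMAGE=%~1"
if "%IMAGE%"=="" (
    echo Usage: %~nx0 image_name.exe
    exit /b 1
)

rem /fi filters on image name; /fo csv and /nh give parseable, header-less rows:
rem "calc.exe","1234","Console","1","4,300 K"   (PID is the second field)
rem When nothing matches, tasklist prints an INFO line with no commas, so the
rem second token is empty and the loop body never runs.
set "PIDARGS="
for /f "tokens=2 delims=," %%P in ('tasklist /fi "imagename eq %IMAGE%" /fo csv /nh') do (
    if not "%%~P"=="" set "PIDARGS=!PIDARGS! /PID %%~P"
)

if not defined PIDARGS (
    echo No running process named %IMAGE%
    exit /b 0
)

echo taskkill arguments built from tasklist:%PIDARGS%
rem /F forces termination, the closest match to the slide's kill -9 analogy.
taskkill /F%PIDARGS%
endlocal
```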

Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
And now, some conclusions… followed by exercises for you to think about. We won’t cover the answers for the exercises on the webcast. Feel free to do them on your own at a later time, and check the answers against the slides included at the end of this PDF.

Conclusions
• Built-in Windows command line tools are quite powerful
• But, their syntax can be rather obscure
• Still, with a little exposure, Windows command-line tools can be very helpful to security personnel
In conclusion, you should now feel more comfortable using Windows command-line tools for your analysis of computer attacks. Note that some of the syntax we covered looks a little obscure at first. However, after using it for a while, you’ll become much more comfortable with it. And, if you have any additional ideas of cool Windows command line tricks, please let me know at ed@intelguardians.com. Thank you!
SPOILER: IF YOU TURN THE PAGE, YOU WILL SEE SOME POSSIBLE ANSWERS TO THE CHALLENGES… DON’T TURN THE PAGE IF YOU DON’T WANT TO SEE THEM YET!

Windows Command-Line Kung Fu
• Introduction and Overview
• Command Shell Stuff
• The Wonderful World of WMIC
• Other Odds and Ends
• Conclusions
• Some Exercises to Think About
And now, if you’ve downloaded this slide deck, here are some exercises for you to think about… We won’t cover these in the main webcast presentation, but you should be able to do these items. The answers are included at the end of this session.

Some Exercises
• Using your Windows command-line kung fu…
• Try the following exercises (answers are listed later)
So, using your Windows Command-Line Kung Fu, we have a series of six challenges for you to undertake. First, we’ll list all of the challenges. Then, we’ll include some possible answers. Good luck!

Challenge 1: Killing Processes By Name
• Go to startrun, and bring up calc.exe • Do it again, so that you have two calc.exe processes running • Challenge: Kill both processes rapidly using a single command, assuming you know their name (calc.exe)
Essential Windows Command-Line Kung Fu - ©2006, Skoudis 32
Here is challenge 1. It illustrates how to kill multiple processes based on their name, assuming they have the same name.

Challenge 2: Killing Processes Based on PID
• Go to startrun, and bring up calc.exe • Do it again, so that you have two calc.exe processes running • Challenge: Run a single command to determine the process IDs of the calc.exe processes • Challenge: Then, run a single command to kill those processes rapidly, assuming you know their process IDs Essential Windows Command-Line Kung Fu - ©2006, Skoudis 33
Here is challenge 2. This one is very helpful in stopping some forms of malware that have cooperating processes that spawn each other rapidly.

Challenge 3: Determining Command Line Invocation
• Run a calc process with a whole bunch of bogus command flags
– C:\> calc.exe -l -p 2222 -e cmd.exe

• Challenge: Using a single command, find the command line used to invoke calc
• Bonus challenge: Make sure your command output also shows the full path to calc!
Here is challenge 3, illustrating techniques that are useful in figuring out where malware is running from and how it was invoked.

Challenge 4: Determine If a Given Patch Is Installed
• Challenge: With a single command, determine if the patch associated with KB896428 is installed
• Bonus Challenge: What date was that hotfix installed?
Here is challenge 4, which shows how to look at patch levels and installation dates.

Challenge 5: Determine Run Reg Keys
• Challenge: With a single WMIC command, find the Caption and Location of every autostart program that begins from a Run registry key
This challenge, number 5, is very helpful in figuring out how something might be starting at system boot or user logon.

Challenge 6: Find Elements of WMIC area and Use Them
• Challenge: Determine all elements of wmic usernames
• More Challenge: Then, in a single command, show the name and SID of all local accounts that do not have account Lockout enabled
This challenge (number 6) lets us look at the details of a user account, based on the status of that account.

Answer to Challenge 1
Here are two different ways to answer Challenge 1.

Answer to Challenge 2
Here is how to do Challenge 2.

Answer to Challenge 3
Here is the answer for Challenge 3.

Answer to Challenge 4
And, here, my friends, is the answer to Challenge 4.

Answer to Challenge 5
Here are two approaches to answering Challenge 5.

Answer to Challenge 6
This is the answer to Challenge 6. Note that we first got a list of all attributes that can be seen with wmic useraccount, and then we queried against some of those attributes.
