July 31, 2006

Windows Command-Line Kung Fu (1)

Everything started about four months ago, when Ed Skoudis posted an entry in the ISC Handler's Diary about improving your Windows infosec skills with the built-in WMIC command-line tool.

I strongly encourage you to read that post (especially if you're a Unix techie) and enjoy the fun of managing a Windows box from the dark command prompt. After running a few wmic commands you won't know whether you're in a bash or a DOS shell!! ;-)

The list of Windows command-line kung-fu tools was later extended with the well-known netsh and the newer tasklist and taskkill tools. All of them (WMIC included) are detailed in that ISC post. Some background on how they got there:

Ed Skoudis and Tom Liston started researching these Windows capabilities and tools while analyzing industry-leading enterprise anti-spyware products. As a result they also released a benign spyware-like tool called Spycar, a free suite of sample tools that lets you test your anti-spyware defenses.

During their research they had to deal with systems full of all kinds of spyware and malware where no GUI was available. Besides, they wanted an incident response that did not depend on external Windows tools, like the Sysinternals ones all of us use for malware analysis, and... this is how this new set of tools came to light!

BTW, their initial concern about external versus built-in tools may not hold for much longer, because last week Mark Russinovich announced that Microsoft has acquired Sysinternals. Oh my!! Did they drink the Kool-Aid? Only time will tell!!

In a future post I may propose some challenges based on these tools, so that you can practice your Windows command-line kung-fu!!

To add some technical detail: when using WMIC you need to test what your specific OS version supports, because the aliases and the methods you can "call" differ between Windows releases. For example, the PaulDotCom challenge asked for two ways of enabling DHCP on a Windows NIC using command-line tools. My response was:

1) Netsh:

C:\> netsh interface ip set address "Local Area Connection" dhcp

2) WMIC:

C:\> wmic nicconfig where index=1 call enabledhcp

The wmic command above works like a charm on Windows 2003 (no service pack), although the "enabledhcp" call is not supported on Windows XP Pro SP2. Note also that the nicconfig index is not fixed: index=1 is simply the adapter on that particular box, so list the adapters (index, description and whether IP is enabled) before calling a method against one. So, check the WMIC capabilities of every OS version before relying on them in your Windows-based incident response procedures!!
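As a worked example of that caveat (added here, not part of the original post nor of Ed Skoudis' material), here is a small cmd.exe batch script that resolves a connection name to its WMI index, tries the WMIC EnableDHCP call and checks the ReturnValue it prints rather than trusting ERRORLEVEL, and falls back to netsh when the method is missing on that Windows build. The script name, the default connection name "Local Area Connection", and the assumption that a supported call reports success as a "ReturnValue = 0;" line are mine, not from the post.

```batch
@echo off
rem enable-dhcp.cmd -- switch one adapter to DHCP from the command prompt.
rem Tries the WMIC EnableDHCP method first (works on Windows 2003) and falls
rem back to netsh where the method is not supported (e.g. Windows XP SP2).
rem Usage: enable-dhcp.cmd ["connection name"]   (default: Local Area Connection)
rem The connection name is an assumption for this machine; list your adapters
rem first with:   wmic nicconfig get Index,Description,IPEnabled
setlocal

set "CONN=%~1"
if not defined CONN set "CONN=Local Area Connection"

rem Step 1: resolve the connection name to the WMI Index that "wmic nicconfig"
rem expects. Win32_NetworkAdapter.Index and Win32_NetworkAdapterConfiguration.Index
rem refer to the same adapter. /value prints "Index=N"; findstr drops the
rem surrounding blank lines, and the inner FOR strips the trailing CR that wmic
rem leaves at the end of every output line.
set "IDX="
for /f "usebackq tokens=2 delims==" %%i in (`wmic nic where "NetConnectionID='%CONN%'" get Index /value ^| findstr "="`) do (
    for /f "delims=" %%j in ("%%i") do set "IDX=%%j"
)
if not defined IDX (
    echo No adapter with connection name "%CONN%" found.
    exit /b 1
)

rem Step 2: call EnableDHCP through WMIC. A supported call ends its output with
rem a "ReturnValue = 0;" line (assumed format); error text or no ReturnValue at
rem all means this build cannot do it this way, so ERRORLEVEL alone is not enough.
set "RC="
for /f "usebackq tokens=2 delims==; " %%r in (`wmic nicconfig where "Index=%IDX%" call EnableDHCP ^| findstr /i "ReturnValue"`) do set "RC=%%r"
if "%RC%"=="0" (
    echo DHCP enabled on "%CONN%" via WMIC, nicconfig index %IDX%.
    exit /b 0
)

rem Step 3: fall back to netsh, which knows this verb on both XP and 2003.
echo WMIC EnableDHCP unavailable or failed on this build; using netsh instead.
netsh interface ip set address name="%CONN%" source=dhcp
if errorlevel 1 (
    echo netsh failed too; check the connection name with: netsh interface ip show config
    exit /b 1
)
echo DHCP enabled on "%CONN%" via netsh.
exit /b 0
```

Run it from an administrative command prompt as `enable-dhcp.cmd "Local Area Connection"`. The point is the structure rather than the two commands themselves: probe the capability you are about to rely on, parse what the tool actually reports, and keep a second path ready for the Windows builds where the first one is silently not there.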
