In this Topic, we will cover Windows commands related to networking and services. There are many reasons to learn and understand Windows networking in particular. The most significant reason is the popularity of Windows machines in the workplace and their ubiquity in many enterprise networks. An information security professional who doesn't know their way around a Windows network is operating at a significant disadvantage.
One quick note before we continue: we will be discussing services as we proceed. From a host perspective, services are programs that run in the background. Certain services are necessary for computers to run properly, so we will exercise some caution as we explore and interact with them.
While the majority of the topics covered in this lesson can be manipulated through the Graphical User Interface (GUI), we will instead focus on using the Command Line Interface (CLI).
First of all, the CLI gives us the ability to do a lot more in terms of interacting with the local or remote machine. Second, we might not always have GUI access. As a general rule, it is more likely that we will have CLI access than GUI access to a remote machine, especially as an offensive operator. A third advantage of using CLI over GUI is when dealing with more than one machine. For example, if there are 200 devices on the network and our task is to gather the IP addresses of all those machines, doing it manually through the GUI would take a very long time. The CLI allows us to automate and script such actions.
(ping, tracert, arp, netstat, nbtstat, nslookup, ipconfig, route)
To begin, we are going to use the Remote Desktop Protocol (RDP) to connect to the remote Windows machine. From your Kali VM, open up a terminal and run the following command: rdesktop [IP address]. The IP address within the brackets will be the IP address of the Windows VM, and it is going to be different for every student. For example, the command should look something like this: rdesktop 1.2.3.4, but your IP address will correspond to your specific Windows exercise VM IP address.
$ rdesktop 1.1.1.1
Next, open up a CLI terminal. There are many ways to do this, but we are going to show two different methods. Also, some of these commands may require elevated privileges that a regular user might not have.
To keep this simple, we are going to use the CLI terminal with administrative privileges. Depending on the computer settings, we may need to provide the administrator password.
There are two ways to do this as described below.
The first way is to open up a Windows explorer and browse to C:\Windows\System32. There, we find the executable named conhost.exe, right-click it, and select Run as administrator.
The second method is to click the Start menu at the bottom left corner of the screen. We type "command prompt", which will activate the search function within Windows. Then, we right-click on Command Prompt and select Run as administrator.
This is where we will interact with the system using the network utilities. In the next sections, we will break down the main features for each utility, followed by a few exercises.
These utilities are very powerful and have way too many command options to cover them all. After becoming comfortable with the basics, it's important to experiment and learn about additional features within each command.
We'll start our journey by learning commands that can help us gain information about the network. One of the most frequently-used commands is ipconfig, which allows us to view specific network settings within each adapter. We can inspect our IPv4 and IPv6 address, the subnet mask, and the default gateway.
C:\WINDOWS\system32>ipconfig /all
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : localdomain
IPv4 Address. . . . . . . . . . . : 192.168.100.85
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.250
...
Running ipconfig with the /all option displays the full configuration information.
If we are on a network where the IPv4 address of our device is assigned from a DHCP server, we can also use ipconfig to release and renew our IP address.
We will demonstrate these commands, but performing these actions while connected to the Offsec Labs VPN could result in lab network disruption.
C:\WINDOWS\system32>ipconfig /release "Ethernet adapter Ethernet"
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
The /release option sends a DHCP Release message to the DHCP server, releasing the IPv4 address.
We can then run ipconfig with the /renew option to request a new IP address.
C:\WINDOWS\system32>ipconfig /renew "Ethernet adapter Ethernet"
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : localdomain
IPv4 Address. . . . . . . . . . . : 192.168.100.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.250
The /renew option will request an IP address from the DHCP server. The renewed IP address will depend on the configuration of the DHCP server. In this case, the last octet changed from 85 to 100.
In all of these examples so far, we specified an adapter in our release and renew commands. In order to apply those commands to all adapters, we simply omit the adapter argument.
C:\WINDOWS\system32>ipconfig /release
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
C:\WINDOWS\system32>ipconfig /renew
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : localdomain
IPv4 Address. . . . . . . . . . . : 192.168.100.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.250
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : localdomain
IPv4 Address. . . . . . . . . . . : 192.168.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.250
This time, all of the connected network adapters had their IP addresses released and renewed.
As the name might suggest, we can also use the ipconfig command with the /displaydns option to display the DNS settings.
C:\WINDOWS\system32>ipconfig /displaydns
Windows IP Configuration
www.google.com
----------------------------------------
Record Name . . . . . : www.fubar.com
Record Type . . . . . : 1
Time To Live . . . . : 276
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . . . : 192.168.0.15
Another useful option is flushing the DNS cache, which clears the cached hostname-to-IP-address entries. While the DNS cache helps you access certain web data faster, flushing it can help you troubleshoot web-related connections, among other things.
Here, we'll use ipconfig to clear the DNS cache with /flushdns. We'll then run ipconfig /displaydns to confirm that our DNS cache was indeed flushed.
C:\WINDOWS\system32>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\WINDOWS\system32>ipconfig /displaydns
Windows IP Configuration
Another great information gathering command is systeminfo. This command displays information about the operating system, including hardware properties.
C:\WINDOWS\system32>systeminfo
Host Name: hostname
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: admin
Registered Organization:
Product ID: #####-#####-#####-#####
Original Install Date: 5/2/2021, 11:59:36 AM
System Boot Time: 7/17/2021, 12:26:04 AM
System Manufacturer:
System Model: All Series
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 60 Stepping 3 GenuineIntel ~4001 Mhz
BIOS Version: American Megatrends Inc. 1202, 6/17/2014
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 16,259 MB
Available Physical Memory: 7,250 MB
Virtual Memory: Max Size: 32,643 MB
Virtual Memory: Available: 21,513 MB
Virtual Memory: In Use: 11,130 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\server
Hotfix(s): 5 Hotfix(s) Installed.
[01]: KB5003537
[02]: KB4562830
[03]: KB4580325
[04]: KB5004237
[05]: KB5003742
...
From an offensive perspective, systeminfo is useful because the information gathered here may be enough to identify a vulnerability and exploit it.
One interesting and useful feature of systeminfo is that it allows us to view configuration information of a remote computer. In some cases, we may have to specify the domain, username, and password. All of this is built in to the systeminfo utility. Let's review a quick example.
C:\WINDOWS\system32>systeminfo /s computer1 /u blue\domain1 /p password
Host Name: hostname
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19042 N/A Build 19042
...
Let's review the individual parts of this command. First, the /s option denotes the computer name. In this case, our computer is somewhat uncreatively named "computer1". The /u option is for username and domain. In this case, our user is "blue" and our domain is "domain1". Finally, /p is for password. In this case, the user "blue" has the password "password".
The final command covered in this section is set, which we can use to inspect and change Windows environment variables.
If we run the set command without any switches or options, we can inspect all current environment variables.
C:\WINDOWS\system32>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\user\AppData\Roaming
asl.log=Destination=file
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=Admin_Server
ComSpec=C:\WINDOWS\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\user
LOCALAPPDATA=C:\Users\user\AppData\Local
LOGONSERVER=\\server
NUMBER_OF_PROCESSORS=8
OneDrive=C:\Users\user\OneDrive
OS=Windows_NT
...
The output shows a long list of variables and the values associated with them. Note that in the output, the percent signs before and after the variable name are not included.
Let's quickly explore how this might be useful. One very well-known Windows environment variable is %PATH%. Whenever we run a command in the CLI, we don't always need to be in the same working directory as the command itself; instead, the command interpreter will search for the binary. The locations it searches are the directories listed in the %PATH% variable.
We can run the ipconfig command from C:, even though ipconfig.exe is actually located in C:\Windows\system32. When we run the command, the CLI looks for the binary in folders denoted by the %PATH% variable.
We can run set PATH to display the values for this specific variable.
C:\WINDOWS\system32>set PATH
Path=C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\;C:\Windows\system32;
A real-world example of how set can be used by offensive operators is an attack known as "Hijack Execution Flow". Essentially, an attacker might manipulate the %PATH% environment variable so that their malicious program is executed instead of the normal executable.
For example, imagine if we were able to manipulate the %PATH% environment variable to only have a value of C:\Windows. We could then place a malicious executable named ipconfig.exe there. When someone runs the ipconfig command, the system would actually run our malicious binary located in C:\Windows instead of the normal, expected program located in C:\Windows\system32. This is because we forced the system to search for programs in a different path than what it normally uses.
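To make the search-order point concrete from the defender's side, here is an added Python example (not part of the course material) that mimics how cmd.exe walks %PATH% and %PATHEXT% to pick a binary, and audits whether the command that would actually run lives in the directory we expect. It builds a throwaway directory tree with two placeholder ipconfig.exe files; the PATHEXT list and the tree layout are assumptions, and the current-directory lookup that cmd.exe performs before %PATH% is left out so that the result depends only on the PATH string passed in.

```python
import os
import tempfile

# Extensions tried, in order, when a command is typed without one. This is the
# usual default of %PATHEXT% (assumed here, lower-cased so the demo also runs
# on case-sensitive filesystems).
DEFAULT_PATHEXT = [".com", ".exe", ".bat", ".cmd"]


def find_all(name, path_value, pathext=DEFAULT_PATHEXT):
    """Every file cmd.exe could match for `name`, in %PATH% order.

    Index 0 is what would actually run: directories are tried left to right
    and the first hit wins, which is exactly what a PATH hijack relies on.
    The current directory, which cmd.exe checks before %PATH%, is ignored.
    """
    has_ext = bool(os.path.splitext(name)[1])
    candidates = [name] if has_ext else [name + ext for ext in pathext]
    matches = []
    # Windows separates %PATH% entries with ';' regardless of the host OS.
    for directory in path_value.split(";"):
        directory = directory.strip()
        if not directory:
            continue
        for candidate in candidates:
            full = os.path.join(directory, candidate)
            if os.path.isfile(full):
                matches.append(full)
    return matches


def resolve_command(name, path_value, pathext=DEFAULT_PATHEXT):
    """The single file cmd.exe would execute, or None if nothing matches."""
    matches = find_all(name, path_value, pathext)
    return matches[0] if matches else None


def is_shadowed(name, path_value, expected_dir, pathext=DEFAULT_PATHEXT):
    """True when the binary that would run is outside `expected_dir`.

    A defender can run this over a list of system utilities and their known
    homes (e.g. ipconfig -> System32) to spot a reordered PATH or a planted
    look-alike binary earlier in the search order.
    """
    winner = resolve_command(name, path_value, pathext)
    if winner is None:
        return False
    return os.path.normcase(os.path.dirname(winner)) != os.path.normcase(expected_dir)


def build_demo_tree():
    """Constructed layout: <tmp>/Windows/ipconfig.exe and <tmp>/Windows/system32/ipconfig.exe."""
    root = tempfile.mkdtemp(prefix="pathdemo-")
    windows = os.path.join(root, "Windows")
    system32 = os.path.join(windows, "system32")
    os.makedirs(system32)
    for directory in (windows, system32):
        with open(os.path.join(directory, "ipconfig.exe"), "w") as fh:
            fh.write("placeholder, not a real executable\n")
    return windows, system32


if __name__ == "__main__":
    windows, system32 = build_demo_tree()
    normal = f"{system32};{windows}"      # System32 first, as on a default install
    reordered = f"{windows};{system32}"   # the other directory moved ahead of System32
    for label, path_value in (("normal", normal), ("reordered", reordered)):
        print(label, "->", resolve_command("ipconfig", path_value),
              "| shadowed:", is_shadowed("ipconfig", path_value, system32))
```

The audit only needs the PATH string and a table of where each trusted utility is supposed to live; comparing `resolve_command` output for a handful of well-known names against their System32 location is a cheap host check to schedule alongside the `set PATH` inspection shown above.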
For example, if we run the command set path=C:\Windows followed by set path to display our changes, we get the following:
C:\WINDOWS\system32>set path=c:\Windows
C:\WINDOWS\system32>set path
Path=C:\Windows\system32;
What we have done is change the path variable from the default value to C:\windows. A quick note: the set
Earlier, we learned that the ipconfig /all command displays all the detailed TCP/IP information for the network adapters. This is important because we may be working with multiple networks and network adapters. For example, the device may have multiple Network Interface Controllers (NICs) or be dual-homed. Additionally, we may have a VPN connection or be running multiple VMs on the host computer.
One device can have multiple network interfaces and it is critical to be able to differentiate between them. The ipconfig command can help identify the details of the specific network interface that we want to work with at that time.
Let’s pivot to two more commands that show active connections: netstat and arp. The netstat command not only shows the IP address of the source, but also displays things like the destination IP, source and destination port, connection state, and layers 3 and 4 protocol statistics. If we want to view what machines are connected with our current machine, this is an easy and quick way to do it.
Below, we run netstat with -a to display all connections and listening ports, -n to show addresses and ports numerically, and -o to display the Process ID (PID) that owns each connection.
C:\WINDOWS\system32>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1120
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:902 0.0.0.0:0 LISTENING 4212
TCP 0.0.0.0:912 0.0.0.0:0 LISTENING 4212
TCP 0.0.0.0:1536 0.0.0.0:0 LISTENING 956
TCP 0.0.0.0:1537 0.0.0.0:0 LISTENING 864
TCP 0.0.0.0:1538 0.0.0.0:0 LISTENING 1544
TCP 0.0.0.0:1539 0.0.0.0:0 LISTENING 1808
TCP 0.0.0.0:1541 0.0.0.0:0 LISTENING 3500
TCP 0.0.0.0:1543 0.0.0.0:0 LISTENING 4860
TCP 0.0.0.0:1599 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 4860
TCP 0.0.0.0:2103 0.0.0.0:0 LISTENING 4860
TCP 0.0.0.0:2105 0.0.0.0:0 LISTENING 4860
TCP 0.0.0.0:2107 0.0.0.0:0 LISTENING 4860
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 604
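As an added example (not from the course material), the following Python script parses `netstat -ano` output into records and answers the questions a defender usually asks of it: which PID owns which listening ports, which listeners are bound to every interface rather than loopback only, and which remote peers the host is currently talking to. The sample text is constructed from the listing above with a few extra rows (a loopback-only listener, an IPv6 listener, an ESTABLISHED connection and a UDP bind) so every row shape the command produces is handled.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output. The 0.0.0.0 LISTENING rows are
# taken from the listing above; the 127.0.0.1, [::], ESTABLISHED and UDP rows
# are added so the parser is exercised on every shape the command produces.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING       4212
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING       4212
  TCP    127.0.0.1:1536         0.0.0.0:0              LISTENING       956
  TCP    [::]:135               [::]:0                 LISTENING       1120
  TCP    192.168.100.85:50334   192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Wildcard binds: a socket on one of these is reachable on every interface.
ALL_INTERFACES = {"0.0.0.0", "::"}


def split_endpoint(endpoint):
    """'192.168.100.85:50334' -> ('192.168.100.85', 50334); handles '[::]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn `netstat -ano` text into a list of dicts, one per connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto = parts[0]
        local_host, local_port = split_endpoint(parts[1])
        foreign_host, foreign_port = split_endpoint(parts[2])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows carry no State column
        rows.append({"proto": proto, "local_host": local_host, "local_port": local_port,
                     "foreign_host": foreign_host, "foreign_port": foreign_port,
                     "state": state, "pid": pid})
    return rows


def is_listener(row):
    """TCP sockets in LISTENING state, plus every bound UDP socket."""
    return row["state"] == "LISTENING" or row["proto"] == "UDP"


def listeners_by_pid(rows):
    """PID -> sorted (proto, port) pairs; this is what to cross-check against tasklist."""
    result = defaultdict(list)
    for row in rows:
        if is_listener(row):
            result[row["pid"]].append((row["proto"], row["local_port"]))
    return {pid: sorted(ports) for pid, ports in result.items()}


def exposed_listeners(rows):
    """Listeners bound to every interface, i.e. reachable from other hosts unless
    the firewall blocks them; loopback-only binds are deliberately excluded."""
    return [row for row in rows if is_listener(row) and row["local_host"] in ALL_INTERFACES]


def established_peers(rows):
    """Remote (host, port) pairs this machine is currently connected to."""
    return sorted({(r["foreign_host"], r["foreign_port"])
                   for r in rows if r["state"] == "ESTABLISHED"})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, ports in sorted(listeners_by_pid(rows).items()):
        print(f"PID {pid:>5} listens on {ports}")
    print("exposed:", [(r["proto"], r["local_port"]) for r in exposed_listeners(rows)])
    print("peers:", established_peers(rows))
```

Feeding real output in is a matter of `parse_netstat(subprocess.check_output(["netstat", "-ano"], text=True))` on a Windows host; the PID-to-port map is then joined against `tasklist` to name the process behind each exposed port.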
The arp command lets us view and manipulate Address Resolution Protocol (ARP) cache entries. Running arp -a displays ARP entries for all network interfaces.
C:\WINDOWS\system32>arp -a
Interface: 192.168.100.85 --- 0x5
Internet Address Physical Address Type
192.168.100.250 20-f3-75-d3-60-d0 dynamic
192.168.100.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
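The ARP cache is also a useful place to look for trouble, so here is an added Python example (not from the course material) that parses `arp -a` output and flags two things a defender cares about: one learned MAC address answering for several IPs, and the gateway's MAC differing from a recorded baseline. The sample below is the listing above plus one constructed extra row (192.168.100.42) that claims the gateway's MAC; the baseline MAC used in the usage is likewise constructed.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output: the rows shown above plus one extra dynamic
# entry (192.168.100.42) that reports the same MAC as the gateway.
SAMPLE_ARP = """
Interface: 192.168.100.85 --- 0x5
  Internet Address      Physical Address      Type
  192.168.100.250       20-f3-75-d3-60-d0     dynamic
  192.168.100.42        20-f3-75-d3-60-d0     dynamic
  192.168.100.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# Windows prints MACs as six dash-separated hex pairs.
MAC_RE = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_arp(text):
    """List of dicts {interface, ip, mac, type} from `arp -a` output."""
    entries, current_iface = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Interface:":
            current_iface = parts[1]  # entries that follow belong to this interface
            continue
        if len(parts) == 3 and MAC_RE.match(parts[1]):
            entries.append({"interface": current_iface, "ip": parts[0],
                            "mac": parts[1].lower(), "type": parts[2]})
    return entries


def shared_macs(entries):
    """MAC -> IPs for dynamic entries where one MAC answers for several IPs.

    Broadcast and multicast entries are static and legitimately repeat, so
    only dynamic (learned) entries count. One MAC answering for the gateway
    and another host at the same time is the classic sign of ARP spoofing,
    but a router holding several addresses produces the same picture, so
    treat a hit as a lead to verify rather than a verdict.
    """
    by_mac = defaultdict(list)
    for e in entries:
        if e["type"] == "dynamic":
            by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(entries, gateway_ip, baseline_mac):
    """True/False if the gateway's cached MAC differs from a recorded baseline,
    None when the gateway is not in the cache yet."""
    for e in entries:
        if e["ip"] == gateway_ip:
            return e["mac"] != baseline_mac.lower()
    return None


if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    print("shared MACs:", shared_macs(entries))
    # Baseline MAC is a constructed value a defender would have recorded earlier.
    print("gateway changed:", gateway_mac_changed(entries, "192.168.100.250", "20-F3-75-D3-60-D0"))
```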
Let's examine some routing-specific commands like route, ping, tracert, and pathping. With the route command, we can display and change entries within the routing table. The other three commands are used as diagnostic tools to troubleshoot the connections between the source and destination device.
Do note that these three tools rely on sending Internet Control Message Protocol (ICMP) echo request messages between the devices. ICMP traffic could be blocked, but traffic on other protocols between the source and destination devices could still traverse the network.
Generally, we will use these three commands to identify whether a host exists and whether our source machine can reach it. This is important to keep in mind because a destination reported as unreachable, or a host reported as non-existent, may be a false positive.
First, let’s run the route command with the print option.
C:\WINDOWS\system32>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.250 192.168.100.85 25
0.0.0.0 0.0.0.0 10.5.0.0 10.5.0.2 0
10.5.0.0 255.255.0.0 10.5.0.0 10.5.0.2 0
10.5.0.2 255.255.255.255 On-link 10.5.0.2 256
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.100.0 255.255.255.0 On-link 192.168.100.85 281
192.168.100.85 255.255.255.255 On-link 192.168.100.85 281
We can find the active routes within the IPv4 route table. The interface is the IP address of the local network adapter or the source, the network destination is the location of the far end or destination, the netmask is the mask that divides the IP address into subnets, and the gateway is generally the external router or the device proxy that routes the traffic from the internal network to the external network.
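To show how the table above is actually consulted, here is an added Python example (not from the course material) that parses the Active Routes block of `route print` and performs the lookup Windows does for a destination: longest matching prefix first, lowest metric on a tie. The routes are transcribed from the output above; it goes a little beyond the text by resolving several destinations, including the case where the two default routes compete and the VPN gateway's metric-0 route wins.

```python
import ipaddress

# Routing table transcribed from the `route print` output above. The two
# 0.0.0.0 rows are a LAN default route (metric 25) and a VPN default route
# (metric 0). "On-link" means the destination is directly attached, so no
# gateway is used.
SAMPLE_ROUTE_TABLE = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.100.250   192.168.100.85     25
          0.0.0.0          0.0.0.0         10.5.0.0         10.5.0.2      0
         10.5.0.0      255.255.0.0         10.5.0.0         10.5.0.2      0
         10.5.0.2  255.255.255.255          On-link          10.5.0.2    256
        127.0.0.0        255.0.0.0          On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255          On-link         127.0.0.1    331
    192.168.100.0    255.255.255.0          On-link    192.168.100.85    281
   192.168.100.85  255.255.255.255          On-link    192.168.100.85    281
"""


def parse_route_table(text):
    """Parse the Active Routes rows of `route print` into a list of dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator and blank lines
        dest, mask, gateway, iface, metric = parts
        routes.append({
            # strict=False accepts a destination that is not the network address
            "network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": None if gateway == "On-link" else ipaddress.IPv4Address(gateway),
            "interface": ipaddress.IPv4Address(iface),
            "metric": int(metric),
        })
    return routes


def lookup(routes, destination):
    """Pick the route Windows would use: longest matching prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def next_hop(routes, destination):
    """(gateway, interface) as strings; gateway is None for an on-link destination."""
    route = lookup(routes, destination)
    if route is None:
        return None
    gateway = None if route["gateway"] is None else str(route["gateway"])
    return gateway, str(route["interface"])


if __name__ == "__main__":
    routes = parse_route_table(SAMPLE_ROUTE_TABLE)
    for dest in ("10.5.1.1", "8.8.8.8", "192.168.100.20", "127.0.0.1"):
        print(f"{dest:>16} -> {next_hop(routes, dest)}")
```

The 8.8.8.8 case is the one worth studying: both default routes match with prefix length 0, so the metric decides and all Internet-bound traffic leaves through the VPN interface. An unexpected default route with a very low metric is therefore one of the first things to check when traffic is not going where it should.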
The ping command sends ICMP echo requests and measures how long it took for the destination to send an echo reply message.
C:\WINDOWS\system32>ping www.offensive-security.com
Pinging www.offensive-security.com [192.124.249.5] with 32 bytes of data:
Reply from 192.124.249.5: bytes=32 time=353ms TTL=55
Reply from 192.124.249.5: bytes=32 time=24ms TTL=55
Reply from 192.124.249.5: bytes=32 time=21ms TTL=55
Reply from 192.124.249.5: bytes=32 time=23ms TTL=55
Ping statistics for 192.124.249.5
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 9ms, Average = 6ms
Above, four packets were sent and four packets were received. We also find that it resolved the hostname www.offensive-security.com to the IP address (64.233.177.106). If we had a certain loss percentage, it could signify that we have some sort of connection issue.
C:\WINDOWS\system32>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Other useful case scenarios are pinging the loopback address (127.0.0.1) to determine if the network drivers work, or pinging the default gateway to find out if our host can connect to its router.
The tracert and pathping commands are very similar. Tracert uses the ICMP Time To Live (TTL) field values. As packets make their way along the path from router to router, the TTL is decremented until it reaches 0. At that point, an ICMP "time exceeded" message is sent back to the source device.
By default, tracert will output a maximum of 30 hops between the source and destination. Pathping works in a very similar fashion, but once it confirms a hop, it will send multiple messages and provide the statistics. Because of that, pathping can be a little more reliable when compared to tracert to provide latency information. Let’s run both commands on www.offensive-security.com.
C:\Windows\system32>tracert www.offensive-security.com
Tracing route to www.offensive-security.com [192.124.249.5]
over a maximum of 30 hops:
1 39 ms 1 ms 2 ms dsldevice.attlocal.net [192.168.100.250]
2 2 ms 2 ms 2 ms 45-20-16-1.lightspeed.tukrga.sbcglobal.net [45.20.16.1]
3 12 ms 3 ms 3 ms 107.212.168.252
4 11 ms 9 ms 9 ms 12.242.113.47
5 8 ms 14 ms 12 ms ae4.cr4-atl2.ip4.gtt.net [173.241.128.81]
6 25 ms 22 ms 22 ms ae11.cr2-was1.ip4.gtt.net [89.149.142.238]
7 22 ms 22 ms 32 ms ip4.gtt.net [209.120.131.170]
8 21 ms 21 ms 20 ms cloudproxy10005.sucuri.net [192.124.249.5]
Trace complete.
C:\Windows\system32>pathping www.offensive-security.com
Tracing route to www.offensive-security.com [192.124.249.5]
over a maximum of 30 hops:
0 hostname.attlocal.net [192.168.100.77]
1 dsldevice.attlocal.net [192.168.100.250]
2 45-20-16-1.lightspeed.tukrga.sbcglobal.net [45.20.16.1]
3 107.212.168.252
4 12.242.113.47
5 ae4.cr4-atl2.ip4.gtt.net [173.241.128.81]
6 ae11.cr2-was1.ip4.gtt.net [89.149.142.238]
7 ip4.gtt.net [209.120.131.170]
8 cloudproxy10005.sucuri.net [192.124.249.5]
Computing statistics for 200 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 hostname.attlocal.net [192.168.100.77]
0/ 100 = 0% |
1 4ms 0/ 100 = 0% 0/ 100 = 0% dsldevice.attlocal.net [192.168.100.250]
0/ 100 = 0% |
2 4ms 0/ 100 = 0% 0/ 100 = 0% 45-20-16-1.lightspeed.tukrga.sbcglobal.net [45.20.16.1]
1/ 100 = 1% |
3 6ms 2/ 100 = 2% 1/ 100 = 1% 107.212.168.252
0/ 100 = 0% |
4 --- 100/ 100 =100% 99/ 100 = 99% 12.242.113.47
0/ 100 = 0% |
5 15ms 2/ 100 = 2% 1/ 100 = 1% ae4.cr4-atl2.ip4.gtt.net [173.241.128.81]
0/ 100 = 0% |
6 --- 100/ 100 =100% 99/ 100 = 99% ae11.cr2-was1.ip4.gtt.net [89.149.142.238]
0/ 100 = 0% |
7 26ms 1/ 100 = 1% 0/ 100 = 0% ip4.gtt.net [209.120.131.170]
0/ 100 = 0% |
8 24ms 1/ 100 = 1% 0/ 100 = 0% cloudproxy10005.sucuri.net [192.124.249.5]
Trace complete.
This section is going to cover commands related to name resolution. In a nutshell, name resolution is a process where numerical values, like IP addresses, are connected to host or domain names. Under the hood, network traffic requires IP addresses to travel from source to destination. When we enter "www.google.com" into the browser, one of the things that happens is translating the domain name to its IP address. Before we discuss nbtstat and nslookup, let’s cover what NetBIOS means, and how it is similar to Domain Name System (DNS).
NetBIOS was originally created as a Layer 5 (OSI model) protocol to connect devices to each other within a Local Area Network (LAN). As time went on, there was increasing demand for data to traverse outside of the LAN. Because packets needed to be routed externally, NetBIOS was eventually updated to a Layer 4 protocol, called NetBIOS over TCP/IP (NetBT). By default, NBT runs on ports 137 (TCP/UDP), 138 (UDP), and 139 (TCP). While NBT is similar to DNS in that it resolves IP addresses to host/domain names, DNS is a layer 7 protocol (port 53 - TCP/UDP) and is more scalable due to its hierarchical naming structure.
The last bit of information to cover before jumping into the commands themselves is to discuss the hosts file. On Windows, the hosts file is located in the %SystemRoot%\System32\drivers\etc folder by default. This is a plain text file that contains hosts-to-IP mappings, and is one of the primary locations the OS checks when it attempts to resolve host/domain names.
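Because the hosts file is consulted before DNS, a defender should know how to read it and what to look for in it. The following Python example is added here (it is not from the course material) and parses a constructed hosts file in the Windows format, resolves names the way the file is applied (first matching line wins, case-insensitive), and flags entries that pin a public name or sinkhole a host. The www.fubar.com mapping mirrors the cached record in the ipconfig /displaydns output earlier; every other entry and the list of expected public names are constructed.

```python
import ipaddress

# Constructed sample of %SystemRoot%\System32\drivers\etc\hosts. The
# www.fubar.com line mirrors the cached record shown in the ipconfig
# /displaydns example above; the remaining entries are ours.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost

192.168.0.15    www.fubar.com
10.0.0.5        intranet intranet.corp.local   # constructed internal server
0.0.0.0         ads.example.net                # constructed sinkhole entry
192.168.0.15    www.google.com                 # constructed: public name sent to a LAN host
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs in file order, one per alias, comments stripped."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for name in names:
            mappings.append((addr, name.lower()))
    return mappings


def resolve_locally(mappings, hostname):
    """What the hosts file says for `hostname`, or None if DNS would be asked.
    Matching is case-insensitive and the first matching line wins."""
    hostname = hostname.lower()
    for addr, name in mappings:
        if name == hostname:
            return str(addr)
    return None


def audit_hosts(mappings, expected_public):
    """Flag entries a defender should look at twice.

    - 'public-name-override': a name that should come from DNS is pinned here
    - 'sinkhole': a name mapped to 0.0.0.0 or loopback (ad blocking, or hiding
      a host such as an update or security-vendor server)
    """
    public = {n.lower() for n in expected_public}
    findings = []
    for addr, name in mappings:
        if name in public:
            findings.append(("public-name-override", name, str(addr)))
        elif addr.is_unspecified or addr.is_loopback:
            findings.append(("sinkhole", name, str(addr)))
    return findings


if __name__ == "__main__":
    mappings = parse_hosts(SAMPLE_HOSTS)
    print("intranet ->", resolve_locally(mappings, "INTRANET"))
    # Names we expect DNS, not the hosts file, to answer (constructed list).
    for finding in audit_hosts(mappings, ["www.google.com", "www.offensive-security.com"]):
        print(*finding)
```

On a live system the same functions run over the real file, read with `open(r"C:\Windows\System32\drivers\etc\hosts")`; comparing the result with a known-good copy of the file is the simplest way to spot a change.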
The nbtstat command shows information like the NetBIOS name table and cache. It also has the ability to display the NetBT protocol information for local and remote machines. For example, the /n option displays the name table of the local computer.
C:\WINDOWS\system32>nbtstat /n
Ethernet 33:
Node IpAddress: [192.168.100.85] Scope Id: []
NetBIOS Local Name Table
Name Type Status
---------------------------------------------
WORKGROUP <00> GROUP Registered
We find that the host is "Registered". This means that the name is registered by the workstation.
The nslookup command will either find the IP of a domain name or the domain name of an IP address (reverse lookup).
C:\WINDOWS\system32>nslookup www.offensive-security.com
Server: dsldevice6.attlocal.net
Address: 2600:1700:1d40:b2b0::1
Non-authoritative answer:
Name: www.offensive-security.com
Address: 192.124.249.5
In computing, client and server are terms referring to a relationship process. Generally, servers provide a service, like data, to clients. A simple example is how browsers are used as a way to have a client connect to a web server. As an administrator or security engineer, we can use many different utilities to connect to servers or other clients from our own machine. In this Learning Unit, we are going to discuss some common client utilities.
Networking is an important concept for any administrator or cybersecurity professional to understand. In this section, we are going to learn more about network shares. Nowadays, almost every environment requires users to access internal resources, like printers, for example. Other examples include shared file servers, centralized event logging, or internally-accessible web servers. All of these examples share the client-server relationship where data traverses the network.
First, let’s briefly discuss a very famous network protocol known as Server Message Block (SMB). The SMB protocol allows clients to access shared resources. By default, depending on the Windows OS, we can expect SMB to run either on port 139 or 445. Currently, there are multiple SMB versions, and historically SMB has a reputation of being very vulnerable. Because of this, targeting SMB (or similar services) is generally at the top of the list for attackers.
Next, we will examine the net share and net use commands, which directly relate to shared resources. These commands can mount resources like SMB shares. The net share command helps us configure and manage shared resources hosted on our local machine, and we can leverage net use to connect to remote shared resources, interact with them, and manage those connections.
These two powerful commands are important to know because we may not always have the tools we want to use or the ability to use the GUI. CLI access is more likely than GUI access, and these two commands are native, or built-in. We can use these tools to pivot laterally, or transfer data in or out of the target network.
Running net share without any options will display information about current shares on the local computer.
C:\WINDOWS\system32>net share
Share name Resource Remark
-------------------------------------------------------------------------------
C$ C:\ Default share
E$ E:\ Default share
IPC$ Remote IPC
ADMIN$ C:\Windows Remote Admin
Let’s mount a remote shared resource with net use, passing the local drive letter we wish to use (z:) and the UNC path to the share (\\192.168.1.1\public).
C:\WINDOWS\system32>net use z: \\192.168.1.1\public
The command completed successfully.
When the command completes, we can use the newly-mounted drive like any other.
Netcat (nc) is a powerful tool that can be used for remote administration, among other things. Netcat can open up ports to allow other clients to connect to the machine, it can connect to other machines, it can transfer files, and it can even scan ports. That is obviously a lot to unpack, so we’ll cover the highlights.
We'll open up two different command prompt terminals and navigate to the Tools folder on the Desktop. In this scenario, terminal 1 represents the server, and terminal 2 represents the client. We are going to set up a listener in terminal 1 and then connect to our listener from terminal 2.
In terminal 1, we set up Netcat to listen for incoming connections on TCP port 1234. We will use the -n option to disable DNS name resolution, -l to create a listener, -v to add verbosity, -s 127.0.0.1 to listen on the localhost interface, and -p to specify the listening port number.
C:\Users\offsec\Desktop\Tools>nc.exe -n -l -v -s 127.0.0.1 -p 1234
listening on [127.0.0.1] 1234 ...
Now that we have a listener on port 1234, we can connect to it from terminal 2.
C:\Users\offsec\Desktop\Tools>nc.exe 127.0.0.1 1234
Now we have terminal 2 connected to terminal 1. In this specific instance, we basically created a sort of chat functionality.
listening on [127.0.0.1] 1234 ...
Connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 50334
Hello!
Anything typed in one terminal will be echoed, or transmitted, to the other terminal.
Hello!
Learning about netcat is fun
A way to close the connection is to send a signal interrupt (signal break) by pressing the CTRL and C keys at the same time while in the terminal. This stops or kills the process and, in our situation, terminates the connection.
Socat is similar to Netcat, but with a lot more functionality. Socat is considered to be a more stable way of connecting to remote machines, since it doesn’t immediately terminate when the connection closes. It also supports more protocols like OPENSSL.
As with the Netcat example, terminal 1 represents the server, and terminal 2 represents the client. We are again going to set up a listener in terminal 1 and then connect to it from terminal 2. We'll start a listener on the loopback interface with an IP address of 127.0.0.1 (bind=127.0.0.1) on port 5678 (OPENSSL-LISTEN:5678). The -d option provides diagnostic (verbose) output, cert=offsec.pem specifies the SSL certificate, verify=0 skips certificate verification, and STDOUT allows the terminal to output data.
C:\Users\offsec\Desktop\Tools>socat.exe -d OPENSSL-LISTEN:5678,cert=offsec.pem,verify=0,bind=127.0.0.1 STDOUT
In terminal 2, we connect to 127.0.0.1 on port 5678 (OPENSSL:127.0.0.1:5678). EXEC:'cmd.exe' provides interactive terminal access.
C:\Users\offsec\Desktop\Tools>socat.exe OPENSSL:127.0.0.1:5678,verify=0 EXEC:'cmd.exe'
We can again terminate the connection by issuing Ctrl + C.
There are many other tools that allow us to execute commands remotely. Windows Sysinternals is a collection of freeware tools that can assist in things like diagnosing, troubleshooting, and managing Windows systems. Psexec is one of the CLI tools within the Sysinternals suite that has many features, but one of the more prominent features is the ability to launch command prompts on remote devices.
The following psexec command will execute cmd.exe on the remote device called "myComputer". In turn, cmd will execute systeminfo, and the results are output locally.
C:\>psexec -i \\myComputer cmd /c "systeminfo"
Host Name: hostname
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19042 N/A Build 19042
OS Manufacturer: Microsoft Corporation
To open up a fully interactive session with a username/password requirement, we would run the following command:
C:\>psexec -i \\myComputer -u username -p password cmd
Firewalls are used as a network protective measure because they can control the traffic that travels through them. Firewalls are generally used to filter traffic between the internet and the internal network. This makes it more difficult for attackers to target internal machines, because the attackers have to work harder to identify ways to bypass those protective measures. Up until this point, we’ve covered numerous network-related commands and tools. Let’s take it a step further, by examining firewalls.
In this section, we’re going to explore some of the Windows firewall features. The network shell (netsh) command is a CLI tool that allows us to view and manipulate networking configurations of our local Windows device.
The netsh command has two options when it comes to interacting with the firewall: firewall and advfirewall. Since the firewall option is deprecated on modern Windows OS, and because advfirewall has more capabilities, we will only briefly cover the former.
We can run netsh firewall with the ? flag to view the available commands.
C:\WINDOWS\system32>netsh firewall ?
The following commands are available:
Commands in this context:
? - Displays a list of commands.
add - Adds firewall configuration.
delete - Deletes firewall configuration.
dump - Displays a configuration script.
help - Displays a list of commands.
set - Sets firewall configuration.
show - Shows firewall configuration.
The output tells us that we can run some basic commands to add, delete, set, or show the firewall configuration.
Let’s compare that to the features of netsh advfirewall.
C:\WINDOWS\system32>netsh advfirewall ?
The following commands are available:
Commands in this context:
? - Displays a list of commands.
consec - Changes to the `netsh advfirewall consec' context.
dump - Displays a configuration script.
export - Exports the current policy to a file.
firewall - Changes to the `netsh advfirewall firewall' context.
help - Displays a list of commands.
import - Imports a policy file into the current policy store.
mainmode - Changes to the `netsh advfirewall mainmode' context.
monitor - Changes to the `netsh advfirewall monitor' context.
reset - Resets the policy to the default out-of-box policy.
set - Sets the per-profile or global settings.
show - Displays profile or global properties.
With advfirewall, we can view, add, or delete inbound and outbound rules, export and import whole policies, and monitor the active firewall state, which is far more than the legacy context offers. Let’s inspect the options for the add rule command.
C:\WINDOWS\system32>netsh advfirewall firewall add rule ?
The number of arguments provided is not valid. Check help for the correct syntax.
Usage: add rule name=<string>
dir=in|out
action=allow|block|bypass
[program=<program path>]
[service=<service short name>|any]
[description=<string>]
[enable=yes|no (default=yes)]
[profile=public|private|domain|any[,...]]
[localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
[localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
[remoteport=0-65535|<port range>[,...]|any (default=any)]
[protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
tcp|udp|any (default=any)]
[interfacetype=wireless|lan|ras|any]
[rmtcomputergrp=<SDDL string>]
[rmtusrgrp=<SDDL string>]
[edge=yes|deferapp|deferuser|no (default=no)]
[security=authenticate|authenc|authdynenc|authnoencap|notrequired
(default=notrequired)]
At a minimum, a rule needs a name, a direction (in or out), and an action (allow, block, or bypass). The remaining options scope the rule: a specific program or service, the protocol, the local and remote IP addresses, the local and remote ports, the interface type, the profile it applies to, and whether IPsec authentication (the security= option) is required for traffic to match.
To demonstrate, we'll add a firewall rule that will prevent us from pinging www.offensive-security.com. First, we'll ping the host to get its IP address and verify that it is reachable.
C:\Users\user\Desktop>ping www.offensive-security.com
Pinging www.offensive-security.com [192.124.249.5] with 32 bytes of data:
Reply from 192.124.249.5: bytes=32 time=353ms TTL=55
Reply from 192.124.249.5: bytes=32 time=24ms TTL=55
Reply from 192.124.249.5: bytes=32 time=21ms TTL=55
Reply from 192.124.249.5: bytes=32 time=23ms TTL=55
Ping statistics for 192.124.249.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 353ms, Average = 105ms
Now, we'll add a new firewall rule, specifying a name (name="Deny Ping OffSec"), direction (dir=out), action (action=block), protocol (protocol=icmpv4), and remote IP address (remoteip=192.124.249.5). The direction matters: ping sends an ICMP echo request outbound and waits for the reply, so an outbound block stops the request from ever leaving the host. An inbound block (dir=in) would only drop the returning echo replies, and ping would report Request timed out instead.
C:\Users\user\Desktop>netsh advfirewall firewall add rule name="Deny Ping OffSec" dir=out action=block protocol=icmpv4 remoteip=192.124.249.5
Ok.
C:\Users\user\Desktop>netsh advfirewall firewall show rule name="Deny Ping OffSec"
Rule Name: Deny Ping OffSec
----------------------------------------------------------------------
Enabled: Yes
Direction: Out
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: 192.124.249.5/32
Protocol: ICMPv4
Type Code
Any Any
Edge traversal: No
Action: Block
Ok.
With our firewall rule added, we can try our ping command again.
C:\Users\user\Desktop>ping www.offensive-security.com
Pinging www.offensive-security.com [192.124.249.5] with 32 bytes of data:
General failure
General failure
General failure
General failure
Ping statistics for 192.124.249.5
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Our firewall rule is working correctly and we can no longer ping www.offensive-security.com. The General failure responses show that the local firewall refused to send the echo requests at all, rather than a remote host dropping them. Now let's delete the firewall rule by name (name="Deny Ping OffSec") and retry our ping.
C:\Users\user\Desktop>netsh advfirewall firewall delete rule name="Deny Ping OffSec"
Deleted 1 rule(s).
Ok.
C:\Users\user\Desktop>ping www.offensive-security.com
Pinging www.offensive-security.com [192.124.249.5] with 32 bytes of data:
Reply from 192.124.249.5: bytes=32 time=353ms TTL=55
Reply from 192.124.249.5: bytes=32 time=24ms TTL=55
Reply from 192.124.249.5: bytes=32 time=21ms TTL=55
Reply from 192.124.249.5: bytes=32 time=23ms TTL=55
Ping statistics for 192.124.249.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 353ms, Average = 105ms
After deleting the rule, we were able to ping the website again, because the traffic was no longer blocked.
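Reviewing rules one at a time with show rule is fine on a single host, but across many machines we want to parse the listing and flag the rules that matter. The following is an added example, not code from the original page: it parses the text layout that netsh advfirewall firewall show rule name=all prints (the same "Key: value" blocks shown above) and reports enabled inbound allow rules that accept any remote address on any port. The sample output and the rule names in it are constructed for the example.

```python
"""Parse `netsh advfirewall firewall show rule name=all` output and flag
inbound allow rules that are open to every remote host on every port.

Added example, not code from the original page. SAMPLE_OUTPUT below is
constructed by hand in the layout netsh prints; the rule names are invented.
"""
import re

# Constructed sample, in the same layout as the page's `show rule` listing.
SAMPLE_OUTPUT = """
Rule Name:                            Deny Ping OffSec
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             192.124.249.5/32
Protocol:                             ICMPv4
                                      Type    Code
                                      Any     Any
Edge traversal:                       No
Action:                               Block

Rule Name:                            Example Agent Inbound (hypothetical)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Example RDP Inbound (hypothetical)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
Ok.
"""

# "Key:   value" lines. The separator, the ICMP Type/Code lines, blank lines
# and the trailing "Ok." contain no colon, so they never match.
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_rules(text):
    """Return one dict per rule, keyed by the field names netsh prints."""
    rules, current = [], None
    for line in text.splitlines():
        match = FIELD.match(line.rstrip())
        if match is None:
            continue
        key, value = match.group(1).strip(), match.group(2).strip()
        if key == "Rule Name":
            current = {key: value}          # a new rule block starts here
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def permissive_inbound(rules):
    """Names of enabled inbound Allow rules that accept any remote address on
    any protocol, or on TCP/UDP with no local port restriction."""
    hits = []
    for rule in rules:
        if (rule.get("Enabled"), rule.get("Direction"), rule.get("Action")) != ("Yes", "In", "Allow"):
            continue
        if rule.get("RemoteIP") != "Any":
            continue
        protocol = rule.get("Protocol", "Any")
        if protocol == "Any" or (protocol in ("TCP", "UDP") and rule.get("LocalPort", "Any") == "Any"):
            hits.append(rule["Rule Name"])
    return hits


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_OUTPUT)
    print(f"{len(parsed)} rules parsed")
    for name in permissive_inbound(parsed):
        print(f"inspect with verbose output: {name}")
```

The non-verbose listing omits the program, service and interface scoping of a rule, so treat each hit as a candidate and confirm it with netsh advfirewall firewall show rule name="..." verbose before calling it a finding. The RDP rule in the sample is not reported because it is limited to a single local port.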
In this section, we will start discussing what services are, how to view them, and how to interact with them. Afterwards, we will discuss a few client-server protocols native to the Windows environment.
A Windows service is a program that usually runs in the background. Good examples are drivers, network services, and antivirus software. Services can be started automatically at boot, in response to a trigger, or manually. They can also run under different accounts, as a low-privileged service account or as SYSTEM. Services are generally non-interactive, but we can still enable and disable them. In the next two sections, we will use service-specific commands to interact with them.
Let’s examine starting and stopping a service with sc, the Service Control command-line tool (sc.exe). It talks to the Service Control Manager (SCM), the system component that creates, starts, stops, and tracks Windows services. As an offensive operator, sc is powerful because we can use it for system enumeration (which services exist, how they are configured, and which account they run as), privilege escalation, and persistence.
To start a service, we run sc start, passing in the name of the service we want to start. To stop a service, we instead use sc stop as shown below.
C:\Users\user\Desktop>sc start WSearch
SERVICE_NAME: WSearch
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7d0
PID : 2812
FLAGS :
C:\Users\user\Desktop>sc stop WSearch
SERVICE_NAME: WSearch
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7530
Both commands return as soon as the SCM has accepted the request, which is why the state is reported as START_PENDING or STOP_PENDING rather than RUNNING or STOPPED. Running sc query WSearch afterwards shows the state once the transition has completed.
As an offensive operator, enumeration is key in identifying vulnerabilities and crafting our exploits. Making sure we are comfortable with various tools and utilities that gather information on system services is crucial. Let’s explore a few commands that allow us to view system data on services.
The first command we are going to run is tasklist with the /svc argument. By default, tasklist displays processes, which are related to but distinct from services. Whenever a user runs an executable, the program spawns one or more processes; a process may start or stop a service, but most never do.
Conversely, every running service is hosted by some process, either its own executable or a shared host such as svchost.exe, and as mentioned previously, services do not require user interaction. With /svc, we can see which services, if any, are hosted by each process.
C:\WINDOWS\system32>tasklist /svc
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
Registry 124 N/A
smss.exe 520 N/A
csrss.exe 696 N/A
wininit.exe 784 N/A
csrss.exe 792 N/A
winlogon.exe 852 N/A
services.exe 924 N/A
lsass.exe 948 KeyIso, SamSs, VaultSvc
svchost.exe 528 BrokerInfrastructure, DcomLaunch, PlugPlay,
Power, SystemEventsBroker
svchost.exe 2808 Wcmsvc
svchost.exe 8368 Appinfo
svchost.exe 9552 RmSvc
explorer.exe 9280 N/A
svchost.exe 5648 wscsvc
svchost.exe 8064 OneSyncSvc_1dfa24,
PimIndexMaintenanceSvc_1dfa24,
UnistoreSvc_1dfa24, UserDataSvc_1dfa24
svchost.exe 1296 Netman
Working with processes and services is a critical skill for cyber security professionals. We have to know which processes and services are running, which account they run as, whether they start automatically or on some other trigger, and how we can defend or exploit them. The tasklist command helps us answer the first of those questions; the sc commands below answer the rest.
The next commands we will examine are sc query and sc qc. Below, we run each command, providing dhcp as the service name.
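When the question is "which process hosts service X" across many hosts, reading the table by eye does not scale. The following is an added example, not code from the original page: it parses tasklist /svc output, including the wrapped continuation lines that tasklist prints when one svchost.exe hosts many services, inverts it into a service-to-process map, and lists the services that run outside svchost.exe (the ones with their own binary, which are the first to examine with sc qc). The sample listing is constructed from the page's output; the SearchIndexer.exe row and its PID are invented.

```python
"""Parse `tasklist /svc` output into process rows and invert it into a
service -> hosting process map, handling the wrapped continuation lines
tasklist prints when a process hosts many services.

Added example, not code from the original page. SAMPLE_OUTPUT is constructed
from the page's listing; the SearchIndexer.exe row and its PID are invented.
"""
import re

SAMPLE_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
lsass.exe                      948 KeyIso, SamSs, VaultSvc
svchost.exe                    528 BrokerInfrastructure, DcomLaunch, PlugPlay,
                                   Power, SystemEventsBroker
svchost.exe                   2808 Wcmsvc
SearchIndexer.exe             1212 WSearch
"""

# Image name (may contain spaces), the numeric PID, then the Services cell.
# The header line has no PID column value, so it never matches.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")


def _split_services(cell):
    cell = cell.strip()
    if cell in ("", "N/A"):
        return []
    return [name.strip() for name in cell.split(",") if name.strip()]


def parse_tasklist_svc(text):
    """Return a list of [image, pid, [services]] rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue                               # blank or separator line
        if line[0].isspace():                      # wrapped Services continuation
            if rows:
                rows[-1][2].extend(_split_services(line))
            continue
        match = ROW.match(line)
        if match is None:
            continue                               # header line
        rows.append([match.group(1), int(match.group(2)), _split_services(match.group(3))])
    return rows


def service_host_map(rows):
    """Invert the listing: service name -> (image name, pid)."""
    return {svc: (image, pid) for image, pid, services in rows for svc in services}


def services_outside_svchost(rows):
    """(service, image, pid) for services not hosted by svchost.exe; these run
    their own binary and are the first ones to look at with sc qc."""
    return sorted((svc, image, pid)
                  for image, pid, services in rows
                  if image.lower() != "svchost.exe"
                  for svc in services)


if __name__ == "__main__":
    parsed = parse_tasklist_svc(SAMPLE_OUTPUT)
    for svc, image, pid in services_outside_svchost(parsed):
        print(f"{svc:<12} hosted by {image} (PID {pid})")
```

Feed it the saved output of tasklist /svc from each host; the inverted map answers "which PID do I kill or inspect for this service" directly, which is the question the next sections (sc query, sc qc, taskkill) keep coming back to.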
C:\WINDOWS\system32>sc query dhcp
SERVICE_NAME: dhcp
TYPE : 30 WIN32
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\WINDOWS\system32>sc qc dhcp
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : NSI
: Afd
SERVICE_START_NAME : NT Authority\LocalService
We find that sc query shows information like the current state of the service, and certain codes specific to the service. The sc qc command shows if the service has autostart enabled, what dependencies are associated with the service, and the binary path name.
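The fields sc qc prints are exactly what a privilege escalation check needs: the binary path, the start type, and the account the service runs as. The following is an added example, not code from the original page: it parses sc qc output (including the multi-line DEPENDENCIES field) and applies one classic check, flagging services whose BINARY_PATH_NAME is unquoted and contains spaces in the executable part. The dhcp block in the sample is the page's own output; the ExampleAgent service and its path are constructed for the example.

```python
"""Parse `sc qc <service>` output and flag services whose binary path is
unquoted and contains spaces, a standard enumeration check when looking for
privilege escalation paths.

Added example, not code from the original page. The dhcp block below is the
page's own output; the ExampleAgent block and its path are constructed.
"""
import re

SAMPLE_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: dhcp
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
        LOAD_ORDER_GROUP   : TDI
        TAG                : 0
        DISPLAY_NAME       : DHCP Client
        DEPENDENCIES       : NSI
                           : Afd
        SERVICE_START_NAME : NT Authority\LocalService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\agent.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Agent (hypothetical)
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# "KEY : value" lines; an empty KEY is a continuation of the previous field
# (sc prints extra DEPENDENCIES entries that way). "[SC] ..." lines never match.
FIELD = re.compile(r"^\s*([A-Z_]*)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Return {service_name: {FIELD: value}}; DEPENDENCIES becomes a list."""
    services, current, last_key = {}, None, None
    for line in text.splitlines():
        match = FIELD.match(line)
        if match is None:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == "SERVICE_NAME":
            current = {"DEPENDENCIES": []}
            services[value] = current
            last_key = None
        elif current is None:
            continue
        elif key == "":                              # continuation line
            if last_key == "DEPENDENCIES" and value:
                current["DEPENDENCIES"].append(value)
        elif key == "DEPENDENCIES":
            if value:
                current["DEPENDENCIES"].append(value)
            last_key = key
        else:
            current[key] = value
            last_key = key
    return services


def unquoted_path_with_spaces(binary_path):
    """True when the executable part of an unquoted path contains a space.
    Arguments after the executable are ignored, so svchost.exe -k ... passes."""
    path = binary_path.strip()
    if not path or path.startswith('"'):
        return False
    end = path.lower().find(".exe")
    executable = path if end == -1 else path[: end + 4]
    return " " in executable


def unquoted_service_paths(services):
    """(name, path, account, start type) for every service failing the check."""
    findings = []
    for name, cfg in services.items():
        path = cfg.get("BINARY_PATH_NAME", "")
        if unquoted_path_with_spaces(path):
            findings.append((name, path, cfg.get("SERVICE_START_NAME", ""), cfg.get("START_TYPE", "")))
    return findings


if __name__ == "__main__":
    for name, path, account, start in unquoted_service_paths(parse_sc_qc(SAMPLE_OUTPUT)):
        print(f"{name}: {path!r} runs as {account} ({start})")
```

A flagged path is only exploitable if a low-privileged user can create a file in one of the intermediate directories (check with icacls) and the service runs as a privileged account such as LocalSystem; the parser surfaces the candidates, it does not prove them. The page's dhcp entry passes the check because the svchost.exe path itself contains no spaces, even though its arguments do.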
The last tool we are going to cover is PsService, which is part of the Windows Sysinternals suite.
The downside of PsService is that it is not built into Windows and has to be copied to the host. It is very similar to the sc utility, but one thing PsService can do that sc cannot is query and control services on a remote system under a different user account (its \\computer, -u and -p options). This is helpful when we hold credentials for an account that has the necessary permissions on the remote host.
C:\WINDOWS\system32>PsService.exe query WSearch
SERVICE_NAME: WSearch
DISPLAY_NAME: Windows Search
Provides content indexing, property caching, and search results for files, e-mail, and other content
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0 ms
C:\WINDOWS\system32>PsService.exe config WSearch
SERVICE_NAME: WSearch
DISPLAY_NAME: Windows Search
Provides content indexing, property caching, and search results for files, e-mail, and other content
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\SearchIndexer.exe /Embedding
LOAD_ORDER_GROUP :
TAG : 0
DEPENDENCIES : RPCSS
: BrokerInfrastructure
SERVICE_START_NAME : Localsystem
FAIL_RESET_PERIOD: 86400 seconds
PsService and sc display similar configuration information about services and have similar capabilities.
In this section, we are going to move from examining information about services to interacting with them. We will cover the net and taskkill commands, and expand on the sc and PsService utilities some more.
The net command can be used to interact with numerous Windows environment objects like users, shares, services, and account policies. Below, we use net with the stop and start options to stop and then restart the WSearch service.
C:\WINDOWS\system32>net stop WSearch
The Windows Search service is stopping
The Windows Search service was stopped successfully.
C:\WINDOWS\system32>net start WSearch
The Windows Search service is starting
The Windows Search service was started successfully.
For more capabilities of the net command, we run it with the help option.
C:\WINDOWS\system32>net help
The syntax of this command is:
NET HELP
command
-or-
NET command /HELP
Commands available are:
NET ACCOUNTS NET HELPMSG NET STATISTICS
NET COMPUTER NET LOCALGROUP NET STOP
NET CONFIG NET PAUSE NET TIME
NET CONTINUE NET SESSION NET USE
NET FILE NET SHARE NET USER
NET GROUP NET START NET VIEW
In summary, we can use net start with no arguments to list the running services, and net start, net stop, net pause, and net continue to control them.
The sc and PsService utilities have many more functions, such as starting, stopping, pausing, and continuing services, modifying a service’s configuration in the SCM database (for example its binary path, start type, or account), and defining what should happen when the service fails.
Remote Desktop is a feature native to most Windows editions. A Remote Desktop Protocol (RDP) client connects to a server listening on TCP port 3389 by default. The great benefit of RDP is that we get a full GUI session on the remote computer. Using RDP is fairly simple: we need the computer name or IP address and, in most cases, valid credentials. If we have those, and an RDP server is running, we can use our RDP client to connect to the remote machine.
Relevant Note(s): Windows Basics