Windows Networking & Services
In this Topic, we will cover Windows commands related to networking and services. There are many reasons to learn and understand Windows networking in particular. The most significant reason is the popularity of Windows machines in the workplace and their ubiquity in many enterprise networks. An information security professional who doesn’t know their way around a Windows network is operating at a significant disadvantage.
One quick note before we continue: we will be discussing services as we proceed. From a host perspective, services are programs that run in the background. Certain services are necessary for computers to run properly, so we will exercise some caution as we explore and interact with them.
While the majority of the topics covered in this lesson can be manipulated through the Graphical User Interface (GUI), we will instead focus on using the Command Line Interface (CLI).
First of all, the CLI gives us the ability to do a lot more in terms of interacting with the local or remote machine. Second, we might not always have GUI access. As a general rule, it is more likely that we will have CLI access than GUI access to a remote machine, especially as an offensive operator. A third advantage of using CLI over GUI is when dealing with more than one machine. For example, if there are 200 devices on the network and our task is to gather the IP addresses of all those machines, doing it manually through the GUI would take a very long time. The CLI allows us to automate and script such actions.
Essential Network Utilities (ping, tracert, arp, netstat, nbtstat, nslookup, ipconfig, route)
Introduction
To begin, we are going to use the Remote Desktop Protocol (RDP) to connect to the remote Windows machine. From your Kali VM, open up a terminal and run the following command: rdesktop [IP address]. The IP address within the brackets will be the IP address of the Windows VM, and it is going to be different for every student. For example, the command should look something like this: rdesktop 1.2.3.4, but your IP address will correspond to your specific Windows exercise VM IP address.
Next, open up a CLI terminal. There are many ways to do this, but we are going to show two different methods. Also, some of these commands may require elevated privileges that a regular user might not have.
To keep this simple, we are going to use the CLI terminal with administrative privileges. Depending on the computer settings, we may need to provide the administrator password.
There are two ways to do this as described below.
The first way is to open up a Windows explorer and browse to C:\Windows\System32. There, we find the executable named conhost.exe, right-click it, and select Run as administrator.
The second method is to click the Start menu at the bottom left corner of the screen. We type “command prompt”, which will activate the search function within Windows. Then, we right-click on Command Prompt and select Run as administrator.
This is where we will interact with the system using the network utilities. In the next sections, we will break down the main features for each utility, followed by a few exercises.
These utilities are very powerful and have way too many command options to cover them all. After becoming comfortable with the basics, it’s important to experiment and learn about additional features within each command.
Basic System and Network Commands
We’ll start our journey by learning commands that can help us gain information about the network. One of the most frequently-used commands is ipconfig, which allows us to view specific network settings within each adapter. We can inspect our IPv4 and IPv6 address, the subnet mask, and the default gateway.
Running ipconfig with the /all option displays the full configuration information.
If we are on a network where the IPv4 address of our device is assigned from a DHCP server, we can also use ipconfig to release and renew our IP address.
We will demonstrate these commands, but performing these actions while connected to the Offsec Labs VPN could result in lab network disruption.
The /release option sends a DHCP Release message to the DHCP server, releasing the IPv4 address.
We can then run ipconfig with the /renew option to request a new IP address.
The /renew option will request an IP address from the DHCP server. The renewed IP address will depend on the configuration of the DHCP server. In this case, the last octet changed from 85 to 100.
In all of these examples so far, we specified an adapter in our release and renew commands. In order to apply those commands to all adapters, we simply omit the adapter argument.
This time, all of the connected network adapters had their IP addresses released and renewed.
As the name might suggest, we can also use the ipconfig command with the /displaydns option to display the DNS settings.
Another useful option is flushing the DNS cache, clearing the entries that show hostname to IP address. While the DNS cache helps you access certain web data faster, flushing it can help you troubleshoot web-related connections, among other things.
Here, we’ll use ipconfig to clear the DNS cache with /flushdns. We’ll then run ipconfig /displaydns to confirm that our DNS cache was indeed flushed.
Another great information gathering command is systeminfo. This command displays information about the operating system, including hardware properties.
From an offensive perspective, systeminfo is useful because the information gathered here may be enough to identify a vulnerability and exploit it.
One interesting and useful feature of systeminfo is that it allows us to view configuration information of a remote computer. In some cases, we may have to specify the domain, username, and password. All of this is built into the systeminfo utility. Let’s review a quick example.
Let’s review the individual parts of this command. First, the /s option denotes the computer name. In this case, our computer is somewhat uncreatively named “computer1”. The /u option is for username and domain. In this case, our user is “blue” and our domain is “domain1”. Finally, /p is for password. In this case, the user “blue” has the password “password”.
The final command covered in this section is set, which we can use to inspect and change Windows environment variables.
If we run the set command without any switches or options, we can inspect all current environment variables.
The output shows a long list of variables and the values associated with them. Note that in the output, the percent signs before and after the variable name are not included.
Let’s quickly explore how this might be useful. One very well-known Windows environment variable is %PATH%. Whenever we run a command in the CLI, we don’t always need to be in the same working directory as the command itself; instead, the command interpreter will search for the binary. The locations where it searches for are the values within the %PATH% variable.
We can run the ipconfig command from C:, even though ipconfig.exe is actually located in C:\Windows\system32. When we run the command, the CLI looks for the binary in folders denoted by the %PATH% variable.
We can run set PATH to display the values for this specific variable.
A real-world example of how set can be used by offensive operators is an attack known as “Hijack Execution Flow”. Essentially, an attacker might manipulate the %PATH% environment variable so that their malicious program is executed instead of the normal executable.
For example, imagine if we were able to manipulate the %PATH% environment variable to only have a value of C:\Windows. We could then place a malicious executable named ipconfig.exe there. When someone runs the ipconfig command, the system would actually run our malicious binary located in C:\Windows instead of the normal, expected program located in C:\Windows\system32. This is because we forced the system to search for programs in a different path than what it normally uses.
For example, if we run the command set path=C:\Windows followed by set path to display our changes, we get the following:
What we have done is change the path variable from the default value to C:\windows. A quick note: the set
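The check a defender runs against the hijack described above, as an added example that is not part of the course material: the script below lists the PATH search order for the current session, shows which file cmd.exe would actually launch for a given command name (ipconfig by default), and reports which PATH directories the current user can write to. The script name and the argument handling are my own assumptions.

```batch
@echo off
setlocal enabledelayedexpansion
rem Hypothetical PATH audit (added example, not from the course material).
rem For a command name passed as the first argument (default: ipconfig) it shows which
rem file cmd.exe would really launch, lists the PATH search order, and reports the
rem entries the current user can write to; any writable entry ahead of System32 is
rem exactly what the hijack described above relies on.
set "CMDNAME=%~1"
if "%CMDNAME%"=="" set "CMDNAME=ipconfig"

echo [*] PATH search order in this session:
set /a POS=0
for %%d in ("%PATH:;=";"%") do (
    set /a POS+=1
    set "DIR=%%~d"
    if "!DIR!"=="" (
        echo   !POS!. [empty entry - resolves to the current directory]
    ) else if not exist "!DIR!\" (
        echo   !POS!. !DIR!  [directory does not exist]
    ) else (
        echo   !POS!. !DIR!
    )
)

echo.
echo [*] Files that match "%CMDNAME%" in search order - the first one is what runs
echo     ^(the current directory is always searched before PATH^):
where "%CMDNAME%" 2>nul || echo     no match in the current directory or PATH

echo.
echo [*] Expected system copy:
if exist "%SystemRoot%\System32\%CMDNAME%.exe" (
    echo     %SystemRoot%\System32\%CMDNAME%.exe
) else (
    echo     %CMDNAME%.exe is not present in %SystemRoot%\System32
)

echo.
echo [*] PATH directories writable by this user ^(file creation test^):
for %%d in ("%PATH:;=";"%") do (
    set "DIR=%%~d"
    if not "!DIR!"=="" if exist "!DIR!\" (
        rem creating and deleting an empty file is the most reliable write test
        copy /y nul "!DIR!\pathprobe.tmp" >nul 2>&1 && (
            del /q "!DIR!\pathprobe.tmp" >nul 2>&1
            echo     WRITABLE: !DIR!
        )
    )
)
endlocal
```

Run it once as a regular user and once from the administrative prompt; a directory that is writable by the regular user and precedes System32 in the list is the finding to fix.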
Active Connections and Neighbors
Earlier, we learned that the ipconfig /all command displays all the detailed TCP/IP information for the network adapters. This is important because we may be working with multiple networks and network adapters. For example, the device may have multiple Network Interface Controllers (NICs) or be dual-homed. Additionally, we may have a VPN connection or be running multiple VMs on the host computer.
One device can have multiple network interfaces and it is critical to be able to differentiate between them. The ipconfig command can help identify the details of the specific network interface that we want to work with at that time.
Let’s pivot to two more commands that show active connections: netstat and arp. The netstat command not only shows the IP address of the source, but also displays things like the destination IP, source and destination port, connection state, and layers 3 and 4 protocol statistics. If we want to view what machines are connected with our current machine, this is an easy and quick way to do it.
Below, we run netstat with -a to display listening ports, -n to show addresses numerically, and -o to display a Process ID (PID) for each connection.
The arp command lets us view and manipulate Address Resolution Protocol (ARP) cache entries. Running arp -a displays ARP entries for all network interfaces.
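As an added example that is not part of the course material, the script below joins the netstat -ano output described above with tasklist /svc, so each listening TCP port is shown with the process image that owns it and, for svchost-style processes, the services hosted inside it. The column layout and the wording of the messages are my own.

```batch
@echo off
setlocal enabledelayedexpansion
rem Hypothetical listener inventory (added example, not from the course material).
rem Joins "netstat -ano" with "tasklist /svc" so every listening TCP socket is shown
rem with the process image that owns it and, for svchost-style hosts, the services
rem running inside that process.
echo Proto Local address              PID    Image and services
echo ---------------------------------------------------------------------------
rem netstat columns: Proto LocalAddress ForeignAddress State PID
for /f "tokens=1,2,5" %%a in ('netstat -ano ^| findstr /c:"LISTENING"') do (
    set "LADDR=%%b                              "
    set "PID=%%c"
    set "INFO="
    rem /fo csv /nh prints one quoted line per task; tokens=1,2,* keeps the
    rem comma-separated service list intact in the third token
    for /f "tokens=1,2,* delims=," %%x in ('tasklist /svc /fo csv /nh /fi "PID eq !PID!"') do (
        if not "%%y"=="" set "INFO=%%~x  %%~z"
    )
    if not defined INFO set "INFO=unknown - process exited or access denied"
    echo %%a   !LADDR:~0,26! !PID!   !INFO!
)
echo.
echo Anything listening on 0.0.0.0 or [::] is reachable from every interface; PID 4
echo belongs to the System process ^(kernel-mode listeners such as SMB on 445^).
endlocal
```

Run it from the administrative prompt; without elevation tasklist cannot see processes owned by other users, and those rows will show as unknown.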
Routing and Network Troubleshooting
Let’s examine some routing-specific commands like route, ping, tracert, and pathping. With the route command, we can display and change entries within the routing table. The other three commands are used as diagnostic tools to troubleshoot the connections between the source and destination device.
Do note that these three tools rely on sending Internet Control Message Protocol (ICMP) echo request messages between the devices. ICMP traffic could be blocked, but traffic on other protocols between the source and destination devices could still traverse the network.
Generally, we will use these three commands to either identify if a host exists or if our source machine can reach it. All of this is important to know, because if a destination machine is deemed unreachable or a host is identified as not existing, it may be a false positive.
First, let’s run the route command with the print option.
We can find the active routes within the IPv4 route table. The interface is the IP address of the local network adapter or the source, the network destination is the location of the far end or destination, the netmask is the mask that divides the IP address into subnets, and the gateway is generally the external router or the device proxy that routes the traffic from the internal network to the external network.
The ping command sends ICMP echo requests and measures how long it took for the destination to send an echo reply message.
Above, four packets were sent and four packets were received. We also find that it resolved the hostname www.offensive-security.com to the IP address (64.233.177.106). If we had a certain loss percentage, it could signify that we have some sort of connection issue.
Other useful case scenarios are pinging the loopback address (127.0.0.1) to determine if the network drivers work, or pinging the default gateway to find out if our host can connect to its router.
The tracert and pathping commands are very similar. Tracert uses the ICMP Time To Live (TTL) field values. As packets make their way along the path from router to router, the TTL is decremented until it reaches 0. At that point, an ICMP “time exceeded” message is sent back to the source device.
By default, tracert will output a maximum of 30 hops between the source and destination. Pathping works in a very similar fashion, but once it confirms a hop, it will send multiple messages and provide the statistics. Because of that, pathping can be a little more reliable when compared to tracert to provide latency information. Let’s run both commands on www.offensive-security.com.
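As an added example that is not part of the course material, the script below applies the troubleshooting order discussed above: it pings the loopback address, then the default gateway read from route print, then the remote target, and finally traces the path. It checks for a reply line containing TTL= rather than relying on ping's exit code, because "Destination host unreachable" also counts as a reply. The target defaults to www.offensive-security.com; the script name and messages are my own.

```batch
@echo off
setlocal enabledelayedexpansion
rem Hypothetical connectivity triage (added example, not from the course material).
rem Checks the chain in the order the text suggests: loopback, then the default gateway
rem read from "route print", then the remote target given as argument 1, and finally
rem traces the path. A failed ping is reported as unanswered, not as "host down",
rem because ICMP is often filtered while TCP or UDP to the same host still works.
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=www.offensive-security.com"

rem IPv4 default route line: Destination Netmask Gateway Interface Metric
rem   0.0.0.0  0.0.0.0  192.168.1.1  192.168.1.50  25
set "GATEWAY="
for /f "tokens=1-4" %%a in ('route print -4 ^| findstr /r /c:"^ *0\.0\.0\.0 *0\.0\.0\.0 "') do (
    if not defined GATEWAY (
        set "GATEWAY=%%c"
        set "IFACE=%%d"
    )
)

call :probe 127.0.0.1 "loopback - TCP/IP stack and drivers"
if not defined GATEWAY (
    echo [WARN] no default route in the IPv4 table; only the local subnet is reachable
    goto :eof
)
echo [*] default gateway %GATEWAY% on interface %IFACE%
call :probe %GATEWAY% "default gateway - local router"
call :probe %TARGET% "remote target"
echo [*] path to %TARGET% ^(up to 30 hops, no name resolution^):
tracert -d %TARGET%
goto :eof

:probe
rem %1 = host, %2 = description. A real reply carries "TTL="; the bare exit code of
rem ping is 0 even for "Destination host unreachable", which also counts as a reply.
ping -n 2 -w 1000 %1 | findstr /c:"TTL=" >nul
if errorlevel 1 (
    echo [FAIL] %~2: %1 gave no echo reply
) else (
    echo [ OK ] %~2: %1 replied
)
goto :eof
```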
Name Resolution
This section is going to cover commands related to name resolution. In a nutshell, name resolution is a process where numerical values, like IP addresses, are connected to host or domain names. Under the hood, network traffic requires IP addresses to travel from source to destination. When we enter “www.google.com” into the browser, one of the things that happens is translating the domain name to its IP address. Before we discuss nbtstat and nslookup, let’s cover what NetBIOS means, and how it is similar to Domain Name System (DNS).
NetBIOS was originally created as a Layer 5 (OSI model) protocol to connect devices to each other within a Local Area Network (LAN). As time went on, there was a higher demand in requiring data to traverse outside of the LAN. Because packets needed to be routed externally, NetBIOS was eventually updated to a Layer 4 protocol, called NetBIOS over TCP/IP (NetBT). By default, NBT runs on ports 137 (TCP/UDP), 138 (UDP), and 139 (TCP). While NBT is similar to DNS in that it resolves IP addresses to host/domain names, DNS is a layer 7 protocol (port 53 - TCP/UDP) and is more scalable due to its hierarchical naming structure.
The last bit of information to cover before jumping into the commands themselves is to discuss the hosts file. On Windows, the hosts file is located in the %SystemRoot%\System32\drivers\etc folder by default. This is a plain text file that contains hosts-to-IP mappings, and is one of the primary locations the OS checks when it attempts to resolve host/domain names.
The nbtstat command shows information like the NetBIOS name table and cache. It also has the ability to display the NetBT protocol information for local and remote machines. Lastly, the /n option will display the name table of the local computer.
We find that the host is “Registered”. This means that the name is registered by the workstation.
The nslookup command will either find the IP of a domain name or the domain name of an IP address (reverse lookup).
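Because the hosts file is consulted before DNS, a stray entry in it silently redirects a name. As an added example that is not part of the course material, the script below lists every active mapping in the hosts file and, for each name, shows the first answer the configured DNS server returns via nslookup, so a local override stands out. The parsing of nslookup's output is my own assumption about its layout (a Name: line followed by an Address: or Addresses: line).

```batch
@echo off
setlocal enabledelayedexpansion
rem Hypothetical hosts-file audit (added example, not from the course material).
rem The resolver consults the hosts file before DNS, so a stray entry silently redirects
rem a name. This lists every active mapping and shows what DNS says for the same name.
set "HOSTS=%SystemRoot%\System32\drivers\etc\hosts"
echo [*] Active entries in %HOSTS%
set /a COUNT=0
rem findstr /v /r drops comment lines and lines that are only spaces
for /f "tokens=1,2" %%a in ('findstr /v /r /c:"^ *#" /c:"^ *$" "%HOSTS%"') do (
    set /a COUNT+=1
    rem ask DNS for the same name; the answer block starts at "Name:" and the
    rem following "Address:" or "Addresses:" line holds the first record
    set "DNSIP=no answer"
    set "INANSWER="
    for /f "tokens=1,*" %%x in ('nslookup %%b 2^>nul') do (
        if /i "%%x"=="Name:" set "INANSWER=1"
        if defined INANSWER if /i "%%x"=="Address:" if "!DNSIP!"=="no answer" set "DNSIP=%%y"
        if defined INANSWER if /i "%%x"=="Addresses:" if "!DNSIP!"=="no answer" set "DNSIP=%%y"
    )
    if "!DNSIP!"=="%%a" (
        echo   %%b -^> %%a  [hosts]  DNS agrees
    ) else (
        echo   %%b -^> %%a  [hosts]  DNS answer differs: !DNSIP!  - confirm this entry is intentional
    )
)
if %COUNT%==0 echo   none - every line is a comment or blank
endlocal
```

A mismatch is not automatically malicious (lab entries and split-horizon names differ by design), but an unexpected mapping for a public name or an update server is worth investigating.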
Common Clients
In computing, client and server are terms referring to a relationship process. Generally, servers provide a service, like data, to clients. A simple example is how browsers are used as a way to have a client connect to a web server. As an administrator or security engineer, we can use many different utilities to connect to servers or other clients from our own machine. In this Learning Unit, we are going to discuss some common client utilities.
Network Shares
Networking is an important concept for any administrator or cybersecurity professional to understand. In this section, we are going to learn more about network shares. Nowadays, almost every environment requires users to access internal resources, like printers, for example. Other examples include shared file servers, centralized event logging, or internally-accessible web servers. All of these examples share the client-server relationship where data traverses the network.
First, let’s briefly discuss a very famous network protocol known as Server Message Block (SMB). The SMB protocol allows clients to access shared resources. By default, depending on the Windows OS, we can expect SMB to run either on port 139 or 445. Currently, there are multiple SMB versions, and historically SMB has a reputation of being very vulnerable. Because of this, targeting SMB (or similar services) is generally at the top of the list for attackers.
Next, we will examine the net share and net use commands, which directly relate to shared resources. These commands can mount to things like SMB shares. The net share command helps us configure and manage shared resources hosted on our local machine, and we can leverage net use to connect to remote shared resources, interact with them, and manage those connections.
These two powerful commands are important to know because we may not always have the tools we want to use or the ability to use the GUI. Having CLI access is more likely as opposed to the GUI and these two commands are native, or built-in. We can use these tools to pivot laterally, or transfer data in or out of the target network.
Running net share without any options will display information about current shares on the local computer.
Let’s mount a remote shared resource with net use, passing the local drive letter we wish to use (z:) and the UNC path to the share (\\192.168.1.1\public).
When the command completes, we can use the newly-mounted drive like any other.
Netcat / Socat
Netcat (nc) is a powerful tool that can be used for remote administration, among other things. Netcat can open up ports to allow other clients to connect to the machine, it can connect to other machines, it can transfer files, and it can even scan ports. That is obviously a lot to unpack, so we’ll cover the highlights.
We’ll open up two different command prompt terminals and navigate to the Tools folder on the Desktop. In this scenario, terminal 1 represents the server, and terminal 2 represents the client. We are going to set up a listener in terminal 1 and then connect to our listener from terminal 2.
In terminal 1, we set up Netcat to listen for incoming connections on TCP port 1234. We will use the -n option to disable DNS name resolution, -l to create a listener, -v to add verbosity, -s 127.0.0.1 to listen on the localhost interface, and -p to specify the listening port number.
Now that we have a listener on port 1234, we can connect to it from terminal 2.
Now we have terminal 2 connected to terminal 1. In this specific instance, we basically created a sort of chat functionality.
Anything typed in one terminal will be echoed, or transmitted, to the other terminal.
A way to close the connection is to issue what’s called a signal interrupt or signal break by holding down the CTRL and C buttons at the same exact time when you are within a terminal. Basically, this stops or kills the process, and in our situation, it will terminate the connection.
Socat is similar to Netcat, but with a lot more functionality. Socat is considered to be a more stable way of connecting to remote machines, since it doesn’t immediately terminate when the connection closes. It also supports more protocols like OPENSSL.
As with the Netcat example, terminal 1 represents the server, and terminal 2 represents the client. We are again going to set up a listener in terminal 1 and then connect to it from terminal 2. We’ll start a listener on the loopback interface with an IP address of 127.0.0.1 (bind=127.0.0.1) on port 5678 (OPENSSL-LISTEN:5678). The -d option provides diagnostic (verbose) output, cert=offsec.pem specifies the SSL certificate, verify=0 skips certificate verification, and STDOUT allows the terminal to output data.
In terminal 2, we connect to 127.0.0.1 on port 5678 (OPENSSL:127.0.0.1:5678). Passing cmd.exe as the second address provides interactive terminal access.
We can again terminate the connection by issuing Ctrl + C.
Remote Administration
There are many other tools that allow us to execute commands remotely. Windows Sysinternals is a collection of freeware tools that can assist in things like diagnosing, troubleshooting, and managing Windows systems. Psexec is one of the CLI tools within the Sysinternals suite that has many features, but one of the more prominent features is the ability to launch command prompts on remote devices.
The following psexec command will execute cmd.exe on the remote device called “myComputer”; cmd in turn executes systeminfo, and the results are output locally.
To open up a fully interactive session with a username/password requirement, we would run the following command:
Firewalls
Firewalls are used as a network protective measure because they can control the traffic that travels through them. Firewalls are generally used to filter traffic between the internet and the internal network. This makes it more difficult for attackers to target internal machines, because the attackers have to work harder to identify ways to bypass those protective measures. Up until this point, we’ve covered numerous network-related commands and tools. Let’s take it a step further, by examining firewalls.
Windows Defender Firewall
In this section, we’re going to explore some of the Windows firewall features. The network shell (netsh) command is a CLI tool that allows us to view and manipulate networking configurations of our local Windows device.
The netsh command has two options when it comes to interacting with the firewall: firewall and advfirewall. Since the firewall option is deprecated on modern Windows OS, and because advfirewall has more capabilities, we will only briefly cover the former.
We can run netsh firewall with the ? flag to view the available commands.
The output tells us that we can run some basic commands to add, delete, set, or show the firewall configuration.
Let’s compare that to the features of netsh advfirewall.
With advfirewall, we can view, add, or delete inbound or outbound rules, giving us great capabilities. Let’s inspect the options for the add rule command.
At a minimum, we will need a name of the rule, the direction (in or out), and the action (allow, block, or bypass). There are more options we can use like identifying a specific program or service, protocol, source or destination IP, source or destination port, the interface, and if there are any authentication protocols required.
To demonstrate, we’ll add a firewall rule that will prevent us from pinging www.offensive-security.com. First, we’ll ping the host to get its IP address and verify that it is reachable.
Now, we’ll add a new firewall rule, specifying a name (name="Deny Ping OffSec"), direction (dir=in), action (action=block), protocol (protocol=icmpv4), and remote IP address (remoteip=192.124.249.5).
With our firewall rule added, we can try our ping command again.
Our firewall rule is working correctly and we can no longer ping www.offensive-security.com. Now let’s delete the firewall rule (rule="Deny Ping OffSec") and retry our ping.
After deleting the rule, we were able to ping the website again, because the traffic was no longer blocked.
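The add, verify and delete sequence above as one script, added here as an example that is not part of the course material. It resolves the remote address from the first ping reply instead of hard-coding 192.124.249.5, refuses to create a duplicate rule, and verifies both that the block takes effect and that the cleanup really removed it. It assumes that netsh advfirewall firewall show rule returns a non-zero exit code when no rule matches the name, and it must run from the administrative prompt.

```batch
@echo off
setlocal
rem Hypothetical firewall test script (added example, not from the course material).
rem Adds the block rule described above, proves it works, then removes it. The remote
rem IP is resolved at run time rather than hard-coded, since the site's address may change.
set "RULE=Deny Ping OffSec"
set "HOST=www.offensive-security.com"

rem Take the IPv4 address from the first real reply line: "Reply from 1.2.3.4: bytes=32 ... TTL=55"
set "IP="
for /f "tokens=3 delims=: " %%a in ('ping -4 -n 1 %HOST% ^| findstr /r /c:"Reply from .*TTL="') do (
    if not defined IP set "IP=%%a"
)
if not defined IP (
    echo [FAIL] %HOST% did not answer before the rule was added; nothing to test
    goto :eof
)
echo [*] %HOST% resolves to %IP% and answers ping

rem Refuse to add a duplicate; "show rule" exits non-zero when no rule matches the name
netsh advfirewall firewall show rule name="%RULE%" >nul 2>&1
if not errorlevel 1 (
    echo [x] a rule named "%RULE%" already exists; remove it before rerunning
    goto :eof
)

netsh advfirewall firewall add rule name="%RULE%" dir=in action=block protocol=icmpv4 remoteip=%IP%
echo [*] rule added; inbound ICMPv4 from %IP%, which includes the echo replies, is now dropped:
netsh advfirewall firewall show rule name="%RULE%"

ping -4 -n 2 %HOST% | findstr /c:"TTL=" >nul
if errorlevel 1 (echo [ OK ] ping now fails as expected) else (echo [FAIL] ping still succeeds)

rem Always clean up, then verify the rule is really gone and ping works again
netsh advfirewall firewall delete rule name="%RULE%"
netsh advfirewall firewall show rule name="%RULE%" >nul 2>&1
if errorlevel 1 (echo [ OK ] rule removed) else (echo [FAIL] rule still present)
ping -4 -n 2 %HOST% | findstr /c:"TTL=" >nul
if errorlevel 1 (echo [FAIL] ping still blocked) else (echo [ OK ] ping works again)
endlocal
```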
Services
In this section, we will start discussing what services are, how to view them, and how to interact with them. Afterwards, we will discuss a few client-server protocols native to the Windows environment.
Services Introduction
A Windows service is a program that usually runs in the background. Some good examples of services are drivers, network services, and antivirus software. Services can be started automatically during system startup or from a trigger, or they can be started manually. They can also run with different permissions, as an unprivileged user, or as SYSTEM. Generally, services run non-interactively, but we can enable and disable them. In the next two sections, we will use commands specific to services to interact with them.
Let’s examine starting and stopping a service with sc, which references the Service Control executable. Officially, it is known as the Service Control Manager (SCM), which is a program that enables, disables, and interacts with Windows services. As an offensive operator, the sc utility is powerful because we are able to use it for things like system enumeration, privilege escalation, and persistence.
To start a service, we run sc start, passing in the name of the service we want to start. To stop a service, we instead use sc stop as shown below.
Service Applications Enumeration
As an offensive operator, enumeration is key in identifying vulnerabilities and crafting our exploits. Making sure we are comfortable with various tools and utilities that gather information on system services is crucial. Let’s explore a few commands that allow us to view system data on services.
The first command we are going to run is the tasklist command with the /svc argument. By default, this command actually displays processes, which are similar to services. In terms of normal operations, whenever a user runs an executable, the program will spawn one or more processes. Processes may start or stop a service, but that does not always happen.
Comparatively, all services are processes and, as mentioned previously, do not require user interaction. Here, we can find which services, if any, are tied to processes.
Working with processes and services is a critical skill for cyber security professionals. We have to know what processes and services are running, what permissions they are running with, whether they are set to run automatically or by some other trigger, and how we can defend and/or exploit them. The tasklist command helps us identify information to answer those questions.
The next commands we will examine are sc query and sc qc. Below, we run each command, providing dhcp as the service name.
We find that sc query shows information like the current state of the service, and certain codes specific to the service. The sc qc command shows if the service has autostart enabled, what dependencies are associated with the service, and the binary path name.
The last tool we are going to cover is PsService, which is part of Windows Sysinternals suite.
The downside to using PsService is that it is not built into Windows. PsService is very similar to the sc utility, but one thing PsService can do that sc cannot is access a remote system with a different user account. This can be helpful when a certain user has the necessary permissions and we can exploit that.
PsService and the sc command will display similar configuration information regarding services and have similar capabilities.
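As an added example that is not part of the course material, the script below automates the enumeration discussed in this section: it walks every service name from sc query, reads the state from sc query and the start type and binary path from sc qc, writes a CSV, and flags any service whose binary lives outside the Windows and Program Files trees as a starting point for a baseline review. The CSV location, column names and the flagging rule are my own choices.

```batch
@echo off
setlocal enabledelayedexpansion
rem Hypothetical service inventory (added example, not from the course material).
rem Walks every service from "sc query", pulls state, start type and binary path from
rem "sc qc", writes a CSV, and flags binaries outside the Windows and Program Files
rem trees so a baseline review can start with the unusual ones.
set "OUT=%TEMP%\service_inventory.csv"
set "TMP1=%TEMP%\svc_bin.txt"
> "%OUT%" echo service,state,start_type,binary_path,note
set /a TOTAL=0, FLAGGED=0

rem prefix list for the "expected location" test; the x86 tree only exists on 64-bit Windows
set "ALLOWED=/c:"%SystemRoot%" /c:"%ProgramFiles%""
if defined ProgramFiles(x86) set "ALLOWED=%ALLOWED% /c:"%ProgramFiles(x86)%""

for /f "tokens=1,* delims=:" %%a in ('sc query type^= service state^= all ^| findstr /b /c:"SERVICE_NAME:"') do (
    set "NAME=%%b"
    set "NAME=!NAME:~1!"
    set "STATE=" & set "START=" & set "BIN=" & set "NOTE="

    rem the STATE line reads "STATE : 4 RUNNING"; keep the second word after the colon
    for /f "tokens=1,* delims=:" %%x in ('sc query "!NAME!" ^| findstr /r /c:"^ *STATE *:"') do (
        for /f "tokens=2" %%v in ("%%y") do set "STATE=%%v"
    )
    rem sc qc lines: START_TYPE : 2 AUTO_START, and BINARY_PATH_NAME : path plus arguments
    for /f "tokens=1,* delims=:" %%x in ('sc qc "!NAME!" 4096 ^| findstr /c:"START_TYPE" /c:"BINARY_PATH_NAME"') do (
        set "KEY=%%x"
        set "KEY=!KEY: =!"
        if "!KEY!"=="START_TYPE" for /f "tokens=2" %%v in ("%%y") do set "START=%%v"
        if "!KEY!"=="BINARY_PATH_NAME" (
            set "BIN=%%y"
            set "BIN=!BIN:~1!"
        )
    )
    set BIN=!BIN:"=!

    rem prefix match on the image path; anything else gets a note for manual review
    > "%TMP1%" echo !BIN!
    findstr /i /b /l %ALLOWED% "%TMP1%" >nul || (
        set "NOTE=outside Windows or Program Files - review"
        set /a FLAGGED+=1
    )
    set /a TOTAL+=1
    >> "%OUT%" echo !NAME!,!STATE!,!START!,"!BIN!",!NOTE!
)
del "%TMP1%" >nul 2>&1
echo [*] %TOTAL% services written to %OUT%, %FLAGGED% flagged for review
echo [*] Flagged entries:
findstr /c:"review" "%OUT%"
endlocal
```

Third-party software legitimately installs services under other paths, so a flag is a prompt to check the vendor, the signature and the permissions on that binary, not a verdict.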
Interacting with Services
In this section, we are going to move from examining information about services to interacting with them. We will cover the net and taskkill commands, and expand on the sc and PsService utilities some more.
The net command can be used to interact with numerous Windows environment objects like users, shares, services, and account policies. Below, we use net with the stop and start options to stop and then restart the WSearch service.
For more capabilities of the net command, we run it with the help option.
In summary, we can use the net command to view, start, stop, pause services, and configure service values.
The sc and PsService utilities have many more functions and capabilities like starting, stopping, pausing, and continuing services, modifying values of a service’s entries within the database, and providing specific instructions as to how the service should act if certain conditions are met.
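sc stop and sc start return as soon as the request is handed to the Service Control Manager, not when the service has actually changed state. As an added example that is not part of the course material, the script below restarts a service (WSearch by default, as in the net stop/net start demonstration above) and polls sc query until the service reports STOPPED and then RUNNING, failing cleanly on a timeout instead of starting a service that has not finished stopping. The timeout value and messages are my own.

```batch
@echo off
setlocal enabledelayedexpansion
rem Hypothetical controlled restart (added example, not from the course material).
rem "sc stop" and "sc start" return as soon as the request is queued, so the script
rem polls "sc query" until the service reports the expected state or a timeout expires.
set "SVC=%~1"
if "%SVC%"=="" set "SVC=WSearch"
set /a WAITMAX=30

call :state
if "!STATE!"=="UNKNOWN" (
    echo [FAIL] %SVC% is not a known service or cannot be queried
    goto :eof
)
echo [*] %SVC% is currently !STATE!
if /i "!STATE!"=="RUNNING" (
    sc stop "%SVC%" >nul
    call :wait STOPPED || goto :eof
)
sc start "%SVC%" >nul
call :wait RUNNING || goto :eof
echo [ OK ] %SVC% restarted and reports RUNNING
goto :eof

:state
rem Read the STATE line; the value is the second word after the colon.
set "STATE=UNKNOWN"
for /f "tokens=1,* delims=:" %%a in ('sc query "%SVC%" ^| findstr /r /c:"^ *STATE *:"') do (
    for /f "tokens=2" %%v in ("%%b") do set "STATE=%%v"
)
goto :eof

:wait
rem %1 = state to wait for. Returns 0 when reached, 1 on timeout.
set /a ELAPSED=0
:wait_loop
call :state
if /i "!STATE!"=="%~1" exit /b 0
if !ELAPSED! geq %WAITMAX% (
    echo [FAIL] %SVC% still !STATE! after %WAITMAX%s waiting for %~1
    exit /b 1
)
rem timeout /t pauses for N seconds; /nobreak ignores keypresses
timeout /t 1 /nobreak >nul
set /a ELAPSED+=1
goto :wait_loop
```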
Remote Desktop
Remote Desktop is a feature that is native to most Windows systems. It allows clients to use the Remote Desktop Protocol (RDP) client to connect to servers that run on TCP port 3389 by default. The great benefit of RDP is that we can connect to a remote computer with GUI capabilities. Using RDP is fairly simple, as it requires the computer name/domain or IP, and credentials in most cases. If we have that information, and there is an RDP server running, we can use our RDP client to connect to the remote machine.