ALEXANDRE BORGES - BLOG Windows CLI and - WordPress.com PDF

22 Pages·2014·0.99 MB·English
ALEXANDRE BORGES - BLOG
Windows CLI and Tools – Part 2

Author: Alexandre Borges
Revision: A.1
Website: http://alexandreborges.org

This second part of the series brings some additional and useful commands which can be used in daily administration.

Command 57: How to get a list of processes and associated network information

The command tcpvcon.exe (from the Sysinternals suite - http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx) shows every process and the ports associated with it on a Windows system:

    C:\Sysinternals>Tcpvcon.exe -a

    TCPView v3.01 - TCP/UDP endpoint viewer
    Copyright (C) 1998-2010 Mark Russinovich and Bryce Cogswell
    Sysinternals - www.sysinternals.com

    [TCP] googledrivesync.exe
           PID:    2692
           State:  ESTABLISHED
           Local:  exadata.example.com
           Remote: qc-in-f125.1e100.net
    [TCP] googledrivesync.exe
           PID:    2692
           State:  ESTABLISHED
           Local:  exadata.example.com
           Remote: qc-in-f125.1e100.net
    [TCP] chrome.exe
           PID:    2836
           State:  ESTABLISHED
           Local:  exadata.example.com
           Remote: qc-in-f125.1e100.net
    [TCP] AvastSvc.exe
           PID:    1920
           State:  ESTABLISHED
           Local:  exadata.example.com
           Remote: r-051-044-234-077.ff.avast.com
    [TCP] vmware.exe
           PID:    9508
           State:  ESTABLISHED
           Local:  EXADATA
           Remote: localhost
    [TCP] vmware.exe
           PID:    9508
           State:  CLOSE_WAIT
           Local:  exadata.example.com
           Remote: a23-199-243-51.deploy.static.akamaitechnologies.com
    [TCP] vmnat.exe
           PID:    4464
           State:  CLOSE_WAIT
           Local:  exadata.example.com
           Remote: 69.31.75.226
    [TCP] vmnat.exe
           PID:    4464
           State:  ESTABLISHED
           Local:  exadata.example.com
           Remote: exadata.example.com
    (truncated output)

With Tcpvcon.exe it is also possible to export the output to a CSV file and import it into Excel:

    C:\Sysinternals>Tcpvcon.exe -a -c > list_conn.csv

Figure 1

Command 58: How to determine which resources are associated with a process

Sometimes we need to know all the resources (files, registry keys and network ports) associated with a process, and the handle.exe tool from Sysinternals is appropriate for that:

    C:\Sysinternals>handle.exe -p Dropbox.exe

    Handle v3.51
    Copyright (C) 1997-2013 Mark Russinovich
    Sysinternals - www.sysinternals.com

    ------------------------------------------------------------------------------
    Dropbox.exe pid: 1484 EXADATA\Administrator
       14: File  (RW-)   C:\Windows
       20: File  (RW-)   C:\Windows\SysWOW64
       24: File  (RW-)   C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57
      1C4: File  (R-D)   C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
      1C8: File  (RW-)   C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36
      1CC: File  (RW-)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
      220: Section       \Sessions\1\BaseNamedObjects\windows_shell_global_counters
      2FC: Section       \BaseNamedObjects\__ComCatalogCache__
      308: Section       \BaseNamedObjects\__ComCatalogCache__
      3D8: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\notifications.dbx
      408: File  (R-D)   C:\Windows\SysWOW64\wbem\wbemdisp.tlb
      494: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\photo.dbx
      4D8: File  (RW-)   C:\Users\Administrator\AppData\Roaming\DropboxMaster\instance.dbx
      4DC: File  (RW-)   C:\Users\ADMINI~1\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpwvlmpb.lck
      588: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\config.dbx
      5BC: File  (R-D)   C:\Windows\SysWOW64\FirewallAPI.dll
      5C4: File  (R-D)   C:\Windows\SysWOW64\stdole2.tlb
      698: Section       \Sessions\1\BaseNamedObjects\libcef_5458814812778194973
      70C: File  (RWD)   C:\Windows\System32\drivers\etc
      7D0: File  (R-D)   C:\Windows\Fonts\StaticCache.dat
      8EC: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\sigstore.dbx
      8F8: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\filecache.dbx
      9E0: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\TO_HASH_mwg23a
      BF0: File  (RW-)   C:\Users\Administrator\AppData\Roaming\Dropbox\deleted.dbx
      C5C: File  (RW-)   C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
      C60: File  (RW-)   C:\Users\Administrator\Dropbox

Command 59: How to detect a network interface card (NIC) working in promiscuous mode

To determine which NICs are working in promiscuous mode we can use a tool named promiscdetect (http://ntsecurity.nu/toolbox/promiscdetect/). If there is a NIC that does not support promiscuous mode (for example, a wireless card), the tool cannot open that adapter:

    C:\Users\Administrator\Desktop\Forensic_Study>promiscdetect.exe

    PromiscDetect 1.0 - (c) 2002, Arne Vidstrom ([email protected]) - http://ntsecurity.nu/toolbox/promiscdetect/

    Adapter name:
     - Intel(R) 82579LM Gigabit Network Connection
    Active filter for the adapter:
     - Directed (capture packets directed to this computer)
     - Multicast (capture multicast packets for groups the computer is a member of)
     - Broadcast (capture broadcast packets)

    Adapter name:
     - Intel(R) Centrino(R) Ultimate-N 6300 AGN
    Active filter for the adapter:
     - Directed (capture packets directed to this computer)
     - Multicast (capture multicast packets for groups the computer is a member of)
     - Broadcast (capture broadcast packets)

    Adapter name:
     - Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
    Warning: Cannot open the adapter

    Adapter name:
     - SAMSUNG Mobile USB Remote NDIS Network Device
    Warning: Cannot open the adapter

    Adapter name:
     - VirtualBox Host-Only Ethernet Adapter
    Active filter for the adapter:
     - Directed (capture packets directed to this computer)
     - Multicast (capture multicast packets for groups the computer is a member of)
     - Broadcast (capture broadcast packets)

Command 60: How to list, disable and enable applications (programs, DLLs, services, codecs, etc.) which will be started at the next boot

Doubtless, the best applications for this task are Autoruns.exe and Autorunsc.exe from Sysinternals. Personally, I like the options -v (verify digital signatures) and -m (exclude signed Microsoft entries: applications, DLLs, etc.):

    c:\Sysinternals>autorunsc.exe -v -m | more

    Autostart program viewer
    Copyright (C) 2002-2013 Mark Russinovich and Bryce Cogswell
    Sysinternals - www.sysinternals.com

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       Entry last modified: 25/01/2014 22:23
       [DISABLED] NVHotkey
         rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
         NVIDIA Hotkey Service, Version 268.83
         (Verified) NVIDIA Corporation
         8.17.12.6883
         c:\windows\system32\nvhotkey.dll
         05/06/2011 08:36
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
       Entry last modified: 07/03/2014 13:39
       ZoneAlarm
         "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
         ZoneAlarm
         (Verified) Check Point Software Technologies Ltd.
         12.0.104.0
         c:\program files (x86)\checkpoint\zonealarm\zatray.exe
         26/10/2013 03:05
       SDTray
         "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
         Spybot - Search & Destroy tray access
         (Verified) Safer Networking Ltd.
         2.0.12.127
         c:\program files (x86)\spybot - search & destroy 2\sdtray.exe
         13/11/2012 10:08
       VirtualCloneDrive
         "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
         Virtual CloneDrive Daemon
         (Verified) Elaborate Bytes AG
         5.4.5.1
         c:\program files (x86)\elaborate bytes\virtualclonedrive\vcddaemon.exe
         10/03/2013 14:08
       vmware-tray.exe
         "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
         VMware Tray Process
         (Verified) VMware
         10.0.1.41495
         c:\program files (x86)\vmware\vmware workstation\vmware-tray.exe
         18/10/2013 15:49
    (truncated output)

As a complement, you can use the GUI version (autoruns.exe):

Figure 2

It is also possible to save the output to a CSV file and import it into Excel:

    c:\Sysinternals>autorunsc.exe -v -m -c > autoruns_list.csv

Command 61: How to dump the Event log

Managing event logs on Windows systems is critical, and there are good tools for dumping the Event Logs. One of them is psloglist.exe (from the Sysinternals Suite – http://technet.microsoft.com/en-us/sysinternals/bb842062). For example, to dump the event log from the last day:

    C:\Sysinternals>psloglist.exe -d 1 | more

    PsLoglist v2.71 - local and remote event log viewer
    Copyright (C) 2000-2009 Mark Russinovich
    Sysinternals - www.sysinternals.com

    System log on \\EXADATA:
    [209298] Service Control Manager
       Type:     INFORMATION
       Computer: EXADATA
       Time:     16/03/2014 19:20:34   ID: 7036
    The Application Experience service entered the running state.
    [209297] Service Control Manager
       Type:     INFORMATION
       Computer: EXADATA
       Time:     16/03/2014 19:19:35   ID: 7036
    The Windows Modules Installer service entered the stopped state.
    [209296] Service Control Manager
       Type:     INFORMATION
       Computer: EXADATA
       Time:     16/03/2014 19:19:33   ID: 7040
       User:     NT AUTHORITY\SYSTEM
    The start type of the Windows Modules Installer service was changed from auto start to demand start.
    (truncated output)

Even better, it is possible to show only the events from the last 60 minutes:

    C:\Sysinternals>psloglist.exe -m 60 | more

    PsLoglist v2.71 - local and remote event log viewer
    Copyright (C) 2000-2009 Mark Russinovich
    Sysinternals - www.sysinternals.com

    System log on \\EXADATA:
    [209299] Microsoft-Windows-DNS-Client
       Type:     WARNING
       Computer: EXADATA
       Time:     16/03/2014 19:29:29   ID: 1014
       User:     NT AUTHORITY\NETWORK SERVICE
    Name resolution for the name wpad.example.com timed out after none of the configured DNS servers responded.
    [209298] Service Control Manager
       Type:     INFORMATION
       Computer: EXADATA
       Time:     16/03/2014 19:20:34   ID: 7036
    The Application Experience service entered the running state.
    [209297] Service Control Manager
       Type:     INFORMATION
       Computer: EXADATA
       Time:     16/03/2014 19:19:35   ID: 7036
    The Windows Modules Installer service entered the stopped state.
    (truncated output)

Command 62: How to list DLLs

When managing and reporting DLL information, there are relevant options in listdlls.exe (from the Sysinternals Suite – http://technet.microsoft.com/en-us/sysinternals/bb842062). Usually the first step is to run the command in its basic form:

    C:\Sysinternals>Listdlls.exe | more

    ListDLLs v3.1 - List loaded DLLs
    Copyright (C) 1997-2011 Mark Russinovich
    Sysinternals - www.sysinternals.com

    ------------------------------------------------------------------------------
    smss.exe pid: 436
    Command line: \SystemRoot\System32\smss.exe

      Base                Size      Path
      0x0000000047660000  0x20000   C:\Windows\System32\smss.exe
      0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
    ------------------------------------------------------------------------------
    csrss.exe pid: 628
    Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

      Base                Size      Path
      0x0000000049b70000  0x6000    C:\Windows\system32\csrss.exe
      0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
      0x00000000fd070000  0x13000   C:\Windows\system32\CSRSRV.dll
      0x00000000fd050000  0x11000   C:\Windows\system32\basesrv.DLL
      0x00000000fd010000  0x38000   C:\Windows\system32\winsrv.DLL
      0x0000000077020000  0xfa000   C:\Windows\system32\USER32.dll
      0x00000000fe8f0000  0x67000   C:\Windows\system32\GDI32.dll
      0x0000000077120000  0x11f000  C:\Windows\SYSTEM32\kernel32.dll
      0x00000000fd1b0000  0x6b000   C:\Windows\system32\KERNELBASE.dll
      0x00000000fe7d0000  0xe000    C:\Windows\system32\LPK.dll
      0x00000000fd970000  0xc9000   C:\Windows\system32\USP10.dll
      0x00000000ff4b0000  0x9f000   C:\Windows\system32\msvcrt.dll
      0x00000000fd000000  0xc000    C:\Windows\system32\sxssrv.DLL
      0x00000000fcef0000  0x91000   C:\Windows\system32\sxs.dll
      0x00000000fd5a0000  0x12d000  C:\Windows\system32\RPCRT4.dll
      0x00000000fcee0000  0xf000    C:\Windows\system32\CRYPTBASE.dll
      0x00000000fd420000  0xdb000   C:\Windows\system32\ADVAPI32.dll
      0x00000000ff310000  0x1f000   C:\Windows\SYSTEM32\sechost.dll
    ------------------------------------------------------------------------------
    wininit.exe pid: 704
    Command line: wininit.exe

      Base                Size      Path
      0x00000000ff8f0000  0x23000   C:\Windows\system32\wininit.exe
      0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
      0x0000000077120000  0x11f000  C:\Windows\system32\kernel32.dll
    (truncated output)

There are other interesting options to try. For example, we could be interested in finding the DLLs associated with the winlogon.exe process:

    C:\Sysinternals>Listdlls.exe winlogon.exe

    ListDLLs v3.1 - List loaded DLLs
    Copyright (C) 1997-2011 Mark Russinovich
    Sysinternals - www.sysinternals.com

    ------------------------------------------------------------------------------
    winlogon.exe pid: 1016
    Command line: winlogon.exe

      Base                Size      Path
      0x00000000ffae0000  0x62000   C:\Windows\system32\winlogon.exe
      0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
      0x0000000077120000  0x11f000  C:\Windows\system32\kernel32.dll
      0x00000000fd1b0000  0x6b000   C:\Windows\system32\KERNELBASE.dll
      0x0000000077020000  0xfa000   C:\Windows\system32\USER32.dll
      0x00000000fe8f0000  0x67000   C:\Windows\system32\GDI32.dll
      0x00000000fe7d0000  0xe000    C:\Windows\system32\LPK.dll
      0x00000000fd970000  0xc9000   C:\Windows\system32\USP10.dll
      0x00000000ff4b0000  0x9f000   C:\Windows\system32\msvcrt.dll
      0x00000000fc250000  0x3d000   C:\Windows\system32\WINSTA.dll
      0x00000000fd5a0000  0x12d000  C:\Windows\system32\RPCRT4.dll
      0x00000000fd930000  0x2e000   C:\Windows\system32\IMM32.DLL
      0x00000000fe7e0000  0x109000  C:\Windows\system32\MSCTF.dll
      0x00000000fcfb0000  0x3c000   C:\Windows\system32\nvinitx.dll
      0x00000000fd420000  0xdb000   C:\Windows\system32\ADVAPI32.dll
      0x00000000ff310000  0x1f000   C:\Windows\SYSTEM32\sechost.dll
      0x00000000fcff0000  0xf000    C:\Windows\system32\profapi.dll
      0x00000000fcf90000  0x14000   C:\Windows\system32\RpcRtRemote.dll
      0x00000000fce80000  0x57000   C:\Windows\system32\apphelp.dll
      0x00000000fa170000  0xa000    C:\Windows\system32\UXINIT.dll
      0x00000000fb480000  0x56000   C:\Windows\system32\UxTheme.dll
      0x00000000fc880000  0x17000   C:\Windows\system32\CRYPTSP.dll
      0x00000000fc580000  0x47000   C:\Windows\system32\rsaenh.dll
      0x00000000fcee0000  0xf000    C:\Windows\system32\CRYPTBASE.dll
      0x00000000faca0000  0x161000  C:\Windows\system32\WindowsCodecs.dll
      0x00000000fed40000  0x203000  C:\Windows\system32\ole32.dll
      0x00000000fc470000  0x15000   C:\Windows\system32\wkscli.dll
      0x00000000fc990000  0x32000   C:\Windows\system32\netjoin.dll
      0x00000000fc490000  0xc000    C:\Windows\system32\netutils.dll
      0x00000000fce50000  0x25000   C:\Windows\system32\SspiCli.dll
      0x00000000fab90000  0xb000    C:\Windows\system32\slc.dll
      0x00000000f87e0000  0x18000   C:\Windows\system32\MPR.dll
      0x00000000fca50000  0x2f000   C:\Windows\system32\AUTHZ.dll

Command 63: How to find local and remote logged-on users

This command (PsLoggedon.exe, from the Sysinternals Suite – http://technet.microsoft.com/en-us/sysinternals/bb842062) lists which users are logged on locally and which are logged on from remote machines via resource shares:

    C:\Sysinternals>PsLoggedon.exe

    PsLoggedon v1.34 - See who's logged on
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Users logged on locally:
         14/03/2014 17:33:08     EXADATA\Administrator

    No one is logged on via resource shares.

Command 64: How to use the Tlist.exe command

The tlist.exe command is not installed by default on Windows, so it is necessary to download and install WinDbg for Windows 7 or 8 from http://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx. A first use of tlist.exe is to show the services active in each process:

    C:\Program Files\Debugging Tools for Windows (x64)>tlist -s | more

       0 System Process
       4 System
     436 smss.exe
     628 csrss.exe
     704 wininit.exe
     724 csrss.exe
     776 services.exe
     784 lsass.exe         Svcs:  KeyIso,ProtectedStorage,SamSs
     792 lsm.exe
     892 svchost.exe       Svcs:  DcomLaunch,PlugPlay,Power
     968 nvvsvc.exe        Svcs:  NVSvc
     992 GbpSv.exe         Svcs:  GbpSv
    1016 winlogon.exe
     592 svchost.exe       Svcs:  RpcEptMapper,RpcSs
     728 svchost.exe       Svcs:  AudioSrv,Dhcp,eventlog,lmhosts,wscsvc
    1060 svchost.exe       Svcs:  AudioEndpointBuilder,CscService,IPBusEnum,Netman,PcaSvc,SysMain,TrkWks,UxSms,Wlansvc,wudfsvc
    1096 svchost.exe       Svcs:  EventSystem,fdPHost,FontCache,netprofm,nsi,WdiServiceHost,WinHttpAutoProxySvc
    1120 svchost.exe       Svcs:  AeLookupSvc,Appinfo,BITS,Browser,CertPropSvc,EapHost,gpsvc,IKEEXT,iphlpsvc,LanmanServer,MSiSCSI,ProfSvc,Schedule,seclogon,SENS,ShellHWDetection,Themes,Winmgmt,wuauserv
    1404 svchost.exe       Svcs:  CryptSvc,Dnscache,LanmanWorkstation,NlaSvc
    1548 vsmon.exe         Svcs:  vsmon
    1612 NvXDSync.exe
    1628 nvvsvc.exe
    1448 AvastSvc.exe      Svcs:  avast! Antivirus
    1748 spoolsv.exe       Svcs:  Spooler
    1904 svchost.exe       Svcs:  SCardSvr,SSDPSRV,upnphost
    1976 svchost.exe       Svcs:  BFE,DPS,MpsSvc
    2400 armsvc.exe        Svcs:  AdobeARMservice
    2432 BvSshServer.exe   Svcs:  BvSshServer
    2496 httpd.exe         Svcs:  EnterpriseDBApachePHP
    2564 sqlservr.exe      Svcs:  MSSQL$SQLEXPRESS
    2680 httpd.exe
    (truncated output)

Another very useful approach with tlist.exe is to show the command line associated with each process:

    C:\Program Files\Debugging Tools for Windows (x64)>tlist.exe -c | more

       0 System Process
       Command Line:
       4 System
       Command Line:
     436 smss.exe
       Command Line: \SystemRoot\System32\smss.exe
     628 csrss.exe
       Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
     704 wininit.exe
       Command Line: wininit.exe
     724 csrss.exe
       Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
     776 services.exe
       Command Line: C:\Windows\system32\services.exe
     784 lsass.exe
       Command Line: C:\Windows\system32\lsass.exe
     792 lsm.exe
       Command Line: C:\Windows\system32\lsm.exe
    (truncated output)

tlist.exe also makes it possible to list the process tree:
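As an added example (not code from the original article), the following Python parser reads the text output of Tcpvcon.exe -a shown under Command 57 and groups ESTABLISHED connections by process, so the remote hosts each process talks to can be reviewed against what that process should be doing. The sample output is constructed in the article's record layout; the exact indentation of the field lines is an assumption.

```python
"""Parse the text output of `Tcpvcon.exe -a` (Command 57) into per-process records.
Added example, not from the original article; the sample below is constructed in the
record layout shown there (a `[PROTO] image` line, then PID/State/Local/Remote lines)."""
import re
from collections import defaultdict

# Constructed sample; hostnames and PIDs copied from the article's output.
SAMPLE_OUTPUT = """\
TCPView v3.01 - TCP/UDP endpoint viewer

[TCP] googledrivesync.exe
       PID:    2692
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: qc-in-f125.1e100.net
[TCP] chrome.exe
       PID:    2836
       State:  ESTABLISHED
       Local:  exadata.example.com
       Remote: qc-in-f125.1e100.net
[TCP] vmware.exe
       PID:    9508
       State:  CLOSE_WAIT
       Local:  exadata.example.com
       Remote: a23-199-243-51.deploy.static.akamaitechnologies.com
"""

HEADER_RE = re.compile(r"^\[(TCP|UDP|TCPV6|UDPV6)\]\s+(\S.*?)\s*$")
FIELD_RE = re.compile(r"^\s+(PID|State|Local|Remote):\s*(.*?)\s*$")


def parse_tcpvcon(text):
    """Return one dict per endpoint record, in output order; banner lines are ignored."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"proto": m.group(1), "image": m.group(2), "pid": None,
                       "state": "", "local": "", "remote": ""}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            current[key] = int(value) if key == "pid" else value
    return records


def remote_hosts_by_process(records, established_only=True):
    """Map (image, pid) -> sorted remote hosts; '*' and empty remotes (listeners) are skipped."""
    hosts = defaultdict(set)
    for r in records:
        if (established_only and r["state"] != "ESTABLISHED") or r["remote"] in ("", "*"):
            continue
        hosts[(r["image"], r["pid"])].add(r["remote"])
    return {k: sorted(v) for k, v in hosts.items()}


if __name__ == "__main__":
    for (image, pid), remotes in sorted(remote_hosts_by_process(parse_tcpvcon(SAMPLE_OUTPUT)).items()):
        print(f"{image} (PID {pid}): {', '.join(remotes)}")
```

On a real host, feed it the saved output of `Tcpvcon.exe -a > conns.txt` and diff the per-process host lists between runs.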
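Also added here (not the article's code): a parser for the Listdlls.exe output shown under Command 62 that flags modules loaded from outside the Windows and Program Files directories, the usual sign of a DLL planted in a user-writable path. The sample output is constructed in the article's layout, the trusted-directory list is an assumed policy, and the AppData entry under notepad.exe is an invented suspicious line.

```python
"""Parse `Listdlls.exe` output (Command 62) and flag modules loaded from outside the
directories a DLL is normally expected in. Added example, not the article's code; the
sample is constructed in the article's layout and the AppData entry is invented."""
import re

SAMPLE_OUTPUT = r"""ListDLLs v3.1 - List loaded DLLs
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
winlogon.exe pid: 1016
Command line: winlogon.exe

  Base                Size      Path
  0x00000000ffae0000  0x62000   C:\Windows\system32\winlogon.exe
  0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
  0x00000000fcfb0000  0x3c000   C:\Windows\system32\nvinitx.dll
------------------------------------------------------------------------------
notepad.exe pid: 3120
Command line: notepad.exe

  Base                Size      Path
  0x00000000ff9a0000  0x36000   C:\Windows\system32\notepad.exe
  0x0000000077240000  0x1a9000  C:\Windows\SYSTEM32\ntdll.dll
  0x0000000074a00000  0x1c000   C:\Users\Administrator\AppData\Local\Temp\helper.dll
"""

PROC_RE = re.compile(r"^(\S+) pid: (\d+)\s*$")
MOD_RE = re.compile(r"^\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")
# Assumed policy (constructed): where a module is expected to load from. Adjust per host.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_listdlls(text):
    """Return {(image, pid): [(base, size, path), ...]} for each process block."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            procs[current] = []
            continue
        m = MOD_RE.match(line)
        if m and current is not None:
            procs[current].append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return procs


def untrusted_modules(procs):
    """(image, pid, path) for modules outside TRUSTED_PREFIXES; compared case-insensitively
    because listdlls mixes system32/SYSTEM32 and NTFS paths are case-insensitive."""
    return [(image, pid, path)
            for (image, pid), mods in procs.items()
            for _base, _size, path in mods
            if not path.lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for image, pid, path in untrusted_modules(parse_listdlls(SAMPLE_OUTPUT)):
        print(f"REVIEW: {image} (PID {pid}) loaded {path}")
```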