Tools you probably didn’t know you had – Windows Edition

Update 05-03-2018

Shortly after this was posted, Microsoft released its Command Line Reference document.  I recommend downloading it, as it covers all the commands available in Windows.

Those of us who have been in the industry for a while have picked up a number of these in our daily activities.  Whether you are a systems administrator/engineer, desktop support, or help desk, these commands will help you get the job done.  They don’t require any installation and are built in to all versions of Windows from XP to Server 2016.  Even though management is so enthralled with buying the latest products to get the job done, it is still beneficial to learn about these utilities and what they can accomplish.  Please refer to the links for additional options that the commands support.

We will get right to it!

nbtstat

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940106(v=technet.10)

nbtstat -A <IP address> | performs a NetBIOS adapter status query against the target (use -a when you have the NetBIOS name instead of the IP address). It returns the MAC address, hostname, and workgroup/domain information if the system is online.  This command is useful if a system is not registering with internal DNS.  Tools like nslookup are only useful if the clients are registering properly; if the device is using a static configuration, that will not be the case.  Additionally, DNS could have been configured with a static entry for the intended IP address, producing incorrect information altogether.

So yes, a pretty nifty command if you need to identify some shadow IT systems, but it is not foolproof.  If NetBIOS is disabled or the system is running a software firewall, you may not be able to get any information from it and will need to employ other techniques.

wmic

Windows Management Instrumentation command-line – https://msdn.microsoft.com/en-us/library/aa394531(v=vs.85).aspx

This requires admin rights and WMI to be enabled in order to work.  By default, WMI is enabled on most modern Windows systems.

wmic /node:<IP Address> startup list full | dumps the system’s list of startup processes, handy for identifying potentially malicious executables that are trying to maintain persistence.

wmic /node:<IP Address> process list full /format:csv > <path to local csv on your system> | dumps a csv formatted file to your local hard drive.
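A way to triage the `startup list full` output once it is saved to a file, as an added example that is not part of the original post. The sample records are constructed, and the list of user-writable paths is an assumption to tune for your environment; a hit means "review this entry", not "this is malware".

```python
# Constructed sample in the layout of "wmic startup list full" (not from a real host).
SAMPLE_STARTUP = r"""
Caption=SecurityHealth
Command=%windir%\system32\SecurityHealthSystray.exe
Description=SecurityHealth
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SettingID=
User=Public

Caption=Updater
Command="C:\Users\jdoe\AppData\Roaming\upd\svch0st.exe" -s
Description=Updater
Location=HKU\S-1-5-21-CONSTRUCTED\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SettingID=
User=CORP\jdoe
"""

# Assumption: locations an unprivileged user can write to; adjust to your estate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\",
                 "%appdata%", "%temp%")

def parse_list_full(text):
    """Split 'list full' output (Key=Value lines, blank lines between records) into dicts."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # the trailing "" flushes the last record
        line = line.strip()
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
        elif current and not line:
            records.append(current)
            current = {}
    return records

def review_startup(records):
    """Return (caption, user, location, command) for autoruns started from user-writable paths."""
    hits = []
    for r in records:
        command = r.get("Command", "")
        if any(p in command.lower() for p in USER_WRITABLE):
            hits.append((r.get("Caption", ""), r.get("User", ""), r.get("Location", ""), command))
    return hits

if __name__ == "__main__":
    for hit in review_startup(parse_list_full(SAMPLE_STARTUP)):
        print(" | ".join(hit))
```
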

There is much more you can do with this command.  It is highly recommended that you learn this tool set, as it can become very valuable in remote investigations.  One of the other useful techniques is using it to execute programs remotely on the system.  For instance, if you can copy an exe to the remote system, you can then use a command to execute it.  The example below will install the EnCase remote agent, allowing Incident Responders to pull a full forensic image of the system in its current state:

wmic /node:<SystemName> process call create "C:\Windows\Temp\EnSetup.exe"

netstat

This will list the current network connections on a system and what state they are in.  With the various switches, you can list out associated PIDs to get the service making the connection – https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat

netstat -nao | Shows list of TCP/UDP connections and their process ID

netstat -nao 5 | same as above, but redisplays the list every 5 seconds

SC

Service Control, can be used locally or remotely – https://msdn.microsoft.com/en-us/library/windows/desktop/ms682107(v=vs.85).aspx

sc query <servicename> | shows information on a specific service

sc config <servicename> start= disabled | sets the start type for a service to disabled (the space after "start=" is required).

sc stop <servicename> | stops a service

Now why would you use this rather than the standard control panel?  Sometimes the GUI is not available, and some malware will run services that are not listed in the control panel.  For example, WannaCry will execute processes that you will not see listed in Task Manager, and it will run services that need to be properly disabled.  With SC you can both stop the service and disable it.  Then, when you run your AV scan, it should properly clean/delete the malware files; otherwise you will just get a warning that it detected the malware but couldn’t clean it.  Best of all, this sort of method can be scripted, which makes it a good way to automate remediation on a larger scale.

tasklist

Command-line version of Task Manager for listing running processes.  Pretty self-explanatory: just another way to get the information and dump it to a text export.  You can’t copy and paste from a screenshot after all!

tasklist | just dumps the running processes

tasklist /svc | dumps the running processes with their associated service.
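Joining the PID column of `netstat -nao` with `tasklist /svc` shows which process and services own each connection, as described in the netstat and tasklist sections above. This is an added example, not part of the original post; both sample outputs are constructed, and the function names are illustrative.

```python
# Constructed sample output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     4321
  UDP    0.0.0.0:5353           *:*                                    1820
"""
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    908 RpcEptMapper, RpcSs
svchost.exe                   1820 Appinfo, BITS, IKEEXT, iphlpsvc, Schedule,
                                   Winmgmt
chrome.exe                    4321 N/A
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row of 'netstat -nao'."""
    rows = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) in (4, 5) and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            state = f[3] if len(f) == 5 else ""  # UDP rows have no State column
            rows.append(dict(proto=f[0], local=f[1], remote=f[2], state=state, pid=int(f[-1])))
    return rows

def parse_tasklist_svc(text):
    """Map PID -> (image name, services) from the 'tasklist /svc' table."""
    procs, last, a, b = {}, None, 0, 0
    for line in text.splitlines():
        if line.startswith("="):  # the separator row defines the column widths
            w = [len(c) for c in line.split()]
            a, b = w[0], w[0] + 1 + w[1]
        elif b and line.strip():
            image, pid, svcs = line[:a].strip(), line[a:b].strip(), line[b:].strip()
            if pid.isdigit():
                last = int(pid)
                procs[last] = (image, svcs)
            elif last is not None:  # a wrapped service list continues the row above
                procs[last] = (procs[last][0], procs[last][1] + " " + svcs)
    return procs

def connections_by_process(netstat_text, tasklist_text):
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for c in parse_netstat(netstat_text):
        image, svcs = procs.get(c["pid"], ("<unknown>", ""))
        out.append({**c, "image": image, "services": svcs})
    return out
```

The two commands run at different moments, so a PID that netstat reports may have exited before tasklist ran; those rows come back with the image `<unknown>`.
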

net view

Lists the file shares of a system.  You can use this information to look for unauthorized shares that have been enabled.  Not much else to this command, but it can still be useful.

net view \\127.0.0.1 | lists local file shares.

net view \\servername | lists visible file shares on the target server

So there you have it.  There are many more built-in tools that both penetration testers and actual bad guys will utilize.  It is best to learn how you can use them for defense.  I would recommend heading over to SANS to download all the useful cheat sheets.  Print out and stick them on your cube wall for quick reference!
