Windows and CMD recap
GOPAS: [email protected] | www.gopas.cz | www.facebook.com/P.S.GOPAS
Ing. Ondřej Ševeček | GOPAS a.s. |
MCSM:Directory2012 | MCM:Directory2008 | MVP:Enterprise Security | CEH | CHFI | CISA |
[email protected] | www.sevecek.com |
#1 log on to WKS10 as Kamil
▪ password is Pa$$w0rd
▪ use Enhanced Session Mode
• RDP + clipboard integration
#2 copy the training sample files into C:\TEMP\Training
▪ source files from the HOST computer C:\TEMP\GOPAS-GOC216\Training
▪ into the virtual machine WKS10 folder C:\TEMP\Training
Useful WIN key combinations
▪ WIN search by typing
• does not always work
• often finds shortcuts instead of the .EXE
▪ WIN+R
• low-level run of an .EXE
▪ WIN+E
• Windows Explorer
▪ WIN+X
• quick menu, PowerShell or CMD, some consoles
Alt sequences required with a Czech QWERTZ keyboard
Alt Gr +        Alt + Num   character   name
V               64          @           at
W               124         |           pipe, bar, vbar, stick
X               35          #           hash
ů               36          $           dollar
š + space       94          ^           caret
C               38          &           ampersand
- (dash)        42          *           asterisk
+ (plus, 1)     126         ~           tilde
                96          `           backtick, backquote, tick
Q               92          \           backslash
B               123         {           opening curly bracket (brace)
N               125         }           closing curly bracket (brace)
F               91          [           opening square bracket
G               93          ]           closing square bracket
<               60          <           less than
>               62          >           greater than
Distinguish the following characters as well
Alt + Num   character   name
34          "           double quotes, quotation mark
39          '           single quote, apostrophe
45          -           dash, minus
95          _           underscore
59          ;           semicolon
47          /           slash, forward slash
46          ,           comma
58          :           colon
            ::          double colon (just two colons in a sequence)
Some other special ASCII characters
what                    value               C/C++ escape   PowerShell escape
tab                     09, 0x09            \t             `t
line feed (LF)          10, 0x0A            \n             `n
carriage return (CR)    13, 0x0D            \r             `r
new line (CRLF)         13-10, 0x0D-0x0A    \r\n           `r`n
Windows processes
▪ .EXE vs. process vs. threads
▪ always running under a specific user account
• SYSTEM, NETWORK SERVICE, gmsa$
▪ elevated "as Administrator"
▪ limited without Administrators group membership
▪ environment variables
• system + user (user variables override the system ones; PATH is combined)
▪ identity and environment inherited by child processes
• once started, child processes are independent of their parent processes
WHOAMI /all - limited user
Administrators = group used for deny only
WHOAMI /all - elevated as Administrator
Administrators = mandatory, owner + many privileges
Environment variables (x64) in CMD
Process Explorer - command line, process ID, parent process ID, 64bit vs. 32bit
Process Explorer - limited user
Process Explorer - elevated as Administrator
Process Explorer - environment variables (x64)
Environment variables in CMD
referenced using the % (percent) sign; enclose values that may contain spaces in " (double quotation marks)
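The rules from the last two slides (expansion with %, quoting, user vs. system values, inheritance by child processes) in one runnable .BAT file. This is an added example, not one of the course training files; it assumes C:\TEMP exists and that TRAINING_ROOT is not otherwise defined on the machine.

```batch
@ECHO OFF
REM Added example (not a course file): %VAR% expansion, quoting and
REM child-process inheritance in CMD. Save as C:\TEMP\envdemo.bat.

REM 1. Expansion happens before the command runs; quote the whole value,
REM    because %ProgramFiles% contains a space.
ECHO Program folder: "%ProgramFiles%"
DIR /B "%ProgramFiles%" | FINDSTR /I /B "Windows" >NUL && ECHO found folders starting with Windows

REM 2. SETLOCAL keeps changes local to this script; the persistent user
REM    variable of the same name (HKCU\Environment) is not touched.
SETLOCAL
SET "TRAINING_ROOT=C:\TEMP\Training"
SET "PATH=%TRAINING_ROOT%;%PATH%"
ECHO Extended PATH: %PATH%

REM 3. A child process receives a COPY of this environment. Whatever the
REM    child changes does not flow back. (/V:ON lets the child expand
REM    !TRAINING_ROOT! at execution time, so it shows its own new value.)
CMD /V:ON /C "SET TRAINING_ROOT=changed-by-child& ECHO   child sees: !TRAINING_ROOT!"
ECHO   parent still has: %TRAINING_ROOT%

REM 4. An undefined variable expands to nothing; always quote both sides
REM    of a comparison so the IF stays syntactically valid.
IF "%UNDEFINED_VAR%"=="" ECHO UNDEFINED_VAR is not set

REM 5. SETX would write the persistent user value, but it does NOT change
REM    the current process; only processes started afterwards inherit it.
REM    SETX TRAINING_ROOT C:\TEMP\Training
ENDLOCAL
ECHO After ENDLOCAL: "%TRAINING_ROOT%" (empty again)
```

Step 3 is the one to remember when a script "does not see" a variable: the value was set in a child (or in a different console) and never reached the process that is actually running.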
Processes can return an integer value to the operating system (default is 0)
▪ used by Task Scheduler to detect application failures
▪ logged in the Security event log
Example status code obtained from an executable in CMD
certutil -ping data
echo %errorlevel%
Example status code obtained from an executable in PowerShell
certutil -ping data
$lastExitCode
Status codes in PowerShell and BAT
# terminating PowerShell with a status code
exit 8
REM exiting BAT file with an error code
EXIT /B 7
Template .BAT file for running PowerShell .PS1 scripts
@ECHO OFF
REM if this .BAT file is located at C:\TEMP\Training\STARTER.BAT then
REM %~d0 is the drive path of this .BAT file (such as C:)
REM %~p0 is the path to this .BAT file (such as \TEMP\Training\)
REM %~n0 is the name of this .BAT file without extension (such as STARTER)
REM note that \\server\share\Training\starter.bat would resolve as well
REM %~d0 \\
REM %~p0 \server\share\Training\
REM %~n0 starter
REM %* means repeat all the command parameters supplied when calling this .BAT file
REM you can also use only some or all of the parameters: %1 %2 %3 %4 %5 %6 %7 %8 %9
powershell -Exec Bypass -NoLogo -File "%~d0%~p0%~n0.ps1" %*
REM if you end the script with "exit 5" the %ERRORLEVEL% would contain the value of 5 and you can still pass this to the operating system
EXIT /B %ERRORLEVEL%
Lets you see the return status code or any exception thrown inside the .PS1 script
@ECHO OFF
powershell -Exec Bypass -NoLogo -File "%~d0%~p0%~n0.ps1" %*
REM internal BAT commands such as ECHO or PAUSE do not affect the
REM %ERRORLEVEL% value, but remember not to call anything else
ECHO Return value: %ERRORLEVEL%
PAUSE
EXIT /B %ERRORLEVEL%
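The warning in the comment above ("remember not to call anything else") is the most common way these starter files break. The following added example, which is not the course template, shows the safe pattern: save %ERRORLEVEL% into a variable right after the call, branch on the saved copy, and pass it back with EXIT /B. The script name %~dpn0.ps1 is a placeholder for any .PS1 that ends with "exit 5".

```batch
@ECHO OFF
REM Added example (not the course template): the %ERRORLEVEL% rules in one
REM file. %~dpn0.ps1 stands for a script that ends with "exit 5".

powershell -Exec Bypass -NoLogo -File "%~dpn0.ps1" %*
REM Capture the code immediately. ECHO and PAUSE are internal and leave it
REM alone, but every external program run afterwards replaces it.
SET RC=%ERRORLEVEL%

ECHO Return value: %RC%
whoami /user >NUL
ECHO after whoami, %%ERRORLEVEL%% is %ERRORLEVEL% (whoami's own code); the saved RC is still %RC%

REM Branch on the saved value. Note that the classic "IF ERRORLEVEL 1"
REM means "greater than or equal to 1", not "equal to 1".
IF %RC% EQU 0 (
    ECHO the script finished OK
) ELSE (
    ECHO the script failed with code %RC%
)

REM Conditional execution: && runs the next command only after a 0 code,
REM || only after a non-zero one (findstr returns 1 when nothing matched).
ipconfig /all | findstr /I "IPv4" >NUL && ECHO IPv4 address present || ECHO no IPv4 line

REM Hand the original code back to the caller (Task Scheduler or another .BAT).
EXIT /B %RC%
```

Task Scheduler only ever sees the value of the final EXIT /B, so the saved copy is what turns a failing .PS1 into a visible failed task.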
#3 link two existing GPOs at the domain level
Together they enable auditing of Process Creation and Process Termination
Sample process audits
#4 schedule the starter.bat file within Task Scheduler for manual running
#5 schedule the starter.bat file within Task Scheduler for manual running
Sample Task Scheduler history event
Return status code is added to 2147942400 = 0x80070000
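The screenshots on the audit and Task Scheduler slides can be reproduced from the command line. The added example below (not part of the course) queries the Security log for the process audits enabled in step #3, the Task Scheduler Operational log for the task history, and decodes the 0x80070000-based return code. It assumes an elevated prompt (reading the Security log needs it) and that the Task Scheduler Operational log has been enabled.

```batch
@ECHO OFF
REM Added example (not from the course): read the audit and task history
REM events with WEVTUTIL and decode the Task Scheduler return code.
REM Run elevated; needs the process auditing GPOs from step #3.

REM Last 5 process-termination audits (Security event 4689). Each carries
REM "Exit Status", the value a script handed out through EXIT /B.
wevtutil qe Security /q:"*[System[EventID=4689]]" /c:5 /rd:true /f:text

REM Process-creation audits (4688) filtered to cmd.exe: the defender's view
REM of who started a console. The command line itself only appears when the
REM "Include command line in process creation events" policy is enabled.
wevtutil qe Security /q:"*[System[EventID=4688] and EventData[Data[@Name='NewProcessName']='C:\Windows\System32\cmd.exe']]" /c:5 /rd:true /f:text

REM Task Scheduler history lives in its Operational log. It must be enabled
REM first (wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true).
REM Event 201 "Action completed" carries the return code of the action.
wevtutil qe Microsoft-Windows-TaskScheduler/Operational /q:"*[System[EventID=201]]" /c:5 /rd:true /f:text

REM The history shows 2147942400 + code, i.e. 0x80070000 | code: the exit
REM code sits in the low 16 bits of a Win32-facility HRESULT. SET /A only
REM does 32-bit signed arithmetic, so decode such values in PowerShell.
powershell -NoProfile -Command "'0x80070007 is exit code {0}' -f (0x80070007 -band 0xFFFF); '2147942405 is exit code {0}' -f (2147942405 -band 0xFFFF)"
```

The two PowerShell lines print exit code 7 and exit code 5, matching the EXIT /B 7 and "exit 5" examples on the earlier slides.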
32bit subsystem
▪ %windir%\system32
• default installation of 64bit components
▪ %windir%\syswow64
• 32bit components on a 64bit system
▪ %windir%\sysnative
• virtual access point into the 64bit's system32 directory for 32bit processes
• does not exist in 64bit processes
Process Explorer - environment variables (x32)
64bit PowerShell
[IntPtr]::Size
dir c:\windows\system32
dir c:\windows\syswow64
32bit PowerShell
[IntPtr]::Size
dir c:\windows\system32
dir c:\windows\syswow64
dir c:\windows\sysnative
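The same bitness check as [IntPtr]::Size, but done from a .BAT file, together with the sysnative trick from the 32bit subsystem slide. This is an added example, not a course file; it relies only on the documented PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432 variables and the standard PowerShell install path.

```batch
@ECHO OFF
REM Added example (not from the course). Save as C:\TEMP\bitness.bat and
REM run it from both CMD flavours to see the difference:
REM   %windir%\System32\cmd.exe /c C:\TEMP\bitness.bat   (64-bit)
REM   %windir%\SysWOW64\cmd.exe /c C:\TEMP\bitness.bat   (32-bit)

REM PROCESSOR_ARCHITECTURE describes THIS PROCESS (AMD64 or x86), not the
REM machine. PROCESSOR_ARCHITEW6432 is only defined inside a WOW64 (32-bit)
REM process and then names the real machine architecture.
ECHO process architecture : %PROCESSOR_ARCHITECTURE%
ECHO WOW64 machine arch   : %PROCESSOR_ARCHITEW6432%

IF DEFINED PROCESSOR_ARCHITEW6432 (
    ECHO 32-bit CMD on 64-bit Windows: system32 is silently redirected to SysWOW64
    SET "SYS64=%windir%\Sysnative"
) ELSE (
    ECHO native CMD: no redirection, and %windir%\Sysnative does not exist here
    SET "SYS64=%windir%\System32"
)

REM Plain "powershell" is found through PATH, so it follows the bitness of
REM this process; the one under %SYS64% is always the 64-bit build (prints 8).
ECHO plain powershell:
powershell -NoProfile -Command "[IntPtr]::Size"
ECHO 64-bit powershell via %SYS64%:
"%SYS64%\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[IntPtr]::Size"

REM The alias only exists for file access from 32-bit processes; listing
REM it shows which copy of the tools you are really looking at.
DIR /B "%SYS64%\cmd.exe"
```

The practical consequence for scheduled tasks and scripts started by 32-bit software: call the tools you need through %windir%\Sysnative when PROCESSOR_ARCHITEW6432 is defined, otherwise you get the 32-bit copies without any error message.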
Starting CMD from any process
shell open dialog - open, or run as administrator
CMD built-in commands (no .EXE on disk)
cd, dir, copy, del, mkdir, rmdir, mklink, for, echo, date, time, pause
Other Windows built-in executables
xcopy, ipconfig, net, robocopy, diskpart, wmic, netdom, tasklist, powershell, more, findstr
sysdm.cpl (control.exe), ncpa.cpl (control.exe), dsa.msc (mmc.exe), compmgmt.msc (mmc.exe)
CMD output redirection
REM overwrite the text file
echo Hello Kamil > c:\temp\greeting.txt
REM append to the end of the text file
echo How are you >> c:\temp\greeting.txt
CMD textual pipe
REM require user interaction in order to obtain paged output line-by-line
netstat -ano | more
REM filter textual lines by searching literal strings in a case insensitive manner
netstat -ano | findstr /L /I listen
REM filter textual lines by matching a regex (also case insensitive); findstr has no \d, a digit is written [0-9]
ipconfig -all | findstr /R /I address.*[0-9]
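Redirection and pipes combined the way they are used in practice, as an added example that is not part of the course material. It writes a constructed report file C:\TEMP\listen.txt (an assumed path) and shows the findstr switches and the FOR /F loop over command output that the slide does not cover. Written for a .BAT file, so the loop variable is %%P (at the interactive prompt it would be %P).

```batch
@ECHO OFF
REM Added example (not from the course): redirection, pipes and findstr
REM in combination. Writes C:\TEMP\listen.txt.

SET "OUT=C:\TEMP\listen.txt"

REM > overwrites, >> appends; 2> is the error stream, 2>&1 merges it into
REM stdout, and NUL discards. Order matters: 2>&1 must come after >.
ECHO Listening sockets on %COMPUTERNAME% at %DATE% %TIME% > "%OUT%"
netstat -ano 2>&1 | findstr /L /I LISTENING >> "%OUT%"

REM /V inverts the match; /C: searches one literal string that may contain
REM spaces (without /C:, a space in the pattern means "or").
netstat -ano | findstr /L /I LISTENING | findstr /V /C:"127.0.0.1" /C:"[::1]"

REM Regular expression: findstr knows [0-9] and * but neither \d nor +,
REM so "one or more digits" is written [0-9][0-9]*.
ipconfig /all | findstr /R /I "address.*[0-9][0-9]*"

REM FOR /F turns command output into variables: token 5 of every LISTENING
REM line is the owning PID, which TASKLIST resolves to an image name.
REM The pipe inside the quoted command must be escaped as ^|.
FOR /F "tokens=5" %%P IN ('netstat -ano ^| findstr /L /I LISTENING') DO (
    TASKLIST /FI "PID eq %%P" /NH /FO CSV | findstr /V /I /C:"No tasks"
)

TYPE "%OUT%"
```

Errors written to the error stream would otherwise bypass both the pipe and the file; merging with 2>&1 is what makes the report complete when a command fails half-way.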
Combining multiple commands on a single line
ipconfig /all & klist & netstat
CMD (command line) escape sequences
%%   percent sign
^^   caret
^&   ampersand
^<   less than
^>   greater than
^|   pipe
""   double quote inside a quoted argument
echo installation folder: %programfiles%
echo installation folder: %%programfiles%%
REM will fail
echo you should use the | (pipe) symbol
REM this works fine
echo you should use the ^| (pipe) symbol
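The escape sequences from the slide exercised inside a .BAT file, as an added example that is not course code. It writes a constructed file C:\TEMP\escapes.txt (assumed path) and prints it, so every escaped character can be checked against what actually reached the file.

```batch
@ECHO OFF
REM Added example (not from the course): the CMD escape sequences in use.
REM Writes C:\TEMP\escapes.txt and then shows it.

SET "OUT=C:\TEMP\escapes.txt"

REM ^ escapes the next special character, so & | < > and ^ itself lose
REM their meaning; the unescaped > at the end is still a real redirection.
ECHO use the ^| (pipe) symbol, not ^& or ^> > "%OUT%"
ECHO a literal caret: ^^ >> "%OUT%"

REM In a .BAT file a percent sign is doubled, and FOR variables are %%X.
ECHO 100%% done; %%PATH%% prints the name, not the value >> "%OUT%"
FOR %%X IN (alpha beta) DO ECHO item: %%X >> "%OUT%"

REM Inside a quoted argument the special characters need no escaping.
ECHO "quoted: & | < > are plain text here" >> "%OUT%"

REM A quote inside a quoted argument is written twice; PowerShell receives
REM   Write-Output "inner quotes"
powershell -NoProfile -Command "Write-Output ""inner quotes""" >> "%OUT%"

REM ! is special only when delayed expansion is enabled.
ECHO done! >> "%OUT%"

TYPE "%OUT%"
```

The %% rule is the one that bites when a command that worked at the prompt is pasted into a .BAT file: FOR %X becomes FOR %%X, and a literal percent sign must be doubled.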
Console window defaults and properties
▪ defaults
• HKCU:\Console
▪ specific .EXE properties
• HKCU:\Console\..._folder_path.exe
Windows 8.1/2012 R2 and older console properties
Console properties notes
▪ [non-default] quick edit mode (mouse right-click)
• copy-paste blocks easily
• stops program execution!!!
▪ [default] insert mode
• instead of overwriting
Windows 10 and newer console properties
▪ [default] line-wrapping selection
▪ [default] extended text selection
• Shift+arrows
• Ctrl+A
Console properties of .LNK shortcuts
Console command history and navigation
▪ up, down arrows
• scroll through the command history
▪ home, end
▪ ctrl+left, ctrl+right
• one word left/right
▪ F7
• history box
%PATH% variable combined from both SYSTEM and USER
#6 create shortcuts on desktop for easy Run As
▪ Shift+[right-click] to see the Run as different user
Shortcut with a predefined username and a changed icon
runas /user:gps\domain-admin powershell
Advanced optional hint for geeks :-) Ultra complex UAC elevating starter.bat
▪ starter-elevating.bat
▪ automatically elevates to Administrators
▪ you can keep the CMD running to see any errors
• %cmdNoExit%
▪ you can keep the PowerShell running after the script finishes using the -NoExit parameter
• %psNoExit%
▪ you can also Import-Module instead of starting a .PS1 file with the same name
• %psCommandToStart%=Import-Module '%psROOTFILENAME%.psm1' -DisableNameChecking -ArgumentList @($false, $true, ...); cd $env:SystemRoot; cd ..
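The course's starter-elevating.bat is not reproduced on the slides, so here is the smallest version of the same idea as an added example (not the course file): test whether the script already runs elevated and, if not, restart it through the regular UAC consent prompt, keeping the elevated window open as %cmdNoExit% does. The .PS1 next to it (%~dpn0.ps1) is a placeholder, exactly as on the template slide.

```batch
@ECHO OFF
REM Added example, not the course's starter-elevating.bat. %~dpn0.ps1 is a
REM placeholder for the script of the same name next to this .BAT file.

REM "net session" needs administrative rights and returns a non-zero code
REM otherwise, which makes it a cheap elevation test without extra tools.
net session >NUL 2>&1
IF %ERRORLEVEL% NEQ 0 (
    ECHO Not elevated, asking for UAC elevation of "%~f0" ...
    REM Start-Process -Verb RunAs is the scriptable "Run as administrator"
    REM and shows the normal UAC prompt. cmd /K keeps the elevated window
    REM open so any error stays visible. \" passes a quote through to PowerShell.
    powershell -NoProfile -Command "Start-Process cmd.exe -ArgumentList '/K \"%~f0\" %*' -Verb RunAs"
    EXIT /B
)

ECHO Running elevated in the context of:
whoami /groups | findstr /I /C:"Mandatory Label"
REM the rest is the ordinary starter template
powershell -Exec Bypass -NoLogo -File "%~dpn0.ps1" %*
SET RC=%ERRORLEVEL%
ECHO Return value: %RC%
EXIT /B %RC%
```

The whoami line is the quick confirmation from the WHOAMI /all slides: an elevated console reports "High Mandatory Level", a limited one "Medium Mandatory Level".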