July 31, 2006

Windows Command-Line Kung Fu (1)

Everything started about 4 months ago, when Ed Skoudis posted an entry in the ISC Handler's Diary talking about how to improve your Windows infosec skills using the built-in WMIC command line tool.

I strongly encourage you to read this post (specially if you're a Unix techie) and enjoy the fun of managing a Windows box from the dark command prompt. After running a few wmic commands you won't know if you're in a bash or DOS shell!! ;-)

The list of Windows command-line kung-fu tools was extended with the famous netsh and the new tasklist and taskkill tools. All these tools (WMIC included) have been detailed through the previous ISC post, plus:
Ed Skoudis and Tom Listom started to research about these Windows capabilities and tools when analyzing industry-leading enterprise anti-spyware tools. As a result they also released a bening spyware-like tool, called Spycar. It is a free suite of tools (samples) that let you test your anti-spyware tool defenses.

During their research, they had to deal with a system full of all types of spy/malware where there was no GUI available. Besides, they tried to avoid an incident response based on the usage of external Windows tools, like the ones from Sysinternals that all us use for malware analysis, and... this is how this new set of tools came to light!

BTW, their initial concern about external and built-in tools is no longer valid, because last week Mark Russinovich announced that Microsoft has acquired Sysinternals. Oh my!! Did they drink the Kool-Aid? Only time will tell!!

In a future post I may point out some challenges based on these tools, so that you can practice your Windows command-line kung-fu!!

Trying to add some technical details, when using WMIC you need to test your specific OS version capabilities. For example, the Pauldotcom's challenge asked for two ways of enabling the DHCP capabilities of a Windows NIC using command-line tools. My response was:

1) Netsh:

C:\> netsh interface ip set address "Local Area Connection" dhcp

2) WMIC:

C:\> wmic nicconfig where index=1 call enabledhcp

The wmic command above works like a charm in Windows 2003 (no SP) although the "enabledhcp" call is not supported on Windows XP Pro SP2. So, watch out every OS WMIC capabilities when designing your Windows-based incident response processes!!


Post a Comment

<< Home