The Windows operating system has come a long way. You literally can’t do anything in Windows without it being logged somewhere. It is important that you understand some of the common functions of the Windows OS. Let’s look at some commands and tools that will help identify current settings and possible vulnerabilities.
As a cyber professional you will want to become very comfortable typing commands at the Windows command prompt. Here are two easy ways to access the command prompt:
- Press Win-R to open a Run window, then type cmd and press Enter or the OK button. To open an Administrator command prompt (if needed), type cmd and press Ctrl-Shift-Enter.
- Press Win-X to open the Power Users menu, then select either Command Prompt or Command Prompt (Admin) as needed. If you have the Windows 10 Creators Update installed you may see PowerShell in place of Command Prompt; you can switch back to Command Prompt by selecting Win-I > Personalization > Taskbar and turning off the “Replace Command Prompt with Windows PowerShell” option.
Practice using these methods a few times; you’ll be using them a lot!
Here are some commands you can use to identify important information on a Windows OS. Keep in mind that attackers use the same commands as part of the post-exploitation process, so you should become familiar with these commands and how they work.
To get a good overview of the current system:
To identify the current user:
C:> echo %username%
To view all the users:
C:> net users
To view all the users on the domain:
C:> net users /domain
To view domain properties of a specific user:
C:> net user "user1" /domain
To view all of the groups on a domain:
C:> net groups /domain
To view a specific group:
C:> net groups "Domain Admins" /domain
To view the firewall profiles:
C:> netsh advfirewall show allprofiles
To view a verbose output of all scheduled tasks:
C:> schtasks /query /fo LIST /v
To see a list of started services:
C:> net start
To view a list of current drivers:
To view the Address Resolution Protocol (ARP) table:
C:> arp -a
To view current connections and port status:
C:> netstat -ano
To view other host names on the network:
C:> net view /all
To view file/printer shares on a remote machine:
C:> net view \computername
To view logged on users on a remote machine:
C:> psloggedon \computername
To view a remote machine’s NetBIOS Remote Name Table:
C:> nbtstat -A 10.0.6.202
Windows Sysinternals is a suite of utilities designed to help you manage, troubleshoot, and diagnose your Windows systems and applications. Let’s go ahead and download the suite:
Next, unpack the downloaded zip file and copy the tools to your System32 folder. You’re all set!
Now let’s look at a few tools.
One of the most used tools in the suite is Process Explorer so we’ll start there.
An alternative to Process Explorer is the Process Monitor:
To view programs that are configured to run during system bootup or login:
To view a listing of all TCP and UDP endpoints:
To view important system information and display it on the desktop:
Below are some links to documentation for the different tools we have described. While you don’t need to commit every detail of these tools to memory, it is in your interest as a cyber professional to study and experiment as much as possible; you should assume that any attacker will do the same!