if you didnt catch it live you can watch the recorded version of “Penetration Testing Ninjitsu” with Ed Skoudis. it was pretty good and two more or lined up, next one is in April.
https://coresecurity.webex.com/coresecurity/lsr.php?AT=pb&SP=EC&rID=4214202&rKey=32920A3595EA5972
slides:
http://www.coresecurity.com/files/attachments/Core_Define_and_Win_Cmd_Line.pdf
Here are my notes from listening/watching it
C:\> ipconfig /displaydns
**dumps the DNS cache, targets that have been recently resolved (may or may not be in the same network)
C:\> arp -a
**dumps the ARP Cache, so that should be boxes on the same subnet as the box you are on
**check to see if anything is in the hosts file, hardcoded IP to DNS
C:\> net use \\[target] [password] /u:[user]
**smb session
C:\> net use * \\[targetip]\[share] [password] /u:[user]
**attaches to the next available file share, you can also specify a drive letter
C:\> net user \\[targetip] /del or net use & /del
**can only have one SMB session with a given target machine as one USERNAME at a time, so you have to delete and so you can delete them all when done
FOR /L Loops --counters
C:\> for /L %i in ([start], [step], [stop]) do [command]
C:\> for /L %i in (1,1,255) do echo %i
**simple counter
C:\> for /L %i in (1,1,255) do echo %i & ping -n 5 127.0.0.1
**pauses 5 seconds between each iteration by using the ping command
**to do more than one command [command1] & [command2]
**run command1 and only run command2 if command1 succeeds [command1] && [command2]
C:\> for /L %i in (1,1,255) do @echo %i & @ping -n 5 127.0.0.1 > nul
**@ = dont display the command
** send errors to file [command] 2>>errorfile.txt
C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
**ping sweeper
nslookup [IPaddr]
**reverse lookup
C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"
**displays successful reverse lookups
C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
**shows IP and hostname if found
FOR /F Loops --files, strings, a file set's contents
C:\> for /f %i in (password.lst) do @echo %i & @net use \\[target_IP_addr] %i /u:[UserName] 2>nul && echo UserName: %i >>success.txt
** check slides for more examples
**scripting, .bat files
**you have to do double %% in bat files
C:\> for /L %i in (1,1,100) do @echo %i
**turns into
for /L %%i in (1,1,100) do @echo %%i
https://coresecurity.webex.com/coresecurity/lsr.php?AT=pb&SP=EC&rID=4214202&rKey=32920A3595EA5972
slides:
http://www.coresecurity.com/files/attachments/Core_Define_and_Win_Cmd_Line.pdf
Here are my notes from listening/watching it
C:\> ipconfig /displaydns
**dumps the DNS cache, targets that have been recently resolved (may or may not be in the same network)
C:\> arp -a
**dumps the ARP Cache, so that should be boxes on the same subnet as the box you are on
**check to see if anything is in the hosts file, hardcoded IP to DNS
C:\> net use \\[target] [password] /u:[user]
**smb session
C:\> net use * \\[targetip]\[share] [password] /u:[user]
**attaches to the next available file share, you can also specify a drive letter
C:\> net user \\[targetip] /del or net use & /del
**can only have one SMB session with a given target machine as one USERNAME at a time, so you have to delete and so you can delete them all when done
FOR /L Loops --counters
C:\> for /L %i in ([start], [step], [stop]) do [command]
C:\> for /L %i in (1,1,255) do echo %i
**simple counter
C:\> for /L %i in (1,1,255) do echo %i & ping -n 5 127.0.0.1
**pauses 5 seconds between each iteration by using the ping command
**to do more than one command [command1] & [command2]
**run command1 and only run command2 if command1 succeeds [command1] && [command2]
C:\> for /L %i in (1,1,255) do @echo %i & @ping -n 5 127.0.0.1 > nul
**@ = dont display the command
** send errors to file [command] 2>>errorfile.txt
C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
**ping sweeper
nslookup [IPaddr]
**reverse lookup
C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"
**displays successful reverse lookups
C:\> for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
**shows IP and hostname if found
FOR /F Loops --files, strings, a file set's contents
C:\> for /f %i in (password.lst) do @echo %i & @net use \\[target_IP_addr] %i /u:[UserName] 2>nul && echo UserName: %i >>success.txt
** check slides for more examples
**scripting, .bat files
**you have to do double %% in bat files
C:\> for /L %i in (1,1,100) do @echo %i
**turns into
for /L %%i in (1,1,100) do @echo %%i
