Archive for September 13th, 2006

the fu of netsh

netsh

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers. [1]

>netsh /?

Usage: netsh [-a AliasFile] [-c Context] [-r RemoteMachine]
[Command | -f ScriptFile]

The following commands are available:

Commands in this context:
? - Displays a list of commands.
add - Adds a configuration entry to a list of entries.
bridge - Changes to the `netsh bridge' context.
delete - Deletes a configuration entry from a list of entries.
diag - Changes to the `netsh diag' context.
dump - Displays a configuration script.
exec - Runs a script file.
firewall - Changes to the `netsh firewall' context.
help - Displays a list of commands.
interface - Changes to the `netsh interface' context.
ras - Changes to the `netsh ras' context.
routing - Changes to the `netsh routing' context.
set - Updates configuration settings.
show - Displays information.
wins - Changes to the `netsh wins' context.
winsock - Changes to the `netsh winsock' context.

The following sub-contexts are available:
bridge diag firewall interface ras routing wins winsock

To view help for a command, type the command, followed by a space, and then
type ?.

>netsh
netsh>?

The following commands are available:

Commands in this context:
.. - Goes up one context level.
? - Displays a list of commands.
abort - Discards changes made while in offline mode.
add - Adds a configuration entry to a list of entries.
alias - Adds an alias.
bridge - Changes to the `netsh bridge' context.
bye - Exits the program.
commit - Commits changes made while in offline mode.
delete - Deletes a configuration entry from a list of entries.
diag - Changes to the `netsh diag' context.
dump - Displays a configuration script.
exec - Runs a script file.
exit - Exits the program.
firewall - Changes to the `netsh firewall' context.
help - Displays a list of commands.
interface - Changes to the `netsh interface' context.
offline - Sets the current mode to offline.
online - Sets the current mode to online.
popd - Pops a context from the stack.
pushd - Pushes current context on stack.
quit - Exits the program.
ras - Changes to the `netsh ras' context.
routing - Changes to the `netsh routing' context.
set - Updates configuration settings.
show - Displays information.
unalias - Deletes an alias.
wins - Changes to the `netsh wins' context.
winsock - Changes to the `netsh winsock' context.

The following sub-contexts are available:
bridge diag firewall interface ras routing wins winsock

To view help for a command, type the command, followed by a space, and then
type ?.

netsh>

How about we start off with controlling the firewall? Let's look at the syntax of the netsh command in this case:

netsh firewall set portopening protocol = [TCP|UDP] port = <Number> name = <New Port Name> interface = "<Interface Name>"

If we need to open the Windows firewall to TCP traffic on port 445 for Windows 2000+ SMB over TCP/IP:

netsh firewall set portopening TCP 445 ENABLE

or our new corporate antivirus server 192.168.0.10 needs access on :666 …

netsh firewall add portopening TCP 666 Anti-Virus ENABLE CUSTOM 192.168.0.66

Want a quick dump of your firewall config?

netsh firewall show config
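
An added example (not from the original post): a batch file that applies the antivirus port opening above using named parameters, after archiving the current configuration with `netsh dump` and `netsh firewall show config`, and then checks that the rule is listed. The backup directory and variable names are assumptions; the port and address are the ones used in the command above.

```bat
@echo off
rem Added example, not part of the original post.
rem Assumed values: BACKUP_DIR and the variable names. Port and address are
rem taken from the add portopening command shown above.
setlocal
set AV_SERVER=192.168.0.66
set AV_PORT=666
set RULE_NAME=Anti-Virus
set BACKUP_DIR=%SystemDrive%\fw-baseline

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

rem 1. Archive the current state so the change can be reviewed or reverted.
netsh dump > "%BACKUP_DIR%\netsh-dump-before.txt"
netsh firewall show config > "%BACKUP_DIR%\firewall-before.txt"

rem 2. Add the opening with named parameters. scope=CUSTOM restricts the
rem    opening to the listed source address instead of any host.
netsh firewall add portopening protocol=TCP port=%AV_PORT% name=%RULE_NAME% mode=ENABLE scope=CUSTOM addresses=%AV_SERVER%
if errorlevel 1 (
    echo Failed to add port opening %RULE_NAME% 1>&2
    exit /b 1
)

rem 3. Verify that the rule is now listed and keep a copy of the result.
netsh firewall show portopening > "%BACKUP_DIR%\portopening-after.txt"
findstr /i /c:"%RULE_NAME%" "%BACKUP_DIR%\portopening-after.txt" >nul
if errorlevel 1 (
    echo Rule %RULE_NAME% not found after the change 1>&2
    exit /b 1
)
echo Port %AV_PORT%/TCP opened for %AV_SERVER% only. Baseline saved in %BACKUP_DIR%.

rem To roll back:
rem   netsh firewall delete portopening protocol=TCP port=%AV_PORT%
endlocal
```

On Windows Vista and later the `netsh firewall` context is deprecated in favour of `netsh advfirewall firewall`.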

Set the LAN connection to DHCP …

netsh interface ip set address "Local Area Connection" dhcp

Also check out the WMIC, tasklist and taskkill tools.


WMIC

>wmic /?

[global switches] <command>

The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the <authority type> for the connection.
/?[:<brief|full>] Usage information.

For more information on a specific global switch, type: switch-name /?

The following alias/es are available in the current role:
ALIAS - Access to the aliases available on the local system
BASEBOARD - Base board (also known as a motherboard or system board) management.
BIOS - Basic input/output services (BIOS) management.
BOOTCONFIG - Boot configuration management.
CDROM - CD-ROM management.
COMPUTERSYSTEM - Computer system management.
CPU - CPU management.
CSPRODUCT - Computer system product information from SMBIOS.
DATAFILE - DataFile Management.
DCOMAPP - DCOM Application management.
DESKTOP - User's Desktop management.
DESKTOPMONITOR - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE - Physical disk drive management.
DISKQUOTA - Disk space usage for NTFS volumes.
DMACHANNEL - Direct memory access (DMA) channel management.
ENVIRONMENT - System environment settings management.
FSDIR - Filesystem directory entry management.
GROUP - Group account management.
IDECONTROLLER - IDE Controller management.
IRQ - Interrupt request line (IRQ) management.
JOB - Provides access to the jobs scheduled using the schedule service.
LOADORDER - Management of system services that define execution dependencies.
LOGICALDISK - Local storage device management.
LOGON - LOGON Sessions.
MEMCACHE - Cache memory management.
MEMLOGICAL - System memory management (configuration layout and availability of memory).
MEMPHYSICAL - Computer system's physical memory management.
NETCLIENT - Network Client management.
NETLOGIN - Network login information (of a particular user) management.
NETPROTOCOL - Protocols (and their network characteristics) management.
NETUSE - Active network connection management.
NIC - Network Interface Controller (NIC) management.
NICCONFIG - Network adapter management.
NTDOMAIN - NT Domain management.
NTEVENT - Entries in the NT Event Log.
NTEVENTLOG - NT eventlog file management.
ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board).
OS - Installed Operating System/s management.
PAGEFILE - Virtual memory file swapping management.
PAGEFILESET - Page file settings management.
PARTITION - Management of partitioned areas of a physical disk.
PORT - I/O port management.
PORTCONNECTOR - Physical connection ports management.
PRINTER - Printer device management.
PRINTERCONFIG - Printer device configuration management.
PRINTJOB - Print job management.
PROCESS - Process management.
PRODUCT - Installation package task management.
QFE - Quick Fix Engineering.
QUOTASETTING - Setting information for disk quotas on a volume.
RECOVEROS - Information that will be gathered from memory when the operating system fails.
REGISTRY - Computer system registry management.
SCSICONTROLLER - SCSI Controller management.
SERVER - Server information management.
SERVICE - Service application management.
SHARE - Shared resource management.
SOFTWAREELEMENT - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE - Management of software product subsets of SoftwareElement.
SOUNDDEV - Sound Device management.
STARTUP - Management of commands that run automatically when users log onto the computer system.
SYSACCOUNT - System account management.
SYSDRIVER - Management of the system driver for a base service.
SYSTEMENCLOSURE - Physical system enclosure management.
SYSTEMSLOT - Management of physical connection points including ports, slots and peripherals, and proprietary connections points.
TAPEDRIVE - Tape drive management.
TEMPERATURE - Data management of a temperature sensor (electronic thermometer).
TIMEZONE - Time zone data management.
UPS - Uninterruptible power supply (UPS) management.
USERACCOUNT - User account management.
VOLTAGE - Voltage sensor (electronic voltmeter) data management.
VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume.
WMISET - WMI service operational parameters management.

For more information on a specific alias, type: alias /?

CLASS - Escapes to full WMI schema.
PATH - Escapes to full WMI object paths.
CONTEXT - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.

For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

tasklist


TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] | /SVC | /V] [/FI filter] [/FO format] [/NH]

Description:
This command line tool displays a list of application(s) and
associated task(s)/process(es) currently running on either a local or
remote system.

Parameter List:
/S system Specifies the remote system to connect to.

/U [domain\]user Specifies the user context under which
the command should execute.

/P [password] Specifies the password for the given
user context. Prompts for input if omitted.

/M [module] Lists all tasks that have DLL modules loaded
in them that match the given pattern name.
If the module name is not specified,
displays all modules loaded by each task.

/SVC Displays services in each process.

/V Specifies that the verbose information
is to be displayed.

/FI filter Displays a set of tasks that match a
given criteria specified by the filter.

/FO format Specifies the output format.
Valid values: "TABLE", "LIST", "CSV".

/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.

/? Displays this help/usage.

Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING | NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name

Examples:
TASKLIST
TASKLIST /M
TASKLIST /V
TASKLIST /SVC
TASKLIST /M wbem*
TASKLIST /S system /FO LIST
TASKLIST /S system /U domain\username /FO CSV /NH
TASKLIST /S system /U username /P password /FO TABLE /NH
TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "STATUS eq running"

taskkill

>taskkill /?

TASKKILL [/S system [/U username [/P [password]]]]
{ [/FI filter] [/PID processid | /IM imagename] } [/F] [/T]

Description:
This command line tool can be used to end one or more processes.
Processes can be killed by the process id or image name.

Parameter List:
/S system Specifies the remote system to connect to.

/U [domain\]user Specifies the user context under which
the command should execute.

/P [password] Specifies the password for the given
user context. Prompts for input if omitted.

/F Specifies to forcefully terminate
process(es).

/FI filter Displays a set of tasks that match a
given criteria specified by the filter.

/PID process id Specifies the PID of the process that
has to be terminated.

/IM image name Specifies the image name of the process
that has to be terminated. Wildcard '*'
can be used to specify all image names.

/T Tree kill: terminates the specified process
and any child processes which were started by it.

/? Displays this help/usage.

Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING | NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number.
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
MODULES eq, ne DLL name
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title

NOTE: Wildcard '*' for the /IM switch is accepted only with filters.

NOTE: Termination of remote processes will always be done forcefully
irrespective of whether /F option is specified or not.

Examples:
TASKKILL /S system /F /IM notepad.exe /T
TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
TASKKILL /F /IM notepad.exe /IM mspaint.exe
TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
TASKKILL /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
TASKKILL /S system /U username /P password /FI "IMAGENAME eq note*"

[1.] Using Netsh [MS]
[2.] Command line kung-fu 24-Aug-2006 [SANS]
[3.] Windows Command-Line Kung Fu with WMIC 30-Mar-2006 [SANS]
[4.] Netsh Command (Certification) [Lockergnome]
[5.] How to Use the Netsh.exe Tool and Command-Line Switches [MS]
[6.] How to Use the NETSH Command to Change from Static IP Address to DHCP in Windows 2000 [MS]
[7.] Using Netsh with Windows Firewall [WindowsNetworking]

Patch Tuesday Wednesday (SEP-2006)

12 September 2006 – Patch Tuesday
Welcome to another 'Patch Tuesday'. This month's show bag contains the following fun products: Critical (1), Important (1), Moderate (1).


| Bulletin | KB number | Description | Severity | Impact |
|---|---|---|---|---|
| MS06-054 | 910729 | Vulnerability in Microsoft Publisher Could Allow Remote Code Execution | Critical | Remote Code Execution |
| MS06-052 | 919007 | Vulnerability in Reliable Multicast Program (PGM) Could Result in Denial of Service | Important | Denial of Service |
| MS06-053 | 920685 | Vulnerability in Indexing Service Could Allow Cross-Site Scripting | Moderate | Information Disclosure |
|  | 922582 | Update for Windows XP |  | Fixes a problem in Filter Manager |
|  | 890830 | Windows Malicious Software Removal Tool – September 2006 |  | Update |
|  | 921580 | Update for Outlook 2003 Junk Email Filter |  | Update |

In our environment:
MS06-052 – Windows XP Service Pack 2 (Important), Windows 2000 Service Pack 4 (Non-Affected)
MS06-053 – Windows XP Service Pack 2 (Moderate), Windows 2000 Service Pack 4 (Moderate)
MS06-054 – Publisher 2000 (Critical), Publisher 2002 (Important), Publisher 2003 (Important)

Re-released:
MS06-040, MS06-042 (second change) *PATCH NOW*

Actions:
Staff – patch as regular maintenance
Labs – push patches ASAP after testing on LCG; Publisher exploit risk is minimal but exists.


