Network security configuration from the command line (DOS/batch)

Source: Internet
Author: User
There are many command-line tools for networking: the familiar ping, tracert, ipconfig, telnet, ftp, tftp and netstat, and the less familiar nbtstat, pathping, nslookup, finger, route, netsh and so on.
These commands fall into three categories: network probing (such as ping), network connection (such as telnet) and network configuration (such as netsh). The first two are relatively simple, so this article covers only two network configuration tools.

Netsh
Using netsh in a remote shell first requires solving the problem of interaction. As mentioned earlier, many remote shells cannot redirect input and output a second time, so interactive command-line tools such as ftp cannot be used in that environment. The way around it is that interactive tools generally accept a script (an answer file) instead: ftp has -s:filename, and netsh likewise has netsh -f filename.

The netsh commands are very powerful: they can configure IAS, DHCP, RAS, WINS, NAT servers, the TCP/IP and IPX protocols, routing and more. We are not administrators and generally do not need to know all of that; here netsh is used only to learn the target host's network configuration.

1. TCP/IP configuration

echo interface ip >s
echo show config >>s
netsh -f s
del s

From this you can tell whether the host has more than one network card and IP address, whether the IP is assigned dynamically (DHCP), and what the intranet IP is (if any).
This command is roughly equivalent to ipconfig /all.

Note that the following commands require the RemoteAccess service to be running on the target host. If it has been disabled, first re-enable it by importing the registry, and then:
net start RemoteAccess

2. ARP

echo interface ip >s
echo show ipnet >>s
netsh -f s
del s

This gives slightly more information than arp -a.

3. TCP/UDP connections

echo interface ip >s
echo show tcpconn >>s
echo show udpconn >>s
netsh -f s
del s

This set of commands is equivalent to netstat -an.

4. Network card information
If every netsh command had a replacement, what need would there be for it to exist? This one has no substitute.

echo interface ip >s
echo show interface >>s
netsh -f s
del s

Other netsh features, such as changing the IP address, are generally not needed (if the host becomes unreachable after an IP change, there is nobody to call for help), so they are all skipped.

IPSec
The first thing to point out is that IPSec and TCP/IP filtering are different things; do not confuse them. TCP/IP filtering has very limited functionality and is far less flexible and powerful than IPSec. Let's look at how to control IPSec from the command line.

XP uses ipseccmd and 2000 uses ipsecpol. Unfortunately, neither ships with the system itself. ipseccmd is in Support\Tools\support.cab on the XP installation disc, and ipsecpol is in the Resource Kit. To use ipsecpol you must also upload two more files, ipsecutil.dll and text2pol.dll; the three files total 119KB.

IPSec can be controlled through Group Policy, but I searched MSDN and did not find the corresponding security template syntax, and IPSec policies that are already configured cannot be exported as templates, so the Group Policy route is out. IPSec settings are saved in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local), so in theory IPSec could be configured by editing the registry. But much of the information is stored in binary form and is difficult to read and modify. By comparison, uploading the command-line tools is more convenient.

Information about ipsecpol and ipseccmd can be found on the Internet, so this article does not go into detail and instead lists some practical examples.
The syntax of ipseccmd and ipsecpol for setting IPSec policy is almost identical, so ipsecpol is used as the example:

1. Defending against the RPC/DCOM attack

ipsecpol -p myfirewall -r rpc-dcom -f *+0:135:tcp *+0:135:udp *+0:137:udp *+0:138:udp *+0:139:tcp *+0:445:tcp *+0:445:udp -n BLOCK -w reg -x

This command closes the local host's TCP ports 135, 139 and 445 and UDP ports 135, 137, 138 and 445.
The options mean the following:
-p myfirewall   Names the policy myfirewall.
-r rpc-dcom     Names the rule rpc-dcom.
-f ...          Creates 7 filters. * stands for any address (source), 0 for the local address (destination) and + for a mirrored (bidirectional) filter. See ipsecpol -? for the full syntax.
-n BLOCK        Sets the filter action to "block". Note that BLOCK must be uppercase.
-w reg          Writes the configuration to the registry so it stays in effect after a reboot.
-x              Activates the policy immediately.

2. Preventing the host from being pinged

ipsecpol -p myfirewall -r antiping -f *+0::icmp -n BLOCK -w reg -x

If a policy named myfirewall already exists, the antiping rule is added to it.
Note that this rule also prevents the host from pinging others.

3. IP restrictions on the back door
Let's say you have installed DameWare Mini Remote Control on a host. To keep someone else from breaking its password or exploiting an overflow, you should restrict access to its service port, 6129.

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.89+0:6129:tcp -n PASS -w reg -x

This means that only 123.45.67.89 can reach port 6129 on the host.
If your IP is dynamic, set the rule according to the range it is allocated from. For example:

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.*+0:6129:tcp -n PASS -w reg -x

This allows IPs 123.45.67.1 through 123.45.67.254 to access port 6129.

When writing rules, be especially careful not to block yourself. If you are not sure a rule will have the effect you expect, you can "leave yourself a way out" with a scheduled task. For example:

C:\>net start Schedule
Task Scheduler Service is starting.
The Task Scheduler service has started successfully.

C:\>time /t
12:34

C:\>at 12:39 ipsecpol -p myfw -y -w reg
A new job with a job ID = 1

Then you have 5 minutes to set up the myfw policy and test it. The scheduled task will stop the policy after 5 minutes.
If the test results are not satisfactory, delete the policy:

C:\>ipsecpol -p myfw -o -w reg

Note that before deleting a policy you must make sure it has been stopped. If it is not stopped, it continues to take effect for some time even after deletion; how long depends on the policy refresh interval, which defaults to 180 minutes.

If the test passes, enable it:

C:\>ipsecpol -p myfw -x -w reg
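The same safety net, wrapped into a batch file that computes the stop time itself instead of reading the clock by hand. This is an added example, not from the original article; it assumes ipsecpol.exe is in the PATH and that the policy (placeholder name myfw) was already created with -w reg as in the rules above.

```batch
@echo off
rem Added example, not from the original article: activate an existing
rem IPSec policy but first schedule its deactivation (ipsecpol -y) five
rem minutes from now with the at command, the "leave yourself a way out"
rem technique above, so a rule that cuts off your own session reverts itself.
rem Assumes ipsecpol.exe is in the PATH and the policy (placeholder name
rem "myfw") was already created with -w reg. Save and run as a .bat file.
set pol=myfw
net start Schedule >nul 2>&1
rem %time% looks like " 9:05:12.34"; pad the blank hour to "09" first, then
rem use the 1xx-100 trick so "08"/"09" are not read as invalid octal numbers
set t=%time: =0%
for /f "tokens=1,2 delims=:.," %%a in ("%t%") do (
  set /a hh=1%%a-100
  set /a mm=1%%b-100
)
set /a mm+=5
if %mm% geq 60 (set /a mm-=60 & set /a hh+=1)
if %hh% geq 24 set /a hh-=24
rem re-pad to two digits, which is the HH:MM form the at command expects
set hh=0%hh%
set mm=0%mm%
set hh=%hh:~-2%
set mm=%mm:~-2%
rem -y deactivates the policy; -w reg makes the change persistent
at %hh%:%mm% ipsecpol -p %pol% -y -w reg
rem now activate the policy and test your connection while the clock runs
ipsecpol -p %pol% -x -w reg
echo Policy %pol% is active and will be stopped at %hh%:%mm% by the scheduled job.
echo If the test passes, delete the scheduled job (at [id] /delete) before then.
```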

Finally, how to view IPSec policies.
On XP it's simple; one command does it: ipseccmd show filters
ipsecpol has no query capability, so you need another command-line tool, netdiag. It is in Support\Tools\support.cab on the 2000 installation disc. (Three files have already been uploaded; one more doesn't matter. ^_^)

netdiag needs the RemoteRegistry service, so start that service first:

net start RemoteRegistry

If RemoteRegistry is not started you will get an error:

[FATAL] Failed to get system information of this machine.

netdiag is a very powerful tool; all sorts of network-related information can be obtained with it. However, its output is sometimes so detailed that it exceeds the output buffer of the cmd.exe console, and not every remote cmd shell can page the output with the more command.

The command for viewing IPSec policies is:
netdiag /debug /test:ipsec

This prints a long stream of output; the IPSec policy is at the end.


Software Installation
Installing a piece of software or a tool typically does only two things: copy files to particular directories and modify the registry. As long as you know the specifics, you can do it yourself at the command line. (Software that needs registration or activation after installation is not considered here.)

WinPcap is a very common tool, but it has to be installed through the graphical interface. A GUI-less version can also be found on the Internet (though it has a copyright page); in fact we can do it ourselves.

Take WinPcap 3.0a as an example. By comparing snapshots of the file system and the registry before and after installation, it is easy to understand the entire installation process.
Leaving the uninstaller aside, there are three key files: wpcap.dll, packet.dll and npf.sys. The first two go in the System32 directory and the third in System32\Drivers. The registry change is the addition of a system service, NPF. Note that a system service (that is, a driver) is not a Win32 service.

As a system service it not only adds a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services but also adds a key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root. By default the latter can only be modified by the SYSTEM account. Fortunately there is no need to add it manually: WinPcap takes care of it automatically when it is invoked. Even without modifying the registry by hand, WinPcap will complete it itself; you just need to copy the three files to the appropriate locations.
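The before/after comparison described above, as an added example that is not part of the original article. It snapshots the System32 tree and the Services and Enum\Root keys and diffs the two snapshots; the file names and the "before"/"after" tags are arbitrary, and it assumes reg.exe (built into XP, Support Tools on 2000) and fc.exe are available.

```batch
@echo off
rem Added example, not from the original article: take a snapshot of the
rem System32 tree and of the Services and Enum\Root registry keys before and
rem after an installer runs, then diff the two, which is the comparison the
rem article used to find WinPcap's three files and its NPF service.
rem Usage: snap.bat before   (run the installer)   snap.bat after
rem Assumes reg.exe (built into XP, Support Tools on 2000) and fc.exe.
if "%1"=="" (echo usage: %0 before ^| after & goto :eof)
set tag=%1
rem /a-d lists files only; /s recurses into System32\Drivers as well
dir /s /b /a-d "%systemroot%\system32" > files_%tag%.txt
rem without /s, reg query lists one line per subkey, i.e. one per service
reg query HKLM\SYSTEM\CurrentControlSet\Services > keys_%tag%.txt
reg query HKLM\SYSTEM\CurrentControlSet\Enum\Root >> keys_%tag%.txt
if /i not "%tag%"=="after" goto :eof
rem fc prints the differing lines; the lines listed under the "after"
rem file name are the files and service keys the installer added
echo === file changes ===
fc /l files_before.txt files_after.txt
echo === registry key changes ===
fc /l keys_before.txt keys_after.txt
```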

As an example, here is how to modify the registry using the INF file mentioned earlier.

[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=NPF,,winpcap_svr
[winpcap_svr]
DisplayName=NetGroup Packet Filter
ServiceType=0x1
StartType=3
ErrorControl=1
ServiceBinary=%12%\npf.sys

Save the above as a file named _wpcap_.inf.
Then write a batch file, _wpcap_.bat:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %cd%\_wpcap_.inf
del _wpcap_.inf
if /i "%cd%"=="%systemroot%\system32" goto copydrv
copy packet.dll %systemroot%\system32\
copy wpcap.dll %systemroot%\system32\
del packet.dll
del wpcap.dll
:copydrv
if /i "%cd%"=="%systemroot%\system32\drivers" goto end
copy npf.sys %systemroot%\system32\drivers\
del npf.sys
:end
del %0

Then use WinRAR to package all five files into a self-extracting EXE, and under "Advanced SFX options" -> "Run after extraction" enter _wpcap_.bat. The command-line WinPcap installation package is done.

Note that the last line of the batch file must not end with a carriage return; otherwise the batch file will be unable to delete itself because it is still running.

Basically all software installation can follow this idea. But there is an exception: installing system patches.
The copy command cannot be used, because a patch may be replacing files that are being executed or accessed.
Fortunately, Windows hotfixes support command-line installation. For example:

KB824146.exe -n -z -q

-n   Do not keep a backup
-z   Do not restart
-q   Quiet mode

If there is a pile of patches to apply, pack them with RAR into a self-extracting file along with a batch file:

for %%f in (KB??????.exe) do %%f -n -z -q
for %%f in (KB??????.exe) do del %%f
del %0


Windows Script
Many tasks are very concise when done with a script. Here are echo versions of several common scripts.

1. Display the system version

@echo for each ps in GetObject _ >ps.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").Instances_ >>ps.vbs
@echo WScript.Echo ps.caption^&" "^&ps.version:next >>ps.vbs
cscript //nologo ps.vbs & del ps.vbs

2. Enumerate processes

@echo for each ps in GetObject _ >ps.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").Instances_ >>ps.vbs
@echo WScript.Echo ps.handle^&vbtab^&ps.name^&vbtab^&ps.executablepath:next >>ps.vbs
cscript //nologo ps.vbs & del ps.vbs

3. Terminate a process

@echo for each ps in GetObject _ >pk.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").Instances_ >>pk.vbs
@echo if ps.handle=wscript.arguments(0) then WScript.Echo ps.terminate:end if:next >>pk.vbs

To terminate the process with PID 123, use:
cscript pk.vbs 123

If a 0 is displayed, the termination succeeded.

Then:
del pk.vbs

4. Reboot the system

@echo for each os in GetObject _ >rb.vbs
@echo ("winmgmts:{(shutdown)}!\\.\root\cimv2:win32_operatingsystem").Instances_ >>rb.vbs
@echo os.win32shutdown(2):next >>rb.vbs & cscript //nologo rb.vbs & del rb.vbs

5. List services that start automatically

@echo for each sc in GetObject("winmgmts:\\.\root\cimv2:win32_service").Instances_ >sc.vbs
@echo if sc.startmode="Auto" then WScript.Echo sc.name^&"-"^&sc.pathname >>sc.vbs
@echo next >>sc.vbs & cscript //nologo sc.vbs & del sc.vbs

6. Enumerate running services

@echo for each sc in GetObject("winmgmts:\\.\root\cimv2:win32_service").Instances_ >sc.vbs
@echo if sc.state="Running" then WScript.Echo sc.name^&"-"^&sc.pathname >>sc.vbs
@echo next >>sc.vbs & cscript //nologo sc.vbs & del sc.vbs

7. Display the last system boot time

@echo for each os in GetObject _ >bt.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").Instances_ >>bt.vbs
@echo WScript.Echo os.lastbootuptime:next >>bt.vbs & cscript //nologo bt.vbs & del bt.vbs
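A defender's variant of script 5, built with the same echo-to-VBScript idiom. This is an added example, not from the original article: it lists auto-start services but flags any whose binary lives outside the SystemRoot or ProgramFiles trees, a quick check for service-based persistence. The file name _svcchk.vbs is arbitrary; save the block as a .bat file so the doubled %% signs are reduced correctly.

```batch
@echo off
rem Added example, not from the original article: like script 5 above, this
rem lists auto-start services via WMI, but flags any whose binary does not
rem live under SystemRoot or ProgramFiles. Services starting from odd
rem locations (temp or user folders) are a common persistence sign.
rem Assumes cscript.exe is available; the file name _svcchk.vbs is arbitrary.
set v=_svcchk.vbs
>%v%  echo set sh = CreateObject("WScript.Shell")
>>%v% echo sysroot = LCase(sh.ExpandEnvironmentStrings("%%SystemRoot%%"))
>>%v% echo progs = LCase(sh.ExpandEnvironmentStrings("%%ProgramFiles%%"))
>>%v% echo for each sc in GetObject("winmgmts:\\.\root\cimv2:win32_service").Instances_
>>%v% echo   if sc.startmode = "Auto" then
>>%v% echo     if IsNull(sc.pathname) then p = "" else p = LCase(sc.pathname)
>>%v% echo     if Left(p, 1) = """" then p = Mid(p, 2)
>>%v% echo     flag = ""
>>%v% echo     if InStr(p, sysroot) ^<^> 1 and InStr(p, progs) ^<^> 1 then flag = "  <-- outside system dirs"
>>%v% echo     WScript.Echo sc.name ^& vbTab ^& sc.pathname ^& flag
>>%v% echo   end if
>>%v% echo next
cscript //nologo %v%
del %v%
```

Quoted paths have their leading quote stripped before the prefix test, so a service registered as "C:\Program Files\..." is still recognised as living under ProgramFiles.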
