Shulou(Shulou.com)06/03 Report--

This article mainly shows you "how to configure network security under CMD". The content is simple and clear. I hope it can help you solve your doubts. Let me lead you to study and learn this article "how to configure network security under CMD".

There are many command-line tools about the network, such as ping,tracert,ipconfig,telnet,ftp,tftp,netstat that we are familiar with, and nbtstat,pathping,nslookup,finger,route,netsh that we are not familiar with.

These commands can be divided into three categories: network detection (such as ping), network connection (such as telnet), and network configuration (such as netsh). The first two are relatively simple, and this article only introduces two network configuration tools.

Netsh

The first step in using netsh in a remote shell is to solve the problem of interaction. As mentioned earlier, many shell cannot redirect output again, so command-line tools such as ftp cannot be used interactively in this environment. The solution is that generally interactive tools allow the use of scripts (or answer files). Such as ftp-s:filename. The same goes for netsh: netsh-f filename.

The netsh command has many functions, such as IAS, DHCP, RAS, WINS, NAT server, TCP/IP protocol, IPX protocol, routing and so on. We are not administrators, generally there is no need to know so much, we just need to use netsh to understand the network configuration information of the target host.

1dyne TCPUnip IP configuration

Echo interface ip > s

Echo show config > > s

Netsh-f s

Del s

From this you can know that the host has multiple network cards and IP, whether it is dynamically allocating IP (DHCP), and how much the intranet IP is (if any).

This command is similar to ipconfig / all.

Note that the following command requires the target host to start the remoteaccess service. If it is disabled, please first unban it by importing the registry, and then

Net start remoteaccess

2,ARP

Echo interface ip > s

Echo show ipnet > > s

Netsh-f s

Del s

This is a little more informative than the arp-a command.

3Gen TCPPUDP connection

Echo interface ip > s

Echo show tcpconn > > s

Echo show udpconn > > s

Netsh-f s

Del s

This set of commands is the same as netstat-an.

4. Network card information

If netsh commands are replaced by other commands, what is the need for it to exist? You can't find a replacement for the next one.

Echo interface ip > s

Echo show interface > > s

Netsh-f s

Del s

Other features of netsh, such as modifying IP, are generally unnecessary (in case you can't connect with IP, "heaven should not be called and earth should not work"), so skip them all.

IPSec

First of all, it is important to point out that IPSec and TCP/IP filtering are different things, so don't be confused. The functionality of TCP/IP filtering is very limited and is far less flexible and powerful than IPSec. Here's how to control IPSec from the command line.

XP system uses ipsecpol under ipseccmd,2000. Unfortunately, none of them come with the system. Ipseccmd is in SUPPORT\ TOOLS\ SUPPORT.CAB of the xp system installation disk, and ipsecpol is in 2000 Resource Kit. Also, you must bring two other files with you to use ipsecpol: ipsecutil.dll and text2pol.dll. A total of three files 119KB.

IPSec can be controlled through group policy, but I looked all over MSDN and couldn't find the syntax of the corresponding security template. IPSec policies that have been configured cannot be exported as templates. Therefore, the path of group policy is impassable. The settings for IPSec are saved in the registry (HKEY_LOCAL_MACHINE\ SOFTWARE\ Policies\ Microsoft\ Windows\ IPSec\ Policy\ Local), and IPSec can theoretically be configured by modifying the registry. However, a lot of information is stored in binary form, and it is difficult to read and modify. By contrast, uploading command-line tools is more convenient.

A lot of information about ipsecpol and ipseccmd can be found on the Internet, so this article will not go into detail, just give some practical examples.

In terms of setting IPSec policies, the syntax of the ipseccmd command is almost exactly the same as ipsecpol, so just take ipsecpol as an example:

1. Defend against rpc-dcom attacks

Ipsecpol-p myfirewall-r rpc-dcom-f * + 0:135:tcp * + 0:135:udp * + 0:137:udp * + 0:138:udp * + 0:139:tcp * + 0:445:tcp * + 0:445:udp-n BLOCK-w reg-x

This command shuts down the TCP135139445 and udp135137138445 ports of the local host.

The specific meaning is as follows:

-p myfirewall specifies that the policy name is myfirewall

-r rpc-dcom specifies that the rule name is rpc-dcom

-f. Create 7 filters. * indicates any address (source); 0 indicates local address (destination); + indicates mirror (bidirectional) filtering. For more information on syntax, see ipsecpol -?

-n BLOCK specifies that the filter operation is "blocking". Note that BLOCK must be uppercase.

-w reg writes the configuration to the registry and remains valid after reboot.

-x activate the policy immediately.

2. Prevent from being ping

Ipsecpol-p myfirewall-r antiping-f * + 0::icmp-n BLOCK-w reg-x

If a policy named myfirewall already exists, the antiping rule is added to it.

Note that this rule also prevents the host from ping others.

3. Impose IP restrictions on the back door

Suppose you have DameWare Mini Remote Control installed on a host. In order to protect it from being broken or overflowed by others, access to its service port 6129 should be restricted.

Ipsecpol-p myfw-r dwmrc_block_all-f * + 0:6129:tcp-n BLOCK-w reg

Ipsecpol-p myfw-r dwmrc_pass_me-f 123.45.67.89+0:6129:tcp-n PASS-w reg-x

In this way, only 123.45.67.89 can access port 6129 of the host.

If you are a dynamic IP, you should set rules according to the scope assigned by IP. For example:

Ipsecpol-p myfw-r dwmrc_block_all-f * + 0:6129:tcp-n BLOCK-w reg

Ipsecpol-p myfw-r dwmrc_pass_me-f 123.45.67.*+0:6129:tcp-n PASS-w reg-x

This allows IP from 123.45.67.1 to 123.45.67.254 to access port 6129.

When writing rules, you should be very careful not to block yourself. If you are not sure whether a rule works as expected, you can use the planned task to "leave the way". For example:

C:\ > net start schedule

The Task Scheduler service is starting..

The Task Scheduler service has started successfully.

C:\ > time / t

12:34

C:\ > at 12:39 ipsecpol-p myfw-y-w reg

A new assignment has been added, and its ID = 1

Then you have 5 minutes to set up a myfw policy and test it. The scheduled task will stop the policy after 5 minutes.

If the test results are not satisfactory, delete the policy.

C:\ > ipsecpol-p myfw-o-w reg

Note that you must make sure that the policy is stopped before you delete it. If it is not stopped, even the deletion will continue to take effect for a period of time. The duration depends on the refresh time of the policy, and the default is 180 minutes.

If the test passes, enable it.

C:\ > ipsecpol-p myfw-x-w reg

Finally, let's talk about how to view the IPSec policy.

It's easy for XP to do it with one command-- ipseccmd show filters.

Ipsecpol does not have the function of query. You need to use another command line tool, netdiag. It is located in SUPPORT\ TOOLS\ SUPPORT.CAB on the 2000 system installation disk. Three files have been uploaded, so I don't care about one more. ^ _ ^)

Netdiag requires support from RemoteRegistry services. So start the service first:

Net start remoteregistry

If you don't start RemoteRegistry, you'll get an error:

[FATAL] Failed to get system information of this machine.

Netdiag this tool is very powerful, and network-related information can be obtained! However, the output is sometimes too detailed to exceed the output cache of the command line console cmd.exe, rather than that every remote cmd shell can be paged with the more command.

The command to view the ipsec policy is:

Netdiag / debug / test:ipsec

Then there is a long list of output information. The IPSec policy is at the end.

Software installation

The installation process of a software / tool generally does two things: copying files to a specific directory and modifying the registry. As long as you figure out the details, you can do it yourself on the command line. (regardless of the need for registration and activation after installation)

WinPcap is a very common tool, but it must be installed in the window interface. You can also find a version that does not use GUI on the Internet (but there is still a copyright page). In fact, we can make one ourselves.

Take WinPcap 3.0a as an example. By comparing the file system and registry snapshots before and after installation, it is easy to understand the entire installation process.

Apart from the anti-installation part, there are three key files: wpcap.dll,packet.dll and npf.sys. The first two files are located in the system32 directory, and the third is under system32\ drivers. The change in the registry is the addition of a system service NPF. Note that it is the system service (that is, the driver), not the Win32 service.

As a system service, you need to add primary keys not only under HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services, but also under HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Enum\ Root. In the latter, only the SYSTEM identity can be modified by default. Fortunately, you don't need to add it manually, it will be done automatically when winpcap is called. Even without having to manually modify the registry, winpcap will do everything on its own, just copy the three files to the right location.

As an example, let's demonstrate how to modify the registry: using the inf file mentioned earlier.

[Version]

Signature= "$WINDOWS NT$"

[DefaultInstall.Services]

AddService=NPF,winpcap_svr

[winpcap_svr]

DisplayName=Netgroup Packet Filter

ServiceType=0x1

StartType=3

ErrorControl=1

ServiceBinary=%\ npf.sys

Save the above as a _ wpcap_.inf file.

Write another batch _ wpcap_.bat:

Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128% CD%\ _ wpcap_.inf

Del _ wpcap_.inf

If / I% CD%==%SYSTEMROOT%\ system32 goto COPYDRV

Copy packet.dll% SYSTEMROOT%\ system32\

Copy wpcap.dll% SYSTEMROOT%\ system32\

Del packet.dll

Del wpcap.dll

: COPYDRV

If / I% CD%==%SYSTEMROOT%\ system32\ drivers goto END

Copy npf.sys% SYSTEMROOT%\ system32\ drivers\

Del npf.sys

: END

Del 0

Then use winrar to package all the files (5) into a self-extracting exe, and set "Advanced self-extracting options"-> "run after extraction" to _ wpcap_.bat, and the winpcap installation package on the command line is completed.

Notice that there is no carriage return on the last line of the batch. Otherwise, you will not be able to delete yourself because you are running.

This idea can basically be applied to all software installations. But there is an exception, and that is the installation of system patches.

Because it is possible for system patches to replace files that are being executed or accessed, it is not possible to use the copy command.

Fortunately, the Windows fix pack supports command line installation.

For example:

KB824146.exe-n-z-Q

-n do not keep backup

-Z do not start over

-Q quiet mode

If you have a bunch of patches to make, package them in RAR into a self-extracting file, plus a batch.

For f in (KB?.exe) do f-n-z-Q

For f in (KB?.exe) do del f

Del 0

Windows script

A lot of things are very simple to do with scripts. Here are a few echo versions of commonly used scripts.

1, display the system version

@ echo for each ps in getobject _ > ps.vbs

@ echo ("winmgmts:\\.\ root\ cimv2:win32_operatingsystem") .instances_ > > ps.vbs

@ echo wscript.echo ps.caption ^ & "^ & ps.version:next > > ps.vbs

Cscript / / nologo ps.vbs & del ps.vbs

2, enumerate processes

@ echo for each ps in getobject _ > ps.vbs

@ echo ("winmgmts:\\.\ root\ cimv2:win32_process") .instances_ > > ps.vbs

@ echo wscript.echo ps.handle^ & vbtab^ & ps.name ^ & vbtab^ & ps.executablepath:next > > ps.vbs

Cscript / / nologo ps.vbs & del ps.vbs

3. Terminate the process

@ echo for each ps in getobject _ > pk.vbs

@ echo ("winmgmts:\\.\ root\ cimv2:win32_process") .instances_ > > pk.vbs

@ echo if ps.handle=wscript.arguments (0) then wscript.echo ps.terminate:end if:next > > pk.vbs

To terminate a process with a PID of 123, use the following syntax:

Cscript pk.vbs 123

If a 0 is displayed, the termination is successful.

Then:

Del pk.vbs

4, restart the system

@ echo for each os in getobject _ > rb.vbs

@ echo ("winmgmts: {(shutdown)}!\\.\ root\ cimv2:win32_operatingsystem") .instances_ > > rb.vbs

@ echo os.win32shutdown (2): next > > rb.vbs & cscript / / nologo rb.vbs & del rb.vbs

5, list the self-starting services

@ echo for each sc in getobject ("winmgmts:\\.\ root\ cimv2:win32_service") .instances_ > sc.vbs

@ echo if sc.startmode= "Auto" then wscript.echo sc.name ^ & "-" ^ & sc.pathname > > sc.vbs

@ echo next > > sc.vbs & cscript / / nologo sc.vbs & del sc.vbs

6, list the services that are running

@ echo for each sc in getobject ("winmgmts:\\.\ root\ cimv2:win32_service") .instances_ > sc.vbs

@ echo if sc.state= "Running" then wscript.echo sc.name ^ & "-" ^ & sc.pathname > > sc.vbs

@ echo next > > sc.vbs & cscript / / nologo sc.vbs & del sc.vbs

7, showing the time when the system was last started

@ echo for each os in getobject _ > bt.vbs

@ echo ("winmgmts:\\.\ root\ cimv2:win32_operatingsystem") .instances_ > > bt.vbs

@ echo wscript.echo os.lastbootuptime:next > > bt.vbs & cscript / / nologo bt.vbs & del bt.vbs

These are all the contents of the article "how to configure Network Security under CMD". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.