We have all heard people talk about how much cooler Linux is than Windows, so much easier to use, etc. Well, they are not necessarily wrong… but we have learned that Microsoft has some very interesting gems hiding in plain sight.
Seriously, Microsoft seems to be making a concerted effort to add some Linux-y functionality. In fact, they introduced Linux as a subsystem on Windows 10 back in 2016. You enable the feature using PowerShell, then visit the Microsoft Store and pick your favorite distro to install. But I digress… this blog post is not about Linux, it is about some neat utilities built into Windows… some are in fact very Linux-y and some are unique to Windows but still interesting to pentesters. We will show you some of the interesting finds below.
Note that the help docs for many of the tools can be found in the Windows Command reference document here.
The built-in certutil command can be used as a quick base64 encoder/decoder. It is meant to encode and decode SSL certificates but can be used for other things as well. For example, let’s say you need to get an executable file onto a target system but a network control detects/prevents the transfer of an EXE file. Well, in that case, you can base64 encode it prior to sending and then base64 decode it using certutil once it’s on the target system. Nice.
Here is an example using a string of text but it would work the same way for a binary executable file.
By default, certutil decodes and encodes base64 data. But another fun fact is that it can also decode hexadecimal:
While the help text does not show an option for hex encoding, we tried it and it actually does work… have a look.
This might come in very handy if you are looking for, say, strings in a binary. Below is an example showing a hex dump of notepad.exe.
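As an added example (not code from the original post), the following Python reproduces the layout certutil -encode writes (a BEGIN/END CERTIFICATE wrapper around 64-column base64 lines with CRLF endings) and then decodes such a file and reports whether it really holds a DER certificate or a Windows executable, which is the triage question a defender has when the transfer trick above shows up as a stray "certificate" file. The sample payloads are constructed fake headers, not real files.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> str:
    """Lay the data out the way certutil -encode does: a BEGIN/END CERTIFICATE
    wrapper around base64 broken into 64-column lines with CRLF endings."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *lines, END]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Decode certutil -encode output; header, footer and blank lines are skipped."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def classify_payload(data: bytes) -> str:
    """Triage what a 'certificate' file really holds. A DER certificate starts
    with an ASN.1 SEQUENCE tag (0x30); a Windows PE file starts with 'MZ'."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:1] == b"\x30":
        return "der-certificate"
    return "other"


def triage_cert_text(text: str) -> str:
    """Decode a file that looks like a PEM certificate and say what it contains."""
    try:
        return classify_payload(certutil_decode(text))
    except ValueError:          # base64.b64decode(validate=True) raises on junk
        return "not-base64"


# Constructed samples: a fake PE header (not a runnable executable) wrapped the
# way the base64 transfer trick produces it, and a fake DER prefix for contrast.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode"
FAKE_DER = b"\x30\x82\x01\x0a\x02\x01\x03"
SMUGGLED_TEXT = certutil_encode(FAKE_PE)

if __name__ == "__main__":
    print(SMUGGLED_TEXT)
    print("smuggled file:", triage_cert_text(SMUGGLED_TEXT))
    print("real-looking cert:", triage_cert_text(certutil_encode(FAKE_DER)))
```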
Microsoft developed the “Clippy” character to assist users with Office products. He has been on and off the payroll since 1997 and (understandably) appears to be currently on leave.
Completely unrelated to “Clippy” is the clip utility.
This utility redirects output to the clipboard. For example, if you want to capture running services and insert the list into the clipboard:
You can direct the output from a command into the clipboard for easy copy/pasting, or you can stuff the contents of a whole file into the clipboard.
- net1 start | clip
- PS C:\> net1 user /domain | clip
- clip < myTextFile.txt
In all three cases, you have loaded something into the clipboard, which you can retrieve and paste where you need it using right-click “paste” or Control-V.
I use clip.exe all the time with WSL (Windows Subsystem for Linux) as well using something like this:
$ cat file.csv | cut -f2 -d"," | sort | uniq | clip.exe
It is a very handy way to slice and dice data for use in a report.
Clipboard history (saving of multiple items) is off by default, but if you turn it on you can use Windows + V to access all of the “clips” in the clipboard.
To paste one of the items in the clipboard, just click on the one you want.
You can even pin a clip and it will be saved (until a reboot) even if you clear the clipboard.
This is a great place to store passwords.
Cmdkey is the command version of the Windows credential manager. The equivalent GUI version can be launched using “control keymgr.dll” or by selecting “Credential Manager” from the Control Panel. Show any saved credentials using the command
But what if there were stored credentials that were privileged? How could an attacker use them?
According to this blog post, it’s easy, although when I set up Cobalt Strike and tried it, it didn’t work, but your mileage may vary.
Curl is a command-line HTTP client, like wget, that pulls content from a web server. It is found on most Linux systems by default and was recently added to Windows!
For pentesters, maybe proxy configurations prevent you from downloading files using a browser. If so, try curl and maybe such downloads won’t get noticed.
Here is an example of something very useful you can do with curl:
Curl has an in-depth help page as well. Use “curl --help” to view all the options.
“net1” is pretty much the same as “net” but about 20 years ago, as we approached Y2K, there was a problem with the “net” command. The “net1” command was the remedy for that issue and it has stuck around ever since. Why does this matter now? It probably doesn’t in most cases but if you are a pentester, you might just find that the “net” command gets noticed by the blue team while the “net1” command does not.
- net1 localgroup administrators - enumerate local admin accounts
- net1 start - see list of running services
- net1 start | find /v "" /c - show a count of running services
Tar is an old Unix utility originally created to make tape archives from one or more files. This was developed as a backup solution. Today, tar is used similarly to zip: to make a single archive out of multiple files in order to back up, archive, transmit, etc. In April 2018, tar was included in Windows 10 builds.
Using the standard Windows help “/?”, it appears as though tar for Windows has very few options.
However, when the “--help” option is requested, you can see that there is actually much more functionality, including compression options like its Linux cousin.
We tested this by using tar to archive and compress a few files on a Windows system.
We then moved the files to a Debian Linux machine and found that they are in fact valid tarballs, one without and one with compression.
“Where” is like the Linux “locate” command. It finds files for you and is very handy.
where /R c:\ /F *.conf *.xml
This will search recursively through the C drive looking for conf and xml files. If found, the “/F” means show the full path.
The Whoami command displays information about the current account. Used without arguments, it displays the account name.
It can show the privileges or group membership associated with the current account using the “/priv” and “/groups” options respectively.
It can also display the FQDN and UPN for the account:
This built-in command shows the current Windows Subsystem for Linux installations. It also allows you to do some other administrative tasks associated with Linux distributions, provided you have admin-level access.
It is definitely interesting to know if WSL has been enabled on a system that you are testing from or have pivoted to. If you see this message, then WSL has not been enabled on the system:
This, on the other hand, indicates that Kali Linux has been installed on the system:
If it has not been enabled and you have admin rights, by all means, go ahead and enable it!
So, for the red-teamers out there, add these to your repertoire of “living off the land” tools. And blue-teamers might want to keep an eye out for use of these tools. Regular users will not likely be using curl, certutil, and tar so monitoring their use should generate actionable alerts instead of noise.
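As an added example (not code from the original post), here is a small Python detection pass over constructed process-creation records for the tools covered above. It assumes records with user, parent, image and cmdline fields, as a SIEM might extract from Security event 4688 or Sysmon event 1; net1.exe spawned by net.exe is treated as normal, because net.exe hands its work to a net1.exe child, while net1.exe launched directly from a shell is the case the text describes.

```python
import re


def rec(parent, exe, cmdline):
    """Build one constructed record; user and System32 path are fixed for brevity."""
    return {"user": "CORP\\jdoe", "parent": parent,
            "image": r"C:\Windows\System32" + "\\" + exe, "cmdline": cmdline}

# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    rec("explorer.exe", "certutil.exe", "certutil -decode payload.txt payload.exe"),
    rec("cmd.exe", "net1.exe", "net1 localgroup administrators"),
    rec("net.exe", "net1.exe", "net1 start"),      # normal: net.exe hands off to net1.exe
    rec("cmd.exe", "curl.exe", "curl http://example.invalid/tool.zip -o tool.zip"),
    rec("cmd.exe", "cmdkey.exe", "cmdkey /list"),
    rec("cmd.exe", "tar.exe", "tar -czf docs.tgz Documents"),
    rec("explorer.exe", "notepad.exe", "notepad report.txt"),
]

# (rule name, image regex, command-line regex or None, severity)
RULES = [
    # certutil used as an encoder/decoder rather than for certificates
    ("certutil-encode-decode", r"certutil\.exe$", r"[-/](?:en|de)code(?:hex)?\b", "high"),
    # cmdkey /list enumerates saved Credential Manager entries
    ("cmdkey-list-creds", r"cmdkey\.exe$", r"/list\b", "medium"),
    # curl and tar are rarely run by regular users, so any use is worth a look
    ("curl-download", r"curl\.exe$", None, "medium"),
    ("tar-archive", r"tar\.exe$", None, "medium"),
    # net1 launched directly; the net.exe-parent case is excluded in match_event
    ("net1-direct", r"net1\.exe$", None, "medium"),
    ("wsl-usage", r"wsl\.exe$", None, "low"),
]


def match_event(ev: dict) -> list:
    """Return (rule name, severity) pairs for one process-creation record."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    hits = []
    for name, img_re, cmd_re, sev in RULES:
        if not re.search(img_re, image):
            continue
        if cmd_re and not re.search(cmd_re, cmd, re.IGNORECASE):
            continue
        if name == "net1-direct" and ev["parent"].lower() == "net.exe":
            continue
        hits.append((name, sev))
    return hits


def scan(events) -> list:
    """Flatten all alerts as (user, command line, rule, severity) tuples."""
    return [(ev["user"], ev["cmdline"], n, s) for ev in events for n, s in match_event(ev)]
```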
That’s all for now…
…but we will keep digging and if we find more interesting Windows commands we will compose a sequel.