Commonly used cmd commands in windows system (necessary knowledge of white hat and black hat)


Foreword

In computing, white hats and black hats refer to two different types of hackers.

A white hat hacker is a security professional who acts with the authorization of the system owner and uses advanced computer skills to keep networks and systems safe. White hat hackers typically discover and analyze security vulnerabilities and take part in the response to and investigation of security incidents. Because they find and report vulnerabilities so that they can be fixed, they improve the security of networks and systems.

A black hat hacker is an unauthorized person who uses his or her skills to carry out illegal activities. They may use their skills to launch various cyber attacks such as malware, viruses, phishing attacks, etc. The actions of black hat hackers may cause various security threats, such as data leakage, financial loss, etc.

Besides white hats and black hats there are gray hat hackers, a group that sits between the two. They act without the authorization of the system owner, but usually without malicious intent: a typical gray hat scans or probes a network to test its security out of personal interest or curiosity. Even so, accessing systems without permission is illegal in most jurisdictions.

Whether white, black or gray, all three play a role in the computer field. White hat hackers improve the security of networks and systems and help companies and organizations prevent malicious attacks; black hat hackers, although they act illegally, also push companies and organizations to strengthen their defenses; gray hat hackers use technical means to discover and test vulnerabilities in networks and systems, which can help improve security.


1. What each side uses

The following built-in CMD commands are typically used by white hat hackers for system management and security assessment. Note that the same commands are available to an attacker who has obtained a shell on the machine; what separates the two groups is authorization, not the tool set.

netstat: Shows active network connections and listening ports, which helps determine whether there are unexpected or malicious connections on the system.
arp: Shows and modifies the ARP cache (the mapping of IP addresses to MAC addresses on the local network) and helps spot ARP spoofing.
route: Shows and manages the routing table, which helps understand how the system reaches other networks.
tracert: Traces the router hops a packet takes to reach a destination, which helps analyze the path and target of network traffic.
ipconfig: Shows the network configuration, such as IP address, subnet mask, default gateway and DNS servers, and (with /all) MAC addresses and DHCP details.
net: Manages users, groups, shares, sessions and services (net user, net localgroup, net share, net use, net start and net stop).
netsh: Configures and inspects network settings, including Windows Firewall rules and interface configuration.
tasklist: Lists running processes, which helps understand what is active on the system.
taskkill: Terminates processes, which helps contain a running threat.

The commands and tools below are the ones this list attributes to black hat hackers. Several of them are not CMD commands at all, so the descriptions are corrected here:

ping: Sends ICMP Echo Requests to test whether a host is reachable. It is used for host discovery during reconnaissance, not for vulnerability scanning; it cannot detect vulnerabilities.
nmap: A third-party port scanner (nmap.org) that is not part of Windows and must be installed separately. It discovers open ports, identifies services and guesses the operating system of a target host.
smb: There is no smb command in Windows. SMB shares are reached with net view \\host and net use \\host\share, or from Linux with the Samba smbclient tool. Exposed shares with weak permissions are a common target.
ftp: The built-in FTP client. It can log in to an FTP server or move files to and from a compromised host; credentials and data travel in clear text.
ssh: The OpenSSH client, installed by default since Windows 10 version 1809. It logs in to remote hosts and can tunnel traffic; the protocol is encrypted, so the risk lies in weak or stolen credentials rather than in the protocol itself.
telnet: The Telnet client (an optional feature that is off by default). It logs in to hosts that still expose Telnet and is also used to check whether a TCP port is open; everything, including passwords, is sent in clear text.
http: There is no http command in Windows. Command-line web requests are made with curl.exe (shipped since Windows 10 version 1803) or PowerShell's Invoke-WebRequest, which attackers use to download tools or talk to a command-and-control server.
reg: Reads and modifies the registry. It does not delete files, but it can change system configuration and create persistence, for example by adding a Run key so that a program starts at every logon.
cmd: Starts a command interpreter and, with /c, runs a single command line. It is the vehicle for running any other command, such as deleting files or creating users with net user.

2. Introduction to common commands in windows system

1. netstat command

The netstat command is a command for viewing the network connection status and port conditions. It can help users understand the current computer network connection conditions, including local addresses, remote addresses, protocol types, port information, etc.

Here are some examples:

View all connections and listening ports: netstat -a
View connections with the owning process ID and without DNS resolution: netstat -ano
View per-protocol statistics: netstat -s -p tcp and netstat -s -p udp
View the routing table of the current computer: netstat -r
View the executable that owns each connection: netstat -b (requires an elevated prompt)

2.ping command

The ping command tests whether a host is reachable by sending ICMP Echo Request packets and waiting for Echo Replies. No reply does not prove the host is down: many firewalls drop ICMP, so a silent host should also be checked with a TCP probe.

Here are some examples:

Test whether the network connection of the machine is normal: ping 127.0.0.1 or ping localhost
Test whether an IP address is reachable: ping 192.168.0.1
Test whether the IP address of a domain name is reachable: ping www.google.com

3.arp command

The arp command shows and modifies the ARP cache (Address Resolution Protocol), the table that maps IP addresses on the local network to MAC addresses. Reviewing it helps detect ARP spoofing, where an attacker answers ARP requests with their own MAC address in order to intercept traffic.

Here are some examples:

View the local ARP cache: arp -a
Add a static ARP entry (requires an elevated prompt): arp -s 192.168.0.1 00-11-22-33-44-55
Delete an ARP entry: arp -d 192.168.0.1
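A practical use of arp -a output is checking whether two IP addresses on the subnet claim the same MAC address, the classic symptom of ARP spoofing. The following Python script is an added example and is not part of the original post; it parses the output format shown above. The sample output is constructed, not captured from a real host, and the gateway address 192.168.0.1 is an assumption for that sample. On a live machine you would run arp -a, save the output and pass it to these functions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "arp -a" output (not captured from a real host).
# 192.168.0.1 (assumed gateway) and 192.168.0.20 share a MAC address here,
# which is what an ARP spoofing attack against the gateway looks like.
ARP_SAMPLE = """
Interface: 192.168.0.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.20          00-11-22-33-44-55     dynamic
  192.168.0.25          aa-bb-cc-dd-ee-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One entry line: IPv4 address, dash-separated MAC, and the entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)

BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"
IPV4_MULTICAST_PREFIX = "01-00-5e"


def parse_arp(text):
    """Return (ip, mac, type) tuples for every entry in 'arp -a' output.

    Header and 'Interface:' lines do not match ARP_ROW and are skipped, so
    entries from every interface in the output are collected.
    """
    entries = []
    for line in text.splitlines():
        match = ARP_ROW.match(line)
        if match:
            ip, mac, kind = match.groups()
            entries.append((ip, mac.lower(), kind.lower()))
    return entries


def unicast_entries(entries):
    """Drop broadcast and multicast mappings, which legitimately repeat."""
    return [
        (ip, mac, kind)
        for ip, mac, kind in entries
        if mac != BROADCAST_MAC
        and not mac.startswith(IPV4_MULTICAST_PREFIX)
        and not ipaddress.ip_address(ip).is_multicast
    ]


def duplicate_macs(entries):
    """Map every MAC claimed by more than one unicast IP to the IPs claiming it.

    A hit is a lead, not proof: a router with several addresses, a NAT box or
    a VRRP pair also shows one MAC behind several IPs. A gateway MAC that is
    shared with an ordinary workstation, or that suddenly changes, is the
    pattern worth investigating.
    """
    by_mac = defaultdict(list)
    for ip, mac, _kind in unicast_entries(entries):
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac(entries, gateway_ip):
    """Return the MAC currently cached for the gateway, or None if absent."""
    for ip, mac, _kind in entries:
        if ip == gateway_ip:
            return mac
    return None


if __name__ == "__main__":
    cached = parse_arp(ARP_SAMPLE)
    print("gateway 192.168.0.1 ->", gateway_mac(cached, "192.168.0.1"))
    for mac, ips in duplicate_macs(cached).items():
        print(f"MAC {mac} claimed by {', '.join(ips)}: possible ARP spoofing")
```

If the gateway's real MAC is known, compare it with gateway_mac() on each run. A static entry added with arp -s only pins the mapping on this one host; the durable fix is on the switch (Dynamic ARP Inspection or equivalent), since every other host on the segment is still exposed.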


4. route command

The route command is used to view and manage the routing table, which can help users understand the network connection of the system.

Here are some examples:

View the routing table of this machine: route print
Add a persistent route entry (one that survives a reboot): route -p add <destination> mask <subnet mask> <gateway>, for example route -p add 10.0.0.0 mask 255.0.0.0 192.168.0.1
Delete a route entry: route delete <destination>

5. tracert command

The tracert command (called traceroute on other systems) traces the route that packets take from the source to a destination. On Windows it sends ICMP Echo Requests whose Time-To-Live starts at 1 and increases by one per hop, so each router along the path reveals itself with an ICMP Time Exceeded message; the output shows those routers and the round-trip time to each of them.

For example, to trace to Google's server (domain name www.google.com), you can execute the following command:

tracert www.google.com

After the command starts, the system sends three probes per hop and records the round-trip time (RTT) of each probe and the router that answered. A row of asterisks means that hop did not answer within the timeout, which is common for routers that rate-limit or drop ICMP and is not by itself a fault. This helps locate connectivity problems and the hop at which delay or loss begins.

The output shows, for each hop, its number in the path, the three round-trip times, and the router's IP address and hostname (if reverse DNS resolves it). Analyzing this information gives insight into the quality of the connection and the efficiency of the path, for troubleshooting or network optimization.

6. telnet command

Telnet is a network protocol that uses the TCP/IP protocol to establish a connection between a local computer and a remote computer. In Windows systems, the telnet command is used to establish a terminal session with a remote host.

NOTE: The Telnet client is an optional Windows feature and is not enabled by default (this has been the case since Windows Vista). Enable it from Windows Features or, in an elevated prompt, with dism /online /Enable-Feature /FeatureName:TelnetClient. The examples below assume the client is enabled.

The command syntax is:

telnet [remote host address] [port number]
For example, to connect to the default port 23 of the Telnet service of the remote host, you can execute the following command:

telnet example.com 23

If no port number is specified, Telnet's default port 23 will be used.

If the connection is successful, you will enter a new terminal session and can interact with the remote host.

If the connection fails, the remote host may be unreachable, a firewall may be blocking the connection, or the destination port may not be open. Because telnet simply opens a TCP connection, it is also a quick way to check whether a port is open: if telnet example.com 443 connects (a blank screen instead of an error), the port accepts connections. In PowerShell, Test-NetConnection example.com -Port 443 does the same with clearer output.

Telnet is an insecure protocol because it uses clear text for data transfers, including passwords and sensitive information. Therefore, a more secure alternative protocol such as SSH is recommended for remote access and terminal sessions.

7. nmap command

nmap is a third-party network probing and security assessment tool (nmap.org); it is not built into Windows and must be installed separately. It scans hosts and networks for open ports, running services and operating system information, which helps administrators find exposed services or misconfigurations. Only scan systems you are authorized to test: unsolicited scanning is treated as hostile by most organizations and may be illegal.

For example, to scan a host (IP address 192.168.0.1), you can execute the following command:

nmap 192.168.0.1

Or, if you have a domain name, say example.com, you can scan using the domain name:

nmap example.com

With no options, nmap scans the most common TCP ports of the target and reports each port's state (open, closed or filtered) and the service usually associated with that port number.

More useful scans need options: nmap -sV -p- 192.168.0.1 scans all 65535 TCP ports and probes each open one to identify the service and version, and adding -O attempts operating system detection. Raw-packet scans such as -sS and -O require an elevated prompt and the Npcap driver that the Windows installer offers. The results (open ports, identified services, OS guesses) can be used to assess the security and configuration of the target host.

8. SMB commands

SMB (Server Message Block) is the protocol Windows uses to share files, printers and other resources between computers. There is no smb command in Windows: shares are accessed with the net command (net view, net use), or from Linux with the Samba smbclient tool.

To list the shares a remote computer offers:

net view \\192.168.0.100

To map a share to a drive letter with a given user name (you will be prompted for the password):

net use Z: \\192.168.0.100\sharefolder /user:john

Among them, 192.168.0.100 is the IP address or name of the remote computer, sharefolder is the name of the shared resource and john is the user name. net use with no arguments lists the current mappings, and net use Z: /delete removes one.

From a Linux host the same share is opened with smbclient:

smbclient //192.168.0.100/sharefolder -U john

If authentication succeeds you enter the smbclient interactive mode, where ls lists files and directories, get downloads a file and put uploads one.

From a defender's point of view, net share shows what the local machine itself exposes and net session shows who is connected to it. The default administrative shares (C$, ADMIN$) are reachable by anyone holding local administrator credentials, which is why they are a favorite lateral-movement path.

9. tasklist command

The tasklist command lists the processes currently running on the Windows system. For each process it shows the image name, process ID (PID), session name and number, and memory usage; with /svc it also shows the services hosted by each process, and /v adds the user account and window title.

Example output might resemble the following:

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0     20,900 K
smss.exe                        10 Services                   0      1,576 K
csrss.exe                      368 Services                   0      4,144 K
...

The output lists the image name of each process, its PID, the session it runs in and its memory usage.

Beyond listing all processes, tasklist accepts options for filtering and for showing more detail. The ones most useful when looking for something that should not be there are tasklist /svc (which services each svchost.exe instance hosts), tasklist /v (user name and window title), tasklist /m (loaded DLLs) and tasklist /fi "IMAGENAME eq powershell.exe" (filter by image name, PID, user or status). Run tasklist /? for the complete list of options.
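The netstat and tasklist sections above describe the two commands separately, but the question a responder actually asks is "which process owns this connection?", which means joining netstat -ano output with tasklist output on the PID column. The following Python script is an added example and is not part of the original post; it parses both output formats from constructed samples (not captured from a real host), keeps only established connections to addresses outside private, loopback and link-local ranges, and explains why each one deserves a look. The list of shell-like process names is an assumption to be tuned per environment.

```python
import ipaddress
import re

# Constructed sample of "netstat -ano" output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:49712     192.168.0.1:443        ESTABLISHED     5520
  TCP    192.168.0.10:49803     203.0.113.7:4444       ESTABLISHED     6104
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    3320
"""

# Constructed sample of "tasklist" output for the same host.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0     20,900 K
svchost.exe                    912 Services                   0     12,304 K
chrome.exe                    5520 Console                    1    210,112 K
powershell.exe                6104 Console                    1     64,220 K
"""

# netstat row: protocol, local endpoint, foreign endpoint, optional state
# (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# tasklist row: image name (may contain spaces), PID, session, session#, memory.
TASKLIST_ROW = re.compile(r"^(\S.*?\S)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)\s*$")

# Address ranges that are not remote peers on the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Assumed list of interpreters that rarely need an outbound connection on a
# workstation; tune for your environment.
SHELL_LIKE = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
              "mshta.exe", "rundll32.exe", "regsvr32.exe"}

WEB_PORTS = {"80", "443"}


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port) strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Parse 'netstat -ano' output into a list of connection dicts."""
    rows = []
    for line in text.splitlines():
        match = NETSTAT_ROW.match(line)
        if not match:
            continue  # banner, header and blank lines
        proto, local, foreign, state, pid = match.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": lhost, "lport": lport,
                     "remote": rhost, "rport": rport,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Parse 'tasklist' output into a {pid: image name} dict."""
    procs = {}
    for line in text.splitlines():
        match = TASKLIST_ROW.match(line)
        if match:
            procs[int(match.group(2))] = match.group(1)
    return procs


def is_internal(host):
    """True for private, loopback, link-local, wildcard and unparsable hosts."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # '*' and similar placeholders are not remote peers
    return ip.is_unspecified or any(ip in net for net in INTERNAL_NETS)


def external_connections(netstat_text, tasklist_text):
    """Attribute each established connection to a non-internal address to
    its owning process and list the reasons it deserves a look."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if row["state"] != "ESTABLISHED" or is_internal(row["remote"]):
            continue
        image = procs.get(row["pid"], "<unknown>")
        reasons = []
        if image.lower() in SHELL_LIKE:
            reasons.append("script host or shell holding an outbound connection")
        if row["rport"] not in WEB_PORTS:
            reasons.append("destination port is not a web port")
        findings.append({"pid": row["pid"], "image": image,
                         "remote": f"{row['remote']}:{row['rport']}",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} {f['image']} -> {f['remote']}: "
              + ("; ".join(f["reasons"]) or "no flags"))
```

On a live host, redirect netstat -ano and tasklist to files and feed their contents to external_connections(). Take the two snapshots close together, since PIDs are reused after a process exits. tasklist does not show command lines or parent processes; once a PID is flagged, wmic process where processid=6104 get commandline,parentprocessid (or Get-CimInstance Win32_Process in PowerShell) answers the next question.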

10. at command

The at command is the legacy task scheduler of Windows: it runs a command or program at a specified time without manual intervention. Since Windows 8 it is deprecated and only prints a message telling you to use schtasks.exe, so on current systems the schtasks examples at the end of this section are what you will actually type.

at [time] [/interactive] [/every:date,...] [/next:date] "command"

Here [time] is the time to run the task in 24-hour format; /interactive lets the task interact with the desktop of the logged-on user; /every:date,... repeats the task on the given days of the week (M,T,W,Th,F,S,Su) or days of the month; /next:date runs it once on the next such day; and "command" is the command or program to run.

For example, to run a command at 2 pm:

at 14:00 "command"

To run a command every Monday at 9:00 AM:

at 09:00 /every:M "command"

Note that the at command requires administrator privileges and that the Task Scheduler service must be running. Run at /? for a full description of the options.

schtasks, available since Windows XP, replaces at on all current versions. The equivalent of the weekly example above is:

schtasks /create /tn "WeeklyJob" /tr "C:\scripts\job.bat" /sc weekly /d MON /st 09:00

and schtasks /query /fo LIST /v lists every task with its command line, author and the account it runs as. Scheduled tasks are a favorite persistence mechanism, so that listing is worth reviewing on any machine suspected of compromise.
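Reviewing the full task list by eye is slow on a machine with hundreds of tasks. The following Python script is an added example and is not part of the original post; it reads the CSV form of the listing (schtasks /query /fo CSV /v) and flags tasks that run from user-writable directories, launch hidden or encoded PowerShell, or run as SYSTEM without a Microsoft author. The sample is a constructed, reduced CSV with only the columns the script uses (the real output has many more, which the header-keyed parsing ignores); English column names are assumed, and the encoded PowerShell payload is simply "echo hi", a harmless stand-in.

```python
import csv
import io
import re

# Constructed, reduced sample of "schtasks /query /fo CSV /v" output.
# Real output has many more columns; rows are keyed by header name, so the
# extra columns are ignored. The -enc value is "echo hi" in UTF-16LE base64.
SCHTASKS_SAMPLE = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\OneDrive Standalone Update Task","CONTOSO\alice","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","alice"
"WS01","\Updater","CONTOSO\alice","powershell.exe -w hidden -nop -enc ZQBjAGgAbwAgAGgAaQA=","SYSTEM"
"WS01","\Cleanup","WS01\bob","C:\Users\Public\cleanup.bat","bob"
'''

# Locations an ordinary user can write to; a task that runs from one of
# these was not installed by the operating system.
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%temp%|%appdata%",
    re.IGNORECASE,
)

# PowerShell switches that hide the window or obscure the command.
OBFUSCATED_PS = re.compile(
    r"powershell(?:\.exe)?.*?"
    r"(?:-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-nop\b|downloadstring)",
    re.IGNORECASE | re.DOTALL,
)


def parse_schtasks(text):
    """Parse CSV output of 'schtasks /query /fo CSV /v' into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def task_reasons(task):
    """Return the reasons a single task looks like persistence (may be empty)."""
    cmd = task.get("Task To Run", "")
    author = task.get("Author", "")
    run_as = task.get("Run As User", "")
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("runs from a user-writable location")
    if OBFUSCATED_PS.search(cmd):
        reasons.append("hidden or encoded PowerShell command line")
    if run_as.upper() == "SYSTEM" and "microsoft" not in author.lower():
        reasons.append("runs as SYSTEM but was not authored by Microsoft")
    return reasons


def suspicious_tasks(text):
    """Return flagged tasks, most reasons first, each with its command line.

    Expect false positives: many legitimate updaters live under AppData.
    A single 'user-writable location' hit is a prompt to check the file's
    signature and the Author column, not a verdict.
    """
    findings = []
    for task in parse_schtasks(text):
        reasons = task_reasons(task)
        if reasons:
            findings.append({"name": task["TaskName"],
                             "command": task["Task To Run"],
                             "run_as": task["Run As User"],
                             "reasons": reasons})
    findings.sort(key=lambda t: -len(t["reasons"]))
    return findings


if __name__ == "__main__":
    for t in suspicious_tasks(SCHTASKS_SAMPLE):
        print(f"{t['name']} (as {t['run_as']}): {'; '.join(t['reasons'])}")
        print(f"    {t['command']}")
```

On a live host, run schtasks /query /fo CSV /v > tasks.csv in an elevated prompt (without elevation, tasks belonging to other users are hidden) and pass the file contents to suspicious_tasks(). Because the CSV is localized, adjust the column names if the system language is not English.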

11. nslookup command

The nslookup command is a command-line tool for performing domain name resolution and query on Windows systems. It is used to query the DNS (Domain Name System) server to obtain the IP address, domain name server records and other related information of a specific domain name.

For example, to query the IP address of "www.example.com", you can execute the following command:

nslookup www.example.com

After executing the above command, nslookup will send a query request to the default DNS server and display the resolution result of the domain name.

Example output might include the domain name's IP address, associated nameserver records, etc.

For example:

Server:  UnKnown
Address:  192.0.2.1

Non-authoritative answer:
Name:    www.example.com
Addresses:  203.0.113.10
          203.0.113.20

The "Server" field shows the DNS server that answered (UnKnown means the server's own name could not be reverse-resolved, which is common for home routers), and the "Addresses" field lists the IP addresses associated with the domain name. "Non-authoritative answer" means the reply came from a recursive resolver, possibly from its cache, rather than from a server authoritative for the zone.

Beyond simple name lookups, nslookup supports other record types and servers: nslookup -type=MX example.com queries the mail exchanger records, nslookup 203.0.113.10 performs a reverse lookup, and appending a server address (nslookup www.example.com 192.0.2.1) sends the query to that DNS server, which is a quick way to compare what the local resolver returns with what a known-good server returns when DNS tampering is suspected. A description of all options can be found with nslookup /?.

12. ftp command

FTP (File Transfer Protocol) is a protocol for transferring files between computers, and the ftp command in Windows is the client for that protocol: it connects to a remote FTP server and transfers files. Like Telnet, FTP sends the user name, password and file contents in clear text, and the Windows client supports neither FTPS nor SFTP, so prefer SFTP over SSH where you can.

ftp [remote host address]

Among them, [remote host address] is the IP address or domain name of the remote FTP server.

For example, to connect to a host with an FTP server on 192.168.0.100, you can execute the following command:

ftp 192.168.0.100

If the FTP server requires a username and password for authentication, you will be prompted to enter the correct username and password.

Once connected, you will enter FTP interactive mode. In this mode, you can use various FTP commands to browse, upload, download and delete files.

For example, to download a file named file.txt, you can execute the following command:

get file.txt

If you want to upload a local file named file.txt to the FTP server, you can execute the following command:

put file.txt

Other FTP commands available include ls or dir (list the remote directory), cd (change remote directory), binary (switch to binary mode, needed for anything that is not plain text), delete (remove a remote file) and bye (close the session).

13. net commands

The net command is a command-line tool used to manage network resources and perform network operations in Windows systems. It can be used to configure and manage various network components of local or remote computers, such as user accounts, shared folders, printers, etc.

Command format:

net <subcommand> [options]

Among them, <subcommand> is the operation to perform (user, localgroup, share, use, view, session, start, stop, and others) and [options] depend on the subcommand.

For example, to display all user accounts on the local computer, execute the following command:

net user

The output lists the names of the local accounts. net user <name> shows the details of one account, including its group memberships and last logon, and net localgroup administrators shows who holds local administrator rights, a list worth checking on every machine.

As another example, to start or stop a Windows service such as the Print Spooler, use the following commands (an elevated prompt is required):

net start spooler
net stop spooler

Use the /? parameter, such as net user /? or net start /?, to view detailed parameters and usage instructions for a specific net command.

14. ipconfig command

The ipconfig command is used to display the network configuration information of the computer in the Windows system, including the IP address, subnet mask, default gateway, and other network interface related information.

Enter the following command:

ipconfig [option]

Here [option] is optional and selects what to show or do. Common options include:

/all: Show the full configuration of every interface, including the MAC address, DHCP server and lease times, and DNS servers.
/release and /renew: Give up the current DHCP lease and request a new one.
/flushdns: Clear the DNS resolver cache.
/displaydns: Show the resolver cache, which reveals the names this machine has recently looked up even if the process that looked them up is gone.



Summary

These commonly used Windows commands, applied in the right context, are helpful for system administration, network troubleshooting and basic incident triage. I hope they are useful to readers; do not use them for illegal purposes!
Of course, much has been left out, and we can discuss it together. Thank you all.

Origin blog.csdn.net/u014740628/article/details/131557411