SoFunction
Updated on 2025-04-10

Do All in Cmd Shell (everything is done on the command line)


IPSec
First of all, it should be pointed out that IPSec and TCP/IP filtering are different things, so don't confuse them. TCP/IP filtering is very limited and far less flexible and powerful than IPSec. Let's look at how to control IPSec from the command line.

XP uses ipseccmd, and ipsecpol is used under 2000. Unfortunately, neither of them ships with the system. ipseccmd is in SUPPORT\TOOLS\ on the XP installation disk, and ipsecpol is in the 2000 Resource Kit. Moreover, to use ipsecpol you must also bring two other files: and. The three files total 119KB.

IPSec can be controlled through Group Policy, but I searched all of MSDN and could not find the syntax for the corresponding security template. A configured IPSec policy cannot be exported as a template either, so the Group Policy route does not work. IPSec settings are stored in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local), so in theory IPSec could be configured by modifying the registry. But much of the information is stored in binary form and is hard to read and modify. By comparison, uploading the command-line tools is more convenient.

There is plenty of information about ipsecpol and ipseccmd on the Internet, so this article will not go into detail and just lists some practical examples.
For setting IPSec policies, the syntax of ipseccmd is almost identical to that of ipsecpol, so ipsecpol is used as the example:

1. Defense against rpc-dcom attacks

ipsecpol -p myfirewall -r rpc-dcom -f *+0:135:tcp *+0:135:udp *+0:137:udp *+0:138:udp *+0:139:tcp *+0:445:tcp *+0:445:udp -n BLOCK -w reg -x

This command closes TCP ports 135, 139 and 445 and UDP ports 135, 137, 138 and 445 on the local host.
The options mean the following:
-p myfirewall Sets the policy name to myfirewall
-r rpc-dcom Sets the rule name to rpc-dcom
-f … Creates 7 filters. * means any address (source); 0 means the local address (destination); + means mirrored (bidirectional) filtering. For the detailed syntax see ipsecpol -?
-n BLOCK Sets the filter action to "block". Note that BLOCK must be capitalised.
-w reg Writes the configuration to the registry so it stays in effect after a reboot.
-x Activates the policy immediately.

2. Prevent ping

ipsecpol -p myfirewall -r antiping -f *+0::icmp -n BLOCK -w reg -x

If a policy named myfirewall already exists, an antiping rule is added to it.
Note that this rule also prevents the host from pinging others.

3. Restrict which IPs can reach the backdoor
Suppose DameWare Mini Remote Control is installed on a host. To keep others from brute-forcing its password or exploiting an overflow in it, access to its service port 6129 should be restricted.

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.89+0:6129:tcp -n PASS -w reg -x

This way, only 123.45.67.89 can access port 6129 on the host.
If your IP is dynamic, set the rule according to the range from which your IP is allocated. For example:

ipsecpol -p myfw -r dwmrc_block_all -f *+0:6129:tcp -n BLOCK -w reg
ipsecpol -p myfw -r dwmrc_pass_me -f 123.45.67.*+0:6129:tcp -n PASS -w reg -x

This allows IPs from 123.45.67.1 to 123.45.67.254 to access port 6129.
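To see why the BLOCK-all plus PASS-one pair above behaves as described, here is a small Python model of ipsecpol's -f syntax in which the most specific matching filter wins. It is an added example, not code from the article or from ipsecpol; the local address 10.0.0.5 is constructed, and the weighting is a simplification of real IPSec filter ordering.

```python
"""Toy model of ipsecpol -f filters: the most specific matching filter decides (added example, simplified)."""
import ipaddress

LOCAL = ipaddress.ip_address("10.0.0.5")  # constructed: the address that "0" stands for

def parse_addr(tok):
    """'*' = any address, '0' = this host, '123.45.67.*' = 123.45.67.0/24, 'a.b.c.d' = /32."""
    if tok == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "0":
        return ipaddress.ip_network(f"{LOCAL}/32")
    kept = [o for o in tok.split(".") if o != "*"]
    return ipaddress.ip_network(".".join(kept + ["0"] * (4 - len(kept))) + f"/{8 * len(kept)}")

def parse_filter(spec, action):
    """Parse one -f argument such as '123.45.67.*+0:6129:tcp' ('+' = mirrored, '=' = one way)."""
    mirrored = "+" in spec
    src, dst = spec.split("+" if mirrored else "=")
    s = src.split(":") + [""]          # src-addr[:src-port]
    d = dst.split(":") + ["", ""]      # dst-addr[:dst-port][:protocol]
    port = lambda p: int(p) if p else None
    return {"src": parse_addr(s[0]), "sport": port(s[1]), "dst": parse_addr(d[0]), "dport": port(d[1]),
            "proto": d[2].lower() or None, "mirrored": mirrored, "action": action.upper()}

def hits(f, src, sport, dst, dport, proto):
    """Does filter f cover this packet? A mirrored filter also covers the reverse direction."""
    if f["proto"] not in (None, proto):
        return False
    fwd = src in f["src"] and dst in f["dst"] and f["sport"] in (None, sport) and f["dport"] in (None, dport)
    rev = f["mirrored"] and src in f["dst"] and dst in f["src"] and f["dport"] in (None, sport) and f["sport"] in (None, dport)
    return fwd or rev

def weight(f):
    """Narrower addresses and an explicit port/protocol outrank broader filters."""
    return f["src"].prefixlen + f["dst"].prefixlen + 8 * sum(f[k] is not None for k in ("sport", "dport", "proto"))

def decide(filters, src, sport, dst, dport, proto):
    """Return BLOCK or PASS for one packet; traffic that no filter covers is left alone (PASS)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = [f for f in filters if hits(f, src, sport, dst, dport, proto)]
    return max(hit, key=weight)["action"] if hit else "PASS"

# The article's DameWare rules: block 6129/tcp for everyone, then pass one admin address.
DWMRC = [parse_filter("*+0:6129:tcp", "BLOCK"), parse_filter("123.45.67.89+0:6129:tcp", "PASS")]
ANTIPING = [parse_filter("*+0::icmp", "BLOCK")]

if __name__ == "__main__":
    print(decide(DWMRC, "123.45.67.89", 40000, str(LOCAL), 6129, "tcp"))  # PASS
    print(decide(DWMRC, "123.45.67.90", 40000, str(LOCAL), 6129, "tcp"))  # BLOCK
    print(decide(ANTIPING, str(LOCAL), None, "1.2.3.4", None, "icmp"))    # BLOCK: cannot ping out either
```

Running decide() with your own management address before activating a policy is a quick way to check that a rule set does not lock you out.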

When writing rules, be very careful not to block yourself. If you are not sure whether a rule will behave as expected, first use a scheduled task to "leave a way out". For example:

c:\>net start schedule
The Task Scheduler service is starting..
The Task Scheduler service has been started successfully.

c:\>time /t
12:34

c:\>at 12:39 ipsecpol -p myfw -y -w reg
A new assignment has been added, its assignment ID = 1

This gives you 5 minutes to set up the myfw policy and test it. The scheduled task will stop the policy after 5 minutes.
If the test result is not satisfactory, delete the policy:

c:\>ipsecpol -p myfw -o -w reg

Note that you must make sure the policy has been stopped before deleting it. If it has not been stopped, it will remain in effect for a while even after deletion. How long depends on the policy refresh interval, which defaults to 180 minutes.

If the test passes, then enable it.

c:\>ipsecpol -p myfw -x -w reg

Finally, how to check the IPSec policy.
On XP it is very simple, one command does it: ipseccmd show filters
ipsecpol has no query function, so another command-line tool, netdiag, is needed. It is located in SUPPORT\TOOLS\ on the 2000 installation disk. (Three files have already been uploaded, so one more does not matter. ^_^)

netdiag requires support from the RemoteRegistry service. So start the service first:

net start remoteregistry

If you don't start RemoteRegistry, you will get an error:

[FATAL] Failed to get system information of this machine.

netdiag is very powerful and can obtain a great deal of network-related information. However, its output is sometimes too detailed and exceeds the output buffer of the command-line console, and not every remote cmd shell can page the output with the more command.

The command to view the ipsec policy is:
netdiag /debug /test:ipsec

Then there is a long list of output information. The IPSec policy is at the end.


Software installation
Installing a piece of software or a tool generally does only two things: copying files to specific directories and modifying the registry. As long as you know exactly what is done, you can do it yourself on the command line. (Software that needs registration or activation after installation is not considered here.)

WinPcap is a very commonly used tool, but it has to be installed through the GUI. Versions without a GUI can be found online (though they still show a copyright page), and we can in fact make one ourselves.

Take WinPcap 3.0a as an example. By comparing file-system and registry snapshots taken before and after installation, the whole installation process is easy to understand.
Leaving aside the uninstall part, there are three key files: and. The first two are located in the system32 directory and the third in system32\drivers. The registry change is the addition of a system service named NPF. Note that it is a system service (i.e., a driver), not a Win32 service.

As a system service, a key must be added not only under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services but also under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root. The latter can only be modified by default. Fortunately it does not need to be added manually; WinPcap does it automatically when it is first called. In fact there is no need to modify the registry by hand at all: WinPcap does everything itself. You only need to copy the three files to the right locations.

As an example, here is a demonstration of modifying the registry anyway, using the inf file mentioned above.

[Version]
Signature="$WINDOWS NT$"
[DefaultInstall]
AddService=NPF,,winpcap_svr
[winpcap_svr]
DisplayName=Netgroup Packet Filter
ServiceType=0x1
StartType=3
ErrorControl=1
ServiceBinary=%12%\

Save the above as _wpcap_.inf.
Then write a batch file, _wpcap_.bat:

 setupapi,InstallHinfSection DefaultInstall 128 %CD%\_wpcap_.inf
del _wpcap_.inf
if /i %CD%==%SYSTEMROOT%\system32 goto COPYDRV
copy  %SYSTEMROOT%\system32\
copy  %SYSTEMROOT%\system32\
del 
del 
:COPYDRV
if /i %CD%==%SYSTEMROOT%\system32\drivers goto END
copy  %SYSTEMROOT%\system32\drivers\
del 
:END
del %0

Then use WinRAR to pack all five files into a self-extracting exe, and under "Advanced SFX options" set "Run after extraction" to _wpcap_.bat. The command-line WinPcap installation package is done.

Note that the last line of the batch file must not end with a carriage return. Otherwise the batch file cannot delete itself, because it is still running.

Basically all software installations can follow this idea, with one exception: system patches.
Since a system patch may replace a file that is being executed or accessed, the copy command cannot be used.
Fortunately, Windows patch packages support command-line installation.
For example:

 -n -z -q

-n Do not keep backup files
-z Do not restart after installation
-q Quiet mode

If there are a bunch of patches to install, pack them with RAR into a self-extracting file together with a batch file:

for %%f in (KB??????.exe) do %%f -n -z -q
for %%f in (KB??????.exe) do del %%f
del %0


Windows Scripts
Many tasks are very concise to do with scripts. Below are echo versions of some common scripts.

1. Display the system version

@echo for each ps in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>
@echo  ^&" "^&:next >>
cscript //nologo  & del 

2. List the processes

@echo for each ps in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>
@echo  ^&vbtab^&^&vbtab^&:next >>
cscript //nologo  & del 

3. Terminate the process

@echo for each ps in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>
@echo if =(0) then  :end if:next >>

To terminate a process with PID 123, use the following syntax:
cscript  123

If a 0 is displayed, it means that the termination is successful.

Then:
del 

4. Restart the system

@echo for each os in getobject _ >
@echo ("winmgmts:{(shutdown)}!\\.\root\cimv2:win32_operatingsystem").instances_ >>
@echo os.win32shutdown(2):next >> & cscript //nologo  & del 

5. List the services that are started

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >
@echo if ="Auto" then  ^&" - "^& >>
@echo next >> & cscript //nologo  & del 

6. List running services

@echo for each sc in getobject("winmgmts:\\.\root\cimv2:win32_service").instances_ >
@echo if ="Running" then  ^&" - "^& >>
@echo next >> & cscript //nologo  & del 

7. Display the last time the system started

@echo for each os in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_operatingsystem").instances_ >>
@echo  :next >> & cscript //nologo  & del 

The result is displayed in the format:
yyyymmddHHMMSSxxxxxxZZZZ
year, month, day, hour, minute, second, microseconds, time zone

8. Show system running time

@echo for each os in getobject _ >
@echo ("winmgmts:\\.\root\cimv2:win32_perfrawdata_perfos_system").instances_ >>
@echo s=os.timestamp_sys100ns:l=len(s):s=left(s,l-7):for i=1 to l-7 >>
@echo t=t^&mid(s,i,1):d=t\86400:r=r^&d:t=t mod 86400:next >>
@echo  cint(r)^&"d "^&t\3600^&"h "^&t\60 mod 60^&"m "^&t mod 60^&"s":next >>
cscript //nologo  & del 

This running time is a 64-bit integer taken from the performance counter, so it does not suffer the overflow after 49.7 days that a 32-bit millisecond tick counter does.
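Scripts 7 and 8 print two WMI values in raw form; the following added Python example (not from the article, which uses echo'd VBScript) decodes both: the CIM_DATETIME string from script 7 and the 64-bit Timestamp_Sys100ns counter from script 8, with the same truncation to seconds that script 8 performs. The sample boot time and uptime value are constructed, not captured from a real host.

```python
"""Decode the two WMI values behind scripts 7 and 8: a CIM_DATETIME string and the 64-bit
Timestamp_Sys100ns uptime counter. Added example in Python, not the article's echo'd VBScript."""
from datetime import datetime, timedelta, timezone

def parse_cim_datetime(s):
    """Turn '20240310143000.123456+480' into an aware datetime (offset is minutes from UTC)."""
    # CIM allows '*' wildcards in unused fields; those are rejected here rather than guessed.
    if len(s) != 25 or s[14] != "." or s[21] not in "+-":
        raise ValueError(f"not a CIM_DATETIME: {s!r}")
    stamp = datetime.strptime(s[:21], "%Y%m%d%H%M%S.%f")
    minutes = int(s[22:])
    return stamp.replace(tzinfo=timezone(timedelta(minutes=minutes if s[21] == "+" else -minutes)))

def uptime_parts(timestamp_sys100ns):
    """Script 8 cuts the last 7 digits (100 ns -> whole seconds), then splits into d/h/m/s."""
    seconds = int(str(timestamp_sys100ns)[:-7] or "0")   # same as left(s, l-7) in the VBScript
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return days, hours, minutes, seconds

def uptime_text(timestamp_sys100ns):
    """Same output format as script 8, e.g. '60d 0h 2m 3s'."""
    d, h, m, s = uptime_parts(timestamp_sys100ns)
    return f"{d}d {h}h {m}m {s}s"

def tick_count_32bit_ms(timestamp_sys100ns):
    """What a 32-bit millisecond tick counter would show: it wraps every 2^32 ms (49.7 days)."""
    return (timestamp_sys100ns // 10_000) % 2**32

# Constructed sample values, not captured from a real host.
SAMPLE_BOOT = "20240310143000.123456+480"                      # LastBootUpTime at UTC+8
SAMPLE_UPTIME_100NS = 60 * 86400 * 10_000_000 + 1_234_567_890  # 60 days plus 123.456789 s

if __name__ == "__main__":
    print(parse_cim_datetime(SAMPLE_BOOT).isoformat())          # 2024-03-10T14:30:00.123456+08:00
    print(uptime_text(SAMPLE_UPTIME_100NS))                     # 60d 0h 2m 3s
    print(tick_count_32bit_ms(SAMPLE_UPTIME_100NS) // 86_400_000, "days by a 32-bit counter")  # 10
```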