*SWAT MAGAZINE ISSUE ELEVEN: NOVEMBER 1998*

**********************************************************************
|                       .Windows NT Commands.                        |
|                           By Netw0rk Bug                           |
-----------------------------------------------------------------------

Table Of Contents

=COMMANDS=
The ARP Command
The Traceroute Command
The Netstat Command
The Finger Command
The Ping Command
The Nbtstat Command
Notes On Nbtstat Command

=========================================================================
THE ARP COMMAND
=========================================================================

The arp command displays the Internet-to-Ethernet (IP to MAC) address
translations that are normally handled by the ARP protocol. When the
hostname is the only parameter, this command displays the current ARP
entry for that hostname.

Usage: arp hostname

Switches:

-a            Displays current ARP entries by interrogating the current
              protocol data. If inet_addr is specified, the IP and
              physical addresses for only the specified computer are
              displayed. If more than one network interface uses ARP,
              entries for each ARP table are displayed.
-g            Same as -a.
inet_addr     Specifies an internet address.
-N if_addr    Displays the ARP entries for the network interface
              specified by if_addr.
-d            Deletes the host specified by inet_addr.
-s            Adds the host and associates the Internet address
              inet_addr with the physical address eth_addr. The
              physical address is given as 6 hexadecimal bytes
              separated by hyphens. The entry is permanent.
eth_addr      Specifies a physical address.
if_addr       If present, this specifies the Internet address of the
              interface whose address translation table should be
              modified. If not present, the first applicable interface
              will be used.

=========================================================================
THE TRACEROUTE COMMAND
=========================================================================

The traceroute command is used to trace the route that a packet takes
to reach its destination.
This command works by using the time to live (TTL) field in the IP
packet.

Usage: tracert IP or Hostname

Switches:

-d               Do not resolve addresses to hostnames.
-h maximum_hops  Maximum number of hops to search for target.
-j host-list     Loose source route along host-list.
-w timeout       Wait timeout milliseconds for each reply.

=========================================================================
THE NETSTAT COMMAND
=========================================================================

This command is used to query the network subsystem for certain types
of information. Different information is returned depending on the
switches used with the command.

Usage: netstat [switch]

Switches:

-A   Shows the addresses of any associated protocol control blocks.
-a   Shows the status of all sockets. Sockets associated with network
     server processes are normally not shown.
-i   Shows the state of the network interfaces.
-m   Prints the network memory usage.
-n   Causes netstat to show actual addresses as opposed to hostnames or
     network names.
-r   Prints the routing table.
-s   Tells netstat to show the per-protocol statistics.
-t   Replaces the queue length information with timer information.

=========================================================================
THE FINGER COMMAND
=========================================================================

By default, finger lists the login name, full name, terminal name and
write status (shown as a "*" before the terminal name if write
permission is denied), idle time, login time, office location, and
phone number (if known) for each current user connected to the network.

Usage: finger username@domain

Switches:

-b   Brief output format.
-f   Suppresses the printing of the header line.
-i   Provides a quick list of users with idle time.
-l   Forces long output format.
-p   Suppresses printing of the .plan file (if present).
-q   Provides a quick list of users.
-s   Forces short output format.
-w   Forces narrow output format.

=========================================================================
THE PING COMMAND
=========================================================================

Ping (Packet Internet Groper) is used to send ICMP (Internet Control
Message Protocol) packets from one host to another. Ping transmits
packets using the ICMP ECHO_REQUEST command and expects an ICMP
ECHO_REPLY.

Usage: ping IP address or Hostname

Switches:

-t            Ping the specified host until interrupted.
-a            Resolve addresses to hostnames.
-n count      Number of echo requests to send.
-l size       Send buffer size.
-f            Set Don't Fragment flag in packet.
-i TTL        Time To Live.
-v TOS        Type Of Service.
-r count      Record route for count hops.
-s count      Timestamp for count hops.
-j host-list  Loose source route along host-list.
-k host-list  Strict source route along host-list.
-w timeout    Timeout in milliseconds to wait for each reply.

=========================================================================
THE NBTSTAT COMMAND
=========================================================================

Nbtstat can be used to query the network for NetBIOS information. It
can also be used to purge the NetBIOS cache and reload the LMHOSTS
file. This one command can be extremely useful when performing security
audits. When one knows how to interpret the information, it can reveal
more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r]
               [-S] [-s] [interval]

Switches:

-a RemoteName  Lists the remote computer's name table given its host
               name.
-A IP_address  Lists the remote computer's name table given its IP
               address.
-c             Lists the remote name cache including the IP addresses.
-n             Lists local NetBIOS names.
-r             Lists names resolved by broadcast and via WINS.
-R             Purges and reloads the remote cache name table.
-S             Lists sessions table with the destination IP addresses.
-s             Lists sessions table converting destination IP addresses
               to host names via the hosts file.
interval       Redisplays the selected statistics, pausing for the
               number of seconds you choose as "interval" between each
               listing. Press CTRL+C to stop.

EXAMPLE 1

To see registered NetBIOS names and services:

  nbtstat -A [ipaddress]
  nbtstat -a [host]

EXAMPLE 2

  C:\>nbtstat -A XXX.XX.XXX.XX

         NetBIOS Remote Machine Name Table

     Name               Type         Status
  ---------------------------------------------
  STUDENT1       <20>  UNIQUE      Registered
  STUDENT1       <00>  UNIQUE      Registered
  DOMAIN1        <00>  GROUP       Registered
  DOMAIN1        <1C>  GROUP       Registered
  DOMAIN1        <1B>  UNIQUE      Registered
  STUDENT1       <03>  UNIQUE      Registered
  DOMAIN1        <1E>  GROUP       Registered
  DOMAIN1        <1D>  UNIQUE      Registered
  ..__MSBROWSE__.<01>  GROUP       Registered

  MAC Address = 00-C0-4F-C4-8C-9D

Here is a partial NetBIOS 16th byte listing:

Computername <00> UNIQUE  Workstation service name
<00> GROUP                Domain name
Server <20> UNIQUE        Server service name
Computername <03> UNIQUE  Registered by the messenger service. This is
                          the computername to be added to the LMHOSTS
                          file, which is not necessary to use NAT.EXE
                          but is necessary if you would like to view
                          the remote computer in Network Neighborhood.
Username <03>             Registered by the messenger service.
Domainname <1B>  Registers the local computer as the master browser for
                 the domain.
Domainname <1C>  Registers the computer as a domain controller for the
                 domain (PDC or BDC).
Domainname <1D>  Registers the local client as the local segment's
                 master browser for the domain.
Domainname <1E>  Registers as a group NetBIOS name.
Network Monitor Name
Network Monitor Agent
<06>  RAS Server
<1F>  Net DDE
<21>  RAS Client

=========================================================================
NOTES ON NBTSTAT
=========================================================================

The column headings generated by NBTSTAT have the following meanings:

Input        Number of bytes received.
Output       Number of bytes sent.
In/Out       Whether the connection is from the computer (outbound) or
             from another system to the local computer (inbound).
Life         The remaining time that a name table cache entry will
             "live" before your computer purges it.
Local Name   The local NetBIOS name given to the connection.
Remote Host  The name or IP address of the remote host.
Type         A name can have one of two types: unique or group. The
             last byte of the 16-character NetBIOS name often means
             something because the same name can be present multiple
             times on the same computer. This shows the last byte of
             the name converted into hex.
State        Your NetBIOS connections will be shown in one of the
             following "states":

State          Meaning
Accepting      An incoming connection is in process.
Associated     The endpoint for a connection has been created and your
               computer has associated it with an IP address.
Connected      This is a good state! It means you're connected to the
               remote resource.
Connecting     Your session is trying to resolve the name-to-IP address
               mapping of the destination resource.
Disconnected   Your computer requested a disconnect, and it is waiting
               for the remote computer to do so.
Disconnecting  Your connection is ending.
Idle           The remote computer has been opened in the current
               session, but is currently not accepting connections.
Inbound        An inbound session is trying to connect.
Listening      The remote computer is available.
Outbound       Your session is creating the TCP connection.
Reconnecting   If your connection failed on the first attempt, it will
               display this state as it tries to reconnect.

Name             Number  Type  Usage
=========================================================================
                 00      U     Workstation Service
                 01      U     Messenger Service
<\\_MSBROWSE_>   01      G     Master Browser
                 03      U     Messenger Service
                 06      U     RAS Server Service
                 1F      U     NetDDE Service
                 20      U     File Server Service
                 21      U     RAS Client Service
                 22      U     Exchange Interchange
                 23      U     Exchange Store
                 24      U     Exchange Directory
                 30      U     Modem Sharing Server Service
                 31      U     Modem Sharing Client Service
                 43      U     SMS Client Remote Control
                 44      U     SMS Admin Remote Control Tool
                 45      U     SMS Client Remote Chat
                 46      U     SMS Client Remote Transfer
                 4C      U     DEC Pathworks TCPIP Service
                 52      U     DEC Pathworks TCPIP Service
                 87      U     Exchange MTA
                 6A      U     Exchange IMC
                 BE      U     Network Monitor Agent
                 BF      U     Network Monitor Apps
                 03      U     Messenger Service
                 00      G     Domain Name
                 1B      U     Domain Master Browser
                 1C      G     Domain Controllers
                 1D      U     Master Browser
                 1E      G     Browser Service Elections
                 1C      G     Internet Information Server
                 00      U     Internet Information Server
                 [2B]    U     Lotus Notes Server
IRISMULTICAST    [2F]    G     Lotus Notes
IRISNAMESERVER   [33]    G     Lotus Notes
Forte_$ND800ZA   [20]    U     DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a
network device, multiple occurrences of a single name may appear to be
registered, but the suffix will be unique, making the entire name
unique.

Group (G): A normal group; the single name may exist with many IP
addresses.

Multihomed (M): The name is unique, but due to multiple network
interfaces on the same computer, this configuration is necessary to
permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name
used to manage WinNT domain names.

Domain Name (D): New in NT 4.0.
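The article's EXAMPLE 2 and the Name/Number/Type/Usage table above are easiest to use during an audit when the decoding is done for you. The following Python script is an added example (not code from the article or from its author) that parses the name table printed by `nbtstat -A` / `nbtstat -a`, decodes each 16th-byte suffix using the meanings the article lists, and reports what the host advertises: whether it is a file server (<20>), a domain controller (<1C> group), a domain or segment master browser (<1B>/<1D>), and which user names the messenger service has registered (<03> names that are not the workstation name, as the "Username <03>" entry describes). The sample output is constructed to match the article's layout, with one extra <03> entry (JSMITH) added to show the user-name case; the function names and the `SUFFIX_USAGE` / `ROLE_SUFFIXES` tables are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the article's EXAMPLE 2, with one extra
# <03> entry (JSMITH) added to show a user name registered by the messenger
# service. Not real capture data.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
STUDENT1       <20>  UNIQUE      Registered
STUDENT1       <00>  UNIQUE      Registered
DOMAIN1        <00>  GROUP       Registered
DOMAIN1        <1C>  GROUP       Registered
DOMAIN1        <1B>  UNIQUE      Registered
STUDENT1       <03>  UNIQUE      Registered
DOMAIN1        <1E>  GROUP       Registered
DOMAIN1        <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
JSMITH         <03>  UNIQUE      Registered

MAC Address = 00-C0-4F-C4-8C-9D
"""

# 16th-byte suffix meanings, keyed by (suffix, U/G) because the same suffix
# means different things for unique and group names. Values are taken from
# the article's Name/Number/Type/Usage table; unlisted suffixes decode as
# "unknown suffix".
SUFFIX_USAGE = {
    ("00", "U"): "Workstation Service",
    ("00", "G"): "Domain Name",
    ("01", "U"): "Messenger Service",
    ("01", "G"): "Master Browser",
    ("03", "U"): "Messenger Service",
    ("06", "U"): "RAS Server Service",
    ("1B", "U"): "Domain Master Browser",
    ("1C", "G"): "Domain Controllers",
    ("1D", "U"): "Master Browser",
    ("1E", "G"): "Browser Service Elections",
    ("1F", "U"): "NetDDE Service",
    ("20", "U"): "File Server Service",
    ("21", "U"): "RAS Client Service",
    ("BE", "U"): "Network Monitor Agent",
    ("BF", "U"): "Network Monitor Apps",
}

# One name-table row: up to 15 characters of name, <XX> suffix, UNIQUE/GROUP,
# and the status column.
NAME_LINE = re.compile(
    r"^(?P<name>.{1,15}?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)$"
)
MAC_LINE = re.compile(
    r"^MAC Address\s*=\s*(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})$"
)


def parse_name_table(text):
    """Parse nbtstat -A / -a output; return (entries, mac_address)."""
    entries, mac = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_LINE.match(line)
        if m:
            suffix = m.group("suffix").upper()
            kind = "U" if m.group("type") == "UNIQUE" else "G"
            entries.append({
                "name": m.group("name").strip(),
                "suffix": suffix,
                "type": kind,
                "status": m.group("status"),
                "usage": SUFFIX_USAGE.get((suffix, kind), "unknown suffix"),
            })
            continue
        m = MAC_LINE.match(line)
        if m:
            mac = m.group("mac").upper()
    return entries, mac


# Suffixes an auditor reads as a role the host is advertising on the wire.
ROLE_SUFFIXES = {
    ("20", "U"): "file server",
    ("1C", "G"): "domain controller",
    ("1B", "U"): "domain master browser",
    ("1D", "U"): "segment master browser",
    ("BE", "U"): "network monitor agent",
}


def audit_roles(entries):
    """Map each advertised role to the NetBIOS names that register it."""
    roles = defaultdict(list)
    for e in entries:
        role = ROLE_SUFFIXES.get((e["suffix"], e["type"]))
        if role:
            roles[role].append(e["name"])
    return dict(roles)


def logged_on_users(entries):
    """Unique <03> names that are not a workstation name (<00> unique) are,
    per the article, user names registered by the messenger service."""
    computers = {e["name"] for e in entries
                 if e["suffix"] == "00" and e["type"] == "U"}
    return sorted({e["name"] for e in entries
                   if e["suffix"] == "03" and e["type"] == "U"
                   and e["name"] not in computers})


if __name__ == "__main__":
    table, mac = parse_name_table(SAMPLE_NBTSTAT)
    for e in table:
        print(f"{e['name']:<16}<{e['suffix']}> {e['type']}  {e['usage']}")
    print("MAC:", mac)
    print("roles:", audit_roles(table))
    print("logged-on users:", logged_on_users(table))
```

Run against real output by piping `nbtstat -A <ip>` into a file and passing its contents to `parse_name_table`. The suffix table deliberately keys on both the suffix and the unique/group flag, because (as the article's table shows) <00> is the Workstation Service for a unique name but the Domain Name for a group name, and <1C> only means "domain controller" as a group name.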
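Returning to the ARP section at the top of the article: `arp -a` shows the cache and `arp -s` makes an entry permanent, but the article does not show how to check whether the cache still says what you expect. The following Python script is an added example, not the article's code, that parses `arp -a` output in the layout Windows prints and compares it with a table of pinned IP-to-MAC pairs (the entries an administrator would normally fix with `arp -s`). It reports a pinned address that is missing from the cache, one whose cached hardware address differs from the pinned value, one that is only present as a dynamic entry rather than a static one, and any single non-broadcast, non-multicast hardware address that the cache maps to more than one IP address. The sample output and the addresses in it are constructed; `parse_arp` and `check_cache` are this example's own names.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output in the layout Windows prints.
# The addresses are documentation-range values, not a real capture.
SAMPLE_ARP = """\
Interface: 192.0.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-55     dynamic
  192.0.2.20            00-11-22-33-44-55     dynamic
  192.0.2.30            aa-bb-cc-dd-ee-01     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Interface: <ip> --- 0x2" on current Windows; "Interface: <ip> on Interface 2"
# on NT 4. Both start the same way, which is all the regex needs.
INTERFACE_LINE = re.compile(rf"^Interface:\s+(?P<ip>{IPV4})")
ENTRY_LINE = re.compile(
    rf"^(?P<ip>{IPV4})\s+(?P<mac>(?:[0-9A-Fa-f]{{2}}-){{5}}[0-9A-Fa-f]{{2}})"
    r"\s+(?P<type>\w+)$"
)


def parse_arp(text):
    """Parse `arp -a` output into a list of cache entries."""
    entries, interface = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = INTERFACE_LINE.match(line)
        if m:
            interface = m.group("ip")
            continue
        m = ENTRY_LINE.match(line)
        if m:
            entries.append({
                "interface": interface,
                "ip": m.group("ip"),
                "mac": m.group("mac").lower(),
                "type": m.group("type").lower(),
            })
    return entries


def is_group_address(mac):
    """True for broadcast and multicast MACs: the low bit of the first octet
    is the group bit, so these legitimately serve many IP addresses."""
    return int(mac[:2], 16) & 1 == 1


def check_cache(entries, pinned):
    """Compare the cache with `pinned` (ip -> expected MAC, hyphenated).
    Returns a list of findings; an empty list means the cache agrees."""
    findings = []
    by_ip = {e["ip"]: e for e in entries}
    for ip, expected in pinned.items():
        cached = by_ip.get(ip)
        expected = expected.lower()
        if cached is None:
            findings.append({"kind": "missing", "ip": ip})
        elif cached["mac"] != expected:
            findings.append({"kind": "mismatch", "ip": ip,
                             "expected": expected, "cached": cached["mac"]})
        elif cached["type"] != "static":
            # Present and correct, but not made permanent with `arp -s`.
            findings.append({"kind": "not-static", "ip": ip})
    # One hardware address answering for several IP addresses deserves a
    # look; broadcast and multicast addresses are excluded by design.
    ips_per_mac = defaultdict(list)
    for e in entries:
        if not is_group_address(e["mac"]):
            ips_per_mac[e["mac"]].append(e["ip"])
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append({"kind": "shared-mac", "mac": mac, "ips": ips})
    return findings


if __name__ == "__main__":
    cache = parse_arp(SAMPLE_ARP)
    # Constructed pinned table: the default gateway and its expected MAC.
    for f in check_cache(cache, {"192.0.2.1": "00-11-22-33-44-55"}):
        print(f)
```

On a real host, feed the output of `arp -a` to `parse_arp` and keep the pinned table beside the `arp -s` entries you actually configured, so a drift between the two shows up as a `mismatch` or `not-static` finding rather than going unnoticed.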