Windows CLI Network Troubleshooting
Just the commands. Some are CMD commands. Some are PowerShell commands.
! computer name
hostname
echo %computername%
[System.NET.DNS]::GetHostByName('')
! – two single quotes
$env:COMPUTERNAME
get-ciminstance -classname Win32_ComputerSystem
! – computer model number
! date / time
date /t
echo %date%
time /t
echo %time%
get-date
date
! – this works in powershell
! MAC addresses
getmac /v
ipconfig /all
get-netadapter
wmic nic where physicaladapter=true get name,macaddress
get-ciminstance win32_networkadapterconfiguration | select description, macaddress
! interfaces and IP addresses
netsh interface show interface
get-netadapter
! – link speed
get-netadapter | ft Name, Status, LinkSpeed, VlanID
get-netadapteradvancedproperty
! – VLAN ID, wake on magic packet
netsh interface ipv4 show addresses
ipconfig
get-netipconfiguration
(Get-WmiObject Win32_NetworkAdapterConfiguration | where { (($_.IPEnabled -ne $null) -and ($_.DefaultIPGateway -ne $null)) } | select IPAddress -First 1).IPAddress[0]
get-ciminstance win32_networkadapterconfiguration | select description, ipaddress
[System.NET.DNS]::GetHostAddresses('')
! – two single quotes
! routing table
netsh interface ipv4 show route
netstat -r
route PRINT
get-netroute
! ARP table
arp -a
get-netneighbor
get-netneighbor -addressfamily ipv4
! DHCP
netsh dhcp show server
ipconfig /release
ipconfig /renew
ipconfig /registerdns
get-ciminstance win32_networkadapterconfiguration | select description, dhcpleaseobtained, dhcpserver
! – DHCP server
! DNS
netsh interface ipv4 show dnsservers
ipconfig /all
! – lists DNS servers
get-dnsclientserveraddress
ipconfig /registerdns
ipconfig /displaydns
nslookup cnn.com
resolve-dnsname -name cnn.com
get-dnsclientcache
nslookup cnn.com
resolve-dnsname -name cnn.com
get-ciminstance win32_networkadapterconfiguration | select description, dnsserversearchorder
! MTU
netsh interface ipv4 show subinterfaces
netsh interface ipv4 show interfaces level=verbose
get-netipinterface
ping -f -l 1400 192.0.2.1
! – adjust as necessary
! path MTU
netsh interface ipv4 show destinationcache
! discards, header errors, fragments, mtu
netsh interface ipv4 show subinterfaces level=verbose
get-ciminstance Win32_PerfRawData_Tcpip_NetworkInterface
! windows firewall
netsh advfirewall show currentprofile
get-netfirewallprofile
get-netfirewallprofile -name public | get-netfirewallrule
get-netfirewallportfilter
get-netfirewalladdressfilter
! connections and listening ports
netsh interface ipv4 show tcpconnections
netstat -a
netstat -an
get-nettcpconnection
netstat -ab | findstr "LISTENING"
! – lists the executable that is responsible for the listening port
netstat -ano
! – lists the owning process ID
netstat -ano | find `"LISTENING`"
! – ` escapes the "
! – needed with powershell
netstat -ano | find """LISTENING"""
! – works with powershell
netstat -ano | find "LISTENING"
! – works with cmd.exe
tasklist | find "8076"
! – use the PID from the above netstat command
tasklist /FI "PID eq 8076"
tasklist /APPS /FI "PID eq 8076"
tasklist /SVC /FI "PID eq 8076"
tasklist /FI "STATUS eq RUNNING"
tasklist /FI "STATUS eq NOT RESPONDING"
! tcp / udp / ip / icmp statistics
netsh interface ipv4 show tcpstats
netsh interface ipv4 show udpstats
netsh interface ipv4 show ipstats
netsh interface ipv4 show icmpstats
netsh interface ipv4 show icmpstats | findstr /v " 0$"
! – do not display entries with a zero count
! wireless
netsh wlan show wlanreport
! – save report as an .html file
! – error message 0x2 if you have both LAN & WLAN connected
netsh wlan show networks
netsh wlan show all
! ECN capability
netsh interface tcp show global
get-nettcpsetting
! IPSec
netsh ipsec dynamic show all
! test reachability
nslookup cnn.com
ping 192.0.2.1
ping 192.0.2.1 -t
test-netconnection 192.0.2.1
1..10 | % { test-netconnection 192.0.2.$_ } | ft -AutoSize
! – ping sweep
telnet 192.0.2.1 80
test-netconnection 192.0.2.1 -port 80
tracert 192.0.2.1
tracert -d 192.0.2.1
test-netconnection 192.0.2.1 -traceroute
pathping 192.0.2.1
! nmap
! -sT – TCP connect scan
! -sV – version scan, try to identify what is running on any open ports
! -F – fast mode
nmap -sT -sV -F 192.0.2.1
! aggressive scan, throw everything at it, including the kitchen sink
! -T4 enables aggressive timing to speed up the scan, otherwise it will take forever to run
nmap -A -T4 192.0.2.1
! scan a subnet, but only send ICMP echo requests
! exclude the network address, the broadcast address, and the local honeypot the "infosec" team is proud of
! -n to disable DNS lookups
! -sn to disable port scan
! -PE to specify ICMP echo request packets
nmap -n -sn -PE 192.0.2.0/24 --exclude 192.0.2.0,192.0.2.69,192.0.2.255
! run a script to determine what SSL ciphers are available
! https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
nmap -sV --script .\ssl-enum-ciphers -p 443 192.0.2.1
! display the packets being sent and received
! -n disables DNS lookup
! -sT runs a TCP connect scan
! -F enables fast mode, only scan 100 ports
! -Pn disables host discovery, with the TCP connect scan no ICMP packets will be sent
nmap -n -sT -F -Pn --packet-trace 192.0.2.1
! run CMD command in powershell
invoke-command -scriptblock {ipconfig /all}
! username
echo %username%
whoami
! active directory
get-addomain
get-addomaincontroller
get-aduser -identity feralpacket
get-aduser -identity feralpacket -properties *
! – LockedOut, PasswordExpired, PasswordLastSet
get-aduser -identity feralpacket -properties * | format-list LockedOut
get-adprincipalgroupmembership feralpacket | select name
get-adcomputer -identity heimdallr
! – Enabled
get-adcomputer -identity heimdallr -properties *
echo %logonserver%
$env:LOGONSERVER
! – LOGONSERVER
get-adcomputer heimdallr -properties memberof |
foreach-object{
$_.memberof | %{get-adobject $_ }
} |
select name
get-aduser feralpacket -properties memberof |
foreach-object{
$_.memberof | %{get-adobject $_ }
} |
select name
! logged in users
(Get-WmiObject -Class win32_computersystem | Select-Object -ExpandProperty username).split('\')[1]
(Get-WmiObject -Class win32_computersystem | Select-Object -ExpandProperty username)
quser
query user
query session
qwinsta
query process
qprocess
! group policy
gpresult /r
! environment variables
set
get-item env:*
ls env:
! path
echo %PATH%
echo $env:path
$env:path -split ';'
! everything and the kitchen sink
wmic nic where physicaladapter=true list full
get-ciminstance win32_networkadapter -property *
get-ciminstance win32_networkadapterconfiguration -property *
get-ciminstance Win32_OperatingSystem -property *
get-ciminstance Win32_PerfRawData_Tcpip_ICMP -property *
get-ciminstance Win32_PerfRawData_Tcpip_ICMPv6 -property *
get-ciminstance Win32_PerfRawData_Tcpip_IPv4 -property *
get-ciminstance Win32_PerfRawData_Tcpip_IPv6 -property *
get-ciminstance Win32_PerfRawData_Tcpip_UDPv4 -property *
get-ciminstance Win32_PerfRawData_Tcpip_UDPv6 -property *
get-ciminstance Win32_PerfRawData_TCPIPCounters_TCPIPPerformanceDiagnostics -property *
! windows 10 builtin packet capture tool
! run CMD as Administrator
c:\WINDOWS\system32> pktmon.exe
! configure filters
pktmon filter add -p 20
pktmon filter add -p 21
pktmon filter add -i 192.0.2.1
pktmon filter add -t ICMP
pktmon filter add -d IPv4
pktmon filter list
! list the NICs
pktmon comp list
! start and stop the capture
pktmon start -etw -p 0 -c 12
pktmon stop
! delete any filters
pktmon filter remove
! output to ASCII or .pcap
! default output file is PktMon.etl
pktmon format PktMon.etl -o ftp.txt
pktmon pcapng log.etl -o log.pcapng
! capture in real-time
pktmon start -etw -p 0 -l real-time
! sshd
get-windowscapability -online | ? name -like "openssh*"
! – install if necessary
get-service "sshd"
get-service sshd | select -property name,status,starttype
start-service sshd -whatIf
set-service -name sshd -startuptype 'Automatic'
set-service sshd -startuptype "Manual"
start-service sshd
start-service sshd -Confirm
get-netfirewallrule -name *ssh*
get-service | ? status -like "Stopped"
get-service | ? status -like "Running"
get-service | ? status -notlike "Running"
get-service
! – status
! – name
! – displayname
get-service sshd | select -property name,status,starttype
get-service sshd | select-object *
get-service | select -property name,status,starttype | ? starttype -like "Manual"
get-service | select -property name,status,starttype | ? starttype -like "Disabled"
get-service "s*" | sort-object status