{"id":908,"date":"2021-03-31T19:13:37","date_gmt":"2021-03-31T19:13:37","guid":{"rendered":"https:\/\/feralpacket.org\/?p=908"},"modified":"2021-04-28T14:59:01","modified_gmt":"2021-04-28T14:59:01","slug":"windows-cli-network-troubleshooting","status":"publish","type":"post","link":"https:\/\/feralpacket.org\/?p=908","title":{"rendered":"Windows CLI Network Troubleshooting"},"content":{"rendered":"\n

Just the commands. Some are CMD commands. Some are PowerShell commands.<\/p>\n\n\n\n

! computer name
hostname
echo %computername%
[System.NET.DNS]::GetHostByName(\u2018\u2018)
    ! – two single quotes
$env:COMPUTERNAME
get-ciminstance -classname Win32_ComputerSystem
    ! – computer model number<\/p>\n\n\n\n

! date \/ time
date \/t
echo %date%
time \/t
echo %time%
get-date
date
    ! \n – this works in powershell<\/p>\n\n\n\n

! MAC addresses
getmac \/v
ipconfig \/all
get-netadapter
wmic nic where physicaladapter=true get name,macaddress
get-ciminstance win32_networkadapterconfiguration | select description, macaddress<\/p>\n\n\n\n

! interfaces and IP addresses
netsh interface show interface
get-netadapter
    ! – link speed
get-netadapter | ft Name, Status, LinkSpeed, VlanID
get-netadapteradvancedproperty
    ! – VLAN ID, wake on magic packet
netsh interface ipv4 show addresses
ipconfig
get-netipconfiguration
(Get-WmiObject Win32_NetworkAdapterConfiguration | where { (($_.IPEnabled -ne $null) -and ($_.DefaultIPGateway -ne $null)) } | select IPAddress -First 1).IPAddress[0]
get-ciminstance win32_networkadapterconfiguration | select description, ipaddress
[System.NET.DNS]::GetHostAddresses(\u2018\u2018)
    ! – two single quotes<\/p>\n\n\n\n

! routing table
netsh interface ipv4 show route
netstat -r
route PRINT
get-netroute<\/p>\n\n\n\n

! ARP table
arp -a
get-netneighbor
get-netneighbor -addressfamily ipv4<\/p>\n\n\n\n

! DHCP
netsh dhcp show server
ipconfig \/release
ipconfig \/renew
ipconfig \/registerdns
get-ciminstance win32_networkadapterconfiguration | select description, dhcpleaseobtained, dhcpserver
    ! – DHCP server<\/p>\n\n\n\n

! DNS
netsh interface ipv4 show dnsservers
ipconfig \/all
    ! – lists DNS servers
get-dnsclientserveraddress
ipconfig \/registerdns
ipconfig \/displaydns
nslookup cnn.com
resolve-dnsname -name cnn.com
get-dnsclientcache
nslookup cnn.com
resolve-dnsname -name cnn.com
get-ciminstance win32_networkadapterconfiguration | select description, dnsserversearchorder<\/p>\n\n\n\n

! MTU
netsh interface ipv4 show subinterfaces
netsh interface ipv4 show interfaces level=verbose
get-netipinterface
ping -f -l 1400 192.0.2.1
    ! – adjust as necessary<\/p>\n\n\n\n

! path MTU
netsh interface ipv4 show destinationcache<\/p>\n\n\n\n

! discards, header errors, fragments, mtu
netsh interface ipv4 show subinterfaces level=verbose
get-ciminstance Win32_PerfRawData_Tcpip_NetworkInterface<\/p>\n\n\n\n

! windows firewall
netsh advfirewall show currentprofile
get-netfirewallprofile
get-netfirewallprofile -name public | get-netfirewallrule
get-netfirewallportfilter
get-netfirewalladdressfilter<\/p>\n\n\n\n

! connections and listening ports
netsh interface ipv4 show tcpconnections
netstat -a
netstat -an
get-nettcpconnection
netstat -ab | findstr “LISTENING”
    !  – lists the executable that is responsible for the listening port
netstat -ano
    !  – lists the owning process ID
netstat -ano | find `”LISTENING`”
    !  – ` escapes the “
    !  – needed with powershell
netstat -ano | find “””LISTENING”””
    !  – works with powershell
netstat -ano | find “LISTENING”
    !  – works with cmd.exe
tasklist | find “8076”
    !  – use the PID from the above netstat command
tasklist \/FI “PID eq 8076”
tasklist \/APPS \/FI “PID eq 8076”
tasklist \/SVC \/FI “PID eq 8076”
tasklist \/FI “STATUS eq RUNNING”
tasklist \/FI “STATUS eq NOT RESPONDING”<\/p>\n\n\n\n

! tcp \/ udp \/ ip \/ icmp statistics
netsh interface ipv4 show tcpstats
netsh interface ipv4 show udpstats
netsh interface ipv4 show ipstats
netsh interface ipv4 show icmpstats
netsh interface ipv4 show icmpstats | findstr \/v ” 0$”
    ! – do not display entries with a zero count<\/p>\n\n\n\n

! wireless
netsh wlan show wlanreport
    ! – save report as an .html file
    ! – error message0x2 if you have both LAN & WLAN connected
netsh wlan show networks
netsh wlan show all<\/p>\n\n\n\n

! ECN capability
netsh interface tcp show global
get-nettcpsetting<\/p>\n\n\n\n

! IPSec
netsh ipsec dynamic show all<\/p>\n\n\n\n

! test reachability
nslookup cnn.com
ping 192.0.2.1
ping 192.0.2.1 -t
test-netconnection 192.0.2.1
1..10 | % { test-netconnection 192.0.2.$_ } | ft -AutoSize
    ! – ping sweep
telnet 192.0.2.1 80
test-netconnection 192.0.2.1 -port 80
tracert 192.0.2.1
tracert -d 192.0.2.1
test-netconnection 192.0.2.1 -traceroute
pathping 192.0.2.1<\/p>\n\n\n\n

! nmap
    ! -sT – TCP connect scan
    ! -sV – version scan, try to identify the what is running on any open ports
    ! -F – fast mode
nmap -sT -sV -F 192.0.2.1
    ! aggressive scan, throw everything at it, including the kitchen sink
    ! -T4 enables aggressive timing to speed up the scan, otherwise it will take forever to run
nmap -A -T4 192.0.2.1
    ! scan a subnet, but only send ICMP echo requests
    ! exclude the network address, the broadcast address, and the local honeypot the “infosec” team is proud of
    ! -n to disable DNS lookups
    ! -sn to disable port scan
    ! -PE to specify ICMP echo request packets
nmap -n -sn -PE 192.0.2.0\/24 –exclude 192.0.2.0,192.0.2.69,192.0.2.255
    ! run a script to determine what SSL ciphers are available
    ! https:\/\/nmap.org\/nsedoc\/scripts\/ssl-enum-ciphers.html
nmap -sV –script .\\ssl-enum-ciphers -p 443 192.0.2.1
    ! display the packets being sent and received
    ! -n disables DNS lookup
    ! -sT runs a TCP connect scan
    ! -F enables fast mode, only scan 100 ports
    ! -Pn disables host discovery, with the TCP connect scan no ICMP packets will be sent
nmap -n -sT -F -Pn –packet-trace 192.0.2.1<\/p>\n\n\n\n

! run CMD command in powershell
invoke-command -scriptblock {ipconfig \/all}<\/p>\n\n\n\n

! username
echo %username%
whoami<\/p>\n\n\n\n

! active directory
get-addomain
get-addomaincontroller
get-aduser -identity feralpacket
get-aduser -identity feralpacket -properties *
\u00a0\u00a0\u00a0\u00a0! – LockedOut, PasswordExpired, PasswordLastSet
get-aduser -identity feralpacket -properties * | format-list LockedOut
get-adprincipalgroupmembership feralpacket | select name
get-adcomputer -identity heimdallr
\u00a0\u00a0\u00a0\u00a0! – Enabled
get-adcomputer -identity heimdallr -properties *
echo %logonserver%
$env:LOGONSERVER
\u00a0\u00a0\u00a0\u00a0! – LOGONSERVER
get-adcomputer heimdallr -properties memberof |
\u00a0\u00a0\u00a0\u00a0foreach-object{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$_.memberof | %{get-adobject $_ }
\u00a0\u00a0\u00a0\u00a0 } |
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0select name
get-aduser feralpacket -properties memberof |
\u00a0\u00a0\u00a0\u00a0foreach-object{
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0$_.memberof | %{get-adobject $_ }
\u00a0\u00a0\u00a0\u00a0 } |
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0select name<\/p>\n\n\n\n

! logged in users
(Get-WmiObject -Class win32_computersystem | Select-Object -ExpandProperty username).split(‘\\’)[1]
(Get-WmiObject -Class win32_computersystem | Select-Object -ExpandProperty username)
quser
query user
query session
qwinsta
query process
qprocess<\/p>\n\n\n\n

! group policy
gpresult \/r<\/p>\n\n\n\n

! environment variables
set
get-item env:*
ls env:<\/p>\n\n\n\n

! path
echo %PATH%
echo $env:path
$env:path-split’;’<\/p>\n\n\n\n

! everything and the kitchen sink
wmic nic where physicaladapter=true list full
get-ciminstance win32_networkadapter -property *
get-ciminstance win32_networkadapterconfiguration -property *
get-ciminstance Win32_OperatingSystem -property *
get-ciminstance Win32_PerfRawData_Tcpip_ICMP -property *
get-ciminstance Win32_PerfRawData_Tcpip_ICMPv6 -property *
get-ciminstance Win32_PerfRawData_Tcpip_IPv4 -property *
get-ciminstance Win32_PerfRawData_Tcpip_IPv6 -property *
get-ciminstance Win32_PerfRawData_Tcpip_UDPv4 -property *
get-ciminstance Win32_PerfRawData_Tcpip_UDPv6 -property *
get-ciminstance Win32_PerfRawData_TCPIPCounters_TCPIPPerformanceDiagnostics -property *<\/p>\n\n\n\n

! windows 10 builtin packet capture tool
    ! run CMD as Administrator
c:\\WINDOWS\\system32> pktmon.exe<\/p>\n\n\n\n

! configure filters
pktmon filter add -p 20
pktmon filter add -p 21
pktmon filter add -i 192.0.2.1
pktmon filter add -t ICMP
pktmon filter add -d IPv4
pktmon filter list<\/p>\n\n\n\n

! list the NICs
pktmon comp list<\/p>\n\n\n\n

! start and stop the capture
pktmon start -etw -p 0 -c 12
pktmon stop<\/p>\n\n\n\n

! delete any filters
pktmon filter remove<\/p>\n\n\n\n

! output to ASCII or .pcap
! default output file is PktMon.etl
pktmon format PktMon.etl -o ftp.txt
pktmon pcapng log.etl -o log.pcapng<\/p>\n\n\n\n

! capture in real-time
pktmon start -etw -p 0 -l real-time<\/p>\n\n\n\n

! sshd
get-windowscapability -online | ? name -like “openssh*”
    !  – install if necessary
get-service “sshd”
get-service sshd | select -property name,status,starttype
start-service sshd -whatIf
set-service -name sshd -startuptype ‘Automatic’
set-service sshd -startuptype “Manual”
start-service sshd
start-service sshd -Confirm
get-netfirewallrule -name *ssh*
get-service | ? status -like “Stopped”
get-service | ? status -like “Running”
get-service | ? status -notlike “Running”
get-service
    !  – status
    !  – name
    !  – displayname
get-service sshd | select -property name,status,starttype
get-service sshd | select-object *
get-service | select -property name,status,starttype | ? starttype -like “Manual”
get-service | select -property name,status,starttype | ? starttype -like “Disabled”
get-service “s*” | sort-object status<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Just the commands. Some are CMD commands. Some are PowerShell commands. ! computer namehostnameecho %computername%[System.NET.DNS]::GetHostByName(\u2018\u2018)    ! – two single quotes$env:COMPUTERNAMEget-ciminstance -classname Win32_ComputerSystem    ! – computer model number ! date \/ timedate \/techo %date%time \/techo %time%get-datedate    ! – this works in powershell ! MAC addressesgetmac \/vipconfig \/allget-netadapterwmic nic where physicaladapter=true get name,macaddressget-ciminstance win32_networkadapterconfiguration | select description, macaddress ! interfaces […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-908","post","type-post","status-publish","format-standard","hentry","category-ccie"],"_links":{"self":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=908"}],"version-history":[{"count":32,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/908\/revisions"}],"predecessor-version":[{"id":952,"href":"https:\/\/feralpacket.org\/index.php?rest_route=\/wp\/v2\/posts\/908\/revisions\/952"}],"wp:attachment":[{"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/feralpacket.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}