CYBV 301 Week 2 Lecture

The document provides an overview of the Command Line Interface (CLI) for both Linux and Windows, detailing file structures, navigation commands, and administrative commands. It emphasizes the importance of CLI in network/system administration and security tasks, highlighting its power and efficiency compared to Graphical User Interfaces (GUIs). Additionally, it includes exercises for practicing navigation and administrative commands in Linux, along with security-related command usage.

Uploaded by

brandongconger

CYBV301 Fundamentals of Cybersecurity

Week 2

Introduction to the Command Line Interface


Agenda
 Introduction to the Command Line Interface (CLI)
 Linux Command Line Interface
 File Structure
 Navigation related commands
 Control/Administrative related commands
 Security related commands
 Windows Command Line Interface
 File Structure
 Navigation related commands
 Control/Administrative related commands
 Security related commands
 Putting it all together
 References
GUI vs. CLI
 GUI = Graphical User Interface
 Desktop (Windows, macOS, Linux)
 Point & Click, Drag & Drop
 More user friendly/intuitive
 Easier to navigate for beginners
 Less powerful

 CLI = Command Line Interface
 Terminal window access only
 Text entry only
 Less user friendly/intuitive
 Faster navigation for experienced users
 More powerful
Why do I need/want the CLI?
 Most network/system administration tools use or offer the CLI
 Many security related applications and tasks will require the CLI
 Linux is a critical operating system in security & networking
 Some versions of Linux do not have a GUI
 The CLI is typically a more powerful tool in Linux
 You can’t always access the functions you want via the GUI
 The GUI doesn't always tell the truth
 When you turn something off – it doesn't always go or stay off
 The CLI is almost always available on every system
 You will always have another way to attempt to do something.
Command Line Interfaces
Linux, UNIX, Mac OS
 BASH - Bash is the Bourne Again SHell. Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification.
 The improvements offered by Bash include:
 Command line editing
 Unlimited size command history
 Job control
 Shell functions and aliases
 Indexed arrays of unlimited size
 Integer arithmetic in any base from two to sixty-four

 DASH - the Debian Almquist shell, a derivative of the Almquist shell (also known as A Shell, ash and sh), a lightweight Unix shell originally written by Kenneth Almquist in the late 1980s. Initially a clone of the System V.4 variant of the Bourne shell, ash replaced the original Bourne shell in the BSD versions of Unix released in the early 1990s. On Debian-based systems /bin/sh is dash, so a script run as sh gets none of the Bash extensions listed above.

Windows
 Cmd.exe - Command Prompt, also known as cmd.exe or cmd (after its executable file name), is the command-line interpreter on Windows operating systems.
 PowerShell - PowerShell (including Windows PowerShell and PowerShell Core) is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language built on the .NET Framework.
Linux
Linux File Structure

 One root
 One tree
 Different distributions
 Slight variations
Navigation in Linux (1 of 7)
Some Important Linux Notes
 Linux is case sensitive - “Desktop” is not the same as “desktop”
 You can use tab autocomplete in Linux – typing is hard
 The absolute pathname gives the complete path to a certain file or directory
 Example: The shadow-sample-2.txt file on your system has an absolute pathname as follows:

/home/student/samples/shadow-sample-2.txt

 Absolute file names start with a slash because the slash indicates the root directory, followed by the filesystem tree directory by directory
 The slash is also used to separate the directories within a path
 The dot (.) and two dots (..) represent the working directory and the parent directory respectively.
Navigation in Linux (2 of 7)
The Command Prompt

*Never type the Command Prompt when given an example command*
 ~$
 Running as a user
 Least privilege
 Less dangerous – best practice
 May need to use sudo for certain commands

 ~#
 Running as root
 Full privileges
 Very dangerous
 Can run any command
 So can any malware or attacker!
Navigation in Linux (3 of 7)
 To see/print the current working directory
 ~$ pwd
 List directory contents and file information
 ~$ ls
 List all files including hidden files & directories
 ~$ ls -a
 List all files including hidden files in a long listing format
 ~$ ls -la
Navigation in Linux (4 of 7)

 To change directories
 ~$ cd [directory name]
 ~$ cd Desktop
 To move back one directory
 ~$ cd ..
 To move back to your home directory from anywhere
 ~$ cd
Navigation in Linux (5 of 7)

 To clear the screen
 ~$ clear
 Not really a navigation command
 Keep the terminal uncluttered
 No loss of data
 Command Prompt returns to the top of the screen
 Can be run from any directory
 Can be run as a user or root


Navigation in Linux (6 of 7)

 Create a hash of a file
 ~$ md5sum [file name]
 Used to create a unique “fingerprint” or “serial number” of a file. (MD5 is no longer collision resistant; sha256sum is used the same way and is preferred for integrity checks.)
 Open a text file
 ~$ head [file name]
 ~$ less [file name]
 ~$ more [file name]
 ~$ vi [file name] (read & write)

Navigation in Linux (7 of 7)

 Using the vi (or vim) command to edit text
 ~$ vi Letter_01.txt
 Command mode vs insert mode
 Press “i” to enter insert mode
 Press Esc to return to command mode
 :w writes to the file
 :q closes the file (:wq writes and closes; :q! closes without saving)


Navigation in Linux Exercise
 Open a terminal window in your Linux desktop
 Identify your current working directory using the “pwd” command
 List the contents of your current working directory using the “ls” command
 Navigate to the “Letters” directory and identify the files it contains
 Clear your terminal window
 Navigate to the “Pictures” directory and identify the files it contains
 Navigate back to your “/home/student” directory using its absolute pathname
 Use the “pwd” command to verify that you are in the correct directory
 Clear your terminal window
 If you have time, continue to explore your file system, then navigate back to your home directory via the “cd” and “cd ..” commands
Linux Admin (1 of 7)
 Man pages
 Displays information from the online reference manual about the specified command.
 Example
 ~$ man ls
 Provides details on the “ls” command
Linux Admin (2 of 7)
 To make a directory
 ~$ mkdir [directory name]

 To delete a directory
 ~$ rmdir [directory name] (empty directory only)
 ~$ rm -r [directory name] (*Note: deletes directory and all subdirectories & files)

 To create a file
 ~$ touch [file name]

 To rename a file
 ~$ mv [old file name] [new file name]

 To move a file
 ~$ mv [file name] [directory name/]

 To delete a file
 ~$ rm [file name]
Linux Admin (3 of 7)
 To create a user account (Must use Virtualbox or VMWare)
 ~$ su -
 The system will prompt you for the admin (root) password
 ~# useradd [user name]
 Then add the user’s password
 ~# passwd [user name]
 The system will prompt you for the user’s new password, then you will have to verify it.

 To delete a user account (Must use Virtualbox or VMWare)
 ~$ su -
 The system will prompt you for the admin (root) password
 ~# userdel [user name]
 ~# userdel -r [user name] (*Note: if you also want to remove the user's home directory and its files*)
Linux Admin (4 of 7)
 To change your account password
 ~$ passwd
 The system will prompt you for the current password
 The system will then prompt you for the new password - then you will have to verify it.
 Then the system will inform you that the password has been changed

 To change any account password when you are logged in as root (Must use Virtualbox or VMWare)
 ~# passwd [user account name]
 The system will then prompt you for the new password
 The system will prompt you to retype the new password
 Then the system will inform you that the password has been changed
Linux Admin (5 of 7)
 To find your IP address
 ~$ sudo ifconfig
 This command will display the network interfaces (on newer distributions ifconfig may not be installed; ~$ ip addr shows the same information)
 eth0 is your Ethernet network interface that is used to communicate externally
 lo is your loopback interface that is used by the system to communicate with itself
 Depending upon system configuration, you could have additional network interfaces (e.g. wlan0, eth1, eth2, etc.)
Linux Admin (6 of 7)
 To identify your firewall rules
 ~$ sudo iptables -L -n
 This command will display the current iptables firewall rules
 To clear all the configured firewall rules
 ~$ sudo iptables -F
 Flushing removes the rules but leaves each chain's default policy in place; on a remote host whose INPUT policy is DROP, this can lock you out
Linux Admin (7 of 7)
 To check for network connectivity
 ~$ ping [IP address or URL]
 Example
 ~$ ping 8.8.8.8
 ~$ ping www.google.com

 The system will send a series of pings to the IP address
 You will see the bytes sent, the ttl values and the response times in ms.
 If you do not have network connectivity, an error message will appear
 Your system will continue to ping the target system until you quit
 Press Ctrl+C to stop
Linux Admin Exercise
 Open a terminal window in your Linux desktop
 Identify your system’s IP address using the “ifconfig” command
 Check the status of your firewall
 Clear your terminal window
 Create a user with a username of “test1” and a password of “!passWord1!”
 Delete the “test1” user account
 Clear your terminal window
 Ping the 8.8.8.8 IP address
 Clear your terminal then close the window.
Linux CLI & Security (1 of 7)
Linux Commands – Unusual Network Usage
 Look for promiscuous mode, which might indicate a sniffer:
 # ip link | grep PROMISC
 Look for unusual port listeners:
 # netstat -nap
 (on systems without netstat, # ss -nap shows the same information)
 Get more details about running processes listening on ports:
 # lsof -i
 Look for unusual ARP entries, mapping IP address to MAC addresses that aren’t correct for the LAN:
 # arp -a
 This analysis requires detailed knowledge of which addresses are supposed to be on the LAN.
 On a small and/or specialized LAN (such as a DMZ), look for unexpected IP addresses.
-SANS Intrusion Discovery Cheat Sheet
Linux CLI & Security (2 of 7)
Linux Commands – Unusual Processes and Services
 Look at all running processes:
 # ps aux
 Get familiar with "normal" processes for the machine. Look for unusual processes. Focus on processes with root (UID 0) privileges. If you spot a process that is unfamiliar, investigate in more detail using:
 # lsof -p [pid]
* Note: This command shows all files and ports used by the running process.
 If your machine has it installed, run chkconfig to see which services are enabled at various runlevels:
 # chkconfig --list
 (on systemd-based distributions use # systemctl list-unit-files --type=service instead)

-SANS Intrusion Discovery Cheat Sheet


Linux CLI & Security (3 of 7)
Linux Commands – Unusual Files
 Look for unusual SUID root files:
 # find / -uid 0 -perm -4000 -print
 This requires knowledge of normal SUID files.
 Look for unusually large files (greater than 10 MegaBytes):
 # find / -size +10000k -print
 This requires knowledge of normal large files.
 Look for files named with dots and spaces ("...", ".. ", ". ", and " ") used to camouflage files:
 # find / -name "..." -print
 # find / -name ".. " -print
 # find / -name ". " -print
 # find / -name " " -print
 Look for processes running out of or accessing files that have been unlinked (i.e., link count is zero). An attacker may be hiding data in or running a backdoor from such files:
 # lsof +L1
 Pay special attention to changes associated with items in /sbin, /bin, /usr/sbin, and /usr/bin.
 In some versions of Linux, this analysis is automated by the built-in check-packages script.

-SANS Intrusion Discovery Cheat Sheet
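An added example, not from the lecture or the SANS cheat sheet: it builds a scratch directory of constructed specimens (the camouflaged names, a file with the SUID bit set, an oversized file) and runs the slide's find(1) tests against it, so the checks can be rehearsed without root and without scanning the real filesystem. The scratch layout and the 100 KiB size threshold are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the lecture or the SANS cheat sheet): the "Unusual
# Files" checks run against a scratch directory populated with constructed
# specimens. On a live host you would run the same find(1) tests from / as
# the slide shows.

# Create a scratch tree containing the things the slide tells you to hunt
# for and print its path. Everything in it is constructed for this demo.
make_scratch() {
  d="$(mktemp -d)"
  mkdir -p "$d/legit"
  printf 'ordinary file\n' > "$d/legit/readme.txt"
  # Camouflaged names: three dots, "dot dot space", "dot space" and a lone
  # space. The trailing spaces are part of the names.
  mkdir "$d/..."
  mkdir "$d/.. "
  printf 'x' > "$d/. "
  printf 'x' > "$d/ "
  # A file with the SUID bit set (mode 4755).
  printf '#!/bin/sh\necho hi\n' > "$d/legit/suidtool"
  chmod 4755 "$d/legit/suidtool"
  # A 200 KiB file, "large" relative to the 100 KiB threshold used below
  # (the slide uses +10000k, roughly 10 MB, on a real system).
  dd if=/dev/zero of="$d/legit/big.bin" bs=1024 count=200 2>/dev/null
  printf '%s\n' "$d"
}

# Camouflaged names. -name matches the whole name exactly, so the quoting
# must preserve the spaces; each pattern is searched in turn.
find_camouflaged() {
  for n in '...' '.. ' '. ' ' '; do
    find "$1" -name "$n" -print
  done
}

# SUID files. The slide adds -uid 0 to restrict the search to root-owned
# files; it is omitted here because nothing in the scratch tree is root's.
suid_files() {
  find "$1" -type f -perm -4000 -print
}

# Files larger than $2 KiB (find's -size +Nk rounds sizes up to whole KiB).
large_files() {
  find "$1" -type f -size +"$2"k -print
}

# Stand-alone demonstration; builds the tree, runs the checks, cleans up.
demo() {
  d="$(make_scratch)"
  echo "== camouflaged names ==";  find_camouflaged "$d"
  echo "== SUID files ==";         suid_files "$d"
  echo "== files over 100 KiB =="; large_files "$d" 100
  rm -rf "$d"
}
demo
```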


Linux CLI & Security (4 of 7)
Linux Commands – Unusual Scheduled Tasks
 Look for cron jobs scheduled by root and any other UID 0 accounts:
 # crontab -u root -l
 Look for unusual system-wide cron jobs:
 # cat /etc/crontab
 # ls /etc/cron.*

-SANS Intrusion Discovery Cheat Sheet


Linux CLI & Security (5 of 7)
Linux Commands – Unusual Accounts

 Look in /etc/passwd for new accounts in sorted list by UID:
 # sort -nk3 -t: /etc/passwd | less
 Normal accounts will be there, but look for new, unexpected accounts, especially with UID < 500 (many current distributions start regular user accounts at UID 1000, so treat everything below that as a system account that must be explained). Also, look for unexpected UID 0 accounts:
 # egrep ':0+:' /etc/passwd
 On systems that use multiple authentication methods:
 # getent passwd | egrep ':0+:'
 Look for orphaned files, which could be a sign of an attacker's temporary account that has been deleted.
 # find / -nouser -print

-SANS Intrusion Discovery Cheat Sheet
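An added example, not from the lecture or the SANS cheat sheet: the /etc/passwd checks above as shell functions that read a passwd-format file (or standard input), run over a constructed sample so the planted findings are known in advance. The sample accounts and the allow list of expected low-UID accounts are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the lecture or the SANS cheat sheet): the
# "Unusual Accounts" checks as shell functions. Each reads the files named
# as arguments, or stdin when none are given, so the same function works
# on the sample below, on /etc/passwd, or on `getent passwd` output.

# Constructed sample passwd file. "backup2" (a second UID 0 account) and
# "svc" (an unexpected account in the low UID range) are the planted findings.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
student:x:1000:1000:Student:/home/student:/bin/bash
backup2:x:0:0:backup:/tmp:/bin/bash
svc:x:499:499:svc:/tmp:/bin/sh
EOF
}

# Accounts sorted numerically by UID (field 3, ':' separated), the slide's
# `sort -nk3 -t: /etc/passwd`.
sorted_by_uid() {
  sort -t: -nk3 "$@"
}

# Every account whose UID field is 0. The slide's `egrep ':0+:'` matches a
# zero in any field (a GID of 0, for example); testing field 3 directly
# avoids that false positive.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$@"
}

# Accounts with 0 < UID < 500 (the slide's system-account range; many
# current distributions start regular users at 1000) that are not in the
# space-separated allow list given as the first argument.
low_uid_accounts() {
  allow="$1"; shift
  awk -F: -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $3 > 0 && $3 < 500 && !($1 in ok) { print $1 }
  ' "$@"
}

# Demonstration on the constructed sample. On a real host replace
# `sample_passwd |` with a file argument, e.g. uid0_accounts /etc/passwd.
echo "== accounts by UID ==";      sample_passwd | sorted_by_uid
echo "== UID 0 accounts ==";       sample_passwd | uid0_accounts
echo "== unexpected UID < 500 =="; sample_passwd | low_uid_accounts "daemon sshd"
```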


Linux CLI & Security (6 of 7)
Linux Commands – Log Entries

 Look through your system log files for suspicious events, including:
 "entered promiscuous mode"
 Large number of authentication or login failures from either local or remote access tools (e.g., telnetd, sshd, etc.)
 Remote Procedure Call (rpc) programs with a log entry that includes a large number (> 20) strange characters (such as ^PM-^PM-^PM- ^PM-^PM-^PM-^PM-^PM)
 For systems running web servers: larger than normal number of Apache logs saying "error"
 Reboots and/or application restarts

-SANS Intrusion Discovery Cheat Sheet
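An added example, not from the lecture or the SANS cheat sheet: the log checks above (promiscuous mode, repeated authentication failures, rpc entries full of escape sequences) as shell functions run over a constructed syslog sample. The sample lines and the thresholds are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the lecture or the SANS cheat sheet): the checks
# from the "Log Entries" slide as shell functions, exercised on a constructed
# syslog sample. On a live host give them a file argument instead, e.g.
# brute_force_sources 10 /var/log/auth.log (Debian/Ubuntu) or
# /var/log/secure (Red Hat family).

# Constructed sample log. The addresses are from the RFC 5737 documentation
# ranges, not real hosts.
sample_log() {
  cat <<'EOF'
Mar  3 10:12:01 host kernel: device eth0 entered promiscuous mode
Mar  3 10:13:22 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:13:24 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:13:27 host sshd[2212]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:13:29 host sshd[2212]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:13:30 host sshd[2214]: Accepted password for student from 192.0.2.10 port 50110 ssh2
Mar  3 10:15:02 host sshd[2220]: Failed password for student from 198.51.100.7 port 51000 ssh2
Mar  3 10:16:00 host systemd[1]: Started Daily apt download activities.
Mar  3 10:17:45 host rpc.statd[901]: request from 203.0.113.9: ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
Mar  3 10:18:00 host kernel: device eth0 left promiscuous mode
EOF
}

# Number of "entered promiscuous mode" events: an interface was put into
# promiscuous mode, which is what a packet sniffer does.
promisc_events() {
  awk '/entered promiscuous mode/ { n++ } END { print n + 0 }' "$@"
}

# Failed sshd logins counted per source address, most frequent first.
# Output lines look like: "4 203.0.113.5".
failed_logins_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
       }
       END { for (h in c) print c[h], h }' "$@" | sort -rn
}

# Source addresses with at least $1 failures: the "large number of
# authentication failures" the slide says to look for.
brute_force_sources() {
  t="$1"; shift
  failed_logins_by_source "$@" | awk -v t="$t" '$1 >= t { print $2 }'
}

# Count of rpc entries containing more than $1 control/meta escape
# sequences ("^P", "M-" and the like, which is how syslog renders
# non-printable bytes), the slide's "> 20 strange characters" indicator.
noisy_rpc_entries() {
  t="$1"; shift
  awk -v t="$t" '/rpc/ { s = $0; n = gsub(/\^[A-Z]|M-/, "", s); if (n > t) k++ }
                 END { print k + 0 }' "$@"
}

# Demonstration on the constructed sample.
echo "== promiscuous-mode events: $(sample_log | promisc_events)"
echo "== failed logins by source ==";         sample_log | failed_logins_by_source
echo "== sources with 3 or more failures =="; sample_log | brute_force_sources 3
echo "== rpc entries with > 20 escape sequences: $(sample_log | noisy_rpc_entries 20)"
```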


Linux CLI & Security (7 of 7)
Linux Commands – Other Unusual Items
 Sluggish system performance:
 $ uptime
 Look at "load average"
 Excessive memory use:
 $ free
 Sudden decreases in available disk space:
 $ df

-SANS Intrusion Discovery Cheat Sheet


Windows
Windows File Structure

 Many Roots
 Many Trees
Navigation in Windows (1 of 6)
Some Important Windows Notes
 Windows is generally not case sensitive - “Desktop” is the same as “desktop”
 Windows tab autocomplete does not work well – typing is hard…type carefully
 Windows uses backslashes instead of forward slashes
 C:\Users\Administrator>
 The backslash is used to separate the directories within a path
 The dot (.) and two dots (..) represent the working directory and the parent directory respectively.
Navigation in Windows (2 of 6)
The Command Prompt

*Never type the Command Prompt when given an example command*
 C:\Users\Administrator>
 Running as a limited user whenever possible
 Least privilege
 Less dangerous – best practice
 When running as system or administrator
 Full privileges
 Very dangerous
 Can run any command
 So can any malware or attacker!
Navigation in Windows (3 of 6)
 To see/print the current working directory
 C:\User\Administrator> cd
 List directory contents and file information
 C:\User\Administrator> dir
Navigation in Windows (4 of 6)
 List all files and directories including hidden files and directories
 C:\User\Administrator> dir /a
Navigation in Windows (5 of 6)
 To change directories
 C:\User\Administrator> cd [directory name]
 C:\User\Administrator> cd Desktop
 To move back/up one directory
 C:\User\Administrator> cd ..
 To jump to a specific directory
 C:\User\Administrator> cd [directory path]
Navigation in Windows (6 of 6)

 To clear the screen
 C:\User\Administrator> cls
 Not really a navigation command
 Keep the terminal uncluttered
 No loss of data
 Command Prompt returns to the top of the screen
 Can be run from any directory
 Can be run as a user or admin


Navigation in Windows Exercise
 Open a terminal window in your Windows desktop
 Identify your current working directory using the “cd” command
 List the contents of your current working directory using the “dir” command
 Navigate to the “Music” directory and identify if it contains any files
 Clear your terminal window
 Navigate back to your “Users\Administrator” directory using the “cd ..” command
 Navigate back to the “\Users\” directory using its absolute pathname
 Use the “cd” command to verify that you are in the correct directory
 List the contents of your current working directory
 Navigate to the C:\ directory using the “cd ..” command
 List the contents of your current working directory
 Clear your terminal window
 If you have time, continue to explore your file system, then navigate back to your home directory via the “cd” command
Windows Control & Admin (1 of 6)
 To make a directory (mkdir or md)
 C:\User\Administrator> mkdir [directory name]
 To delete a directory (rmdir or rd)
 C:\User\Administrator> rmdir [directory name]
 C:\User\Administrator> rd /s [directory name] (*Note: deletes directory and all subdirectories & files)
 To create a file (empty file)
 C:\User\Administrator> copy nul [file name]
 To rename a file (ren or rename)
 C:\User\Administrator> ren [old file name] [new file name]
 To move a file
 C:\User\Administrator> move [source directory]\[file name] [target directory name]
 To delete a file
 C:\User\Administrator> del [file name]
Windows Control & Admin (2 of 6)
 To create a user account
 C:\User\Administrator> net user [username] [password] /add
 The system will provide you a message to tell you if the command completed successfully or if there was an error
 (a password typed on the command line stays in the console history; the * form below, which prompts for it, avoids that)
 To delete a user account
 C:\User\Administrator> net user [username] /delete
 The system will provide you a message to tell you if the command completed successfully or if there was an error
 To reset the local user password
 C:\User\Administrator> net user [user name] *
 The system will then prompt you for the new password
 The system will prompt you to retype the new password
 Then the system will inform you that the password has been changed
 To reset the administrator password
 C:\User\Administrator> net user administrator *
 The system will then prompt you for the new password
 The system will prompt you to retype the new password
 Then the system will inform you that the password has been changed
Windows Control & Admin (3 of 6)
 To add a user account to the Local Admin Group
 C:\User\Administrator> net localgroup administrators [username] /add
 The system will provide you a message to tell you if the command completed successfully or if
there was an error

 To delete a user account from the Local Admin Group
 C:\User\Administrator> net localgroup administrators [username] /delete
 The system will provide you a message to tell you if the command completed successfully or if there was an error
Windows Control & Admin (4 of 6)

 To find your IP address
 C:\User\Administrator> ipconfig
 This command will display the Ethernet settings
 Connection Specific DNS Suffix
 Link-Local IPv6 Address
 IPv4 Address
 Subnet Mask
 Default Gateway
Windows Control & Admin (5 of 6)
 To identify your firewall rules
 C:\User\Administrator> netsh advfirewall show allprofiles
 The system will display the current firewall settings
 To turn on the Windows firewall
 C:\User\Administrator> netsh advfirewall set allprofiles state on
 The system should return an “Ok.” message if the command was accepted
 To turn off the Windows firewall
 C:\User\Administrator> netsh advfirewall set allprofiles state off
 The system should return an “Ok.” message if the command was accepted
 To clear all the configured firewall rules
 C:\User\Administrator> netsh advfirewall reset
 The system should return an “Ok.” message if the command was accepted (reset restores the default firewall policy, which discards every custom rule)
Windows Control & Admin (6 of 6)

 To check for network connectivity
 C:\User\Administrator> ping [IP address or URL]
 Example
 C:\User\Administrator> ping 8.8.8.8
 C:\User\Administrator> ping www.google.com
 The system will send a series of three pings to the IP address
 You will see the bytes sent, the ttl values and the response times in ms.
 If you do not have network connectivity, an error message will appear
Windows Control & Admin Exercise
 Open a terminal window in your Windows desktop
 Identify your system’s IP address using the “ipconfig” command
 Check the status of your firewall
 Clear your terminal window
 Create a user with a username of “test1” and a password of “!passWord1!”
 Add the “test1” user to the local administrator group
 Confirm that the “test1” user was added to the local administrator group
 Delete the “test1” user from the local administrator group
 Delete the “test1” user account
 Clear your terminal window
 Ping the 8.8.8.8 IP address
 Clear your terminal then close the window.
Windows CLI & Security (1 of 7)
Windows Commands – Unusual Network Usage
 Look at file shares, and make sure each has a defined business purpose:
 C:\User\Administrator> net view \\127.0.0.1
 Look at who has an open session with the machine:
 C:\User\Administrator> net session
 Look at which sessions this machine has opened with other systems:
 C:\User\Administrator> net use
 Look at NetBIOS over TCP/IP activity:
 C:\User\Administrator> nbtstat -S
 Look for unusual listening TCP and UDP ports:
 C:\User\Administrator> netstat -naob
 The -o flag shows the owning process id.
 The -b flag shows the executable name and the DLLs loaded for the network connection.
*Note that the -b flag uses excessive CPU resources and requires an elevated prompt.
 For continuously updated and scrolling output of this command every 5 seconds:
 C:\User\Administrator> netstat -naob 5
 Also check Windows Firewall configuration:
 C:\User\Administrator> netsh firewall show config
 (netsh firewall is deprecated; netsh advfirewall show allprofiles is the current equivalent)

-SANS Intrusion Discovery Cheat Sheet


Windows CLI & Security (2 of 7)
Windows Commands – Unusual Processes and Services
 Look for unusual/unexpected processes, and focus on processes with User Name “SYSTEM” or “Administrator” (or users in the Administrators' group).
 Using the GUI, run Task Manager:
 C:\User\Administrator> taskmgr.exe
 Using the command prompt:
 C:\User\Administrator> tasklist
 C:\User\Administrator> wmic process list full
 (wmic is deprecated on current Windows releases; PowerShell's Get-CimInstance Win32_Process returns the same data)
 Also look for unusual services. Using the GUI:
 C:\User\Administrator> services.msc
 Using the command prompt:
 C:\User\Administrator> net start
 C:\User\Administrator> sc query
 For a list of services associated with each process:
 C:\User\Administrator> tasklist /svc

-SANS Intrusion Discovery Cheat Sheet


Windows CLI & Security (3 of 7)
Windows Commands – Unusual Files and Registry Keys
 Check file space usage to look for sudden major decreases in free space.
 Using the GUI (right-click on partition), or type:
 C:\User\Administrator> dir c:\
 Look for unusually big files: Start > Search > For Files or Folders > Search Options > Size > At Least 10000KB
 Look for strange programs referred to in registry keys associated with system start up:
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
*Note that you should also check the HKCU counterparts (replace HKLM with HKCU above).
 Using the GUI:
 C:\User\Administrator> regedit
 Using the command prompt:
 C:\User\Administrator> reg query <reg key>
 Example: C:\User\Administrator> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

-SANS Intrusion Discovery Cheat Sheet


Windows CLI & Security (4 of 7)
Windows Commands – Unusual Scheduled Tasks
 Look for unusual scheduled tasks, especially those that run as a user in the
Administrators group, as SYSTEM, or with a blank user name.
 Using the GUI, run Task Scheduler:
 Start > Programs > Accessories > System Tools > Scheduled Tasks
 Using the command prompt:
 C:\User\Administrator> schtasks

 Check other autostart items as well for unexpected entries, remembering to check user
autostart directories and registry keys.
 Using the GUI, run msconfig and look at the Startup tab:
 Start > Run, msconfig.exe
 Using the command prompt:
 C:\User\Administrator> wmic startup list full

-SANS Intrusion Discovery Cheat Sheet


Windows CLI & Security (5 of 7)
Windows Commands – Unusual Accounts
 Look for new, unexpected accounts in the Administrators group:
 Using the GUI:
 C:\User\Administrator> lusrmgr.msc
 Click on Groups, double click on Administrators, then check members of this group.
 Using the command prompt:
 C:\User\Administrator> net user
 C:\User\Administrator> net localgroup administrators

-SANS Intrusion Discovery Cheat Sheet


Windows CLI & Security (6 of 7)
Windows Commands – Unusual Log Entries
 Check your logs for suspicious events, such as:
 “Event log service was stopped.”
 “Windows File Protection is not active on this system.”
 “The protected System file [file name] was not restored to its original, valid version because the Windows File Protection..."
 “The MS Telnet Service has started successfully.”
 Look for a large number of failed logon attempts or locked out accounts.
 Using the GUI, run the Windows event viewer:
 C:\User\Administrator> eventvwr.msc
 Using the command prompt:
 C:\User\Administrator> eventquery.vbs | more
 Or, to focus on a particular event log:
 C:\User\Administrator> eventquery.vbs /L security
 (eventquery.vbs shipped with Windows XP/2003; on current Windows, C:\User\Administrator> wevtutil qe Security /c:20 /f:text /rd:true prints the newest 20 Security log events)
-SANS Intrusion Discovery Cheat Sheet
Windows CLI & Security (7 of 7)
Windows Commands – Other Unusual Items
 Look for unusually sluggish performance and a single unusual process hogging the CPU:
 Task Manager > Process and Performance tabs

 Look for unusual system crashes, beyond the normal level for the given system.

-SANS Intrusion Discovery Cheat Sheet


Windows CLI & Security Exercises (1 of 4)
Network Connections
1) Open your VLE Windows Desktop
2) Open your Chrome browser and clear the Internet history (all history)
3) Close your browser
4) Open a terminal window
5) Type the C:\User\Administrator> netstat -noab command and review the results
1) What Local addresses are listed?
2) What Foreign addresses are listed?
3) What States are listed?
4) What PIDs are listed?
6) Leave your terminal window open and reopen your Chrome browser
1) Navigate to www.google.com
2) Open a second tab and navigate to www.cnn.com
7) Go back to your terminal window and rerun the C:\User\Administrator> netstat -noab command
1) Have your Local addresses changed?
2) What new Foreign addresses do you have?
3) What States do you now have?
4) Do you have new PIDs?
5) How many new connections did you get?
Windows CLI & Security Exercises (2 of 4)
Running Processes
1) Open a terminal window
2) Type the C:\User\Administrator> tasklist /v command and review the results
1) What processes are listed?
2) What PIDs are listed?
3) What Session Names are listed?
4) How many Sessions are running for each process?
5) Examine the Memory Usage and Process Status.
6) What User names are associated with each process?
3) Leave your terminal window open and reopen your Chrome browser
4) Go back to your terminal window and rerun the C:\User\Administrator> tasklist /v
command
1) What new processes do you have?
2) What is the PID for your Chrome browser?
3) Have any other new PIDs appeared?
4) How many new processes were spawned?
Windows CLI & Security Exercises (3 of 4)
Scheduled Tasks
1) Open a terminal window
2) Type the C:\User\Administrator> schtasks | more command and review the results
1) Are there many scheduled tasks listed?
2) Did you expect to see more or fewer scheduled tasks?
3) Examine the Task names, Next Run Times, and Statuses.
1) What differences do you see?
2) How hard would it be for an attacker to change these scheduled tasks
without being noticed?
3) Would the addition of new scheduled tasks be easily noticed?
4) What could an attacker accomplish by adding new scheduled tasks?
Windows CLI & Security Exercises (4 of 4)
Unusual Accounts
1) Open a terminal window
2) Type the C:\User\Administrator> net localgroup administrators command and review
the results
1) How many administrator accounts are listed?
2) Which accounts are listed?
3) How hard would it be to detect if an attacker added an account with administrator privileges?
4) What could an attacker do if he could successfully add an account to this group?
3) Type the C:\User\Administrator> net localgroup command and review the results
1) How many types of localgroup accounts are listed?
2) Do any of the localgroups look like they could present a security concern?
3) How hard would it be to detect if an attacker added a new localgroup and accounts?
4) What could an attacker do if he could successfully add a new localgroup with accounts?
Putting it all Together
 GUI vs. CLI
 Linux vs Windows File Systems
 CLI Strengths and Weaknesses
 Using the CLI
 CLI and the Security Profession

Questions?

Coming Up Next Week
Malware
References
 Pfleeger, C., & Pfleeger, S. (2011). Analyzing Computer Security: A Threat/Vulnerability/Countermeasure Approach. Pearson Education.
 Pfleeger, C., Pfleeger, S., & Margulies, J. (2015). Security in Computing, Fifth Edition. Prentice Hall.
 SANS Institute. (2015). Intrusion Discovery Cheat Sheet v2.0. www.sans.org
 Skoudis, E., & Strand, J. (2015). Incident Handling. SANS, www.sans.org
