
Windows Scripting Utilities_net Commands

Table of Contents

net Commands (p. 2)
net Syntax (p. 3)
net Commands -1 (p. 4)
net Commands -2 (p. 6)
net Commands -3 (p. 7)
net config (p. 8)
net config workstation (p. 10)
net share (p. 11)
net view -1 (p. 13)
net view -2 (p. 14)
IPC$ (p. 15)
net use -1 (p. 17)
net use -2 (p. 18)
net use -3 (p. 21)
net use Examples (p. 22)
netsh (p. 23)
netsh – Command Mode -1 (p. 24)
netsh – Command Mode -2 (p. 26)
netsh – Command Mode -3 (p. 27)
netsh – Command Mode -4 (p. 28)
netsh – Batch Mode (p. 30)
Notices (p. 32)

Page 1 of 32
net Commands

Used to update, fix and view basic computer and network settings

Run from the command prompt or in Batch files

Most useful for enumerating user accounts, groups and network shares

22

**022 Okay. The net commands. These are native to Windows. They're essentially pretty much like admin, administrator tools, used to update, fix and view your basic computer and your network settings and scan. These all run from the command-line interface and therefore you can put them into your Batch file, so that's great. And this says most useful for enumerating the accounts and groups and such, but actually, there's a ton of things this can do, as you'll see here shortly.

net Syntax

To see the list of available options – “net /?”

Help for each net command – “net help command”

23

**023 So just starting out, if you want to look up what it's NET and something else, NET accounts, NET computer. If you want to see that list, you can do the /?. Yeah, similar to xcopy. But you can also just do NET actually, if you just type NET. It'll do the exact same thing. It'll give you that listing right there. And then if you do the NET HELP, and then you put the actual subtopic or category that you'd like to get more information on, like VIEW in this case, it'll just, it'll give you the usage and it'll also give you a little bit more detail on what the options of the flags might be. And there, as you can see, there are quite a few of them, and they're very helpful. They're meant to be for the administrator to be able to see things, to be able to adjust things, change things. So very powerful in taking the red/pentester side of me, we can use these for many not so on the up side things to do also, so...

net Commands -1

Many of these require Elevated Permissions to view or modify!

net accounts – update user account database, modify passwords and login requirements

net computer – adds or deletes computers from the domain

net file – display a list of open shared files

net group – add, delete, view groups (only works on Domain Controllers)

24

**024 Okay. One thing about many of these commands is that you will need elevated privileges to do it because they expect that an administrator's the one who's going to want to stop a process or see a list of maybe group users or something like that. Obviously someone that has those kind of privileges, so it kind of defaults to that. So if you don't have those, a lot of times if you go back to your work computer back at your office and you try some of these commands, they'll say access denied and you won't be able to get at them, because your privileges aren't high enough. So if you're going to use these, especially in your scripting, make sure that the user account that you are running it from has high enough privileges. Okay?

So accounts. Update user account database, modify passwords and login stuff. Net computer. This has to be with computers on a domain. So if you have a small non-domain, there's no domain controller running it, then this won't help you. It lets you add and delete computers to and from the domain. Net file displays open file shares, which is pretty nice. And net group lets you view groups and lets you add or subtract from that group. But once again, this is, this one only works on domain controllers itself, so you have to do it on a DC.

net Commands -2

net localgroup – add, delete, view local and network groups

net session – display, delete sessions connected to the computer

net statistics – display network statistics

net time – display time and date of another network computer

25

**025 So the net localgroup, unlike net group, will work on the local machine. It'll also work on network groups as well, if it is connected to a domain. So you can add and delete. Net session allows you to see all the sessions connected to a particular machine. And also lets you shut it down if you have the privileges to do so.

If you want to look at your network statistics, that's available and there's actual time server. Net time will let you look at what it is. If you're just sitting on a stand-alone, it'll just go no time server, so can't get anything from that.

net Commands -3

net user – display, create, delete users on the computer or domain

net start – lists running services or start Windows services

net pause – suspend a Windows service

net continue – resume a paused Windows service

net stop – stop a Windows service

26

**026 So if you're looking to enumerate the users on a machine, like you might if you're pentesting, you can use the net user, and you can also create, if you have enough privileges, and delete.

So net start and net stop. This is for checking services that are running. If you just run net start it'll just show other running services. And if you put a particular service in there and you have the privileges, it will start that service from the command line and the same is true for stopping. Must have the privileges and it'll shut it down for you right from the command line. You can pause it, the Windows service as well, and of course, continue is just resuming that same service, so...

net config

An extremely valuable net command for displaying configuration information of the local computer

Has two options: Workstation or Server
• Workstation is the most useful since that service is almost guaranteed to be running on the system.
  – Great for finding
    o OS Version
    o Computer Name
    o Domain
    o User name

27

**027 So net config gives you quite a bit of information, actually. And it says extremely valuable, and that may be extremely valuable to a hacker. In addition to being an administrator. If you're looking for good information on a particular machine, you can use the net config command and you'll see a lot of the configurations. It does have two options. You can put in net config workstation, and it'll give you the information. Actually give you information about both workstation and server, whether you have a server or not. On the server side it'll say number of connections, and it'll be 0, because obviously no one--or should be 0. Obviously if you're not a server, for the most part, people aren't connecting to you. So that sort of server information will still be available, it'll just show up as 0 or whatever the case is.

So... And like it says, the workstation for this particular command is most likely to be running, so it'll get you that information, the OS version, computer name, domain, and the user name that's logged in.

net config workstation

28

**028 Okay. So you can see up top net config workstation, and it gives you the information there.

And a lot of this, if you're not an admin and you're not keeping statistics like this, it may be more than what you need. But if you are an admin, you may be very, very interested in this.

net share
Without any options, lists information about all resources being shared on the computer

net share sharename will display further details about that share

29

**029 So net share. Without any options it'll show you all the resources that are being shared with that computer. So you can see from previous, the null session connection that we had talked about, the IPC$ share, that is a hidden share. So you see there, there's a C$, a hidden C:\ share, that pretty much mirrors the C drive on your machine. The ADMIN$, also a hidden share for communication.

And then if you're looking for backup share name of backup, it'll go and give you the information about it. Number of users maximum. In this case, there's no limit. So permissions. FULL, everyone, which is interesting, or everyone, FULL, rather. Which is interesting, because that means they can do anything to that backup.

And again, taking advantage of the error code or a findstr you can use the same. You'll notice most of these use when you complete them successful, the command completed successfully on both of these. So you can use that as input into another port, onto the command. Yes, Chris?

Instructor 2: I was going to add on this, the, you see the permissions, excuse me, that are listed there for the shares. This is really cool for going out and auditing file permission shares. Now, you'd have to go an extra step into this to get the NTFS permissions as well, but if you're just looking for share permissions in a three or four line Batch file, you can actually go grab the shares for all your work stations and do an audit across those permission levels very, very easily. Just using that. You don't need anything else specific or particular in order to do that. There's a lot of functionality exposed by the NET commands that's really good for administrative purposes.

Instructor: Okay. Thank you.

net view -1

Displays a list of domains and computers that are being shared by the specified computer

Without any options, it displays a list of computers in your current domain

Must have Admin Permissions

If the computer is a member of a domain, the domain controller will be the last one listed.

30

**030 Okay. So net view. So this display is a list of domains and computers that are being shared by the specific computer. If you run it without options, it'll show you that list of the current domain. This explicitly must have admin permissions to be able to run this, which makes sense, because to get this kind of information you should have elevated privileges to be able to do that. And again, if it's a member of a domain, the domain controller will be the last one on the list. So that's nice, so you'll be able to figure that out. That's something that perhaps a hacker might want to be interested in.

net view -2

net view \\computername /all – will show all the shares and other resources (printers) that are available on computername
• Use this to find shares on other computers that should or should not be there!

31

**031 So here's the syntax. You use net view \\ either computername or ip and then /all would show you all the information that you're looking for. So just like that last line says, this is a tool if you're looking for unauthorized shares that shouldn't be there. You'll be able to enumerate the shares. So that's something to consider if you're doing that.
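The share audit Instructor 2 described on the net share slide, built on the net view \\computername /all form from this slide, as an added Batch example that is not part of the course material. It reads a constructed hosts.txt (one workstation name or IP per line), checks the error code of each net view call, and flags Disk shares that are not in an allow list; the host file, log name and allow list are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Constructed input: hosts.txt holds one workstation name or IP per line ("#" lines are skipped)
set HOSTS=hosts.txt
set LOG=share_audit.log
rem Shares expected on every workstation (assumption); anything else is flagged for review
set ALLOW=ADMIN$ C$ IPC$ print$

if not exist "%HOSTS%" (
    echo Host list %HOSTS% not found.
    exit /b 2
)
echo Share audit started %DATE% %TIME% > "%LOG%"

for /f "usebackq eol=# tokens=*" %%H in ("%HOSTS%") do (
    echo === %%H >> "%LOG%"
    rem net view sets a non-zero error code when the host is unreachable or we lack permission
    net view \\%%H /all > "%TEMP%\nv.txt" 2>&1
    if errorlevel 1 (
        echo   ERROR: could not enumerate %%H ^(check reachability and permissions^) >> "%LOG%"
    ) else (
        rem Rows look like "Backup   Disk   Remark"; keep only Disk shares, the first token is the name
        for /f "tokens=1" %%S in ('findstr /i /c:" Disk " "%TEMP%\nv.txt"') do (
            set FLAG=UNEXPECTED
            for %%A in (%ALLOW%) do if /i "%%S"=="%%A" set FLAG=expected
            echo   %%S  [!FLAG!] >> "%LOG%"
        )
    )
)
del "%TEMP%\nv.txt" 2>nul

echo Audit written to %LOG%; lines marked UNEXPECTED need a human decision.
findstr /c:"UNEXPECTED" "%LOG%"
endlocal
```

Share-level permissions still have to be read on each host with net share sharename, as the instructor noted; this script only tells you which shares exist.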

IPC$

Interprocess communication share

Often called the null session connection

Used by SMB and NetBIOS for temporary connections between clients and servers

The $ indicates it is a hidden share.

Disabling it will break most Windows Server functions that use RPC

Can be used to create unauthenticated connections (Anonymous Credentials)

Can be used to create authenticated sessions for machines outside the domain

32

**032 So kind of went over this little bit earlier today, the interprocess communication share. It's used by the service message block, SMB, and the NetBIOS for Windows, for temporary connections between clients and servers. So a lot of times the null sessions are discouraged, meaning being able to attach with no user and no password. Used to be the default. Now they try to prevent that from happening, but backward compatibility is an issue, so you may not be able to communicate with some computers, if those are not set the same for both. I'll just put it that way.

Course, the $, as I mentioned, denotes a hidden share. And disabling it generally breaks most server functions. And then Anonymous Credentials is what I was saying. You can connect with just the user being blank and the password being blank for the null connection. And you can do authenticated sessions. And this is a key where it says authenticated sessions are authorized for machines outside of the domain. So a pentester might use this because they don't have to be a part of the domain and they can go in and reach out and connect to a machine, if they have some credentials, so...

net use -1

Connects or disconnects a computer from a shared resource (share or printer) and can display information about the connections

Without any options, it will display the local computer's currently mapped resources

33

**033 Okay. And the net use command that we used earlier. There's another way. If you use it with no options, it'll just give you all the current shared resources that are out there which are connected to.

net use -2

net use [\\computername\sharename] [password] [/user:username] [/persistent:yes|no] [/savecred] [/delete] [/smartcard]

[\\computername\share] – the resource to connect to; if used without a share it will connect to IPC$

[password] – use * to be prompted for the password

[/user:username] – if not provided, will use the currently logged in user; for domains use domainname\username

[/persistent:yes|no] – yes will restore the connection on next logon; no is the default

34

**034 And there's quite a few options available when you do the, use the, net use command. It's quite useful, especially for admins, being able to reach out to a box, because you can, once you, if you have the proper credentials, if you're supposed to be there, you can get at a lot of things. You can pull down files, et cetera, without having to worry about how to connect to it and pulling things back. So you have to have the \\computername or ip address for that area, the \, the sharename that you're trying to connect to, whether it's the IPC$ or C or whatever it is. You put the password there. If you put an asterisk in where the password's supposed to be, it'll just prompt you when it runs, and that way you can just have it do the work that way. Or you can actually place the password right in there like we did for the script that we ran earlier, and then /user: and then the username. And so you have the option of making it a persistent connection, so the next time you reboot and come back up it'll try to make that connection again. And as long as the credentials and everything else match, you'll all automatically have that share.

And then it does, the savecred is used with the /persistent to make sure that you keep it, and that /delete, or you can use /d like I did in the script that we had. We were cleaning up after ourselves and we were disconnecting. So you would use the /d. And if you happened to use a smartcard that has the chip on it, you can also use the /smartcard to be able to use the credentials that are on a smartcard, if that's got a connection for it. So that makes that part easier.

So if you don't provide a user at all, it will use your current credentials that you're running this command from, so if you are already privileged enough to use it, you don't even have to put username or password. It'll just use your current credentials and that makes it a little easier if you're administering the network with that.

Instructor 2: Want to comment on that. Administrator on your local laptop is different from administrator on everybody else's laptop, which is different from the domain administrator account. So even though you're using the same name, excuse me, if you're using the integrated authentication by not specifying the username, Windows will know the difference between administrator here, administrator there and domain administrator as well. So sometimes it's best to be very explicit about which administrator or which account you're actually using.

Instructor: Great. Very good. Thank you.

net use -3

[/savecred] – stores the password and username provided to connect; used with /persistent

[/delete] – remove a current connection; use * to remove all connections

[/smartcard] – use credentials of an available CAC

35

**035 Okay. And that's just a continuation of the information that was on the other one, the savecred, the delete and the smartcard. And if you've not heard of a CAC, a CAC, it's the common access card that the government uses, is the CAC.

net use Examples

net use z: \\server\data * /user:mydomain\joeuser /savecred /p:yes
• This will map the share data on server with the account mydomain\joeuser.
• It will also prompt me for a password the first time I connect and save it for future use.
• The connection will be restored the next time I login.

net use z: /delete
• Removes the connection that was established above
• Will not be restored at reboot

36

**036 Okay. So when you specify before the server and the data a drive and that drive is available, it will map it to that particular drive for you. So that's kind of nice. You can also put an asterisk there and it will grab the next available drive. But if you want to make sure you know what that share is connected to or what drive it's attached to, then you go ahead and explicitly put the z or whatever letter you'd like.

The star will prompt you again for the password, and in this case the user. If you are on a domain, you want to make sure you put a domain in front of your username. This one you're saving the credentials to make it persistent.

And once again, this is a cleanup. And even with the--or this will remove the persistent connections as well, if you explicitly do the delete or a /d. So if you do disconnect your connections, if you had it persistent before, don't think that it'll come right back. This will stop that portion of it, it'll remove, if you will, the persistent piece of it, so...
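The map, work, clean-up pattern from the slide and the earlier script, written as an added Batch example that is not from the course. It uses an explicit domain account (Instructor 2's point), prompts for the password with * instead of embedding it, checks the error code after each net command as the net share slide suggested, and always removes the mapping. The server, share, account and paths are constructed names.

```batch
@echo off
setlocal
rem Constructed names for this example: file server, share, account and local folder
set SHARE=\\FILESRV01\data
set DRIVE=Z:
set ACCOUNT=lab\backupop
set DEST=C:\incoming\

rem Refuse to run if the drive letter is already mapped, so we never silently reuse another mapping
net use %DRIVE% >nul 2>&1
if not errorlevel 1 (
    echo %DRIVE% is already in use; pick another letter or run "net use %DRIVE% /delete".
    exit /b 2
)

rem Map non-persistently; * makes net use prompt for the password rather than storing it in the script,
rem and the explicit domain\user avoids picking up whichever "administrator" is logged on locally
net use %DRIVE% %SHARE% * /user:%ACCOUNT% /persistent:no
if errorlevel 1 (
    echo Mapping %SHARE% as %ACCOUNT% failed; see the net use error above.
    exit /b 1
)

rem Do the work, remembering its result so clean-up does not hide a copy failure
xcopy "%DRIVE%\reports\*.csv" "%DEST%" /d /y
set RC=%ERRORLEVEL%

rem Same clean-up step as "net use z: /delete" on the slide; /y answers any open-file prompt
net use %DRIVE% /delete /y >nul
if %RC% neq 0 echo xcopy reported error %RC%
endlocal & exit /b %RC%
```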

netsh

Network shell

Command-line scripting utility to access many high-level network functions on local or remote computers
• Network Interfaces
• Windows Firewall
• Routing & Remote Access

Can be used from the command line (Command Mode) or as a shell or with scripts (Batch Mode)

37

**037 Okay, netsh or netshell. This is a CLI scripting utility that gives you a lot of high-level network functionality. It's good across the network, gives you access to network interfaces. Like it says, Windows firewall routing and remote access capability. So there's I guess, essentially two modes. There's the command-line mode, and then you can actually run it with a Batch using a script.

netsh – Command Mode -1

Functions like a standard command where options are entered on one line

Can be used in batch files

netsh [context] [sub-context] command
• [context] options are the part of the network to access
  – dhcpclient, firewall, interface, show
• [sub-context] usually the action to perform
  – add, delete, set
• command is the details of the action
  – the ip address, the route, server name

Use netsh help or netsh [context] help or netsh [context] list for possible options.

38

**038 So in command mode, these are all entered right at the command line. The construct for this is context, sub-context and command. It's kind of different, and I'll show you as we get to the example on how that works. It's not quite the same way you would use, like, net use or some of the other ones. So netsh has a slightly different format that you have to follow.

So the context piece, you know, like dhcpclient, firewall, interface, show. Sub-context, usually an action to be performed, like either adding or deleting. And the command is the detail of the action. If you're looking for a specific IP address, a route, a server name. So you can see these aren't quite like semantically what you think they are. Command really shouldn't be the detailed part, or you wouldn't think of that as the detailed part. You would probably think it might be a subcontext or something, and that's kind of what I meant by it's not quite the format that you're used to with the other command. So if you are going to use netshell, it's very powerful, but you, you really kind of have to do your homework before you start using it in your scripts.

And there is netsh help. That'll give you some information.

netsh – Command Mode -2

Use netsh help or netsh [context] help or netsh [context] list for possible options.

39

**039 So similar to the other. If you do a netsh dhcp help it gives you exactly what sorts of things you need to put in. It doesn't really explain which ones you need to be putting in as a context or a subcontext or the command, so that part of this help isn't quite as helpful as you might think. So some of it kind of have to do a little bit of trial and error to use it. They do have a list so you can see what all the commands available within, like, dhcp here are. Add server, add securitygroups, et cetera. So it does give you information about what you can do, but it's a little bit, like I said, more difficult to get the syntax right to make it work right.

netsh – Command Mode -3

netsh dhcp show server
• Will list the dhcp server the local server is using

netsh interface show interface
• Will list all the network interfaces

netsh interface ip show dnsservers
• List the DNS servers for all the connections

netsh interface ip set dns name="Local Area Connection" source=static addr=192.168.0.2
• Set the interface "Local Area Connection" to static DNS

40

**040 So here's the construct that I was kind of talking about. Netsh dhcp show server. So most of these are pretty straightforward, but sometimes you don't know whether you want to do interface show ip dnsservers. In this case it's supposed to be ip first, interface ip, then show, then dnsservers.

Some of them are redundant but do what they need to do. The interface show interface, you wouldn't think you needed to explain both of those but it's a requirement, so again, you'll have to, if you decide to use this for your scripting, you want to do a little bit more research and make sure you get the way these constructs work.

And this one here, you're looking at setting the interface, the local area connection, to a static DNS address. So as you can see, that's a pretty powerful thing to be able to do just from the command line. So netsh can be your friend. I just think it'll just take a little bit of research since it's a little bit different than a lot of the commands that we've shown today.

netsh – Command Mode -4

netsh dump interface > c:\IntConfig.dat
• Will backup the current interface config to a file
• Exports all the interfaces and network settings

netsh exec c:\IntConfig.dat
• Will restore the current interface config from a file
• Restores all the interfaces and network settings

Use the -r option to run any of the commands against a remote server – need appropriate permissions!
• netsh -r lab-dc-01 -u lab\Administrator -p * dump interface > c:\IntConfig.dat

41

**041 So you can do backups of current interface configurations to a file like the top line there. You're redirecting that to a .dat file. So that's something that's a little bit different from just copying or finding a string or whatever. This is more administrative type of work you can do with this tool.

Then you can also restore based on that previous configuration file if you use the exec command along with the netsh. And you can take the configuration and restore a previous copy of it. So that's very powerful as well.

And then the -r option. Run any of the commands against a remote server, but you do need administrator permissions, and that's why it's kind of looking for the user to be administrator and it'll ask you for that password for you to be able to do these. Especially because you're changing, if you're putting the, if you're grabbing interface information from a DC, a domain controller, it's kind of important. You don't want just anybody to be able to do that.

netsh – Batch Mode

Functions like an interactive shell
• Run netsh with no options, gives a netsh shell prompt

Can be fed a text file to execute a series of commands; use -r to run against a remote machine
• Run netsh exec filename

42

**042 Okay. And as I said at the beginning of this, there is a second mode. You can do a Batch. So instead of doing it individually at the command line, same thing as Windows Batch and netshell has Batch mode as well and you can just create a text file. And then put your commands that you'd like to have run and then just use the exec and then the filename that has the list of all the commands that you would like to have covered.

Instructor 2: There were two other functions within netsh that I thought worthwhile to bring up here. This only just scratched the surface of what netsh can do. Netsh really exposes the entire network subsystem within Windows to you. So you can script with it, you can change things with it. If you look at the netsh trace command it actually gives you the ability to do traffic sniffing. So similar to what you can do with wireshark or tcpdump or something like that, you can actually capture network packets and look at them, capture them, with netsh. And then you can export that file and convert it, pull it into, you know, any pcap-compliant packet program. So you actually have a built-in network sniffer in Windows through netsh, which I find really, really cool.

The next one is if you are familiar with Linux and using ssh to do port redirection or remote and local port forwarding, you actually have the exact same capability within Windows through the netsh command to set up port forwarding so that you could, again, if you were using this for evil purposes, you could actually bounce through a Windows box, you know, direct an attack through a Windows box somewhere else, and have it relay that attack for you or relay that traffic for you. So netsh is truly a powerful and probably, I think, underappreciated program, because a lot of that functionality is absolutely buried in there. And so you really got to dig into it. But pretty much anything with the network subsystem in Windows, you've got access to from that one program.
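The backup and batch-mode ideas from the Command Mode -4 and Batch Mode slides, plus a read-only check for the port-forwarding feature Instructor 2 mentions, combined in one added Batch example that is not part of the course. It saves the interface configuration with netsh interface dump (the context-first spelling of the dump command), checks that the file is not empty, then writes a netsh script and runs it with netsh exec; the paths are assumptions, and it needs an elevated prompt.

```batch
@echo off
setlocal
rem Assumed paths (constructed for this example); a folder without spaces keeps netsh exec simple
set BACKUPDIR=C:\NetBackup
set CFG=%BACKUPDIR%\IntConfig_%COMPUTERNAME%.dat
set SCRIPT=%BACKUPDIR%\netsh_audit.nsh
set AUDIT=%BACKUPDIR%\netsh_audit_%COMPUTERNAME%.txt

if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

rem 1. Back up the interface configuration, keeping the previous copy as .bak
if exist "%CFG%" move /y "%CFG%" "%CFG%.bak" >nul
netsh interface dump > "%CFG%"
rem netsh returns 0 even when the dump is empty, so check the file size rather than the error code
for %%F in ("%CFG%") do if %%~zF LSS 100 (
    echo Backup looks empty: %CFG%
    exit /b 1
)
echo Interface config saved to %CFG% (restore later with: netsh exec "%CFG%")

rem 2. Write a netsh script, one netsh command per line ("#" lines are comments, as in dump output),
rem    and run it in batch mode. Every command here is read-only.
> "%SCRIPT%" (
    echo # Interfaces and DNS settings, as on the Command Mode -3 slide
    echo interface show interface
    echo interface ip show dnsservers
    echo # Port-forwarding rules: on an ordinary workstation this list should be empty
    echo interface portproxy show all
    echo # Firewall profile state
    echo advfirewall show allprofiles state
)
netsh exec "%SCRIPT%" > "%AUDIT%" 2>&1
del "%SCRIPT%"

rem 3. Flag any port-forwarding rules. With no rules the command prints at most a blank line
rem    (assumption); with rules it prints a header plus one row per rule, so more than 2 lines.
for /f %%N in ('netsh interface portproxy show all ^| find /c /v ""') do set PPLINES=%%N
if %PPLINES% GTR 2 echo WARNING: portproxy rules are configured on %COMPUTERNAME%; review %AUDIT%
echo Audit output written to %AUDIT%
endlocal
```

To collect the same from a remote server, prefix the netsh calls with -r host -u user -p * as on the Command Mode -4 slide; the account needs administrator rights on the target.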

Notices
© 2015 Carnegie Mellon University
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their
own individual study.
Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or
used in any other manner without requesting formal permission from the Software Engineering Institute at
[email protected].
This material was created in the performance of Federal Government Contract Number FA8721-05-C-
0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally
funded research and development center. The U.S. government's rights to use, modify, reproduce,
release, perform, display, or disclose this material are restricted by the Rights in Technical Data-
Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in
the above identified contract. Any reproduction of this material or portions thereof marked with this
legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S.
government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY
AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO,
WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF
THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
