Friday, July 22, 2011

Running commands in a restricted command prompt

There may be times on a penetration test where you run into a locked down environment and you can’t use cmd.exe.

This restriction can be applied in a few different ways.

Via the registry:

REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f

Or, like the screenshot, set via the GUI:

Start -> Run -> gpedit.msc -> User Configuration -> Administrative Templates -> System -> Prevent access to the command prompt

The above settings restrict the user’s access to cmd.exe.  Now, we need to take one thing into consideration.  Windows XP has two command line processors: cmd.exe and command.com.  Command.com is a very stripped down version of the command line processor from DOS.  It lacks most of the features that are available in cmd.exe (such as long file name support).
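From the defensive side, the useful takeaway from the paragraph above is that the DisableCMD policy only governs cmd.exe, so an audit that reports the policy value alone can give a false sense of coverage. The script below is an added example, not from the original post: it reads the same HKCU policy key the post uses, interprets the DisableCMD value, and reports whether command.com is present on the machine. The command.com path (%SystemRoot%\system32\command.com) and the meaning of value 2 (interactive prompt blocked, batch files still allowed) are assumptions from general knowledge of the policy rather than anything stated on this page.

```powershell
# Added audit script (not the original post's code).
# Reports the state of the "Prevent access to the command prompt" policy
# for the current user and whether command.com, which the policy does not
# cover, exists on the system.

$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-CmdRestrictionState {
    # Read DisableCMD; a missing key or value means the policy is not set.
    $value = (Get-ItemProperty -Path $policyKey -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD

    if ($null -eq $value) {
        return 'cmd.exe unrestricted (DisableCMD not set)'
    }
    elseif ($value -eq 0) {
        return 'cmd.exe unrestricted (DisableCMD = 0)'
    }
    elseif ($value -eq 1) {
        return 'interactive cmd.exe and batch scripts blocked (DisableCMD = 1)'
    }
    elseif ($value -eq 2) {
        # Assumption: value 2 blocks the interactive prompt but still runs .bat/.cmd files.
        return 'interactive cmd.exe blocked, batch scripts allowed (DisableCMD = 2)'
    }
    else {
        return "unexpected DisableCMD value: $value"
    }
}

function Get-CommandComState {
    # Assumption: on 32-bit Windows XP command.com sits beside cmd.exe in system32.
    # 64-bit Windows has no 16-bit subsystem, so the file is normally absent there.
    $commandCom = Join-Path $env:SystemRoot 'system32\command.com'
    if (Test-Path $commandCom) {
        return "command.com present at $commandCom (not covered by DisableCMD)"
    }
    return 'command.com not present'
}

# Summarise both findings in one object so the result can be exported or compared across hosts.
$report = [PSCustomObject]@{
    ComputerName = $env:COMPUTERNAME
    User         = $env:USERNAME
    CmdPolicy    = Get-CmdRestrictionState
    CommandCom   = Get-CommandComState
}

$report | Format-List
```

Run it in the context of the user whose policy you want to check, since the key lives under HKCU and the policy is a User Configuration setting. A host where CmdPolicy reports a restriction but CommandCom reports the file as present is exactly the gap the post goes on to describe.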

Now that that is out of the way, start up command.com (because cmd.exe is now restricted):
Start -> Run -> command

Ok, so far so good.  Unfortunately, it looks like the commands we want to run are restricted…  How do we bypass this?  Simple, run a command that isn’t restricted and pipe a restricted command in.  Let’s look at an example:

In the above screenshot we can see that both ipconfig and dir are restricted.  Using the technique just discussed, let’s bypass the restrictions:


Done!  Of course, you could have just changed the registry key via the run prompt to re-enable cmd.exe:

Start -> Run

REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
