Digital Forensics Blog 04 — Windows Forensics Tools Part 2: Net Command

Hardy Valenthio
12 min read · Oct 20, 2021

Net is a command-line tool that you can run from Command Prompt or Windows PowerShell. It is used to manage and configure the operating system from the command line, primarily to manage network resources. I suggest running Net as an administrator to get its full functionality. The command is available on every Windows operating system for managing the networking settings of a Windows system.

How to use

  1. Run Command Prompt or Windows PowerShell; I recommend running it as administrator.
  2. Inside the command line interface (CLI), type net [command].
  3. To get further details about a net command, type net help [command] | more.

Syntax

The following conventions are used to indicate command syntax:

  • Capital letters represent words that must be typed as shown. Lowercase letters represent names of items that may vary, such as filenames.
  • The [ and ] characters surround optional items that can be supplied with the command.
  • The { and } characters surround lists of items. You must supply one of the items with the command.
  • The | character separates items in a list. Only one of the items can be supplied with the command. For example, in the following syntax, you must type NET COMMAND and either SWITCH1 or SWITCH2. Supplying a name is optional:
    NET COMMAND [name] {SWITCH1 | SWITCH2}
  • The […] characters mean you can repeat the previous item. Separate items with spaces.
  • The [,…] characters mean you can repeat the previous item, but you must separate items with commas or semicolons, not spaces.
  • When typed at the command prompt, service names of two words or more must be enclosed in quotation marks. For example, NET START “COMPUTER BROWSER” starts the computer browser service.

Services

This is a list of the services available to the net command:

  • BROWSER — The Browser service supports browsing computers on the network and being browsed by other computers on the network.
  • DHCP CLIENT
  • EVENTLOG — starts the event logging service, which logs events on the local computer. This service must be started prior to using the Event Viewer to view the logged events.
  • FILE REPLICATION
  • NETLOGON — starts the Windows NetLogon service, which verifies logon requests and controls replication of the user accounts database.
  • PLUG AND PLAY
  • REMOTE ACCESS CONNECTION MANAGER
  • ROUTING AND REMOTE ACCESS
  • RPCSS
  • SCHEDULE — starts the Windows Schedule service. The Schedule service must be running to schedule events using the Scheduled Tasks folder or the AT command.
  • SERVER — starts the Windows Server service, which controls access to resources.
  • SPOOLER
  • TCP/IP NETBIOS HELPER
  • UPS — starts the Windows UPS service, which provides uninterrupted power service to your computer. The UPS service must be configured before starting.
  • WORKSTATION — starts the Windows Workstation service, which enables your computer to use shared resources on the network.

Names

The following types of names are used with Windows:

  • Computername — A unique name that identifies a computer on the local-area network.
  • Devicename — The name by which Windows identifies a disk resource or printer. A disk resource is identified by a drive letter followed by a colon (for example, D:). A printer is identified by a port name followed by a colon (for example, LPT1:).
  • Workgroup — A group of computers on the network. Each workgroup has a unique name.
  • Localgroup — A group of names in a Workgroup that are granted the same rights.
  • Domain — A group of Windows Servers, Windows Workstations and other computers on the network. A domain has a unique name. Usually, you must log on in a domain to gain access to the network. Domains are created and managed with Windows Server.
  • Global group — A group of names in a domain that are granted the same rights.
  • Filename — The name of a file. Under the file allocation table (FAT) file system, a filename can have as many as eight characters, followed by a period (.) and an extension of as many as three characters. Under NTFS and HPFS, a filename can have as many as 254 characters.
  • Network path — A description of the location of a shared resource, consisting of a computer’s computername followed by the sharename of the resource. The computername is preceded by two backslashes, and the sharename is preceded by one backslash (for example, \\SERVER1\RESOURCE).
  • Path — The location of a directory. A path can consist of a devicename and one or more directory names. A backslash (\) precedes each directory name (for example, C:\CUSTOMER\CORP\ACCT).
  • Pathname — A path and a filename. The filename is preceded by a backslash (\) (for example, C:\CUSTOMER\CORP\REPORT.DOC).
  • Sharename — A name that identifies a shared resource on a computer. A sharename is used with the computer’s computername to form a network path (as in \\SERVER\RESOURCE).
  • Username — The name a person supplies when logging on at a computer.

Service Related Commands (Like a CLI Task Manager?)

As the name suggests, these subcommands control the state of a service. NET START [service] starts a network service when given a service name; without one, it lists the running network services.

NET STOP service stops a Windows service, which also cancels any network connections the service is using. Some services depend on others, so stopping one service may also stop the services that depend on it.

NET PAUSE service suspends a service and puts it on hold. You can resume a paused service with NET CONTINUE service.

You can also use NET VIEW [\\computername [/CACHE] | [/ALL] | /DOMAIN[:domainname]], which displays a list of resources being shared on a computer. When used without options, it displays a list of computers in the current domain or network.

  • With \\computername, it shows the shared resources of that computer on the network.
  • With /DOMAIN:domainname, it shows the shared resources available in that domain; without a domain name, it lists the domains on the LAN.
  • With /CACHE, it displays the offline client caching settings for the resources on the specified computer.
  • With /ALL, it displays all shares, including the hidden $ shares.

Networking Related Commands

The net command has several networking-related subcommands.

NET ACCOUNTS
[/FORCELOGOFF:{minutes | NO}] [/MINPWLEN:length] [/MAXPWAGE:{days | UNLIMITED}] [/MINPWAGE:days] [/UNIQUEPW:number] [/DOMAIN]

NET ACCOUNTS updates the user accounts database and modifies password and logon requirements for all accounts. When used without options, NET ACCOUNTS displays the current settings for password, logon limitations, and domain information.

Two conditions are required in order for options used with NET ACCOUNTS to take effect:

  • The password and logon requirements are only effective if user accounts have been set up (use User Manager or the NET USER command).
  • The NetLogon service must be running on all servers in the domain that verify logon. NetLogon is started automatically when Windows starts.

  • /FORCELOGOFF:{minutes | NO} Sets the number of minutes a user has before being forced to log off when the account expires or valid logon hours expire. NO, the default, prevents forced logoff.
  • /MINPWLEN:length Sets the minimum number of characters for a password. The range is 0–14 characters; the default is 6 characters.
  • /MAXPWAGE:{days | UNLIMITED} Sets the maximum number of days that a password is valid. No limit is specified by using UNLIMITED. /MAXPWAGE can’t be less than /MINPWAGE. The range is 1–999; the default is to leave the value unchanged.
  • /MINPWAGE:days Sets the minimum number of days that must pass before a user can change a password. A value of 0 sets no minimum time. The range is 0–999; the default is 0 days. /MINPWAGE can’t be more than /MAXPWAGE.
  • /UNIQUEPW:number Requires that a user’s passwords be unique through the specified number of password changes. The maximum value is 24.
  • /DOMAIN Performs the operation on a domain controller of the current domain. Otherwise, the operation is performed on the local computer.
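As an added example (not code from the original post), the following Python parses NET ACCOUNTS output and checks it against the ranges the switches above accept plus a simple hardening baseline; the sample output is constructed, not captured from a real system, and the baseline values are assumptions.

```python
# Added example: check `net accounts` output against the documented switch ranges.
# Constructed sample in the key/value layout `net accounts` prints (not captured).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              4
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Rows of interest, mapped to the NET ACCOUNTS switch that sets each one.
ROW_TO_SWITCH = {
    "Force user logoff how long after time expires?": "/FORCELOGOFF",
    "Minimum password age (days)": "/MINPWAGE",
    "Maximum password age (days)": "/MAXPWAGE",
    "Minimum password length": "/MINPWLEN",
    "Length of password history maintained": "/UNIQUEPW",
}

def parse_net_accounts(text):
    """Return {switch: value}; numbers become int, words such as Never/None/
    Unlimited are upper-cased so they read like the switch arguments."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        switch = ROW_TO_SWITCH.get(label.strip()) if sep else None
        if switch:
            value = value.strip()
            settings[switch] = int(value) if value.isdigit() else value.upper()
    return settings

def check_policy(settings, min_len=8, max_age_days=90, history=5):
    """Flag values below the (assumed) baseline or inconsistent with the
    documented rules, e.g. /MINPWAGE may not exceed /MAXPWAGE.  Returns findings."""
    findings = []
    min_pw_len = settings.get("/MINPWLEN")
    max_age = settings.get("/MAXPWAGE")
    min_age = settings.get("/MINPWAGE")
    uniq = settings.get("/UNIQUEPW")
    if isinstance(min_pw_len, int) and min_pw_len < min_len:
        findings.append(f"/MINPWLEN is {min_pw_len}; baseline wants >= {min_len}")
    if max_age == "UNLIMITED" or (isinstance(max_age, int) and max_age > max_age_days):
        findings.append(f"/MAXPWAGE is {max_age}; baseline wants <= {max_age_days} days")
    if isinstance(min_age, int) and isinstance(max_age, int) and min_age > max_age:
        findings.append("/MINPWAGE exceeds /MAXPWAGE; NET ACCOUNTS rejects this")
    if uniq == "NONE" or (isinstance(uniq, int) and uniq < history):
        findings.append(f"/UNIQUEPW is {uniq}; baseline wants >= {history} (max 24)")
    return findings
```

On a live host the same functions can be fed the real output of NET ACCOUNTS captured to a file during collection.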

NET COMPUTER
\\computername {/ADD | /DEL}

NET COMPUTER adds or deletes computers from a domain database. This command is available only on Windows NT Servers.

  • \\computername Specifies the computer to add or delete from the domain.
  • /ADD Adds the specified computer to the domain.
  • /DEL Removes the specified computer from the domain.

NET CONFIG
[SERVER | WORKSTATION]

NET CONFIG displays configuration information of the Workstation or Server service. When used without the SERVER or WORKSTATION switch, it displays a list of configurable services. To get help with configuring a service, type NET HELP CONFIG service.

  • SERVER Displays information about the configuration of the Server service.
  • WORKSTATION Displays information about the configuration of the Workstation service.

NET FILE
[id [/CLOSE]]

NET FILE closes a shared file and removes file locks. When used without options, it lists the open files on a server. The listing includes the identification number assigned to an open file, the pathname of the file, the username, and the number of locks on the file.

This command works only on computers running the Server service.

  • id Is the identification number of the file.
  • /CLOSE Closes an open file and removes file locks. Type this command from the server where the file is shared.

NET GROUP or NET LOCALGROUP
[groupname [/COMMENT:”text”]] [/DOMAIN]
groupname {/ADD [/COMMENT:”text”] | /DELETE} [/DOMAIN]
groupname username […] {/ADD | /DELETE} [/DOMAIN]

NET GROUP adds, displays, or modifies global groups on servers. Used without parameters, it displays the groupnames on the server. NET LOCALGROUP modifies local groups on computers. When used without options, it displays the local groups on the computer.

  • groupname Is the name of the group to add, expand, or delete. Supply only a groupname to view a list of users in a group.
  • /COMMENT:”text” Adds a comment for a new or existing group. Enclose the text in quotation marks.
  • /DOMAIN Performs the operation on a domain controller of the current domain. Otherwise, the operation is performed on the local computer.
  • username […] Lists one or more usernames to add to or remove from a group. Separate multiple username entries with a space.
  • /ADD Adds a group, or adds a username to a group.
  • /DELETE Removes a group, or removes a username from a group.

NET SESSION
[\\computername] [/DELETE] [/LIST]

NET SESSION lists or disconnects sessions between the computer and other computers on the network. When used without options, it displays information about all sessions with the computer of current focus.

This command works only on servers.

  • \\computername Lists the session information for the named computer.
  • /DELETE Ends the session between the local computer and computername, and closes all open files on the computer for the session. If computername is omitted, all sessions are ended.
  • /LIST Displays information in a list rather than a table.

NET SHARE

Available sharename modes.

NET SHARE makes a server’s resources available to network users.

When used without options, it lists information about all resources being shared on the computer. For each resource, Windows reports the devicename(s) or pathname(s) and a descriptive comment associated with it.

  • sharename Is the network name of the shared resource. Type NET SHARE with a sharename only to display information about that share.

  • drive:path Specifies the absolute path of the directory to be shared.
  • /GRANT:user,perm Creates the share with a security descriptor that gives the requested permissions to the specified user. This option may be used more than once to give share permissions to multiple users.
  • /USERS:number Sets the maximum number of users who can simultaneously access the shared resource.
  • /UNLIMITED Specifies that an unlimited number of users can simultaneously access the shared resource.
  • /REMARK:”text” Adds a descriptive comment about the resource. Enclose the text in quotation marks.
  • devicename Is one or more printers (LPT1: through LPT9:) shared by sharename.
  • /DELETE Stops sharing the resource.
  • /CACHE:Manual Enables manual client caching of programs and documents from this share.
  • /CACHE:Documents Enables automatic caching of documents from this share.
  • /CACHE:Programs Enables automatic caching of documents and programs from this share.
  • /CACHE:BranchCache Manual caching of documents with BranchCache enabled from this share.
  • /CACHE:None Disables caching from this share.

NET STATISTICS
[WORKSTATION]

NET STATISTICS displays the statistics log for the local Workstation service. Used without parameters, NET STATISTICS displays the services for which statistics are available. WORKSTATION Displays the Workstation service statistics.

NET TIME
[\\computername | /DOMAIN[:domainname] | /RTSDOMAIN[:domainname]] [/SET]

NET TIME synchronizes the computer’s clock with that of another computer or domain, or displays the time for a computer or domain. When used without options on a Windows Server domain, it displays the current date and time at the computer designated as the time server for the domain.

  • \\computername Is the name of the computer you want to check or synchronize with.
  • /DOMAIN[:domainname] Specifies to synchronize the time from the Primary Domain Controller of domainname.
  • /RTSDOMAIN[:domainname] Specifies to synchronize with a Reliable Time Server from domainname.
  • /SET Synchronizes the computer’s time with the time on the specified computer or domain.

NET USE

Available sub-commands under NET USE

NET USE connects a computer to a shared resource or disconnects a computer from a shared resource. When used without options, it lists the computer’s connections.

  • devicename Assigns a name to connect to the resource or specifies the device to be disconnected. There are two kinds of devicenames: disk drives (D: through Z:) and printers (LPT1: through LPT3:). Type an asterisk instead of a specific devicename to assign the next available devicename.
  • \\computername Is the name of the computer controlling the shared resource. If the computername contains blank characters, enclose the double backslash (\\) and the computername in quotation marks (" "). The computername may be from 1 to 15 characters long.
  • \sharename Is the network name of the shared resource.
  • \volume Specifies a NetWare volume on the server. You must have Client Services for Netware (Windows Workstations) or Gateway Service for Netware (Windows Server) installed and running to connect to NetWare servers.
  • password Is the password needed to access the shared resource. * Produces a prompt for the password. The password is not displayed when you type it at the password prompt.
  • /USER:[domainname\]username Specifies a different username with which the connection is made. domainname specifies another domain; if it is omitted, the currently logged-on domain is used.
  • username Specifies the username with which to logon.
  • /SMARTCARD Specifies that the connection is to use credentials on a smart card.
  • /SAVECRED Specifies that the username and password are to be saved. This switch is ignored unless the command prompts for username and password.
  • /HOME Connects a user to their home directory.
  • /DELETE Cancels a network connection and removes the connection from the list of persistent connections.
  • /REQUIREINTEGRITY Requires a signed connection to the share. The operation will fail if the provider does not support signed connections.
  • /REQUIREPRIVACY Requires an encrypted connection to the share. The operation will fail if the provider does not support encrypted connections.
  • /PERSISTENT:{YES | NO} Controls the use of persistent network connections. The default is the setting used last. YES saves connections as they are made and restores them at the next logon. NO does not save the connection being made or subsequent connections; existing connections will be restored at the next logon. Use the /DELETE switch to remove persistent connections.

NET USER

Sub-commands available for NET USER

NET USER creates and modifies user accounts on computers. When used without switches, it lists the user accounts for the computer. The user account information is stored in the user accounts database.

  • username Is the name of the user account to add, delete, modify, or view. The name of the user account can have as many as 20 characters.
  • password Assigns or changes a password for the user’s account. A password must satisfy the minimum length set with the /MINPWLEN option of the NET ACCOUNTS command. It can have as many as 14 characters. * Produces a prompt for the password. The password is not displayed when you type it at a password prompt.
  • /DOMAIN Performs the operation on a domain controller of the current domain.
  • /ADD Adds a user account to the user accounts database.
  • /DELETE Removes a user account from the user accounts database.

Net Use Cases for Forensics?

  • You can use the net command line to monitor the services running on a system in the network and, by extension, control them.
  • You can use NET FILE to see a list of files opened by remote connection sessions.
  • You can list shared resources using NET SHARE.
  • NET commands can be combined in a BAT file, and because they are plain CLI tools they can also be driven from your own third-party application to control a computer or system.
  • NET SESSION lists the users logged on to a system from elsewhere in the common network.
  • NET USE can connect to a shared resource on a live computer across the network, so you can access that resource from the command line.
  • You can inspect the Server and Workstation service configuration of a system on a specified network.
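The triage described in the use cases above can be scripted against captured output. As an added example (not from the original post), this Python parses NET SHARE and NET SESSION output, lists the shares beyond the C$/ADMIN$/IPC$ administrative defaults (marking hidden $ shares), and ranks remote sessions by open files; both samples are constructed, not captured from a real host.

```python
# Added example: triage `net share` / `net session` output (samples are constructed).
import re

# Constructed `net share` output: the three administrative defaults plus two
# user-created shares, one of them hidden with a trailing $.
SAMPLE_NET_SHARE = r"""
Share name   Resource           Remark

-------------------------------------------------------------------------------
C$           C:\                Default share
IPC$                            Remote IPC
ADMIN$       C:\Windows         Remote Admin
Public       C:\Users\Public    Team drop folder
tmp$         C:\Temp\staging
The command completed successfully.
"""

# Constructed `net session` output as seen on the server side.
SAMPLE_NET_SESSION = r"""
Computer            User name       Client Type   Opens   Idle time

-------------------------------------------------------------------------------
\\192.168.1.50      jdoe                          3       00:00:05
\\WKS-07            svc_backup                    0       01:12:40
The command completed successfully.
"""

DEFAULT_SHARES = {"C$", "ADMIN$", "IPC$"}  # administrative shares created by default

def parse_net_table(text):
    """Parse the fixed-width table these commands print.  Column offsets come from
    the header, so an empty cell (IPC$ has no Resource) cannot shift later columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, body = lines[0], lines[1:]
    # A column name may contain a single space ("Share name", "Idle time").
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", header)]
    starts = [start for _, start in cols] + [None]
    rows = []
    for line in body:
        if line.startswith("---") or line.startswith("The command"):
            continue  # separator and the trailing status line carry no data
        rows.append({name: line[starts[i]:starts[i + 1]].strip()
                     for i, (name, _) in enumerate(cols)})
    return rows

def nondefault_shares(text):
    """(name, path, hidden) for every share beyond the administrative defaults."""
    return [(r["Share name"], r["Resource"], r["Share name"].endswith("$"))
            for r in parse_net_table(text) if r["Share name"] not in DEFAULT_SHARES]

def active_sessions(text):
    """(client, user, open files) per remote session, most open files first."""
    rows = parse_net_table(text)
    return sorted(((r["Computer"], r["User name"], int(r["Opens"])) for r in rows),
                  key=lambda s: -s[2])
```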

Conclusion

Net is one of the numerous CLI commands provided by Windows. Though it may seem clunky, and there are GUI-based apps such as Service.exe from Windows to manage services, net commands can be invoked programmatically by custom-made applications. It is one of the older commands, available on older, non-GUI systems. Used correctly, it can be applied to monitoring and collecting evidence.
