ipconfig.exe
- File Path:
C:\Windows\SysWOW64\ipconfig.exe
- Description: IP Configuration Utility
Hashes
Type | Hash |
---|---|
MD5 | B8CB2DFCA7379908B0605331A759AF4C |
SHA1 | A7128F925D4B95C074013F545102BBCD753A10BD |
SHA256 | B0832DEC07A4CB6228B7B392D6ABAFB79E9BF7327605AE3E86E1E617DE7495A5 |
SHA384 | 126EE417BFDE112AE2B12DF5B1E7906DB166C8444292BEF79279A2F1570ADF0060D124A6B3414970E71A42F4BCC97216 |
SHA512 | 91E672BD9DE4F5C08DF68B3FF64808B4267846F0A36C76E62DFEE4888FDFBCF295BCCECCD67DC4ACE5F444D4352B6E95601EAD6A1B3130FB339FFBDF25DD5FDD |
SSDEEP | 384:0STbXEOM7LqKYZHrWn5yu3Qso6uVCgXvtCZvE0zb4M8XG1tbyf9Wxyypvb976hWP:0fmKYZQQyJukgXvtCOeB83Wxymb9D |
IMP | 98CEEAF3EB55DE32686F14F2CF79FC6F |
PESHA1 | 86EAB569A85DCBD47611D73842E4073A3415D8D9 |
PE256 | 1CDE2A2549B76CF1FCF8096191A650F08A89C39768204386546A2F5246F4F096 |
Runtime Data
Usage (stdout):
Error: unrecognized or incomplete command line.
USAGE:
ipconfig [/allcompartments] [/? | /all |
/renew [adapter] | /release [adapter] |
/renew6 [adapter] | /release6 [adapter] |
/flushdns | /displaydns | /registerdns |
/showclassid adapter |
/setclassid adapter [classid] |
/showclassid6 adapter |
/setclassid6 adapter [classid] ]
where
adapter Connection name
(wildcard characters * and ? allowed, see examples)
Options:
/? Display this help message
/all Display full configuration information.
/release Release the IPv4 address for the specified adapter.
/release6 Release the IPv6 address for the specified adapter.
/renew Renew the IPv4 address for the specified adapter.
/renew6 Renew the IPv6 address for the specified adapter.
/flushdns Purges the DNS Resolver cache.
/registerdns Refreshes all DHCP leases and re-registers DNS names
/displaydns Display the contents of the DNS Resolver Cache.
/showclassid Displays all the dhcp class IDs allowed for adapter.
/setclassid Modifies the dhcp class id.
/showclassid6 Displays all the IPv6 DHCP class IDs allowed for adapter.
/setclassid6 Modifies the IPv6 DHCP class id.
The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.
For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.
For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.
Examples:
> ipconfig ... Show information
> ipconfig /all ... Show detailed information
> ipconfig /renew ... renew all adapters
> ipconfig /renew EL* ... renew any connection that has its
name starting with EL
> ipconfig /release *Con* ... release all matching connections,
eg. "Wired Ethernet Connection 1" or
"Wired Ethernet Connection 2"
> ipconfig /allcompartments ... Show information about all
compartments
> ipconfig /allcompartments /all ... Show detailed information about all
compartments
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
C:\Windows\SysWOW64\ipconfig.exe |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4
- Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: ipconfig.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/b0832dec07a4cb6228b7b392d6abafb79e9bf7327605ae3e86e1e617de7495a5/detection/
Possible Misuse
The following table contains possible examples of ipconfig.exe
being misused. While ipconfig.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | apt_silence_downloader_v3.yml | - '\ipconfig.exe' |
DRL 1.0 |
sigma | proc_creation_macos_system_network_discovery.yml | - '/usr/sbin/ipconfig' |
DRL 1.0 |
sigma | proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml | - 'ipconfig' |
DRL 1.0 |
sigma | proc_creation_win_multiple_suspicious_cli.yml | - ipconfig.exe |
DRL 1.0 |
sigma | proc_creation_win_susp_network_command.yml | - 'ipconfig /all' |
DRL 1.0 |
sigma | proc_creation_win_webshell_detection.yml | - '\ipconfig.exe' |
DRL 1.0 |
malware-ioc | misp_invisimole.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", |
© ESET 2014-2018 |
malware-ioc | rtm | ipconfig /flushdns |
© ESET 2014-2018 |
malware-ioc | misp-turla-lightneuron-event.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", |
© ESET 2014-2018 |
atomic-red-team | T1016.md | <blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | ipconfig /all | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all , net config workstation , net view /all /domain , nltest /domain_trusts . Output will be via stdout. |
MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1018.md | $localip = ((ipconfig | findstr [0-9]..)[0]).Split()[-1] | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.006.md | Upon successful execution, powershell will execute ipconfig on localhost using invoke-command . |
MIT License. © 2018 Red Canary |
atomic-red-team | T1021.006.md | | remote_command | Command to execute on remote Host | String | ipconfig| | MIT License. © 2018 Red Canary |
signature-base | apt_oilrig.yar | $s1 = “whoami & hostname & ipconfig /all” ascii | CC BY-NC 4.0 |
signature-base | apt_volatile_cedar.yar | $s1 = “command = "ipconfig /all"” fullword | CC BY-NC 4.0 |
signature-base | gen_cn_webshells.yar | $s6 = “secparam(‘IP Configurate’,execute(‘ipconfig -all’));” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_recon_indicators.yar | /* ipconfig /all */ | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s5 = “//——- [netstat -an] and [ipconfig] and [tasklist] ————” fullword | CC BY-NC 4.0 |
stockpile | e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml | ipconfig |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
ipconfig
Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.
Syntax
ipconfig [/allcompartments] [/all] [/renew [<adapter>]] [/release [<adapter>]] [/renew6[<adapter>]] [/release6 [<adapter>]] [/flushdns] [/displaydns] [/registerdns] [/showclassid <adapter>] [/setclassid <adapter> [<classID>]]
Parameters
Parameter | Description |
---|---|
/all | Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. |
/displaydns | Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers. |
/flushdns | Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically. |
/registerdns | Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS. |
/release [<adapter>] |
Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/release6[<adapter>] |
Sends a DHCPRELEASE message to the DHCPv6 server to release the current DHCP configuration and discard the IPv6 address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/renew [<adapter>] |
Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/renew6 [<adapter>] |
Renews DHCPv6 configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IPv6 address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/setclassid <adapter>[<classID>] |
Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed. |
/showclassid <adapter> |
Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. |
/? | Displays Help at the command prompt. |
Remarks
-
This command is most useful on computers that are configured to obtain an IP address automatically. This enables users to determine which TCP/IP configuration values have been configured by DHCP, Automatic Private IP Addressing (APIPA), or an alternate configuration.
-
If the name you supply for adapter contains any spaces, use quotation marks around the adapter name (for example, “adapter name”).
-
For adapter names, ipconfig supports the use of the asterisk (*) wildcard character to specify either adapters with names that begin with a specified string or adapters with names that contain a specified string. For example,
Local*
matches all adapters that start with the string Local and*Con*
matches all adapters that contain the string Con.
Examples
To display the basic TCP/IP configuration for all adapters, type:
ipconfig
To display the full TCP/IP configuration for all adapters, type:
ipconfig /all
To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type:
ipconfig /renew Local Area Connection
To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type:
ipconfig /flushdns
To display the DHCP class ID for all adapters with names that start with Local, type:
ipconfig /showclassid Local*
To set the DHCP class ID for the Local Area Connection adapter to TEST, type:
ipconfig /setclassid Local Area Connection TEST
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.