PsTools Kit
PsTools is a collection of 13 command-line utilities written by Mark Russinovich (Sysinternals, now part of Microsoft). They let you run processes on remote systems and redirect the output of console applications back to your local console, so that those applications appear to be running locally. The tools work on Windows NT and later. Because they are console applications, each one can operate on the local computer or on a remote host, and they require no software to be installed on the remote system in advance; every tool also accepts alternative credentials (-u and -p) for the remote machine. One caveat a practitioner should keep in mind: a password supplied with -p is visible in the local process command line and in any command-line auditing on the local machine (Security event 4688 when command-line logging is enabled), so where you can, omit -p and let the tool prompt for the password instead. The "Ps" prefix comes from the standard UNIX process-listing command, ps, which inspired PsList; the prefix was then adopted for all the tools to tie them together into a suite named "PsTools".
Download the PsTools kit from this link, which also gives a brief description of each tool.
The tools included in the PsTools suite, which are downloadable as a package, are:
- PsExec - execute processes remotely
- PsFile - shows files opened remotely
- PsGetSid - display the SID of a computer or a user
- PsInfo - list information about a system
- PsPing - measure network performance
- PsKill - kill processes by name or process ID
- PsList - list detailed information about processes
- PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
- PsLogList - dump event log records
- PsPasswd - changes account passwords
- PsService - view and control services
- PsShutdown - shuts down and optionally reboots a computer
- PsSuspend - suspends processes
- PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
1.PsExec -
The tool psexec is used to remotely execute programs on a computer. I have used this in the past to execute programs that I installed in an alternate data stream. Quite often, when a hacker is able to gain access to one of the computers on the network you work on, you will see psexec transferred over. Back when I wrote the above-linked article, psexec worked wonderfully well. Now that I am writing about it in this article there are some really odd quirks: it did not want to work, and I had to spend an hour or so trying to figure out what went wrong. Long story short, I was able to get it working, but with a different syntax than in the article noted above. On that note, if any of you can tell me what is different here I would be most interested in knowing. With that said, let's take a look at how to use psexec via a reverse shell as supplied by Metasploit.
The important tool is PsExec64.exe, which drops us directly into a shell on the victim's PC. Because psexec redirects the remote program's standard input and output to your console, running cmd gives a fully interactive command prompt on the target. The target is written as a UNC computer name (two leading backslashes); add -s to run the program as LocalSystem instead of the supplied user, and -accepteula to suppress the first-run licence dialog. Note what this leaves behind: psexec copies PSEXESVC.exe to the target's ADMIN$ share and installs it as a service, which writes a "service was installed" record (System event 7045) and opens a named pipe called PSEXESVC, both of which defenders watch for. The command is:
PsExec64.exe \\192.168.1.4 -u administrator -p forever cmd
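The one-off command above is what you type by hand. For running the same command on several hosts and collecting the results, the following PowerShell function is an added example (not code from the original page or from Sysinternals). It assumes PsExec64.exe is on PATH or passed in -PsExecPath, and that the current logon account is already an administrator on every target, so no -u/-p is passed and no password ends up in the command line or in 4688 audit records.

```powershell
# Added example, not code from the original page. Runs one command on several hosts with
# PsExec and collects each host's output and exit code. Assumes PsExec64.exe is on PATH
# (or passed in -PsExecPath) and that the current logon account is an administrator on
# every target, so no -u/-p is passed and no password lands in the command line or in
# Security event 4688 records.
function Invoke-PsExecFanOut {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Command,        # e.g. 'whoami /groups'
        [string]$PsExecPath = 'PsExec64.exe',
        [switch]$AsSystem                              # -s: run as LocalSystem on the target
    )
    foreach ($h in $ComputerName) {
        # -accepteula suppresses the first-run licence dialog; -nobanner the startup banner.
        $psexecArgs = @('-accepteula', '-nobanner', "\\$h")
        if ($AsSystem) { $psexecArgs += '-s' }
        $psexecArgs += @('cmd', '/c', $Command)
        # 2>&1 merges PsExec's own error text (e.g. "Couldn't access ...") into the output.
        $output = & $PsExecPath @psexecArgs 2>&1 | Out-String
        [pscustomobject]@{
            ComputerName = $h
            ExitCode     = $LASTEXITCODE        # PsExec returns the remote process's exit code
            Output       = $output.Trim()
        }
    }
}

# Usage:
# Invoke-PsExecFanOut -ComputerName '192.168.1.4', '192.168.1.104' -Command 'whoami' -AsSystem |
#     Format-Table ComputerName, ExitCode, Output -Wrap
```

PsExec exits with the exit code of the remote process, so a non-zero ExitCode for a host means either the command failed there or psexec could not reach the host; the merged Output shows which. Every run installs the PSEXESVC service on each target, so expect a System event 7045 per host when you review logs afterwards.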
2.PsFile-
This tool shows which files on a computer are currently open by remote users, that is, files opened over its file shares. If you run psfile against 192.168.1.4 it lists the files on 192.168.1.4 that remote computers presently have open, along with the user and the type of access. It does not show the IP address of the computer that opened each file. What it does allow is closing a remotely opened file if you so choose (the -c option, given after the file's ID or path), which is a rather handy feature to have. The command below runs it against a remote host:
command:
psfile64.exe \\192.168.1.4 -u administrator -p server@123
3.PsGetSid-
This tool queries a computer for its SID (security identifier), which saves you from mucking about in the registry, where most people are loath to go. It does not only show the computer's SID: append an account name such as administrator to the command and it prints that account's SID instead. The command for a remote host is:
commands:
PsGetsid64.exe \\192.168.1.104 -u administrator -p server@123
Here,
\\192.168.1.104 –> our victim's IP, written as a UNC computer name (hence the two leading backslashes)
-u –> denotes the username
administrator –> the username
-p –> denotes the password
server@123 –> the password
4.PsInfo-
One of the best tools in the PsTools suite is psinfo. This little program gives you most of the system information you would ever require: OS version and build, install date, uptime, and with -h the installed hotfixes (-s lists installed software, -d the disk volumes). Uptime matters more than it first appears. A patch that requires a reboot is not fully in effect until the machine restarts, so uptime tells you whether a reboot has happened since a patch was released. For example, suppose a new remote code execution bug in Windows is public and Microsoft issued the patch for it two days ago. If psinfo reports an uptime of four days, the computer has not rebooted since the patch came out, and if that patch needs a reboot the machine is still exposed to that vector. Confirm rather than infer where you can: the hotfix list from psinfo -h shows whether the KB is installed at all. The command for a remote host is:
commands:
psinfo.exe \\192.168.1.4 -u administrator -p server@123
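The uptime-versus-patch reasoning above is easy to apply to one host by eye and tedious across many. The PowerShell below is an added example (not code from the original page or from Sysinternals): it parses the text psinfo -h prints into uptime and a hotfix list, then flags a host when the required KB is missing or when the machine has not rebooted since the patch was published. The sample text at the bottom is constructed to imitate psinfo's layout; it is not captured output, and the KB numbers in it are placeholders.

```powershell
# Added example, not code from the original page. Parses the text that "psinfo -h" prints
# so that uptime and the hotfix list can be checked the same way on many hosts. The sample
# text at the bottom is constructed to imitate psinfo's layout; it is not captured output,
# and the KB numbers in it are placeholders.
function ConvertFrom-PsInfo {
    param([Parameter(Mandatory)][string]$Text)
    $uptimeDays = $null
    $hotfixes = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($Text -split "`r?`n")) {
        # "Uptime:  4 days 2 hours 13 minutes 10 seconds" (days/hours are absent when zero)
        if ($line -match '^\s*Uptime:\s+(?:(\d+)\s+days?\s*)?(?:(\d+)\s+hours?)?') {
            $d = if ($Matches[1]) { [int]$Matches[1] } else { 0 }
            $h = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
            $uptimeDays = [math]::Round($d + ($h / 24), 2)
        }
        elseif ($line -match '^\s*(KB\d{6,7})\b') {      # one hotfix per line under "OS Hot Fix"
            $hotfixes.Add($Matches[1])
        }
    }
    [pscustomobject]@{ UptimeDays = $uptimeDays; Hotfixes = $hotfixes.ToArray() }
}

# A host needs attention when the required KB is missing, or when it has not rebooted since
# the patch was published (a reboot-requiring fix is not in effect until then).
# $PatchAgeDays = days since Microsoft released the patch.
function Test-PsInfoPatchState {
    param(
        [Parameter(Mandatory)][string]$PsInfoText,
        [Parameter(Mandatory)][string]$RequiredKB,
        [Parameter(Mandatory)][double]$PatchAgeDays
    )
    $info  = ConvertFrom-PsInfo -Text $PsInfoText
    $hasKB = $info.Hotfixes -contains $RequiredKB
    $rebootedSincePatch = ($null -ne $info.UptimeDays) -and ($info.UptimeDays -lt $PatchAgeDays)
    [pscustomobject]@{
        UptimeDays         = $info.UptimeDays
        HasKB              = $hasKB
        RebootedSincePatch = $rebootedSincePatch
        NeedsAttention     = (-not $hasKB) -or (-not $rebootedSincePatch)
    }
}

# Constructed sample in the shape of "psinfo -h" output (placeholder data, not a real host):
$sample = @'
System information for \\WIN-TEST:
Uptime:                    4 days 2 hours 13 minutes 10 seconds
Kernel version:            Windows 10 Enterprise, Multiprocessor Free
Product type:              Professional
OS Hot Fix                 Installed
KB0000001                  1/10/2024
KB0000002                  1/10/2024
'@
Test-PsInfoPatchState -PsInfoText $sample -RequiredKB 'KB0000003' -PatchAgeDays 2
# Live use against a host (password prompted because -p is omitted):
# Test-PsInfoPatchState -PsInfoText (psinfo \\192.168.1.4 -u administrator -h | Out-String) -RequiredKB 'KB0000003' -PatchAgeDays 2
```

For the constructed sample the result is UptimeDays 4.08, HasKB false, RebootedSincePatch false and NeedsAttention true, which is the four-days-up, patched-two-days-ago situation described above. When psinfo cannot reach the host the Uptime line is absent, UptimeDays stays null and the host is still flagged, which is the safe default for a patch check.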
5.PsPing-
As the name says, psping checks connectivity and measures network performance. Besides an ordinary ICMP ping it can do a TCP connect test (give the target as host:port), and with a psping server running on the other end it measures latency and bandwidth. During remote enumeration this is handy for confirming that a host is up and, more usefully, that TCP port 445 (SMB), which the other PsTools depend on to reach the admin shares and named pipes of the target, is actually reachable before you spend time on connections that will fail.
command:
psping.exe 192.168.1.4
6.Pskill-
As the name says, pskill terminates a process on the local or on the remote computer you are enumerating, by name or by process ID. During enumeration it is mostly used to get rid of a hung or runaway process that is slowing the target down, so that the next commands you send through the PsTools run at a reasonable speed. Killing by name terminates every process with that name, so prefer the PID (taken from pslist) when only one instance should die. The remote form is:
command:
pskill.exe \\192.168.1.4 -u administrator -p server@123 <pid>
7.Pslist-
pslist gives us process information and is another pretty darn handy tool in this suite. It lists exactly what is running on the computer you invoke it on: name, PID, priority, thread and handle counts, private memory, CPU time and elapsed time. Can you think of a use that a malicious hacker would have for such a program? For one, they may want to see whether an anti-virus solution, or any other program of particular interest to them, is running on that computer.
In other words, the information obtained via this program can be a treasure trove for someone with malicious intent. Conversely, the system administrator can make just as much use of this tool's output. One simple example: a user complains that a specific application is not running on their computer; a quick check of pslist's output on that person's computer helps the sysadmin find the fault that much quicker.
commands:
pslist64.exe \\192.168.1.104 -u administrator -p Ignite@123
8.Psloggedon
Another handy little tool in this excellent toolkit is psloggedon. It shows who is logged on to a computer, both interactively and through resource shares (it enumerates the server's sessions for the latter), and if you give it a username instead of a computer name it searches the network for the machines where that user is logged on. Can any of you think of why this might be handy to a malicious hacker? Knowing which machine an administrator is logged on to right now tells an attacker where that account's credentials are in memory. Run with no arguments it reports on the local machine:
commands:
psloggedon
9.Psloglist-
psloglist is a very handy little tool and one of my favorites. It dumps event log records from either the machine you are on or a remote one: the System log by default, or the Application, Security or any other log named as the last argument. Options let you pick event IDs (-i), limit the dump to the last n days (-d), and print one record per line with comma-delimited fields (-s), which is the form to use when you want to feed the output to another tool. The information in an event log is obviously of interest to a sysadmin, and also to a malicious hacker; as always, the advantages of a tool cut both ways.
Invoking psloglist is simple enough: type it in and hit enter. You will want to pipe the output through "| more" so that it does not fly past you and you can go through it page by page. The output names the system whose logs you are looking at, i.e. \\WIN2K2, and the remaining fields are straightforward. As you can see, psloglist gives you access to the event logs, which contain a good deal of information.
commands:
psloglist | more
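Reading a whole log page by page is fine for a look around; for a targeted question you filter. The PsExec section noted that psexec installs a PSEXESVC service on its target, which the Service Control Manager records as System event 7045. The PowerShell below is an added example (not code from the original page or from Sysinternals) that pulls those records through psloglist -s -i 7045 and keeps the ones that installed PSEXESVC. The sample lines are constructed in the one-record-per-line, comma-delimited shape of psloglist -s output; the exact field order is an assumption, so the parser splits off only the leading fields and searches the message text for the service name.

```powershell
# Added example, not code from the original page. Hunts for PsExec use by reading
# "A service was installed" (System event 7045) records via psloglist and keeping those that
# installed PSEXESVC, the service PsExec drops on its target. The sample lines are constructed,
# shaped like "psloglist -s" (one record per line, comma-delimited); the field order
# (record, source, time, id, type, user, computer, message) is an assumption.
function Find-PsExecServiceInstall {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # PsExec -r <name> renames the service, so widen this pattern when hunting seriously.
        [string]$ServicePattern = '^PSEXESVC$'
    )
    foreach ($line in $Lines) {
        $fields = $line -split ',', 8           # limit 8 keeps the message (which has commas) whole
        if ($fields.Count -lt 8) { continue }
        if ($fields[3].Trim() -ne '7045') { continue }
        if ($fields[7] -match 'Service Name:\s*(?<svc>\S+)') {
            if ($Matches.svc -match $ServicePattern) {
                [pscustomobject]@{
                    Record   = $fields[0]
                    Time     = $fields[2]
                    Computer = $fields[6]
                    Service  = $Matches.svc
                    Message  = $fields[7]
                }
            }
        }
    }
}

# Constructed sample (not real log data):
$sample = @(
 '1201,Service Control Manager,1/10/2024 2:03:11 PM,7045,INFORMATION,SYSTEM,WIN2K2,A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe',
 '1202,Service Control Manager,1/10/2024 2:05:40 PM,7045,INFORMATION,SYSTEM,WIN2K2,A service was installed in the system. Service Name: Spooler Service File Name: %SystemRoot%\System32\spoolsv.exe'
)
Find-PsExecServiceInstall -Lines $sample        # returns only record 1201

# Live use (password prompted because -p is omitted):
# Find-PsExecServiceInstall -Lines (psloglist \\192.168.1.4 -u administrator -s -i 7045 system)
```

A single 7045 for PSEXESVC on a workstation that no administrator should be reaching with psexec is worth a look on its own; a burst of them across many hosts in a short window is the lateral-movement pattern the PsExec section warned about. Pair the hit with the matching network logon (Security event 4624, logon type 3) on the same host to see which account was used.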
10.Pspasswd-
I can imagine this tool getting a fair amount of use by malicious hackers who have gained a presence on a computer; a sysadmin, after all, can change passwords just as easily from their own terminal. As you will see, this handy little tool works quite well.
The command line syntax below changes the password of the named account on the computer you invoke the tool on (put \\computer -u user -p password in front of it to do the same on a remote machine). Quite simple, isn't it? An attacker may not want to make such an obvious change, but the option exists, and trying to log in as administrator the next day only to find your password no longer works would be a nasty shock indeed.
command: pspasswd username newpassword
11.Psservice
This tool lists and controls services on the local and on a remote computer. It resembles pslist in that it lists the services on a computer, but psservice also lets you stop, pause, continue, start and restart those same services, and query or change their configuration. Run with no arguments it lists every service on the target; run with -? it prints its help, which is a fairly extensive list of what it can do. We saw earlier that pskill will kill a process; psservice does much more than simply kill something. It can stop and then restart a specific service, which is fairly handy for a sysadmin, as services can hang and need to be restarted. The remote form, listing all services, is:
command:
PsService64.exe \\192.168.1.4 -u administrator -p server@123
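Restarting a hung service is the common case the section describes, and the thing to check afterwards is that the service actually came back. The PowerShell below is an added example (not code from the original page or from Sysinternals) that issues psservice restart and then polls psservice query until the STATE line reports RUNNING. It assumes PsService64.exe is on PATH and that the current account is an administrator on the target, so no -u/-p is passed; the sample query text is constructed to look like psservice output.

```powershell
# Added example, not code from the original page. Restarts a service with psservice and
# confirms the result by parsing "psservice query" output instead of trusting the exit code.
# Assumes PsService64.exe is on PATH and the current account is an administrator on the
# target, so no -u/-p is passed. The sample text is constructed to look like query output.
function ConvertFrom-PsServiceQuery {
    param([Parameter(Mandatory)][string]$Text)
    # psservice prints e.g. "        STATE             : 4  RUNNING"
    if ($Text -match 'STATE\s*:\s*(\d+)\s+([A-Z_]+)') {
        return [pscustomobject]@{ StateCode = [int]$Matches[1]; State = $Matches[2] }
    }
    return $null   # no STATE line: unknown service, access denied, or host unreachable
}

function Get-PsServiceState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$PsServicePath = 'PsService64.exe'
    )
    $text = & $PsServicePath -accepteula "\\$ComputerName" query $ServiceName 2>&1 | Out-String
    ConvertFrom-PsServiceQuery -Text $text
}

function Restart-PsService {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ServiceName,
        [string]$PsServicePath = 'PsService64.exe',
        [int]$TimeoutSeconds = 30
    )
    & $PsServicePath -accepteula "\\$ComputerName" restart $ServiceName 2>&1 | Out-Null
    # Do not assume the service is up just because the command returned: poll the real state.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $state = $null
    do {
        $state = Get-PsServiceState -ComputerName $ComputerName -ServiceName $ServiceName -PsServicePath $PsServicePath
        if ($state -and $state.State -eq 'RUNNING') { return $state }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    $last = if ($state) { $state.State } else { 'unknown' }
    throw "$ServiceName on $ComputerName is not RUNNING after restart (last state: $last)"
}

# Parser check on constructed text (not captured from a real host):
ConvertFrom-PsServiceQuery -Text @'
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE              : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
        STATE             : 4  RUNNING
                               (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
'@
# Live: Restart-PsService -ComputerName '192.168.1.4' -ServiceName Spooler
```

The parser returns StateCode 4 and State RUNNING for the sample. Polling rather than trusting the restart command matters for services with slow start-up; the throw at the end turns a silent half-restart into a visible failure in whatever script calls this.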
12.Psshutdown-
Have you ever been sitting at your computer working away diligently, only to see a little window pop up saying that the computer is going to shut down in X seconds? Crap, I had better save my work! With psshutdown you too can have the power of the mighty sysadmin. The tool needs an action switch: -s shuts down, -r reboots, -k powers off, -a aborts a shutdown that is already counting down; -t sets the countdown in seconds (the default is 20) and -m displays a message to logged-on users. The remote form, shutting the victim down after the default countdown, is:
command:
psshutdown.exe \\192.168.1.104 -u administrator -p forever -s
13.Pssuspend-
The last tool we will look at in the PsTools suite is pssuspend. You might recall the comment earlier that many of these tools are complementary in nature; this one is an excellent example. pssuspend freezes a process without killing it (and resumes it again with -r), which is useful when you want to stop something, such as a runaway job, while keeping its state intact. To use it effectively you first run pslist to find the process ID of the target, then pass that PID (1014 in this example) to pssuspend:
command:
pssuspend \\192.168.1.4 -u administrator -p server@123 1014
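The pslist-then-pssuspend pairing above (and the same pairing with pskill from the PsKill section) is easy to script. The PowerShell below is an added example (not code from the original page or from Sysinternals): it parses the table pslist prints, picks the processes with a given name, and suspends, resumes or kills each one by PID, so that only the intended instances are touched. It assumes the 64-bit tools sit in $ToolDir and that the current account is an administrator on the target, so no -u/-p is passed; the sample listing at the bottom is constructed in pslist's layout, not captured output.

```powershell
# Added example, not code from the original page. Pairs pslist with pssuspend (or pskill) by
# PID rather than by name, so only the intended instances are touched. ConvertFrom-PsList
# parses the table pslist prints; the sample at the bottom is constructed in that layout,
# not captured output. Assumes the 64-bit tools sit in $ToolDir and the current account is
# an administrator on the target (no -u/-p on the command line).
function ConvertFrom-PsList {
    param([Parameter(Mandatory)][string]$Text)
    # Columns: Name Pid Pri Thd Hnd Priv CPU-Time Elapsed-Time
    $row = '^(?<name>\S+)\s+(?<pid>\d+)\s+(?<pri>\d+)\s+(?<thd>\d+)\s+(?<hnd>\d+)\s+(?<priv>\d+)\s+(?<cpu>[\d:.]+)\s+(?<elapsed>[\d:.]+)\s*$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $row) {
            [pscustomobject]@{
                Name    = $Matches.name
                Pid     = [int]$Matches.pid
                Threads = [int]$Matches.thd
                Handles = [int]$Matches.hnd
                PrivKB  = [int]$Matches.priv
                CpuTime = $Matches.cpu
                Elapsed = $Matches.elapsed
            }
        }
    }
}

function Set-RemoteProcessState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Name,                     # process name as pslist shows it
        [ValidateSet('Suspend', 'Resume', 'Kill')][string]$Action = 'Suspend',
        [string]$ToolDir = '.'
    )
    $listing = & "$ToolDir\pslist64.exe" -accepteula "\\$ComputerName" 2>&1 | Out-String
    $targets = @(ConvertFrom-PsList -Text $listing | Where-Object { $_.Name -eq $Name })
    if ($targets.Count -eq 0) { Write-Warning "no process named $Name on $ComputerName"; return }
    foreach ($p in $targets) {
        switch ($Action) {
            'Suspend' { & "$ToolDir\pssuspend64.exe" -accepteula "\\$ComputerName" $p.Pid | Out-Null }
            'Resume'  { & "$ToolDir\pssuspend64.exe" -accepteula -r "\\$ComputerName" $p.Pid | Out-Null }
            'Kill'    { & "$ToolDir\pskill64.exe" -accepteula "\\$ComputerName" $p.Pid | Out-Null }
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Name = $p.Name; Pid = $p.Pid; Action = $Action; ExitCode = $LASTEXITCODE }
    }
}

# Parser check on constructed pslist-style text (not real output):
ConvertFrom-PsList -Text @'
Process information for WIN-TEST:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                4   8 150 1200    200     0:00:21.203    2:13:10.512
notepad            1014   8   2   65   1784     0:00:00.031    0:02:10.123
'@ | Where-Object { $_.Name -eq 'notepad' }
# Live: Set-RemoteProcessState -ComputerName '192.168.1.4' -Name notepad -Action Suspend
```

For the constructed listing the parser returns the notepad row with Pid 1014, the PID used in the command above. Passing the PID rather than the name to pssuspend and pskill is deliberate: both tools accept a name, but a name matches every instance, and on a server that is rarely what you want.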