Remote control programs and similar utilities can run programs on other machines, but they are not that easy to set up because client software has to be installed on every target. PsExec is a tool that lets you start processes on remote systems without manually installing any client software on them. You can easily launch a command prompt on a remote system, and you can point tools such as ipconfig, which on their own cannot report anything about a remote machine, at that machine.
Before you download PsExec, there is one thing to note. Some anti-virus programs flag it as a "remote admin" tool or virus, which is not what it is. Malware has used PsExec to spread and to run code on other machines, and that is the main reason anti-virus products raise alerts on it.
PsExec is part of the PsTools suite, which was developed by Mark Russinovich at Sysinternals; Microsoft has since acquired it. The tool lets you manage machines across domain and site boundaries. It also relays console input and output between the two systems, which is what lets you use interactive console tools remotely.
The inner workings of most Microsoft-associated software are kept secret, but that is not the case with PsExec. It redirects both the input and the output of a remotely started executable by using SMB and the hidden ADMIN$ share on the remote system: PsExec copies its service binary (PSEXESVC.exe) into that share, then uses the Windows Service Control Manager API to start the PSEXESVC service on the remote system. The service creates a named pipe with which PsExec communicates, and that pipe is what carries the input/output redirection back to the system that started PsExec.
Various uses of PsExec
PsExec can be used for a wide range of practical tasks.
Using PsExec to launch ipconfig on a remote system
Suppose you can look up a machine's DNS name but not its precise IP configuration. On your own system you would use the ipconfig tool to find this detail, but for the remote machine you would have to walk over to it or borrow another user's computer. ipconfig cannot be pointed at a non-local machine, and this is where PsExec can launch it for you. The remote computer is specified after the double backslash, followed by the ipconfig command. By default the process runs in the remote system's system directory (%SystemRoot%\System32). The /all switch makes ipconfig show all available details.
Launching an executable patch remotely
You can also use PsExec to deploy updates, hotfixes and patches. When you have very little time to install a high-priority security patch, PsExec lets you push it out. In the example command (shown in the original screenshot), two computer names follow the double backslash, separated by a comma. PsExec lets you list several target machines on the command line, or supply a file (given as @file) containing the host names or addresses. The -c switch copies a file from the local system to the remote system so that it can be executed there.
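The two administrative uses above, the remote ipconfig and the multi-host patch push, as an added PowerShell example that is not from the original article. The host name WKS-0042, the file hosts.txt, the patch file name and its silent-install switches are placeholders; psexec.exe is assumed to be on PATH and the caller to be a local administrator on every target.

```powershell
# Added example, not from the original article. Assumed values: host WKS-0042,
# the file hosts.txt (one host per line), the patch file name and its installer
# switches; psexec.exe is assumed to be on PATH and the caller to be a local
# administrator on the targets.

# 1) ipconfig on one remote host. The target follows \\ and the command comes last;
#    by default the process runs in the remote system directory (%SystemRoot%\System32),
#    and its console output is relayed back through PsExec's named pipe.
psexec \\WKS-0042 ipconfig /all

# 2) Push an executable patch to a list of hosts. -c copies the local file into the
#    remote ADMIN$ share before running it. /quiet /norestart are typical switches for
#    a self-installing hotfix executable but depend on the package (an assumption here).
$patch = 'C:\Patches\KB-hotfix-x64.exe'

$results = foreach ($target in Get-Content .\hosts.txt) {
    $target = $target.Trim()
    if (-not $target) { continue }

    # -accepteula suppresses PsExec's first-run licence dialog; -n 10 gives up after
    # 10 seconds if the host does not answer, so one dead machine does not stall the run.
    # Without -d PsExec waits for the remote process and returns its exit code, so
    # $LASTEXITCODE is the installer's own result on that host.
    $null = psexec -accepteula -n 10 "\\$target" -c $patch /quiet /norestart 2>$null
    [pscustomobject]@{ Host = $target; ExitCode = $LASTEXITCODE }
}

# Non-zero exit codes are the hosts to revisit; a timeout or access-denied shows up
# here too, because PsExec then returns its own error code instead of the installer's.
$results | Format-Table -AutoSize
```

PsExec can take the whole list itself (psexec @hosts.txt -c patch.exe /quiet /norestart), but then you get one combined run and one exit code; looping from PowerShell costs a few lines and gives you a per-host result table, which is what you want when a patch window is short.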
Malevolent things that PsExec can do
PsExec can also be put to some nasty uses.
Launching a malicious executable remotely
For instance, an attacker who has obtained credentials for a system but has no direct access to it will want a GUI or command-line foothold on that system. On their own the credentials are of limited use, because the attacker has no way to run code with them. With PsExec, the attacker can use them to run a backdoor executable on the system.
The attacker uses the -c switch to copy and run a local file on the remote system, and the -u and -p switches to supply the user name and password so that the file runs with administrative privileges. The victim notices nothing, because the backdoor runs silently, with no console on the victim's desktop, and from then on it lets the attacker connect to the system and obtain an administrative command prompt.
Accessing the registry of the victim
Another trick PsExec allows is to gain access to files and processes as the built-in SYSTEM account. SYSTEM has access to almost everything, including files that neither the Administrator account nor user-created accounts can read. The command shown in the original screenshot is run on the local system, but it uses the -s switch to run the process as the local SYSTEM account. Combined with the -i (interactive) switch, which runs the process on the interactive desktop, this launches regedit with SYSTEM access. That opens up data that is otherwise off-limits, for instance the SAM hive, which holds the users' password hashes. An attacker can extract all of the system's password hashes this way.
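The mechanism described earlier (service binary copied into ADMIN$, the PSEXESVC service started through the Service Control Manager, a named pipe carrying the redirected I/O) leaves artifacts on the target, and that is what a defender looks for after the kind of backdoor or SYSTEM-level use described in this section. The following is an added PowerShell hunt for those artifacts; it is not from the original article. The service name PSEXESVC and the pipe names are PsExec's defaults, so a caller who renamed the service with -r will not match; the Sysmon query assumes Sysmon is installed with pipe-event logging enabled, and event 7045 exists on Windows Vista and later. Run it in an elevated PowerShell on the host being checked.

```powershell
# Added example, not from the original article: hunting default PsExec artifacts
# on a host. Assumptions: elevated session (the System log and %SystemRoot% need
# admin rights), Sysmon present with pipe events enabled, Vista-or-later event IDs.
# A miss means "no default PsExec", not "no PsExec": -r renames the service.

# 1) Service Control Manager event 7045, "A service was installed in the system".
#    PsExec installs a service named PSEXESVC whose image is %SystemRoot%\PSEXESVC.exe.
$svcInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, @{ Name = 'Service'; Expression = {
        (($_.Message -split '\r?\n') -match '^Service (Name|File Name):') -join ' | ' } }

# 2) Sysmon pipe events (17 = pipe created, 18 = pipe connected). The service opens
#    \PSEXESVC plus one \PSEXESVC-<client>-<pid>-stdin/stdout/stderr pipe per redirected
#    stream, so the pipe name also tells you which machine ran PsExec.
$pipeEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17, 18 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\PSEXESVC' } |
    Select-Object TimeCreated, Id, @{ Name = 'Pipe'; Expression = {
        [regex]::Match($_.Message, 'PipeName:\s*(\S+)').Groups[1].Value } }

# 3) The service binary itself. It lands in ADMIN$ (= %SystemRoot%) and is normally
#    removed when the service stops; if it is still there, something did not finish cleanly.
$leftover = Get-Item "$env:SystemRoot\PSEXESVC.exe" -ErrorAction SilentlyContinue

# 4) Summary first, details after. The SMB session that carried the copy shows up as a
#    Security 4624 network logon (type 3) in the same time window; correlate by time.
[pscustomobject]@{
    ServiceInstalls = @($svcInstalls).Count
    PipeEvents      = @($pipeEvents).Count
    BinaryOnDisk    = [bool]$leftover
} | Format-List

$svcInstalls | Format-Table -AutoSize
$pipeEvents  | Format-Table -AutoSize
```

A local -s -i run leaves the same service and pipe artifacts as a remote one, because PsExec uses the service even against the local machine; the difference is that the pipe name carries the local computer name and there is no matching network logon.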
PsExec Commands and Examples
Get to know the various commands and examples of PsExec from this link.
You can download PsExec v1.98 from this link.
This article was last updated on June 10th, 2012 in Security