May 17, 2013

psexec via linux



Best source for Debian derivatives: https://software.opensuse.org/package/winexe
Best source for RH derivatives: https://pkgs.org/search/?q=winexe

I often use sysinternals'  psexec during my windows management routines; however, i'd often wish i could do such from my linux desktop rather than my windows vm.  Thanks to an updated "winexe" hosted at http://sourceforge.net/p/winexe/wiki/Home/ "psexec in linux" is possible.

In your debian, or ubuntu based distro add the following repository to /etc/apt/sources.list :
deb http://repo.openpcf.org/repository/ext/openpcf/ubuntu/ precise main

Then add the repo's public key and update/install: (As of this writing, it is version 1.00 and they are developing v1.1)
wget http://repo.openpcf.org/repository/ext/openpcf/openpcf.org-repo-public-key-C6E91526.asc
sudo apt-key add ./openpcf.org-repo-public-key-C6E91526.asc
sudo apt-get update
sudo apt-get install winexe

As with the windows utility psexec.exe, the target must be configured appropriately.  Specifically read the following if necessary:
1) http://forum.sysinternals.com/psexec-could-not-start_topic3698_post11962.html#11962
2) http://jamesrayanderson.blogspot.com/2010/04/psexec-and-ports.html

Lets test it by listing processes on the target:
winexe -U USERNAME //HOSTNAMEorIP "tasklist"

The utility should ask for the password and display results:
Password for [WORKGROUP\USERNAME]:

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0         72 K
smss.exe                     712 Console                 0        268 K
csrss.exe                    800 Console                 0      1,488 K
winlogon.exe                 824 Console                 0      4,892 K
services.exe                 868 Console                 0      2,228 K
lsass.exe                    880 Console                 0      1,876 K
vmacthlp.exe                1084 Console                 0        152 K
svchost.exe                 1100 Console                 0      2,328 K
PresentationFontCache.exe   1168 Console                 0      1,024 K
svchost.exe                 1196 Console                 0      1,676 K
svchost.exe                 1320 Console                 0     32,768 K
svchost.exe                 1412 Console                 0      2,576 K
svchost.exe                 1436 Console                 0        368 K
svchost.exe                 1508 Console                 0      1,440 K
svchost.exe                 1568 Console                 0      1,368 K
svchost.exe                 1912 Console                 0        272 K
alg.exe                     1956 Console                 0        280 K
svchost.exe                  584 Console                 0        384 K
ramaint.exe                 1296 Console                 0        424 K
SntpClient.exe              2796 Console                 0      1,416 K
dllhost.exe                 2892 Console                 0        360 K
vmtoolsd.exe                3260 Console                 0      2,708 K
vmware-usbarbitrator.exe    3368 Console                 0        388 K
vssvc.exe                   3436 Console                 0        188 K
SDUpdSvc.exe                3488 Console                 0        800 K
dllhost.exe                 2472 Console                 0      1,040 K
logon.scr                   4080 Console                 0        252 K
csrss.exe                   4024                         1      2,340 K
winlogon.exe                 404                         1      5,684 K
[etc]

When running programs that take parameters, remember to use quotes.
Lets test this by running a ping-to-self on the target.  Execute the utility including quotation marks:
winexe -U USERNAME //HOSTNAMEorIP "ping -n 1 127.0.0.1"

The above produces:
Password for [WORKGROUP\USERNAME]:

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms ttl=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

For domain accounts, i've found that you need to escape your domain username in this fashion: (notice the double-slashed username )
winexe -U DOMAIN\\username //HOSTNAMEorIP "commandline"

Be warned though, as also true with psexec, your password may be passed as plain text over the network.

~~~
As always, Good Luck!

Please consider crypto tipping:
  

8 comments:

  1. You may also want to look into https://sourceforge.net/projects/smbexec/ , but i haven't.

    ReplyDelete
  2. If you prefer compiling from source code: http://www.aldeid.com/wiki/Winexe

    ReplyDelete
  3. and http://www.room362.com/blog/2014/04/19/executing-code-via-smb-without-psexec/

    ReplyDelete
  4. and http://www.lexsi.fr/wmi-shell.html

    ReplyDelete
  5. Hi There,
    I'm not sure wheter this is the right place to ask this question, if it is I apologize in advance...
    My situation is as follows, I'm trying to start programs on a remote win7 machine from my raspberry pi using winexe. This works fine for programs that not require a GUI, but (for example) when I want to start XBMC winexe a 'Interactive Services Detection' message pops up. If I open this message it states that XBMC was unable to create GUI. When I try to open Notepad, same thing happens except that opening the ISD-message shows an opened notepad after which I can return to my desktop environment.
    I'm using version 1.0 with the following command:
    ./bin/winexe -U Username%password //192.168.2.108 -d 4 --ostype=0 --interactive=1 --system 'c:\program files\xbmc\xbmc.exe'
    Does anyone know what I'm doing wrong? Any suggestion would be verry much appreciated!
    debug shows:
    adding hidden service IPC$
    adding hidden service ADMIN$
    failed to get principal from default ccache: No such file or directory: open(/tmp/krb5cc_1000): No such file or directory
    winexe version 1.00
    This program may be freely redistributed under the terms of the GNU GPLv3
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'ntlmssp' registered
    Using binding ncacn_np:192.168.2.108
    Mapped to DCERPC endpoint \pipe\svcctl
    added interface ip=192.168.2.1 nmask=255.255.255.0
    added interface ip=192.168.2.1 nmask=255.255.255.0
    ERROR: Cannot connect to svcctl pipe. NT_STATUS_RESOURCE_NAME_NOT_FOUND.
    added interface ip=192.168.2.1 nmask=255.255.255.0
    added interface ip=192.168.2.1 nmask=255.255.255.0
    Got challenge flags:
    Got NTLMSSP neg_flags=0x628a8215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_TARGET_INFO
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
    IN: async_open(\pipe\ahexec, 2)
    IN: async_open_recv
    CTRL: Sending command: get version
    CTRL: Sending command: set system 1
    run c:\program files\xbmc\xbmc.exe
    CTRL: Recieved command: std_io_err 0DEC002B
    IN: async_open(\pipe\ahexec_stdin0DEC002B, 2)
    IN: async_open(\pipe\ahexec_stdout0DEC002B, 2)
    IN: async_open(\pipe\ahexec_stderr0DEC002B, 2)
    IN: async_open_recv
    IN: async_open_recv
    IN: async_open_recv
    After this winexe hangs, obviously because it's awaiting a response from the win7 machine. After CTRL+C debug shows:
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
    ERROR: on_ctrl_pipe_error - NT_STATUS_PIPE_DISCONNECTED

    ReplyDelete
    Replies
    1. i just don't know, i've reviewed this question several times. i'm not the authority on this. i suspect the xbmc is awaiting some interaction on the remote computer. sorry.

      Delete
  6. more stuffs:
    http://passing-the-hash.blogspot.com/2013/07/WMIS-PowerSploit-Shells.html
    https://www.kali.org/penetration-testing/pass-the-hash-toolkit-winexe-updates/
    https://github.com/byt3bl33d3r/pth-toolkit

    ReplyDelete

Comments, Suggestions or "Thank you's" Invited! If you have used this info in any way, please comment below and link/link-back to your project (if applicable). Please Share.
I accept Bitcoin tips of ANY amount to: 1GS3XWJCTWU7fnM4vfzerrVAxmnMFnhysL
I accept Litecoin tips of ANY amount to: LTBvVxRdv2Lz9T41UzqNrAVVNw4wz3kKYk