Best source for Debian derivatives: https://software.opensuse.org/package/winexe
Best source for RH derivatives: https://pkgs.org/search/?q=winexe
I often use Sysinternals' psexec during my Windows management routines; however, I'd often wish I could do such from my Linux desktop rather than my Windows VM. Thanks to an updated "winexe" hosted at http://sourceforge.net/p/winexe/wiki/Home/, "psexec in Linux" is possible.
On your Debian- or Ubuntu-based distro, add the following repository to /etc/apt/sources.list:
deb http://repo.openpcf.org/repository/ext/openpcf/ubuntu/ precise main
Then add the repo's public key and update/install: (As of this writing, it is version 1.00 and they are developing v1.1)
wget http://repo.openpcf.org/repository/ext/openpcf/openpcf.org-repo-public-key-C6E91526.asc
sudo apt-key add ./openpcf.org-repo-public-key-C6E91526.asc
sudo apt-get update
sudo apt-get install winexe
As with the windows utility psexec.exe, the target must be configured appropriately. Specifically read the following if necessary:
1) http://forum.sysinternals.com/psexec-could-not-start_topic3698_post11962.html#11962
2) http://jamesrayanderson.blogspot.com/2010/04/psexec-and-ports.html
Let's test it by listing processes on the target:
winexe -U USERNAME //HOSTNAMEorIP "tasklist"
The utility should ask for the password and display results:
Password for [WORKGROUP\USERNAME]:
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0         72 K
smss.exe                     712 Console                 0        268 K
csrss.exe                    800 Console                 0      1,488 K
winlogon.exe                 824 Console                 0      4,892 K
services.exe                 868 Console                 0      2,228 K
lsass.exe                    880 Console                 0      1,876 K
vmacthlp.exe                1084 Console                 0        152 K
svchost.exe                 1100 Console                 0      2,328 K
PresentationFontCache.exe   1168 Console                 0      1,024 K
svchost.exe                 1196 Console                 0      1,676 K
svchost.exe                 1320 Console                 0     32,768 K
svchost.exe                 1412 Console                 0      2,576 K
svchost.exe                 1436 Console                 0        368 K
svchost.exe                 1508 Console                 0      1,440 K
svchost.exe                 1568 Console                 0      1,368 K
svchost.exe                 1912 Console                 0        272 K
alg.exe                     1956 Console                 0        280 K
svchost.exe                  584 Console                 0        384 K
ramaint.exe                 1296 Console                 0        424 K
SntpClient.exe              2796 Console                 0      1,416 K
dllhost.exe                 2892 Console                 0        360 K
vmtoolsd.exe                3260 Console                 0      2,708 K
vmware-usbarbitrator.exe    3368 Console                 0        388 K
vssvc.exe                   3436 Console                 0        188 K
SDUpdSvc.exe                3488 Console                 0        800 K
dllhost.exe                 2472 Console                 0      1,040 K
logon.scr                   4080 Console                 0        252 K
csrss.exe                   4024                         1      2,340 K
winlogon.exe                 404                         1      5,684 K
[etc]
When running programs that take parameters, remember to use quotes.
Let's test this by running a ping-to-self on the target. Execute the utility, including the quotation marks:
winexe -U USERNAME //HOSTNAMEorIP "ping -n 1 127.0.0.1"
The above produces:
Password for [WORKGROUP\USERNAME]:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms ttl=128
Ping statistics for 127.0.0.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
For domain accounts, I've found that you need to escape your domain username in this fashion (notice the double-slashed username):
winexe -U DOMAIN\\username //HOSTNAMEorIP "commandline"
Be warned, though: as is also true with psexec, your password may be passed as plain text over the network.
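The quoting, domain-account and password points above, as an added example that is not part of the original post: a small POSIX shell wrapper that keeps the password out of the command line and shell history by using winexe's -A/--authentication-file option with a Samba-style credentials file. The helper names, the DRY_RUN switch and the file layout are assumptions; this only changes how the password is handled locally, not how it travels over the network.

```shell
#!/bin/sh
# Added example; helper names and DRY_RUN are hypothetical, not part of winexe.

# Write a Samba-style credentials file readable only by its owner.
# The password is read from stdin so it never appears in argv or history.
# Usage: write_authfile FILE DOMAIN USERNAME < password-source
write_authfile() {
    file=$1 domain=$2 user=$3
    ( umask 077                      # a new file is created as mode 600
      IFS= read -r pass
      printf 'username = %s\npassword = %s\ndomain = %s\n' \
          "$user" "$pass" "$domain" > "$file" )
}

# Print the permission bits of FILE (GNU stat first, BSD stat as fallback).
authfile_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run winexe for one remote command, or only print the call when DRY_RUN=1.
# The remote command line is passed as ONE argument, which is what the
# quotation marks in the post achieve.
# Usage: run_winexe AUTHFILE HOST 'command with parameters'
run_winexe() {
    authfile=$1 host=$2 remote_cmd=$3
    # Refuse a credentials file that other local users could read.
    [ "$(authfile_mode "$authfile")" = 600 ] || {
        echo "refusing: $authfile must be mode 600" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'winexe -A %s //%s "%s"\n' "$authfile" "$host" "$remote_cmd"
    else
        winexe -A "$authfile" "//$host" "$remote_cmd"
    fi
}

# Echo back the account string exactly as winexe would receive it.
# Unquoted, the shell consumes one backslash, hence DOMAIN\\username;
# inside single quotes a single backslash is enough.
domain_user() {
    printf '%s\n' "$1"
}
```

With the credentials file the domain is its own field, so the doubled backslash is only needed when the account is given on the command line with -U.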
~~~
As always, Good Luck!
You may also want to look into https://sourceforge.net/projects/smbexec/ , but I haven't.
WORKS! THX!!!!
If you prefer compiling from source code: http://www.aldeid.com/wiki/Winexe
and http://www.room362.com/blog/2014/04/19/executing-code-via-smb-without-psexec/
and http://www.lexsi.fr/wmi-shell.html
Hi There,
I'm not sure whether this is the right place to ask this question; if it is, I apologize in advance...
My situation is as follows: I'm trying to start programs on a remote win7 machine from my Raspberry Pi using winexe. This works fine for programs that do not require a GUI, but (for example) when I want to start XBMC with winexe, an 'Interactive Services Detection' message pops up. If I open this message it states that XBMC was unable to create GUI. When I try to open Notepad, the same thing happens, except that opening the ISD message shows an opened Notepad, after which I can return to my desktop environment.
I'm using version 1.0 with the following command:
./bin/winexe -U Username%password //192.168.2.108 -d 4 --ostype=0 --interactive=1 --system 'c:\program files\xbmc\xbmc.exe'
Does anyone know what I'm doing wrong? Any suggestion would be very much appreciated!
debug shows:
adding hidden service IPC$
adding hidden service ADMIN$
failed to get principal from default ccache: No such file or directory: open(/tmp/krb5cc_1000): No such file or directory
winexe version 1.00
This program may be freely redistributed under the terms of the GNU GPLv3
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_np:192.168.2.108
Mapped to DCERPC endpoint \pipe\svcctl
added interface ip=192.168.2.1 nmask=255.255.255.0
added interface ip=192.168.2.1 nmask=255.255.255.0
ERROR: Cannot connect to svcctl pipe. NT_STATUS_RESOURCE_NAME_NOT_FOUND.
added interface ip=192.168.2.1 nmask=255.255.255.0
added interface ip=192.168.2.1 nmask=255.255.255.0
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
IN: async_open(\pipe\ahexec, 2)
IN: async_open_recv
CTRL: Sending command: get version
CTRL: Sending command: set system 1
run c:\program files\xbmc\xbmc.exe
CTRL: Recieved command: std_io_err 0DEC002B
IN: async_open(\pipe\ahexec_stdin0DEC002B, 2)
IN: async_open(\pipe\ahexec_stdout0DEC002B, 2)
IN: async_open(\pipe\ahexec_stderr0DEC002B, 2)
IN: async_open_recv
IN: async_open_recv
IN: async_open_recv
After this winexe hangs, obviously because it's awaiting a response from the win7 machine. After CTRL+C debug shows:
ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
ERROR: smb_raw_read_recv - NT_STATUS_PIPE_DISCONNECTED
ERROR: on_ctrl_pipe_error - NT_STATUS_PIPE_DISCONNECTED
I just don't know; I've reviewed this question several times. I'm not the authority on this. I suspect the XBMC is awaiting some interaction on the remote computer. Sorry.
more stuffs:
http://passing-the-hash.blogspot.com/2013/07/WMIS-PowerSploit-Shells.html
https://www.kali.org/penetration-testing/pass-the-hash-toolkit-winexe-updates/
https://github.com/byt3bl33d3r/pth-toolkit