[Repost] An alternative way to do "psexec" on Backtrack

If you need a way of issuing remote commands to a Windows system (where you have a username and password), you could use the popular psexec.exe tool.

Here I discuss an alternative you can easily install on Backtrack, which gives very similar functionality to the psexec.exe tool, but natively in Linux.

First, install the wmi-client and winexe tools with the following command:

apt-get install wmi-client

Running winexe

These are the options for winexe:

Code:
winexe version 0.80
This program may be freely redistributed under the terms of the GNU GPL
Usage: winexe [-?|--help] [--usage] [-d|--debuglevel DEBUGLEVEL]
        [--debug-stderr] [-s|--configfile CONFIGFILE] [--option=name=value]
        [-l|--log-basename LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve NAME-RESOLVE-ORDER]
        [-O|--socket-options SOCKETOPTIONS] [-n|--netbiosname NETBIOSNAME]
        [-W|--workgroup WORKGROUP] [--realm=REALM] [-i|--scope SCOPE]
        [-m|--maxprotocol MAXPROTOCOL] [-U|--user [DOMAIN\]USERNAME[%PASSWORD]]
        [-N|--no-pass] [--password=STRING] [-A|--authentication-file FILE]
        [-S|--signing on|off|required] [-P|--machine-pass]
        [--simple-bind-dn=STRING] [-k|--kerberos STRING]
        [--use-security-mechanisms=STRING] [-V|--version] [--uninstall]
        [--reinstall] [--system] [--runas=[DOMAIN\]USERNAME%PASSWORD]
        [--interactive=INT] //host command

As you can see, you get very similar functionality to the psexec tool (this tool uses the same interfaces and methods).

Here are a couple of examples: ipconfig output, and an interactive shell.

Code:
winexe --user Administrator --password=mypassword //192.168.1.52 ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254

This runs the command and exits, whereas the shell below is fully interactive:

Code:
winexe --user Administrator --password=mypassword //192.168.1.52 cmd.exe
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Another interesting thing you can do (if the account you have has the appropriate privileges) is to run commands as SYSTEM. Here, for example, is a SYSTEM shell:

Code:
winexe --system --user Administrator --password=mypassword //192.168.1.52 cmd.exe
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

Running wmic

I've not been able to get wmic working effectively on many systems, with my limited testing (I'm guessing there is a non-default setting to enable this functionality on the target systems).

Here are the options:

Code:
wmic
Usage: [-?|--help] [--usage] [-d|--debuglevel DEBUGLEVEL] [--debug-stderr]
        [-s|--configfile CONFIGFILE] [--option=name=value]
        [-l|--log-basename LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve NAME-RESOLVE-ORDER]
        [-O|--socket-options SOCKETOPTIONS] [-n|--netbiosname NETBIOSNAME]
        [-W|--workgroup WORKGROUP] [--realm=REALM] [-i|--scope SCOPE]
        [-m|--maxprotocol MAXPROTOCOL] [-U|--user [DOMAIN\]USERNAME[%PASSWORD]]
        [-N|--no-pass] [--password=STRING] [-A|--authentication-file FILE]
        [-S|--signing on|off|required] [-P|--machine-pass]
        [--simple-bind-dn=STRING] [-k|--kerberos STRING]
        [--use-security-mechanisms=STRING] [-V|--version] [--namespace=STRING]
        //host query

Example: wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"

Here are a couple of example WMI queries:

Code:
wmic -U Administrator --password=password234 //192.168.1.53 "select * from Win32_ComputerSystem"
CLASS: Win32_ComputerSystem
AdminPasswordStatus|AutomaticResetBootOption|AutomaticResetCapability|BootOptionOnLimit|BootOptionOnWatchDog|BootROMSupported|...etc...

And here, looking at high-priority process information:

Code:
wmic -U Administrator --password=password234 //192.168.1.53 "Select Caption,ProcessId From Win32_Process Where Priority > 8 "
CLASS: Win32_Process
Caption|Handle|ProcessId
smss.exe|164|164
csrss.exe|188|188
WINLOGON.EXE|184|184
services.exe|236|236
LSASS.EXE|248|248
LLSSRV.EXE|664|664
VMwareService.e|892|892

... and you could also use these methods to run remote processes (though this is rather complex to go into detail on here).
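The wmic queries above print a "CLASS:" banner, a pipe-delimited header line and one pipe-delimited row per instance. The script below is an added example (not part of the original post or of the wmi-client project) that parses that format with awk so the output can be fed into inventory or monitoring scripts; the sample output it works on is constructed from the Win32_Process query above, not captured from a live host.

```shell
#!/bin/sh
# Added example: parse wmic's pipe-delimited records.
# Constructed sample (mirrors the Win32_Process query shown in the post);
# on a real host you would pipe the output of
#   wmic -U user%pass //host "select Caption,ProcessId from Win32_Process"
# into the functions below instead.
SAMPLE_WMIC_OUTPUT='CLASS: Win32_Process
Caption|Handle|ProcessId
smss.exe|164|164
csrss.exe|188|188
WINLOGON.EXE|184|184
services.exe|236|236
LSASS.EXE|248|248
LLSSRV.EXE|664|664
VMwareService.e|892|892'

# wmic_field <column-name>: read wmic output on stdin and print the named
# column, one value per line. The column position is looked up from the
# header line, so this works for any class or query, not only Win32_Process.
# An unknown column name prints nothing.
wmic_field() {
    awk -F'|' -v want="$1" '
        /^CLASS: / { next }                         # skip the class banner
        !hdr { for (i = 1; i <= NF; i++) if ($i == want) col = i; hdr = 1; next }
        col && NF >= col { print $col }             # one instance row
    '
}

# wmic_count_rows: number of instance rows (banner and header excluded).
wmic_count_rows() {
    awk '/^CLASS: / { next } { n++ } END { print (n > 0 ? n - 1 : 0) }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_WMIC_OUTPUT" | wmic_field Caption
printf '%s\n' "$SAMPLE_WMIC_OUTPUT" | wmic_count_rows
```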

So, what are the differences between these tools?
wmic uses RPC – TCP port 135 (and 1025) and winexe uses SMB – TCP port 139

With winexe, you are basically issuing standard command line tools and options, so it is a very easy tool to use.

wmic is a bit more complex to use for issuing commands, but could be useful in some circumstances, and can certainly be used to gain information about the target system (many network monitoring tools use the WMI interface to monitor and manage remote hosts).
