You really have to admire people who donate their time and expertise to develop free tools for the community. The free part is great, but also is the sheer versatility of some of these tools that is pretty darn nice. We have Mark Russinovich and Dave Solomon of Sysinternals to thank for in this case, as it is they who developed a wide selection of freeware tools called PsTools. You can download them from here. All of the tools contained within PsTools are driven from the command line via a cmd.exe session. Do many of you think as I do when it comes to command line driven tools? When I think of command line tools I immediately think of mischief. It could be a hacker breaking into a system, or furthering their exploitation of an already compromised network. A good chunk of the good hacking tools are used via a command prompt. Well what we shall do in this article is explore the functionality of the PsTools suite and how it could impact you as a system administrator or practicing security professional.
Loved by both hackers and sys admins
Now the tools that are included in the PsTools suite are liked by both hackers and sys admins for several reasons. The tools are nice and small in size, and they are also quite functional. It is really handy to have a small program which will allow you to remotely reboot a computer, or list system information for example. What all of these things have in common is the manipulation of a computer, and typically remotely at that. That is where the thoughts of a hacker come to mind when I think of command line driven tools, and even more so when PsTools comes to mind. Bearing these thoughts in mind, it is likely a good idea to use these tools in a controlled lab environment to see how they work, and just what or why you would use them for.
Set the stage for PsTools
In an effort to give context to the usage of some of these tools I shall use them after having obtained system level access to a computer here in my lab. That way, you could see what a malicious hacker might use these tools for. In order to gain remote code execution privileges I shall use the Metasploit Framework. After all, why bother compiling my own code when it is already there for usage via the aforementioned program? Beyond Metasploit I shall also use VMware and tcpdump.exe for this lab exercise. So with these tools in place let's move onto the first tool within the PSTools suite.
The tool psexec is used to remotely execute programs on a computer. I have used this in the past to execute programs that I installed in an alternate data stream. Quite often when and if a hacker is able to gain access to one of the computers on the network that you work on, you will see psexec transferred over. Back when I wrote the above linked article psexec worked wonderfully well. Now that I am writing about it in this article there are some really odd quirks. It did not want to work and I had to spend an hour or so to try and figure out what went wrong. Well long story short I was able to get it working, but with a different syntax than in the article noted above. On that note, if any of you can tell me what is different here I would be most interested in knowing. With that said let's take a look at how to use psexec via a reverse shell as supplied by Metasploit.
We see in the above noted screenshot that psexec was invoked successfully. Although ipeye.exe (which is a command line port scanner I will write about in the future) does work, it kicks back an error code of 0. Odd really as it never did this before, however, the test does work and we were able to invoke an executable remotely using psexec. If you have system level access on a remote computer via a shell you can simply invoke a program directly as well. Play around with psexec, and get comfortable with it, as there are quite a few switches that are available for your usage.
This tool will allow you to see what files are opened remotely on the computer that you invoke this program on locally. By that I mean, if you invoke psfile on say 192.168.1.100 it will show you what files on 192.168.1.100 are presently being viewed by remote computers. It will not however show you the IP address of the computer which has remotely opened a file on your local computer. What it will allow you to do is close the file that is being viewed remotely if you so choose. That is a rather handy feature to have. Seeing is believing, so let's take a look at what the tool looks like when invoked.
As you can see in the screenshot above, running psfile as such will list files that have been opened remotely. Also listed is the path on the local system where the file that is being viewed resides. That can be a handy feature as well in case you see some new directories on your system that were not there before!
This tool will allow you to query a computer for its SID. This is rather handy to have unless you wish to go muck about in the registry where most people are loathe to go. This tool will also allow you to not only see a computer's SID, it will also allow you to specify an account name as well. For instance if you wanted to see the administrator accounts SID then you would simply do as shown in the below noted screenshot.
One of the best tools in the PsTools suite is psinfo. This little program will give you a list of most of the information that you would ever require. Specific examples of that would be the computer's uptime. A computer's uptime is really rather important as that could indicate if a computer has had a specific patch applied to it or not. If it has not then that computer would be ripe for exploitation via a specific vector. For example, a new remote code execution has been released for Microsoft Windows. Microsoft issued a patch for it two days ago. The computer uptime listed on this computer is four days however. That information would allow you to know that the computer was vulnerable to that exploit. Give the below noted screenshot a look.
Other key information available to you would be the operating system itself, the specific build number, and what service pack was installed, if any. As you can see from the above screenshot, this tool will output a tremendous amount of vital information. One could get this information through a variety of other ways, but having the ability to get it quickly and simply with psinfo is very, very handy.
Another pretty darn handy tool in this suite is pslist. This program will give you a list of exactly what is running on the computer you invoke it on. Can you think of a use that a malicious hacker would have for such a program? Well for one, they may want to see if you have an anti-virus solution running on that computer. That, or any other program of particular interest to them. Take a look at the screenshot below for the tool's output.
In other words, the information obtained via this program can provide a treasure trove for one with malicious intent. Conversely as well, the system administrator can also make use of this tool's output as well. One simple example is of a user complaining that a specific application is not running on their computer. A quick check of this tool's output on that person's computer will help the sys admin find the fault that much quicker.
The use of this tool is pretty easily guessed once you see its title. What this tool will do for you, is allow you to kill processes either locally on your computer, or on remote ones. The remote use of this tool is likely one of the reasons why a hacker would like it. Just as we saw above, pslist will give a very nice list of all running processes. From that list a person with malicious intent may decide to kill a process that would hamper their plans.
Some of these tools are very much complimentary. This is a perfect case where pslist and pskill are a natural fit. They can be used for legitimate purposes as well as nefarious ones. Quite a few advanced trojans out there have this type of functionality built into them. Those trojans will check running processes on a victim computer and automatically kill any anti-virus and firewall solutions running on them. Not only that but the trojans will also continually check to see if the security software has restarted, and if so, will kill it again. Rather robust isn't it! Should you wish to see an example of such a trojan then please give this article series a read.
Another handy little tool in this excellent toolkit is psloggedon. Can any of you think of why this might be handy to a malicious hacker? Let's take a look at the screenshot below to see if anything bubbles up idea wise.
Well if I was someone who had just broken into a computer either remotely, or locally for that matter, I would want to know who is logged in, beyond myself that is. If you invoked this tool on a remote computer that you had just TFTP'd this program over to, then I for one would certainly be disconcerted to see the administrator logged in! That administrator would prompt me to disconnect immediately and come back at a later time. Loitering about on a computer whilst the sys admin is logged in would be akin to breaking the law in front of a policemen. Not a good idea at all, as you are just asking to get caught. Lastly, the timestamp listed for the logged on user can be helpful as well, as this would tell you if someone logged in after you had breached that computer or if they had been there all along.
psloglist is a very handy little tool and is one of my favorites. What this tool will do for you is dump a list of event logs for either the machine you are on or a remote one. The information contained within an event log can be of interest to a sys admin obviously, and also the malicious hacker. As always, the advantages of using a tool will quite often cut both ways. Let's take a look at the screenshot below.
We see in the screenshot that the way to invoke psloglist is simple enough, simply type it in and hit enter. From there you may want to pipe the output through the "|more" command. That way the input won't go flying past you, and you can then go through it page by page. Noted in the screenshot is the system whose logs you are looking at ie: \\WIN2K2 and the remaining fields are pretty straightforward. Much as you can see here, psloglist is a rather handy little tool that will allow you to access event logs, which contain a good deal of information.
I can imagine that this tool would get a fair amount of use by malicious hackers who have gained a presence on a computer. After all, a sys admin can easily change passwords via their terminal. As you will soon see, this handy little tool works quite well.
Shown above is the command line syntax used to actually change the administrator password on the computer you are invoking this tool on. Quite simple isn't it! Though an attacker may not want to make such an obvious change, the option does exist. Trying to log in as administrator the next day only to find out your password doesn't work would be a nasty shock indeed.
This tool will allow you to both list and control the services on not only the local, but also the remote computer. There are semblances to the tool pslist, in that it will list the services running on a computer. Though what psservice will also allow you to do is stop, pause, and start these very same services. Let's take a look at the screenshot below.
Listed above is the help menu for the tool itself. Within it we can clearly see the various options for psservice. It is a fairly extensive list of things that can be done for you. We saw earlier that pskill will kill a process for you, however, this tool can do much more than simply kill something. It will allow you to stop and then restart a specific service. That is fairly handy for a sys admin as often certain services can just hang, and will need to be restarted.
Have you ever been sitting there at your computer working away diligently only to see a little window pop up saying that the computer was going to shutdown in X amount of seconds? Crap! I better save my work! Well you too can have the power of the mighty sys admin by using the tool psshutdown.
The screenshot above has had the help menu truncated as it is fairly extensive and to show them all would have made for a rather large screenshot. Here is a question for you out there. Can any of you think of a reason why you would want to shutdown a computer and also have it reboot? Well if any of you remember reading this article series the answer is contained within it. A fairly good reason to reboot a computer would be if you had broken into it via an exploit and wanted to safeguard that computer. You would need to patch the box for the very exploit that you used to get in, and then would need to reboot the computer so that the patch took effect. Kind of clever isn't it? Remember attacks don't have to be at the cutting edge to work. After all, why reinvent the wheel. I would recommend that you try to take some time and recreate what I wrote about in the article I linked to above.
The last tool that we will look at in the PsTools suite is pssuspend. You might recall that I commented earlier that many of the tools are complimentary in nature. This last tool is an excellent example of that. To use this tool effectively you would need to invoke another tool; pslist.
If you recall, what pslist will do for you is to give a listing of all running processes. It will also supply you with another much needed nugget of information ie: the Pid aka process id. With that Pid in hand you can then use pssuspend to either suspend or resume a specific process. This tool is another excellent example of not only the versatility of the PsTools suite, but also their simple functionality.
There is a lot of excellent freeware tools out there to be had. All that you need to do is spend a little quality time with them in order to leverage their usefulness. I have written before that when it comes to computer security or system administration, that many of the tools can be used for either good or bad. The end state of most malicious hackers is to have the ability to control a computer. A clear design goal of many sys admin tools is the very same; the ability to control a computer. Bearing this in mind it makes sense to look at specific tools with another point of view.
The PsTools suite is a perfect example of this double-edged functionality that most computer tools have. As we have seen, the tools in this suite perform very well and also do so from the command line. The bulk of computer network breaches result in the attacker having a reverse shell. After all, it is not as if the majority of attackers get an explorer.exe shoveled back to them. This is why it is very important to get comfortable with the cmd.exe session for most hacking tools will be controlled via one. Well as always I hope this article series was of use to you, and I welcome your feedback. Till next time!