Here I discuss an alternative you can easily install on Backtrack, which gives very similar functionality to the psexec.exe tool, but natively on Linux.
First, install the wmi-client package, which provides both the wmic and winexe tools, with the following command:
apt-get install wmi-client
Running winexe
These are the options for winexe
winexe version 0.80
This program may be freely redistributed under the terms of the GNU GPL
Usage: winexe [-?|--help] [--usage] [-d|--debuglevel DEBUGLEVEL]
[--debug-stderr] [-s|--configfile CONFIGFILE] [--option=name=value]
[-l|--log-basename LOGFILEBASE] [--leak-report] [--leak-report-full]
[-R|--name-resolve NAME-RESOLVE-ORDER]
[-O|--socket-options SOCKETOPTIONS] [-n|--netbiosname NETBIOSNAME]
[-W|--workgroup WORKGROUP] [--realm=REALM] [-i|--scope SCOPE]
[-m|--maxprotocol MAXPROTOCOL] [-U|--user [DOMAIN\]USERNAME[%PASSWORD]]
[-N|--no-pass] [--password=STRING] [-A|--authentication-file FILE]
[-S|--signing on|off|required] [-P|--machine-pass]
[--simple-bind-dn=STRING] [-k|--kerberos STRING]
[--use-security-mechanisms=STRING] [-V|--version] [--uninstall]
[--reinstall] [--system] [--runas=[DOMAIN\]USERNAME%PASSWORD]
[--interactive=INT] //host command
As you can see, the options mirror those of PsExec, because winexe works the same way: it authenticates over SMB, copies its own service binary to the target's ADMIN$ share, and installs and starts a service that spawns the requested command (the --uninstall and --reinstall options manage that service). Like PsExec, it therefore needs an account with local administrator rights on the target, and the service installation is visible in the target's service list and System event log.
Here are a couple of examples: ipconfig output, and an interactive shell.
winexe --user Administrator --password=mypassword //192.168.1.52 ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.1.52
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
This runs the command and exits, whereas the shell below is fully interactive:
winexe --user Administrator --password=mypassword //192.168.1.52 cmd.exe
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Another useful option, if the account you have is allowed to install services (which winexe requires anyway), is --system, which makes the service launch the command as LocalSystem rather than as the authenticating user. Here, for example, is a SYSTEM shell:
winexe --system --user Administrator --password=mypassword //192.168.1.52 cmd.exe
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
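The examples above pass the password with --password on the command line, which exposes it to every local user through ps and leaves it in shell history. winexe (and wmic) also accept -A/--authentication-file, which reads a Samba-style credentials file instead. The following is an added example, not code from the original post: it writes such a file with owner-only permissions, refuses to use one that is readable by others, and wraps the two winexe invocations shown above. The host, account and password are placeholders, and the credentials-file layout (username/password/domain lines) is the Samba format that -A is assumed to expect.

```sh
#!/bin/sh
# Added example (not from the original post): keep the winexe password out of
# the process list and shell history by using -A/--authentication-file.
# Host, user and password are placeholders.
set -eu

# write_credfile FILE USER PASSWORD [DOMAIN]
# Creates FILE (mode 0600) in the Samba credentials-file format read by -A.
write_credfile() {
    file=$1; user=$2; pass=$3; domain=${4:-WORKGROUP}
    rm -f "$file"                    # umask only applies to newly created files
    old_umask=$(umask)
    umask 077                        # new file is never group/world readable
    printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$user" "$pass" "$domain" > "$file"
    umask "$old_umask"
}

# credfile_ok FILE : succeeds only if FILE exists and is readable by its owner only.
credfile_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# remote_cmd [--system] HOST CREDFILE COMMAND...
# Runs COMMAND on HOST via winexe, as LocalSystem when --system is given.
remote_cmd() {
    sys=""
    if [ "$1" = "--system" ]; then sys="--system"; shift; fi
    host=$1; credfile=$2; shift 2
    if ! credfile_ok "$credfile"; then
        echo "refusing to use $credfile: not mode 0600" >&2
        return 2
    fi
    winexe $sys -A "$credfile" "//$host" "$@"
}

# Demonstration; winexe itself is only invoked if it is installed.
main() {
    cred=$(mktemp)
    write_credfile "$cred" Administrator mypassword
    credfile_ok "$cred" && echo "credentials file $cred ok"
    if command -v winexe >/dev/null 2>&1; then
        remote_cmd 192.168.1.52 "$cred" ipconfig          # one-shot command
        remote_cmd --system 192.168.1.52 "$cred" cmd.exe  # SYSTEM shell
    fi
    rm -f "$cred"
}

main "$@"
```

Delete the credentials file when the engagement is over; it is a cleartext password on disk, so the 0600 check only protects it from other users on the attacking box, not from anyone with root.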
Running wmic
I've not been able to get wmic working effectively on many systems in my limited testing (I'm guessing there is a non-default setting that enables this functionality on the target systems).
Here are the options:
wmic
Usage: [-?|--help] [--usage] [-d|--debuglevel DEBUGLEVEL] [--debug-stderr]
[-s|--configfile CONFIGFILE] [--option=name=value]
[-l|--log-basename LOGFILEBASE] [--leak-report] [--leak-report-full]
[-R|--name-resolve NAME-RESOLVE-ORDER]
[-O|--socket-options SOCKETOPTIONS] [-n|--netbiosname NETBIOSNAME]
[-W|--workgroup WORKGROUP] [--realm=REALM] [-i|--scope SCOPE]
[-m|--maxprotocol MAXPROTOCOL] [-U|--user [DOMAIN\]USERNAME[%PASSWORD]]
[-N|--no-pass] [--password=STRING] [-A|--authentication-file FILE]
[-S|--signing on|off|required] [-P|--machine-pass]
[--simple-bind-dn=STRING] [-k|--kerberos STRING]
[--use-security-mechanisms=STRING] [-V|--version] [--namespace=STRING]
//host query
Example: wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"
Here are a couple of example WQL queries against the target's WMI repository:
wmic -U Administrator --password=password234 //192.168.1.53 "select * from Win32_ComputerSystem"
CLASS: Win32_ComputerSystem
AdminPasswordStatus|AutomaticResetBootOption|AutomaticResetCapability|BootOptionOnLimit|BootOptionOnWatchDog|BootROMSupported|
...etc...
And here, listing processes whose priority is above 8 (note that wmic always includes the class key, Handle, even though it is not in the select list):
wmic -U Administrator --password=password234 //192.168.1.53 "Select Caption,ProcessId From Win32_Process Where Priority > 8 "
CLASS: Win32_Process
Caption|Handle|ProcessId
smss.exe|164|164
csrss.exe|188|188
WINLOGON.EXE|184|184
services.exe|236|236
LSASS.EXE|248|248
LLSSRV.EXE|664|664
VMwareService.e|892|892
... and WMI can also be used to start remote processes (the Win32_Process class has a Create method), but the wmic client shown here only issues queries; invoking methods needs a client that supports DCOM method calls, which is more than can be covered here.
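The wmic output above is a CLASS banner, a |-separated header line, then one |-separated row per instance, which is awkward to feed to other tools as-is. The following is an added example, not code from the original post: two small awk-based filters that turn that format into one Name=value line per instance or extract a single column, run here over a constructed sample shaped like the Win32_Process result shown above. Pipe a real query into them (`wmic -A credfile //host "select ..." | wmic_to_kv`) to use them live; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): parse the |-delimited output
# format that wmic (wmi-client) prints.
set -eu

# Constructed sample, shaped like the Win32_Process query output above.
SAMPLE='CLASS: Win32_Process
Caption|Handle|ProcessId
smss.exe|164|164
csrss.exe|188|188
WINLOGON.EXE|184|184
services.exe|236|236
LSASS.EXE|248|248
LLSSRV.EXE|664|664
VMwareService.e|892|892'

# wmic_to_kv < OUTPUT : one line per instance, tab-separated Name=value pairs.
# The CLASS banner and the header line are consumed, not echoed; rows whose
# field count does not match the header (blank or truncated lines) are skipped.
wmic_to_kv() {
    awk -F'|' '
        /^CLASS: /   { next }
        hdr == 0     { for (i = 1; i <= NF; i++) h[i] = $i; hdr = NF; next }
        NF != hdr    { next }
        {
            line = ""
            for (i = 1; i <= NF; i++)
                line = line (i > 1 ? "\t" : "") h[i] "=" $i
            print line
        }'
}

# wmic_column NAME < OUTPUT : print only the named column, one value per row.
# Exits 1 if the header does not contain NAME.
wmic_column() {
    awk -F'|' -v want="$1" '
        /^CLASS: /   { next }
        col == 0     {
            for (i = 1; i <= NF; i++) if ($i == want) col = i
            if (col == 0) { print "no column named " want > "/dev/stderr"; exit 1 }
            next
        }
        { print $col }'
}

# wmic_pids : process IDs from the sample, one per line.
wmic_pids() { printf '%s\n' "$SAMPLE" | wmic_column ProcessId; }

# Demonstration on the sample.
printf '%s\n' "$SAMPLE" | wmic_to_kv
wmic_pids
```

Both filters key on the header line rather than on fixed column positions, so the same functions work for any class you query; only the column names change.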
So, what are the differences between these tools?
wmic talks to WMI over DCOM/MSRPC: it first contacts the endpoint mapper on TCP port 135 and is then redirected to a dynamically assigned high port (1025 in the test above; on Windows Vista and later the default dynamic range is 49152-65535). winexe uses SMB, TCP port 445 (or 139 when going via NetBIOS over TCP), and carries the service-control RPC calls inside that SMB session. The dynamic DCOM port is the usual reason remote WMI fails against hosts that are otherwise reachable: the Windows Firewall blocks it unless the "Windows Management Instrumentation (WMI)" rule group is enabled, and intermediate firewalls rarely allow the whole range.
With winexe, you are basically issuing standard command line tools and options; this is a very easy tool to use.
wmic is a bit more complex to use for issuing commands, but could be useful in some circumstances, and can certainly be used to gain information about the target system (many network monitoring tools use the WMI interface to monitor and manage remote hosts).