![]() This is also a significant risk, though not as commonly exploited. We clearly don't want to do this on an untrusted host!Īn important side note here is to be aware that both logon methods for PsExec have the potential of creating the delegate-level access token, if the remote system is trusted for delegation. This has the benefit of allowing a user to authenticate to another system from the remote host, but it also carries the significant drawback of exposing NT & LM hashes, Kerberos Ticket Granting Ticket (TGT), and clear-text passwords to malware on the remote host. While this is often convenient, it provides more than just convenience?it also provides a full interactive logon, which loads all the user's credentials on the remote host. This would commonly be a user with higher privileges than your currently logged-on account. This allows you to authenticate to the remote machine as a different user. The second method is to specify an alternate account using the "-u" switch and optionally the "-p" switch (if you don't supply "-p", it behaves the same but will prompt you for the password). As we'll see in a moment, this results in a network logon to the remote machine. It simply uses the logged-on account to authenticate to the remote machine. This requires no special switches or specification of an account. The first method is to run PsExec under the context of the currently logged-on user. It's easy to overlook that fact that there are two distinct ways to logon to a remote host with PsExec. Finally, since attackers have been known to use this tool for lateral movement, I'll follow up the logon discussion with a brief forensic analysis of the artifacts you will typically find from PsExec usage. I'll also discuss possible workarounds to the second, more dangerous logon. In other words, could it lead to your credentials being compromised? In this article, I'll discuss the two "native" methods of logging onto a remote machine with PsExec and why you should always avoid one of the two. Given its power, you might wonder what the ramifications are of using this tool on a compromised machine. ![]() ![]() Attackers utilize it for the same reasons, providing a convenient way to move laterally and interact with remote machines using compromised credentials. Systems administrators and incident responders use it for its flexibility in interacting with remote machines, including a telnet-like ability to run command-line tools on remote machines and receive the output on their local console. PsExec is an extremely powerful tool and is used commonly in enterprise networks, for both good and evil.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |