12. PsTools: use /? as the argument to get help on a specific PsTools command. Save a list of computers to run an inventory of installed software across them. Prerequisite: the Remote Registry service must be running on the remote machine.
13. PsTools: redirect the command output to a local text file to keep a record. Prerequisite: the Remote Registry service must be running on the remote machine.
14. Summary of PsTools
PsExec - execute processes remotely
PsFile - show files opened remotely
PsGetSid - display the SID of a computer or a user
PsInfo - list information about a system
PsKill - kill processes by name or process ID
PsList - list detailed information about processes
PsLoggedOn - see who is logged on locally and via resource sharing (full source is included)
PsLogList - dump event log records
PsPasswd - change account passwords
PsService - view and control services
PsShutdown - shut down and optionally reboot a computer
PsSuspend - suspend processes
PsUptime - show how long a system has been running since its last reboot
Prerequisite: the Remote Registry service must be running on the remote machine.
16. WMIC: can be used to dig out some really useful information.
18. Yes, it is a built-in Windows tool, but still useful.
20. The WMIC /? switch gives you the usual help output.
24. If you receive an attack alert on your IPS and the remediation advice says that a particular security patch or service pack should be installed, check whether it is actually present on the affected machine from the WMIC prompt with: /node:victim_ipaddress qfe list
26. In such cases, open a remote shell on that machine with psexec \\remotemachine_IP cmd.exe and use commands such as REG QUERY to pull information from the registry.
29. To get more information I run the following command in the remote cmd: REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bittorrent
I was really not aware of this command until I attended an online security conference; it can fetch you tons of information if used properly.
31. Check which processes are currently running on that machine (remotely, with WMIC).
32. Is any P2P client running on the machine? If yes, kill the process (WMIC/PsTools) and uninstall the software.
33. If not, check the uninstall list (WMIC): has the user uninstalled the software recently?
34. If there is no trace of a P2P client, run netstat in the remote shell of the machine and check where the traffic is going.
36. If not, and you feel the machine is affected by a botnet or malware, collect the event logs (PsTools), kill the processes remotely and shut the machine down (WMIC/PsTools) until it is re-installed.
40. If you think a particular service is making remote connections, get more information with: WMIC process get Name,ExecutablePath,CommandLine,ProcessID /format:list. Go through the list for every process: if, for example, the process name is services.exe but the executable path is something like c:\windows\i789r8.exe rather than its legitimate System32 location, it's time to shout ooooopppppssss.
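The check from slide 40 turned into a script, as an added example that is not part of the original deck: it parses the /format:list output of the WMIC process command above and flags a core system process name whose ExecutablePath is not under System32, plus any known P2P client from slide 32. The sample output and the system-process and P2P client name lists are constructed assumptions.

```python
"""Flag suspicious records from: wmic process get Name,ExecutablePath,CommandLine,ProcessId /format:list
The sample output at the bottom is constructed, not captured from a real host."""
import ntpath

SYSTEM_PROCESSES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe"}  # legit only under System32
P2P_CLIENTS = {"bittorrent.exe", "utorrent.exe"}  # assumed client names; extend for your environment

def parse_wmic_list(text):
    """/format:list output is Key=Value lines; a blank line separates records."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    return records

def suspicious_processes(text, system_root=r"C:\Windows"):
    """Return (pid, name, path, reason) tuples that deserve a closer look."""
    expected_dir = ntpath.join(system_root, "System32").lower()
    findings = []
    for rec in parse_wmic_list(text):
        name, path = rec.get("Name", "").lower(), rec.get("ExecutablePath", "")
        pid = rec.get("ProcessId", "?")
        if name in P2P_CLIENTS:
            findings.append((pid, name, path, "P2P client running"))
        elif name in SYSTEM_PROCESSES and ntpath.dirname(path).lower() != expected_dir:
            findings.append((pid, name, path, "system process name outside System32"))  # also fires on an empty path
    return findings

SAMPLE = """\
ExecutablePath=C:\\Windows\\system32\\lsass.exe
Name=lsass.exe
ProcessId=612

ExecutablePath=c:\\windows\\i789r8.exe
Name=services.exe
ProcessId=1337

ExecutablePath=C:\\Users\\bob\\AppData\\Roaming\\uTorrent\\uTorrent.exe
Name=uTorrent.exe
ProcessId=4120
"""
if __name__ == "__main__":
    for pid, name, path, reason in suspicious_processes(SAMPLE):
        print(f"PID {pid:>5} {name:<13} {path}  <- {reason}")
```

On a real host, redirect the WMIC output to a file and pass its contents to suspicious_processes instead of SAMPLE.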
43. A simple attack vector through WMIC: re-route the DNS of a machine in two steps.
WMIC /node:remote_ip nicconfig list brief (note down the index number from the output)
WMIC /node:remote_ip nicconfig where index=9 call SetDNSServerSearchOrder ("1.1.1.1","2.2.2.2")
You need the patience of a saint after issuing this command... wait until you see the results.
44. Downloads and Help
Download a WMI script generator from http://www.robvanderwoude.com/wmigen.php
Find more WMIC examples at http://blogs.technet.com/b/jhoward/archive/2005/02/23/378726.aspx
Books on Amazon: http://www.amazon.com/Understanding-Scripting-Instrumentation-Mission-Critical-Infrastructures/dp/1555582664/ref=sr_1_1?ie=UTF8&s=books&qid=1304833283&sr=8-1