2 posts matching 'PsExec'

  1. 2011.11.04 Run POST Modules On All Sessions (1)
  2. 2010.08.28 PsExec, RunAs Tools (1)
2011. 11. 4. 20:48

Run POST Modules On All Sessions

Jcran recently blogged about an easy way to run a post module on all sessions:

msf> use post/windows/gather/enum_domain_tokens
msf enum_domain_tokens> irb
framework.sessions.each do |session|   # session => [id, session object]
  run_single("set SESSION #{session.first}")
  run_single("run")                     # run the currently selected post module
  sleep 1
end

You use the POST module, drop to IRB and run those 4 lines, and bam, you win. With resource files we can automate this a bit more and have it so that we do this effortlessly with any post module.

Thinking back to http://blog.metasploit.com/2010/03/automating-metasploit-console.html and my rapid-fire PSEXEC resource file, we know we can run ruby inside of resource files with the <ruby> tag.

Save the following as runall.rc somewhere where you'll remember:

<ruby>
framework.sessions.each do |session|   # session => [id, session object]
  run_single("set SESSION #{session.first}")
  print_status("Running #{active_module.fullname} against session #{session.first}")
  run_single("run")                     # run the currently selected post module
  sleep 1
end
</ruby>

Then when you want to run a POST module against every session you have you simply do:

msf> use post/windows/gather/enum_domain_tokens
msf enum_domain_tokens> resource runall.rc
[*] Running post/windows/gather/enum_domain_tokens on session 1

Source: Room362.com


2010. 8. 28. 09:21

PsExec, RunAs Tools

PsExec (part of PsTools)

Execute a command-line process on a remote machine.

      psexec \\computer[,computer[,..] [options] command [arguments]

      psexec @run_file [options] command [arguments]


   computer   The computer on which psexec will run command. Default = local system 
              To run against all computers in the current domain enter "\\*"
   @run_file  Run command on every computer listed in the text file specified.

   command    Name of the program to execute

   arguments  Arguments to pass (file paths must be absolute paths on the target system)

   -a n,n,... Set processor affinity to n. Processors are numbered as 1,2,3,4 etc
              so to run the application on CPU 2 and CPU 4, enter: "-a 2,4"

   -c         Copy the program (command) to the remote system for execution.
   -c -f      Copy even if the file already exists on the remote system.
   -c -v      Copy only if the file is a higher version or is newer than the remote copy.

   If you omit the -c option then the application must be in the system path on the remote system.

   -d         Don't wait for the application to terminate.
              Only use for non-interactive applications.

   -e         Load the user account's profile, don't use with the system account (-s)

   -i         Interactive - Run the program so that it interacts with the desktop on the remote system.

   -l         Limited - Run process as limited user. Only allow privs assigned to the Users group.

   -n s       Specify a timeout of s seconds for connecting to the remote computer.

   -p psswd   Specify a password for user (optional). Passed as clear text.
              If omitted, you will be prompted to enter a hidden password.

   -s         Run remote process in the System account.

   -u user    Specify a user name for login to the remote computer (optional).

   -w directory Set the working directory of the process (relative to the remote computer).

   -x         Display the UI on the Winlogon desktop (local system only).

   -low, -belownormal, -abovenormal, -high or -realtime
              These options will run the process at a different priority.

Psexec can also be used to start GUI applications, but in that case the GUI will appear on the remote machine.

Input is passed to the remote system when you press the enter key - typing Ctrl-C will terminate the remote process.

When you specify a username the remote process will execute in that account, and will have access to that account's network resources.

If you omit username the remote process will run in the same account from which you execute PsExec, but because the remote process is impersonating it will not have access to network resources on the remote system.

PsExec does not require you to be an administrator of the local filesystem; this can allow UserA to run commands as UserB - a RunAs replacement.

Surround any long filenames "with quotation marks"


Launch an interactive command prompt on \\workstation64:

psexec \\workstation64 cmd

Execute IpConfig on the remote system, and display the output locally:

psexec \\workstation64 ipconfig /all

Copy the program test.exe to the remote system and execute it interactively:

psexec \\workstation64 -c test.exe

Execute a program that is already installed on the remote system:

psexec \\workstation64 "c:\Program Files\test.exe"

Run Internet Explorer on the local machine but with limited-user privileges:

psexec -l -d "c:\program files\internet explorer\iexplore.exe"
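As an added example (not from the original page, Sysinternals or SS64): a small Python parser that reads a psexec command line, as it would appear in process-creation logging, using the option syntax described above, and flags the settings a defender would want to notice (System account, binary copied to the remote host, clear-text password, domain-wide or list-driven targets). The sample command lines are constructed.

```python
import re

VALUE_OPTS = {"-a", "-n", "-p", "-u", "-w"}  # options that take a value (usage text above)
FLAGS = {  # option -> why an analyst would want it flagged (from the usage text above)
    "-s": "remote process runs in the System account (-s)",
    "-c": "copies the executable to the remote system (-c)",
    "-p": "password passed in clear text on the command line (-p)",
}

def tokenize(cmdline):
    # Windows-style split: whitespace separated, double quotes group a token.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_psexec(cmdline):
    """Return {targets, run_file, options, command, arguments, findings}, or None if not psexec."""
    toks = tokenize(cmdline)
    if not toks or re.split(r"[\\/]", toks[0])[-1].lower() not in ("psexec", "psexec.exe"):
        return None
    targets, run_file, i = [], None, 1
    if i < len(toks) and toks[i].startswith("@"):        # @run_file form
        run_file, i = toks[i][1:], i + 1
    elif i < len(toks) and toks[i].startswith("\\\\"):   # \\host1,host2 form; \\* = whole domain
        targets, i = toks[i][2:].split(","), i + 1
    opts = {}
    while i < len(toks) and toks[i].startswith("-"):
        o = toks[i].lower()
        if o in VALUE_OPTS and i + 1 < len(toks):
            opts[o], i = toks[i + 1], i + 2
        else:
            opts[o], i = True, i + 1
    findings = [why for o, why in FLAGS.items() if o in opts]
    if "*" in targets:
        findings.append("runs against every computer in the domain (\\\\*)")
    if run_file:
        findings.append(f"runs against every computer listed in {run_file}")
    return {"targets": targets, "run_file": run_file, "options": opts,
            "command": toks[i] if i < len(toks) else None,
            "arguments": toks[i + 1:], "findings": findings}

# Constructed sample process-creation command lines (not taken from any real host).
SAMPLE_CMDLINES = [
    r"psexec \\workstation64 ipconfig /all",
    r"C:\Tools\PsExec.exe \\* -s -c -f tool.exe",
    r'psexec @hosts.txt -u CORP\svc_deploy -p Passw0rd -d "c:\Program Files\agent\setup.exe" /quiet',
]

def triage(cmdlines=SAMPLE_CMDLINES):
    # Map each psexec command line to the findings worth an analyst's attention.
    parsed = {c: parse_psexec(c) for c in cmdlines}
    return {c: p["findings"] for c, p in parsed.items() if p}
```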


Execute a program under a different user account.

      RUNAS [/profile] [/env] [/netonly] /user:user Program

   /profile   Option to load the user's profile (registry)
   /env       Use current environment instead of user's.
   /netonly   Use the credentials specified only for remote connections.
   /user      Username in form USER@DOMAIN or DOMAIN\USER
              (USER@DOMAIN is not compatible with /netonly)
   Program    The command to execute

Enter the password when prompted.

When you start a program with RunAs /netonly, the program will execute on your local computer as the user you are currently logged on as, but any connections to other computers on the network will be made using the user account specified.

Without /netonly everything will run under the user account specified.

RunAs from Windows Explorer
Select an executable file, Shift-Right-click and select Run As..
This option can be hidden by setting

The error level (%ERRORLEVEL%) returned by RunAs in Windows XP and above: success=0, failure=1


   Runas /user:SCOT_DOMAIN\jDoe "mycommand.exe"

   Runas /profile /user:mymachine\administrator CMD

   Runas /profile /env /user:SCOT_DOMAIN\administrator NOTEPAD

   Runas /env /user:jDoe@swest.ss64.com "NOTEPAD \"my file.txt\""

RunAs requires the "Secondary Logon" service to be running.

“He who reigns within himself, and rules passions, desires, and fears, is more than a king” - Milton

Comment 1
  1. 날으는물고기 2010.08.28 09:23

    go to run > type "psexec -sid cmd.exe" > in cmd type "services.msc"