Remote Windows PC Enumeration using PSTools

The PsTools kit is a collection of 13 tools developed by Mark Russinovich. They are command-line tools that let you execute processes on remote systems and redirect console applications’ output to the local system, so that these applications appear to be running locally. All of them are compatible with Windows NT or later. Being console applications, these tools work on both the local computer and a remote host. They require no manual installation of software on the remote system, and they let you specify alternative credentials to access the remote system. The “Ps” prefix in PsList comes from the standard UNIX process-listing command-line tool, “ps”, and the prefix has been adopted for all the tools in order to tie them together into a suite named PsTools.

You can download PSTool Kit from –> https://technet.microsoft.com/en-us/sysinternals/pstools.aspx

Listed below are all the tools in the kit:

  • PsExec – execute processes remotely
  • PsFile – shows files opened remotely
  • PsGetSid – display the SID of a computer or a user
  • PsInfo – list information about a system
  • PsPing – measure network performance
  • PsKill – kill processes by name or process ID
  • PsList – list detailed information about processes
  • PsLoggedOn – see who’s logged on locally and via resource sharing (full source is included)
  • PsLogList – dump event log records
  • PsPasswd – changes account passwords
  • PsService – view and control services
  • PsShutdown – shuts down and optionally reboots a computer
  • PsSuspend – suspends processes

Let us now learn how to use these through the command prompt, one by one.

Firstly, open your command prompt and change into the PsTools directory using the cd command, as shown below:

Get SID

Once you have opened the PsTools directory, run the dir command so that you can see the list of all the tools.

Now we run the PsGetSid tool from the kit. The command is:

PsGetsid64.exe \\192.168.1.104 -u administrator -p [email protected]

Here,

192.168.1.104 –> our victim’s IP

-u –> denotes username

Administrator –> username

-p –> denotes password

[email protected] –> password
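PsGetSid prints the machine SID, or the SID of a user, in the textual S-1-5-21-… form. As an added example (not part of the original post and not PsTools code), the following Python parses that text form, flags the well-known RIDs a defender cares about (RID 500 is always the built-in Administrator, whatever it has been renamed to), and round-trips the Windows binary SID layout. The sample SIDs are constructed values, not output captured from the lab above.

```python
import re
import struct

# Well-known relative identifiers (RIDs): the last sub-authority of a
# principal SID in the S-1-5-21-<domain>-<RID> family. The account name can be
# renamed; the RID cannot, which is why a SID lookup tells a defender more
# than a username does.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split a textual SID into revision, identifier authority, sub-authorities and RID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a valid SID string: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    info = {
        "revision": revision,
        "identifier_authority": authority,
        "sub_authorities": subs,
        "kind": "other",
        "rid": None,
        "well_known": None,
    }
    # S-1-5-21-A-B-C is a machine or domain SID (what PsGetSid \\host prints);
    # S-1-5-21-A-B-C-RID is a principal inside that machine or domain.
    if authority == 5 and subs[:1] == [21]:
        if len(subs) == 4:
            info["kind"] = "machine_or_domain"
        elif len(subs) == 5:
            info["kind"] = "principal"
            info["rid"] = subs[4]
            info["well_known"] = WELL_KNOWN_RIDS.get(subs[4])
    return info


def sid_to_binary(sid: str) -> bytes:
    """Encode a textual SID in the Windows binary layout: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then each sub-authority as a 32-bit little-endian integer."""
    p = parse_sid(sid)
    subs = p["sub_authorities"]
    head = bytes([p["revision"], len(subs)]) + p["identifier_authority"].to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def binary_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_binary; rejects truncated or oversized buffers."""
    if len(raw) < 8:
        raise ValueError("SID buffer too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID buffer length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    # Constructed sample SIDs, not values captured from the lab in this post.
    for s in ("S-1-5-21-1004336348-1177238915-682003330",
              "S-1-5-21-1004336348-1177238915-682003330-500",
              "S-1-5-32-544"):
        p = parse_sid(s)
        print(f"{s:<48} {p['kind']:<18} rid={p['rid']} {p['well_known'] or ''}")
        assert binary_to_sid(sid_to_binary(s)) == s
```

The binary form is what you meet when a SID is stored in a security descriptor or a registry value rather than printed by a tool, so being able to convert both ways lets you compare a PsGetSid result against raw data without trusting account names.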

System Information

These commands retrieve system information from the remote PC.

Next, we will learn about the psinfo.exe tool, which gives us all the necessary information about the remote PC. To make this tool work, type:

psinfo.exe \\192.168.1.104 -u administrator -p [email protected]

Share Folder

After this command has run, it will give you the information you can see above.

Moving forward, we will now make the psfile tool work by typing the following command:

psfile64.exe \\192.168.1.104 -u administrator -p [email protected]

Process Information

Executing this command shows us every file and directory that is opened remotely on the victim’s PC.

Our next tool is pslist; to make it work, type:

pslist64.exe \\192.168.1.104 -u administrator -p [email protected]

Services

This command lets us see the list of all the processes running on our remote PC, as seen above.

Our next command is PsService.exe, which lets us know about all the services running on our victim’s PC. The command is:

PsService64.exe \\192.168.1.104 -u administrator -p [email protected]

Log List

You can see the result in the picture above.

One of these tools helps us see the event logs of the victim PC. That tool is psloglist.exe, and the command to run it is:

psloglist.exe \\192.168.1.104 -u administrator -p [email protected]

Change Password

So, like this, our command is successful, as we have our desired result.

Now, pspasswd64.exe is the most important tool, as it lets us change the password of an account on the remote PC. The command to achieve this is:

pspasswd64.exe \\192.168.1.104 -u administrator -p [email protected] administrator forever

Here,

192.168.1.104 –> our victim’s IP

-u –> denotes username

Administrator –> username

-p –> denotes password

[email protected] –> password

Administrator –> username (which we have to give again to specify which user’s password we want to change)

forever –> the new password

This successfully changes the password, as shown in the image above.

Remote Connect Shell

Another important tool is PsExec64.exe, which takes us directly into a shell on the victim’s PC. Its command is:

PsExec64.exe \\192.168.1.104 -u administrator -p forever cmd

Shutdown

Lastly, our next tool helps us shut down the remote PC. For that, just type:

psshutdown.exe \\192.168.1.104 -u administrator -p forever

As shown in the image above, the remote PC will shut down in 20 seconds.

So, these were the tools in the PsTools kit and the commands to run them. These tools make our work a lot easier and come in handy.
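Every command in this walkthrough authenticates to the target over the network and, depending on the tool, installs a service (PsExec), resets a password (PsPasswd) or initiates a shutdown (PsShutdown), and the target’s own event logs record each of these. As an added example that is not part of the original post and not PsTools code, the following Python correlates a handful of Windows event records (Security 4624 network logons, System 7045 service installs, Security 4724 password resets, System 1074 shutdown-initiated events) so that a defender can see the trail these tools leave. The sample records, timestamps and addresses are constructed, and the rule names are my own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    log: str          # "System" or "Security"
    event_id: int
    data: dict = field(default_factory=dict)   # EventData fields from the event XML


# Constructed sample records, not output captured from the lab in this post.
# 192.168.1.50 plays the machine that runs the PsTools commands.
SAMPLE_EVENTS = [
    # PsExec: network logon to the admin share, then the PSEXESVC service install
    Event(datetime(2024, 1, 10, 9, 0, 0), "Security", 4624,
          {"LogonType": "3", "TargetUserName": "administrator", "IpAddress": "192.168.1.50"}),
    Event(datetime(2024, 1, 10, 9, 0, 2), "System", 7045,
          {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    # PsPasswd: network logon, then a password reset of an account
    Event(datetime(2024, 1, 10, 9, 5, 0), "Security", 4624,
          {"LogonType": "3", "TargetUserName": "administrator", "IpAddress": "192.168.1.50"}),
    Event(datetime(2024, 1, 10, 9, 5, 1), "Security", 4724,
          {"TargetUserName": "administrator", "SubjectUserName": "administrator"}),
    # PsShutdown: the shutdown-initiated event shortly after the remote logon
    Event(datetime(2024, 1, 10, 9, 5, 30), "System", 1074, {}),
    # Benign: a console logon (type 2) with nothing suspicious afterwards
    Event(datetime(2024, 1, 10, 10, 0, 0), "Security", 4624,
          {"LogonType": "2", "TargetUserName": "alice", "IpAddress": "127.0.0.1"}),
]

WINDOW = timedelta(seconds=60)   # how long after a remote logon we still attribute events to it
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "-", ""}


def remote_logons(events):
    """Event 4624 with LogonType 3 from a non-local address: every PsTools command
    in this post authenticates to the target over SMB and shows up this way."""
    return sorted(
        (e for e in events
         if e.log == "Security" and e.event_id == 4624
         and e.data.get("LogonType") == "3"
         and e.data.get("IpAddress", "") not in LOCAL_ADDRESSES),
        key=lambda e: e.ts,
    )


def detect_pstools(events):
    """Return (rule, timestamp, source_ip) tuples for PsTools-style remote activity."""
    logons = remote_logons(events)
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        # most recent remote logon within WINDOW before this event, if any
        recent = [l for l in logons if timedelta(0) <= e.ts - l.ts <= WINDOW]
        src = recent[-1].data["IpAddress"] if recent else None

        if e.log == "System" and e.event_id == 7045:
            marker = (e.data.get("ServiceName", "") + e.data.get("ImagePath", "")).upper()
            if "PSEXESVC" in marker:
                alerts.append(("psexec_service_install", e.ts, src))
            elif src:
                # the service name is not fixed (PsExec's -r option changes it), so
                # any service installed right after a remote logon deserves a look
                alerts.append(("remote_service_install", e.ts, src))
        elif e.log == "Security" and e.event_id == 4724 and src:
            alerts.append(("remote_password_reset", e.ts, src))
        elif e.log == "System" and e.event_id == 1074 and src:
            alerts.append(("remote_shutdown", e.ts, src))
    return alerts


if __name__ == "__main__":
    for rule, ts, src in detect_pstools(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {rule:<24} from {src}")
```

The correlation with a preceding type-3 logon is what makes the rules useful: a 7045 on its own is also produced by legitimate software installs, and a 4724 or 1074 on its own is routine help-desk or maintenance activity, but each of them seconds after a network logon from another workstation is the exact pattern the commands above produce.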

PS –> If you come across such a dialog box, always click AGREE, or else the above commands will not work. The image of the dialog box is shown below.

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

Pentest Lab Setup for Windows Server 2008 R2

To install Windows Server 2008 R2, click this link.

To install Active Directory in the Windows server, first assign a static IP address, such as:

  • IP Address: 192.168.0.101
  • Subnet mask: 255.255.255.0
  • Default Gateway: 192.168.0.101
  • Preferred DNS Server: 192.168.0.101

Click OK.

To install Active Directory, type DCPROMO (Domain Controller Promotion) in the Run dialog with Run as Administrator, and click OK.

To start the installation, click “Next”.

Click “Next” to move on.

We are going to install a new domain controller in a new forest, so select the “Create a new domain in a new forest” option and click “Next”.

Now we have to provide the name for the new domain. It must be an FQDN. In our case, I used hackingarticles.in as the domain. Click “Next” afterwards.

Set the forest functional level to Windows Server 2008 R2 in order to add domain controllers running Windows Server 2008 R2 or later.

In the next window, since it’s the first DC, we should make it a DNS server too. Leave the default selection and click “Next”.

If the wizard cannot create a delegation for the DNS server, it displays a message indicating that you can create the delegation manually. To continue, click “Yes”.

The next window shows the database location. If you want to change its physical location, click Browse and make the changes, or click “Next” to proceed.

Choose a strong Active Directory Restore Mode password and click “Next” twice to kick off the configuration.

The next window gives you a summary of the installation. Click “Next”.

Then it will start the installation of AD. It will take some time to complete.

When it’s done, you will be notified and required to reboot your PC.
