PSEXEC

karencho

over a VPN for the same domain and subnet, yes. house to house, through NAT, not really.


pwnat is a client-server setup: you install the server on the machine you want to control and use the client to connect to it, which essentially is just a form of tunnel or VPN in itself. Think of it more like TeamViewer if you will, only without the third-party proxy. I've never used pwnat though. Look at the source code to see what it does. Personally I'd just go with a VPN, so my traffic is encrypted to my home network, and from there you can remote into the machine to do whatever you need.


psexec requires only an IP address to a server that has SMB listening on port 445.  It then binds to ADMIN$ or C$ and makes a bunch of RPC calls to the "Service Control Manager" (SCM).  It does not care if you are targeting LAN or WAN.  And port forwarding works just fine provided you set it up correctly.

If you want to know if psexec will work on IP address x.x.x.x, simply open up a Windows Explorer window and navigate to \\x.x.x.x\blah.  If you get prompted for credentials, psexec will work.  If not, the system is not broadcasting SMB (at least as far as you are concerned).

Additionally you could try 'smbclient -L \\x.x.x.x -U ""' from a *nix machine to see if it's broadcasting any SMB shares.

Have a look at these slides for additional information.  http://www.slideshare.net/RoyceDavis1/owning-computers-without-shell-access-dark


7 hours ago, pentestgeek said:

psexec requires only an IP address to a server that has SMB listening on port 445.  It then binds to ADMIN$ or C$ and makes a bunch of RPC calls to the "Service Control Manager" (SCM).  It does not care if you are targeting LAN or WAN.  And port forwarding works just fine provided you set it up correctly.

If you want to know if psexec will work on IP address x.x.x.x, simply open up a Windows Explorer window and navigate to \\x.x.x.x\blah.  If you get prompted for credentials, psexec will work.  If not, the system is not broadcasting SMB (at least as far as you are concerned).

Additionally you could try 'smbclient -L \\x.x.x.x -U ""' from a *nix machine to see if it's broadcasting any SMB shares.

Have a look at these slides for additional information.  http://www.slideshare.net/RoyceDavis1/owning-computers-without-shell-access-dark

Problem with port forwarding 445: it opens up the machine to SMB attacks from the web and potentially the rest of the network and other machines. There is a reason for using a VPN in this instance (or other secure network access methods) vs letting someone have access to your internal network directly via the web. Might as well put it in a DMZ if you want 445 open. Let NAT serve its purpose and use proper tools to do what you want without compromising your machine. I can't see a safe reason to open this port up on the router.

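As an added example (not from any poster in this thread), a small audit that flags router port-forward rules which would expose SMB to the internet in the way the post above warns against; the rule format, the field names and the sample table are constructed assumptions, not any real router's export.

```python
# Added example, not from the thread: audit a router's port-forward table for
# rules that expose SMB (TCP 445/139, plus NetBIOS UDP 137/138) to the internet.
# The ForwardRule layout and SAMPLE_RULES below are constructed for illustration.
from dataclasses import dataclass
from typing import List

SMB_TCP = {445, 139}   # direct-host SMB and NetBIOS session service
SMB_UDP = {137, 138}   # NetBIOS name and datagram services


@dataclass(frozen=True)
class ForwardRule:
    name: str
    proto: str          # "tcp", "udp" or "any"
    ext_ports: str      # single port "445" or inclusive range "440-450"
    internal_host: str  # LAN address the WAN traffic is forwarded to


def parse_ports(spec: str) -> range:
    """Turn "445" or "440-450" into an inclusive range of external ports."""
    lo, _, hi = spec.partition("-")
    start, end = int(lo), int(hi or lo)
    if not (0 < start <= end <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return range(start, end + 1)


def exposes_smb(rule: ForwardRule) -> bool:
    """True if an SMB/NetBIOS port for the rule's protocol is inside its range."""
    proto = rule.proto.lower()
    if proto not in ("tcp", "udp", "any"):
        raise ValueError(f"unknown protocol {rule.proto!r}")
    wanted = set()
    if proto in ("tcp", "any"):
        wanted |= SMB_TCP
    if proto in ("udp", "any"):
        wanted |= SMB_UDP
    return any(p in wanted for p in parse_ports(rule.ext_ports))


def audit(rules: List[ForwardRule]) -> List[str]:
    """Names of rules that let internet hosts reach SMB on the LAN."""
    return [r.name for r in rules if exposes_smb(r)]


# Constructed sample table; only the last two rules expose SMB (one directly,
# one through a wide port range that happens to contain 445).
SAMPLE_RULES = [
    ForwardRule("web", "tcp", "443", "192.168.1.10"),
    ForwardRule("wireguard-vpn", "udp", "51820", "192.168.1.1"),
    ForwardRule("remote-admin", "tcp", "445", "192.168.1.20"),
    ForwardRule("wide-open", "any", "100-1000", "192.168.1.30"),
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print(f"{name}: forwards SMB to the LAN; prefer a VPN and drop this rule")
```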
