Nmap Development mailing list archives
Thoughts about writing a psexec script
From: Ron <ron () skullsecurity net>
Date: Tue, 25 Aug 2009 20:55:06 -0500
Hi all,

I'm planning on writing smb-psexec in the near future, but because of the sheer number of ways to implement this, I'm hoping to get some feedback/direction on what you guys would prefer.
First, a bit about how to run a program remotely. It's basically this:
- Upload the .exe
- Create a remote service pointing at that .exe, using the Win32 call CreateServiceA() or CreateServiceW()
- Start the remote service using StartServiceA() or StartServiceW()
- Poll the service till it's finished, using QueryServiceStatus()
- Delete the service
- Get the results

I'm thinking that the best thing to do is to create a wrapper program, which will have to be compiled for Windows (not sure how you handle that with a source distribution? How does Metasploit?). This wrapper program will take a list of parameters, each of which is a program to run, with parameters (not exactly sure how), or maybe run the program multiple times, once/remote program? Not sure yet. Maybe it should use a config file that can be uploaded alongside it? Likely encrypted/obfuscated, to prevent spying.
Ideally, the wrapper program will run the other program(s) it's told to, and save the results, encrypted (or, at least, obfuscated) to a file. Once it's finished, Nmap can download that file, decrypt it, and display it.
So that leaves a few questions:
- How do we compile/distribute this wrapper?
- What should the interface be to this wrapper? Should it run multiple times, or just one time for all the scripts? Should it be all commandline parameters, or use a config file?
- What should the interface be on Nmap? A text file of programs to run + a directory of executables to upload? What if the user wants to add non-Nmap licensed executables? Should it be just a matter of dropping them in nselib/data/psexec/ and running the script (easiest)? If so, will the script just read that directory and upload/run everything? And consult a textfile for arguments, if it needs some?
The last question is the big one to me. What would be the best interface? To summarize a bit, how would you picture the user running both:
a) "psexec -h localhost" (requires psexec.exe to be uploaded first), and
b) "arp -a" (arp is already on Windows, it's just a matter of passing it a parameter)
at the same time?

The technical details I can generally handle no problem... but I don't have a clue how I should make the interface. :)
Ron

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
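The upload / CreateService / StartService / poll / DeleteService sequence Ron lists above leaves a recognisable trace on the target's Windows System event log, which is what a defender would look for. The script below is an added example, not code from this thread or from Nmap: it runs a small correlation over constructed System-log records (Event ID 7045, "a service was installed", and 7036, "a service entered a state") and flags installs that match the pattern, i.e. an executable dropped straight into the Windows root (the ADMIN$ share target), a random-looking service name, and a service that stops within a short window of being created. The record layout, the 60-second window and the vowel-ratio heuristic are assumptions chosen for the example; real log export formats carry the same fields under different names.

```python
"""Heuristic detection of short-lived remote-execution services.

Added example; input records are constructed, not captured from a real host.
Event IDs are the real Windows System log ids (7045 install, 7036 state change);
field names and thresholds are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    time: datetime
    event_id: int          # 7045 = service installed; 7036 = service entered a state
    service: str           # service (display) name from the record
    image_path: str = ""   # 7045 only: the executable the service points at
    state: str = ""        # 7036 only: "running" / "stopped"


T0 = datetime(2009, 8, 25, 20, 55, 6)   # constructed base timestamp

# Constructed sample records (not real log data); comments give the ground truth.
SAMPLE = [
    # benign: an installer registers a long-running agent under Program Files
    Event(T0, 7045, "Backup Agent", r"C:\Program Files\Backup\agent.exe"),
    Event(T0 + timedelta(seconds=2), 7036, "Backup Agent", state="running"),
    # remote-exec pattern: random name, exe in the Windows root, stopped within seconds
    Event(T0 + timedelta(minutes=1), 7045, "xkqzvtwp", r"%SystemRoot%\xkqzvtwp.exe"),
    Event(T0 + timedelta(minutes=1, seconds=1), 7036, "xkqzvtwp", state="running"),
    Event(T0 + timedelta(minutes=1, seconds=4), 7036, "xkqzvtwp", state="stopped"),
    # benign: a built-in service cycling with no 7045 install at all
    Event(T0 + timedelta(minutes=2), 7036, "Windows Update", state="stopped"),
]

# An .exe sitting directly in %SystemRoot% (what ADMIN$ maps to) rather than in
# System32 or Program Files is where an uploaded payload typically lands.
ROOT_EXE = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Single alphanumeric token, at least 6 chars, almost no vowels (assumed heuristic)."""
    token = name.strip()
    if " " in token or len(token) < 6 or not token.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in token.lower())
    return vowels / len(token) < 0.2


def find_short_lived_installs(events, window=timedelta(seconds=60)):
    """Return [(service_name, [reasons])] for 7045 installs that hit >= 2 indicators."""
    hits = []
    for inst in (e for e in events if e.event_id == 7045):
        reasons = []
        if ROOT_EXE.match(inst.image_path):
            reasons.append("image path is an .exe in the Windows root (ADMIN$ target)")
        if looks_random(inst.service):
            reasons.append("random-looking service name")
        # Correlate the install with a 7036 'stopped' for the same service inside the window.
        stop = next((e for e in events
                     if e.event_id == 7036 and e.service == inst.service
                     and e.state == "stopped"
                     and inst.time <= e.time <= inst.time + window), None)
        if stop is not None:
            delta = int((stop.time - inst.time).total_seconds())
            reasons.append(f"service stopped {delta}s after being installed")
        if len(reasons) >= 2:
            hits.append((inst.service, reasons))
    return hits


if __name__ == "__main__":
    for service, reasons in find_short_lived_installs(SAMPLE):
        print(f"suspicious service install: {service}")
        for r in reasons:
            print(f"  - {r}")
```

Requiring two independent indicators keeps a legitimately short-lived installer service from firing on the timing rule alone; in a real deployment the same correlation would also pull in the SMB write to ADMIN$ that precedes the 7045 record, which this example's constructed input does not include.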