Posted by Jianpeng Mo / January 20, 2014

Monitoring and maintaining large-scale, complex, highly distributed and interconnected systems can be extremely challenging for network administrators. Traditional IT management approaches are ill-equipped to handle the complexity of today's application architectures and deployment environments. It's common that an IT admin would support hundreds of machines in an enterprise network daily, but having to physically run down to each machine individually in order to issue a simple command is not acceptable. Therefore, being able to execute system commands remotely without too much additional pre-configuration is always a welcomed and appreciated solution.

In this blog post, we are going to discuss how to use two remote command execution tools, PowerShell and PsExec. We will show how to use each of these tools to remotely execute command line tools, using two OPSWAT products, OESIS Diagnose and Metascan Client, for our examples.

OESIS Diagnose is a troubleshooting tool for the OESIS project. It leverages OESIS Local functionalities internally and provides necessary information and visibility to the OPSWAT engineering team. Metascan Client is a GUI based utility that connects to the Metascan server and performs on-demand scan function calls.

*These steps are provided under the assumption that the user domain is in a protected network and that the command is being triggered by the system administrator.

PowerShell

Introduction:

PowerShell is provided by Microsoft as a replacement of shell to bring advanced scripting to Windows. It provides full access to COM and WMI and enables administrator to perform system commands on both local and remote Windows systems. Previously, PowerShell was packaged as a separate add-on to Windows, marketed mainly to server administrators. Starting with Windows 7, PowerShell is now a built-in part of the operating system, giving this capability to all Windows users.

Step by step usage for OESIS Diagnose:

  1. On the remote machine, enable remote commands in PowerShell as instructed below:

    PS C:\Windows\system32> Enable-PSRemoting -force_

  2. On a local machine, add remote system to the trusted list in PowerShell as seen below:

    PS C:\Windows\system32> Set-Item wsman:\localhost\Client\TrustedHosts -value 10.0.X.X_

  3. On a local machine, set the execution policy to remote signed in PowerShell as below:

    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned_

  4. Copy OESIS Local package (including the OESIS Diagnose.exe) into the remote machine.
  5. On a local machine, create PowerShell script "remoteLaunchOESISDiagnose.ps1" as seen below:

    #Predefine necessary information
    $Username = "10.0.X.X\username"
    $Password = "password"
    $ComputerName = "10.0.X.X"
    $Script = {C:\OESISLocalPackage\OesisDiagnose_V3.exe}

    #Create credential object
    $SecurePassWord = ConvertTo-SecureString -AsPlainText $Password -Force
    $Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassWord

    #Create session object with this
    $Session = New-PSSession -ComputerName $ComputerName -credential $Cred

    #Invoke-Command
    $Job = Invoke-Command -Session $Session -Scriptblock $Script
    echo $Job

    #Close Session
    Remove-PSSession -Session $Session

  6. On a local machine, launch "“remoteLaunchOESISDiagnose.ps1” in PowerShell as seen below:

    PS C:\Windows\system32> ./remoteLaunchOESISDiagnose.ps1_

  7. The PowerShell script would be executed on the remote machine and launch OESIS Diagnose in the system. The result files would be generated on the remote machine.

Step by step usage for Metascan Client:

  1. The same setup process as step 1, 2 and 3 of the OESIS Diagnose example above.
  2. Copy Metascan Client package into the remote machine.
  3. On the local machine, create PowerShell script "remoteLaunchMetascanClient.ps1” as below:

    #Predefine necessary information
    $Username = "10.0.X.X\username"
    $Password = "password"
    $ComputerName = "10.0.X.X"
    $Script = {C:\MetascanClientPackage\MetascanClient.exe server="10.0.Y.Y:8008/metascan_rest" auto_start=1 allowed_scan_levels=1}

    #Create credential object
    $SecurePassWord = ConvertTo-SecureString -AsPlainText $Password -Force
    $Cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $Username, $SecurePassWord

    #Create session object with this
    $Session = New-PSSession -ComputerName $ComputerName -credential $Cred

    #Invoke-Command
    $Job = Invoke-Command -Session $Session - Scriptblock $Script
    echo $Job

    #Close Session
    Remove-PSSession -Session $Session

  4. On the local machine, launch “remoteLaunchMetascanClient.ps1” in PowerShell as seen below:

    PS C:\Windows\system32> ./remoteLaunchMetascanClient.ps1_

  5. The PowerShell script will be executed on the remote machine and triggers Metascan Client to scan against the pre-setup Metascan server which is specified in the command line, with the scan result being generated on the remote machine.

Limitations:

Both the OESIS Diagnose and Metascan Client scan functions are able to be executed remotely via PowerShell, but PowerShell fails to launch Metascan Client UI from the remote machine. This is because when remotely accessing a machine via PowerShell, an interactive desktop session is not started. For security reasons, users can only see applications that are opened within their own interactive sessions. Basically every Windows operating system thinks it's a Terminal Server, but Windows does not want users opening applications that other users could possibly see. Windows assumes that multiple users will be using the machine, so it isolates these applications for a number of obvious security reasons.

PsExec

Introduction:

PsExec is a command line tool allowing the execution of processes on a remote system and transfer the results of operations to the local console. It has a long list of optional parameters that allow a great deal of flexibility for IT administrators. The key feature of PsExec is to allow users to run a script or application within the security context of either the currently logged on user or as a user provided during program initialization.

Step by step usage for OESIS Diagnose:

  1. Download PSTools from the below link, PsExec is part of the package.

  2. Copy OESIS Local package (including the OESIS Diagnose.exe) into the remote machine.
  3. On the local machine, open the command prompt (cmd), go to the directory where the PsExec file is located.
  4. On the local machine, execute the following command:

    C:\whereYouSavePsExec>PsExec.exe \\10.0.X.X -u username -p password C"\OESISLocalPackage\OesisDiagnose_V3.exe_

  5. PsExec will launch the OESIS Diagnose process on the remote machine using the credential which is provided above and generate the diagnose report in the system.

Step by step usage for Metascan Client:

  1. The same setup process as step 1 of OESIS Diagnose usage.
  2. Copy Metascan Client package into the remote machine.
  3. On the local machine, open command prompt (cmd), go to the directory where the PsExec file exists.
  4. On the local machine, execute the following command:

    C:\whereYouSavePsExec>PsExec.exe \\10.0.X.X -u username -p password C:\MetascanClientPackage\MetascanClient.exe server="10.0.Y.Y:8008/metascan_rest" auto_start=1 allowed_scan_levels=1_

  5. PsExec will launch the Metascan Client process on the remote machine using the credential which is provided above. This will bring up the Metascan Client UI and the scan result will be generated on the remote machine.

Limitations:

PsExec does not natively come with the Windows operating system, users have to download the PSTool package separately (an extra 1.6 Mb folder). PsExec does not provide an easy way for users to access network resources on the remote machine, due to the input argument being limited to 256 characters. Some older versions such as v1.73 and v1.82 have some serious problems with programmatic redirection of StdOut over named pipes.

Notes: On the Microsoft website, it mentions the below statement “some anti-virus engines report that one or more of the tools are infected with a ‘remote admin’ virus.” But, according to the latest scan result from Metascan Online, there were no antivirus engines detecting the PSTool package as a threat.

Summary:

Both PowerShell and PsExec have some advantages and disadvantages for network administrators. When it comes down to it, there is really no good or bad choice between PowerShell and PsExec, it largely depends on which system management tools IT administrators decide to select. The best option for novice users would be to use the PsExec option, considering it’s the easiest to start out with and allows you to run CLI based executables remotely and take advantage of the full feature set.

Announcement: Metascan Client is now Metadefender Client as part of our streamlined Metadefender Product Family. Check out the blog announcement to learn more. 

PowerShell vs. PsExec for Remote Command Execution的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution

    CVE ID : CVE-2019-7727 JMX/RMI Nice ENGAGE <= 6.5 Remote Command Execution description=========== ...

  4. [EXP]Jenkins 2.150.2 - Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  5. [EXP]Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

  6. struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  7. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  8. MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

    catalogue . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 MyBB's unset_globals() function ca ...

  9. [EXP]Apache Spark - Unauthenticated Command Execution (Metasploit)

    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://gith ...

随机推荐

  1. shell 套用expect

    先用if 判断expect有没有安装 没有就yum install expect #!/bin/bash passwd='123456' /usr/bin/expect <<-EOF se ...

  2. Join函数 及Split函数精解示例

    '************************************************************************* '**模 块 名:Join函数 及Split函数精 ...

  3. 【30集iCore3_ADP出厂源代码(ARM部分)讲解视频】30-3 底层驱动之LED_蜂鸣器

    视频简介: 该视频介绍iCore3应用开发平台出厂源代码中GPIO的配置方法 及如何点亮LED和驱动蜂鸣器发声. 源视频包下载地址: http://pan.baidu.com/s/1nvpYMff   ...

  4. 3.线性表-cursor

    fatal.h #include <stdio.h> #include <stdlib.h> #define Error( Str ) FatalError( Str ) #d ...

  5. vim操作

    2.vi的基本操作 a) 进入vi    在系统提示符号输入vi及文件名称后,就进入vi全屏幕编辑画面: $ vi myfile 不过有一点要特别注意,就是您进入vi之后,是处于「命令行模式(comm ...

  6. uploadfile图片上传和ashx

    uploadify.swf需要是支持中文   $(function () {   //获取所有上传按钮id   $("div[id^='fileInput_']").each(fu ...

  7. pyspider 安装时 Could not run curl-config

    sudo aptitude install libcurl4-openssl-dev

  8. Eclipse汉化后切换回英文

    方法: 1.复制MyEclipse的快捷方式: 2.右键快捷方式->属性,在“目标”的后边加上 -nl "en" 之前的:"F:\Program Files\MyE ...

  9. lodash 替换 underscore

    不少知名项目都在用lodash替换underscore lodash  Lazy evaluation 英文原文:http://filimanjaro.com/blog/2014/introducin ...

  10. input只能输入数字并限制长度

    <style> /*在chrome下移除input[number]的上下箭头*/ input::-webkit-outer-spin-button,input::-webkit-inner ...