Script types: hostrule
Categories: intrusive
Download: https://svn.nmap.org/nmap/scripts/smb-psexec.nse
User Summary

Implements remote process execution similar to the Sysinternals' psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.
This script can run commands present on the remote machine, such as ping or tracert, or it can upload a program and run it, such as pwdump6 or a backdoor. Additionally, it can read the program's stdout/stderr and return it to the user (works well with ping, pwdump6, etc.), or it can read a file that the process generated (fgdump, for example, generates a file), or it can just start the process and let it run headless (a backdoor might run like this).
To use this, a configuration file should be created and edited. Several configuration files are included that you can customize, or you can write your own. This config file is placed in nselib/data/psexec (if you aren't sure where that is, search your system for default.lua), then is passed to Nmap as a script argument (for example, myconfig.lua would be passed as --script-args=config=myconfig).
The configuration file consists mainly of a module list. Each module is defined by a Lua table, and contains fields for the name of the program, the executable and arguments for the program, and a score of other options. Modules also have an 'upload' field, which determines whether or not the module is to be uploaded. Here is a simple example of how to run , which returns a list of users in the 'administrators' group (take a look at the examples.lua configuration file for these examples):
mod.upload is false, meaning the program should already be present on the remote system (since 'net.exe' is on every version of Windows, this should be the case). mod.name defines the name that the program will have in the output. mod.program and mod.args obviously define which program is going to be run. The output for this script is this:
That works, but it's really ugly. In general, we can use mod.find, mod.replace, mod.remove, and mod.noblank to clean up the output. For this example, we're going to use mod.remove to remove a lot of the useless lines, and mod.noblank to get rid of the blank lines that we don't want:
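The two modules described above, written out as an added example configuration file (this is not the page's own examples.lua). It assumes the loading convention the text implies: each module is a Lua table appended to a global list named modules, and the mod.remove entries are matched against output lines as Lua patterns. The program arguments are my choice for illustrating the 'administrators' group listing.

```lua
-- Added example psexec configuration (not the page's examples.lua).
-- Assumptions: the script exposes a global table `modules` that the config
-- appends to, and mod.remove entries are Lua patterns; a line matching any
-- of them is dropped from the output.

-- Module 1: run a program that already exists on the host (mod.upload = false)
-- and return its output as-is.
local mod = {}
mod.upload  = false                       -- net.exe ships with Windows; nothing to upload
mod.name    = "Example 1: Membership of 'administrators'"
mod.program = "net.exe"
mod.args    = "localgroup administrators" -- assumed arguments for this example
table.insert(modules, mod)

-- Module 2: the same command with the noise filtered out. Each mod.remove
-- entry is a pattern; output lines matching one of them are discarded.
-- mod.noblank then strips whatever blank lines are left.
mod = {}
mod.upload  = false
mod.name    = "Example 2: Membership of 'administrators' (cleaned up)"
mod.program = "net.exe"
mod.args    = "localgroup administrators"
mod.remove  = {
  "^Alias name",              -- "Alias name     administrators"
  "^Comment",                 -- "Comment        Administrators have complete ..."
  "^Members",                 -- the "Members" header line
  "^%-+$",                    -- the line of dashes under the header
  "The command completed",    -- "The command completed successfully."
}
mod.noblank = true
table.insert(modules, mod)
```

Because the entries are patterns rather than literal strings, the dashes line needs the escaped form "^%-+$"; an unescaped "-" would be a quantifier. Anchoring with "^" keeps the filters from matching a user name that happens to contain the word "Comment".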
We can see that the output is now much cleaner:
For our next command, we're going to run Windows' ipconfig.exe, which outputs a significant amount of unnecessary information, and what we do want isn't formatted very nicely. All we want is the IP address and MAC address, and we get it using mod.find and mod.replace:
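The ipconfig module, as an added example (not the page's examples.lua). It assumes that mod.find holds Lua patterns and a line is kept only if it matches one of them, and that mod.replace holds {pattern, replacement} pairs applied to the kept lines in order with string.gsub semantics.

```lua
-- Added example module for ipconfig (not the page's examples.lua).
-- Assumptions: mod.find entries are Lua patterns (keep a line if any matches);
-- mod.replace entries are {pattern, replacement} pairs applied in order to each
-- kept line, with string.gsub semantics.
local mod = {}
mod.upload  = false
mod.name    = "Example 3: IP address and MAC address"
mod.program = "ipconfig.exe"
mod.args    = "/all"
-- Only these three kinds of lines survive the filter.
mod.find    = { "IP Address", "Physical Address", "Ethernet adapter" }
mod.replace = {
  -- "IP Address. . . . . . . : 192.0.2.10" -> "IP Address: 192.0.2.10"
  -- ("%." escapes the dot; a bare "." would match any character)
  { "%. ", "" },
  -- "00-0C-29-AB-CD-EF" -> "00:0C:29:AB:CD:EF"
  { "-", ":" },
  -- cosmetic rename of the label
  { "Physical Address", "MAC Address" },
}
table.insert(modules, mod)
```

Order matters: the "-" to ":" replacement runs on the already-trimmed line, so a "Physical Address" line becomes "MAC Address: 00:0C:29:AB:CD:EF" by the time the third pair is applied.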
This module searches for lines that contain 'IP Address', 'Physical Address', or 'Ethernet adapter'. In these lines, a '. ' is replaced with nothing, a '-' is replaced with a colon, and the term 'Physical Address' is replaced with 'MAC Address' (arguably unnecessary). Run ipconfig /all yourself to see what we start with, but here's the final output:
Another interesting part of this script is that variables can be used in any script fields. There are two types of variables: built-in and user-supplied. Built-in variables can be anything found in the config table, most of which are listed below. The more interesting ones are:
User-supplied arguments are given on the command line, and can be controlled by mod.req_args in the configuration file. Arguments are given by the user in --script-args; for example, to set $host to '1.2.3.4', the user would pass in --script-args=host=1.2.3.4. To ensure the user passes in the host variable, mod.req_args would be set to {'host'}.
Here is a module that pings the local ip address:
And the output:
And this module pings an arbitrary address that the user is expected to give:
And the output (note that we had to up the timeout so this would complete; we'll talk about override values later):
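Both ping modules from this section, as one added example (not the page's examples.lua). It assumes that $lhost is the built-in variable holding the address of the machine running Nmap, that $host comes from --script-args=host=<addr> as described above, and that a module's per-field override of config values such as timeout lives in a mod.overrides table, which is how the text describes overrides.

```lua
-- Added example modules for the two ping cases (not the page's examples.lua).
-- Assumptions: $lhost expands to the address of the host running Nmap;
-- $host is user-supplied via --script-args=host=...; mod.overrides holds
-- per-module overrides of config values (here: timeout, in seconds).

-- Module 4: ping the scanning machine, using a built-in variable.
local mod = {}
mod.upload  = false
mod.name    = "Example 4: Can the host reach us? (ping $lhost)"
mod.program = "ping.exe"
mod.args    = "-n 1 $lhost"            -- one echo request to our own address
mod.find    = { "Packets:" }            -- keep only the summary line
table.insert(modules, mod)

-- Module 5: ping an address chosen by the user. mod.req_args makes the
-- script refuse to run this module unless host= was supplied, so $host is
-- never silently expanded to an empty string.
mod = {}
mod.upload    = false
mod.name      = "Example 5: Can the host reach $host?"
mod.program   = "ping.exe"
mod.args      = "-n 4 $host"            -- four requests; slower than the default timeout allows
mod.req_args  = { "host" }
mod.find      = { "Packets:" }
mod.overrides = { timeout = 30 }        -- raise the per-module wait from the default
table.insert(modules, mod)
```

Variables are substituted in every field, so the $host in mod.name is expanded too, which makes the output heading self-describing when the module runs against several hosts.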
For the final example, we'll use the upload command to upload fgdump.exe, run it, download its output file, and clean up its logfile. You'll have to put fgdump.exe in the same folder as the script for this to work:
The -l argument for fgdump supplies the name of the logfile. That file is listed in the mod.tempfiles field. What, exactly, does mod.tempfiles do? It simply gives the service a list of files to delete while cleaning up. The cleanup process will be discussed later.
mod.url is displayed to the user if mod.program isn't found in nselib/data/psexec/. And finally, mod.outfile is the file that is downloaded from the system. This is required because fgdump writes to an output file instead of to stdout (pwdump6, for example, doesn't require mod.outfile).
Now that we've seen a few possible combinations of fields, I present a complete list of all fields available and what each of them does. Many of them will be familiar, but there are a few that aren't discussed in the examples:
Any field in the configuration file can contain variables, as discussed. Here are some of the available built-in variables:
In addition to modules, the configuration file can also contain overrides. Most of these aren't useful, so I'm not going to go into great detail. Search smb-psexec.nse for any reference to the config table; any value in the config table can be overridden with the overrides table in the module. The most useful value to override is probably timeout.
Before and after scripts are run, and when there's an error, a cleanup is performed. In the cleanup, we attempt to stop the remote processes, delete all programs, output files, temporary files, extra files, etc. A lot of effort was put into proper cleanup, since making a mess on remote systems is a bad idea.

Now that I've talked at length about how to use this script, I'd like to spend some time talking about how it works.
Running a script happens in several stages:
And that's how it works!
Please post any questions, or suggestions for better modules, to [email protected].

And, as usual, since this tool can be dangerous and can easily be viewed as a malicious tool -- use this responsibly, and don't break any laws with it.
Some ideas for later versions (TODO):
Script Arguments

nohide
  Don't set the uploaded files to hidden/system/etc.

cleanup
  Set to only clean up any mess we made (leftover files, processes, etc. on the host OS) on a previous run of the script. This will attempt to delete the files from every share, not just the first one. This is done to prevent leftover files if the OS changes the ordering of the shares (there's no guarantee of shares coming back in any particular order). Note that cleaning up is still fairly invasive, since it has to re-discover the proper share, connect to it, delete files, open the services manager, etc.

nocipher
  Set to disable the ciphering of the returned text (useful for debugging).

sharepath
  The full path to the share (eg, 'c:\windows'). This is required when creating a service.

config
  The config file to use (eg, default). Config files require a .lua extension, and are located in nselib/data/psexec.

time
  The minimum amount of time, in seconds, to wait for the external module to finish (default: 15)

nocleanup
  Set to not clean up at all; this leaves the files on the remote system and the wrapper service installed. This is bad in practice, but significantly reduces the network traffic and makes analysis easier.

key
  Script uses this value instead of a random encryption key (useful for debugging the crypto).

share
  Set to override the share used for uploading. This also stops shares from being enumerated, and all other shares will be ignored. No checks are done to determine whether or not this is a valid share before using it. Requires sharepath to be set.

randomseed, smbbasic, smbport, smbsign
  See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
  See the documentation for the smbauth library.
Author:
License: Same as Nmap -- See https://nmap.org/book/man-legal.html