Nmap Development mailing list archives

Thoughts about writing a psexec script


From: Ron <ron () skullsecurity net>
Date: Tue, 25 Aug 2009 20:55:06 -0500

Hi all,

I'm planning on writing smb-psexec in the near future, but because of the sheer number of ways to implement this, I'm hoping to get some feedback/direction on what you guys would prefer.

First, a bit about how to run a program remotely. It's basically this:
- Upload the .exe
- Create a remote service pointing at that .exe, using the Win32 call CreateServiceA() or CreateServiceW()
- Start the remote service using StartServiceA() or StartServiceW()
- Poll the service till it's finished, using QueryServiceStatus()
- Delete the service
- Get the results

I'm thinking that the best thing to do is to create a wrapper program, which will have to be compiled for Windows (not sure how you handle that with a source distribution? How does Metasploit?). This wrapper program will take a list of parameters, each of which is a program to run, with parameters (not exactly sure how), or maybe run the program multiple times, once/remote program? Not sure yet. Maybe it should use a config file, that can be uploaded alongside it? Likely encrypted/obfuscated, to prevent spying.

Ideally, the wrapper program will run the other program(s) it's told to, and save the results, encrypted (or, at least, obfuscated) to a file. Once it's finished, Nmap can download that file, decrypt it, and display it.

So that leaves a few questions:
- How do we compile/distribute this wrapper?
- What should the interface be to this wrapper? Should it run multiple times, or just one time for all the scripts? Should it be all command-line parameters, or use a config file?
- What should the interface be on Nmap? A text file of programs to run + a directory of executables to upload? What if the user wants to add non-Nmap licensed executables? Should it be just a matter of dropping them in nselib/data/psexec/ and running the script (easiest)? If so, will the script just read that directory and upload/run everything? And consult a text file for arguments, if it needs some?

The last question is the big one to me. What would be the best interface?

To summarize a bit, how would you picture the user running both:
a) "psexec -h localhost" (requires psexec.exe to be uploaded first), and
b) "arp -a" (arp is already on Windows, it's just a matter of passing it a parameter)

At the same time?

The technical details I can generally handle no problem, but I don't have a clue how I should make the interface. :)

Ron

--
Ron Bowes
http://www.skullsecurity.org/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
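The remote-execution sequence Ron lays out (upload a binary, create a service pointing at it, start it, poll it, delete it) leaves a recognisable trace on the target: the Service Control Manager writes event 7045 ("A service was installed in the system") to the System log when the service is created, and 7036 when it changes state. The following is an added example, not code from Ron's post or from Nmap, that shows how a defender could flag that pattern over such records. The log format, the service names and the paths are constructed for the example (the records are a simplified one-line form, not real Windows event text); the heuristics assume that a service whose binary lives outside the usual service directories, or that is stopped within seconds of being installed, is worth a second look.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real Windows event log output), one per line:
#   <ISO timestamp> <event id> name=<service name> [path=<image path>] [state=<state>]
# 7045 = service installed, 7036 = service entered running/stopped state.
SAMPLE_LOG = """\
2009-08-25T20:55:06 7045 name=Spooler path=C:\\Windows\\System32\\spoolsv.exe
2009-08-25T20:55:07 7036 name=Spooler state=running
2009-08-25T20:58:00 7045 name=nmapsvc01 path=C:\\Windows\\nse_wrapper.exe
2009-08-25T20:58:01 7036 name=nmapsvc01 state=running
2009-08-25T20:58:09 7036 name=nmapsvc01 state=stopped
2009-08-25T21:10:00 7045 name=Backup path=C:\\Program Files\\Backup\\svc.exe
2009-08-25T21:10:01 7036 name=Backup state=running
"""

# Directories from which long-lived, legitimately installed services usually run.
# Assumption for this example: anything else (e.g. a freshly uploaded wrapper in
# the Windows root) is treated as unusual.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_events(text):
    """Parse the constructed log lines into dicts with a datetime, an int id and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, rest = line.split(" ", 2)
        # Values may contain spaces (e.g. "Program Files"); stop each value at the next "key=".
        fields = dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", rest))
        events.append({"time": datetime.fromisoformat(ts), "id": int(event_id), **fields})
    return events


def suspicious_service_installs(events, max_lifetime=timedelta(seconds=60)):
    """Return (service name, image path, reasons) for each 7045 install that looks like a
    short-lived or oddly located service, i.e. the create/start/poll/delete pattern."""
    findings = []
    for inst in (e for e in events if e["id"] == 7045):
        reasons = []
        path = inst.get("path", "").lower()
        if not path.startswith(TRUSTED_DIRS):
            reasons.append("binary outside trusted directories")
        # First 'stopped' transition for the same service after it was installed.
        stop = next((e for e in events
                     if e["id"] == 7036 and e.get("name") == inst["name"]
                     and e.get("state") == "stopped" and e["time"] > inst["time"]), None)
        if stop is not None and stop["time"] - inst["time"] <= max_lifetime:
            lifetime = int((stop["time"] - inst["time"]).total_seconds())
            reasons.append(f"stopped {lifetime}s after install")
        if reasons:
            findings.append((inst["name"], path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_service_installs(parse_events(SAMPLE_LOG)):
        print(f"{name} ({path}): {'; '.join(reasons)}")
```

On the sample above only `nmapsvc01` is reported, on both counts: its binary sits directly under the Windows directory rather than System32, and it stops nine seconds after being installed. Deleting a service does not produce a System log event of its own, which is why the example keys on the install-then-stop timing rather than on the delete step.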
