Penetration Testing mailing list archives

RE: problems to start a task with at.exe


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Thu, 15 Nov 2001 09:15:41 +0200

Try using psexec. If you can map drives, or submit "at" jobs, PSExec should
also work.

That will give you a remote command shell on the machine directly.

e.g. From cmd on the DMZ box:

psexec \\computer [-u user [-p psswd]] [-s] [-c] [-d] program [arguments]

psexec \\target -u system -p passwd cmd.exe

Gives you access to the cmd shell on the target computer.

Rogan

PsExec v1.11 - execute processes remotely
Copyright (C) 2001 Mark Russinovich
www.sysinternals.com

PsExec executes a program on a remote system, where remotely executed
console applications execute interactively.

Usage: psexec \\computer [-u user [-p psswd]] [-s] [-c] [-d] program [arguments]

     -u         Specifies optional user name for login to remote
                computer.
     -p         Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
     -s         Run the remote process in the System account.
     -c         Copy the specified program to the remote system for
                execution. If you omit this option the application
                must be in the system path on the remote system.
     -d         Don't wait for process to terminate (non-interactive).
     program    Name of application to execute.
     arguments  Arguments to pass (note that file paths must be
                absolute paths on the target system).

You can enclose applications that have spaces in their name with
quotation marks e.g. psexec \\marklap "c:\long name app.exe".
Input is only passed to the remote system when you press the enter
key, and typing Ctrl-C terminates the remote process.

If you omit a user name the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name
in the Domain\User syntax if the remote process requires access
to network resources or to run in a different account. Note that
the password is transmitted in clear text to the remote system.
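As a defensive counterpoint to the two techniques discussed in this thread, an added example (not code from the thread or from Sysinternals) that flags log records consistent with a PsExec service installation or a remotely submitted at.exe job. The Windows event IDs 7045 (service installed) and 4698 (scheduled task created) and the At<n> naming of at.exe jobs are real, modern-Windows behaviour; the key=value record format, the sample records, and the pre-joined logon_type field (which in reality lives in the matching 4624 logon event) are assumptions of this example.

```python
"""Flag records consistent with PsExec service installs or remote at.exe jobs.

Records are constructed here in a simplified one-event-per-line key=value
format; a real deployment would feed parsed EVTX or Sysmon events instead.
"""
import re
from typing import Iterable, List, Tuple

# Constructed sample events (not real logs). logon_type is assumed to have been
# joined from the corresponding 4624 event already.
SAMPLE_EVENTS = [
    'log=System id=7045 host=PDC01 service=PSEXESVC path="%SystemRoot%\\PSEXESVC.exe" user=LAB\\admin',
    'log=System id=7045 host=PDC01 service=Spooler path="C:\\Windows\\System32\\spoolsv.exe" user=SYSTEM',
    'log=Security id=4698 host=PDC01 task="\\At1" command="c:\\test.bat" user=LAB\\admin logon_type=3',
    'log=Security id=4698 host=WS07 task="\\Backup" command="C:\\Tools\\backup.exe" user=WS07\\svc logon_type=2',
    'log=Security id=4624 host=PDC01 user=LAB\\admin logon_type=3',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# PsExec installs its helper service as PSEXESVC by default; match name or binary path.
PSEXEC_RE = re.compile(r'psexe', re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def detect_remote_exec(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, rule, detail, user) tuples for suspicious events."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("id")
        if eid == "7045" and (PSEXEC_RE.search(ev.get("service", ""))
                              or PSEXEC_RE.search(ev.get("path", ""))):
            alerts.append((ev["host"], "psexec_service_install", ev["service"], ev["user"]))
        # at.exe names its jobs At1, At2, ...; a network logon (type 3) means the
        # job was submitted from another machine, as with "at \\target ...".
        elif (eid == "4698" and ev.get("task", "").startswith("\\At")
              and ev.get("logon_type") == "3"):
            alerts.append((ev["host"], "remote_at_job", ev["command"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_exec(SAMPLE_EVENTS):
        print(alert)
```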

-----Original Message-----
From: otaner () gmx ch [mailto:otaner () gmx ch]
Sent: 14 November 2001 03:50
To: pen-test () securityfocus com
Subject: problems to start a task with at.exe


Hi,

I'm doing a pen test and I found a way, over a system in the DMZ, to establish
NBT connections into the internal network (net use and stuff). My goal is to
get shell access to the internal network. So my plan is to establish a
connection from the internal network to my system on the Internet with netcat.
They don't use a proxy, only a firewall that allows outgoing HTTP and HTTPS. I
have local administrator rights on the PDC. So I was able to copy pwdump.exe
to the PDC and now I want to execute it (adding a job with at.exe). I can see
the new job in the queue, but when the time is reached, the batch file is not
executed. I'm sure the path is correct. I have the same problem with a system
in my lab. What can I do?

My commands:

at \\target 18:00 "c:\test.bat"
or
at \\target 18:00 /every:date "c:\test.bat"

Any help would be appreciated

Regards
Renato



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

