170 Chapter 7 ■ Gaining Access to a System
Let’s take a look at some of the commands you can use with PsExec:
■ The following command launches an interactive command prompt on a system named
\\zelda: psexec \\zelda cmd.
■ This command executes ipconfig on the remote system with the /all switch, and displays
the resulting output locally: psexec \\zelda ipconfig /all.
■ This command copies the program rootkit.exe to the remote system and executes it
interactively: psexec \\zelda -c rootkit.exe.
■ This command copies the program rootkit.exe to the remote system and executes it
interactively using the administrator account on the remote system: psexec \\zelda
-u administrator -c rootkit.exe.
As these commands illustrate, an attacker who already holds administrative credentials
for the target can run an application on a remote system quite easily. Keep in mind how
PsExec does this: it copies its service binary to the target's ADMIN$ share and installs
it as a service named PSEXESVC, so the tool only works against hosts where the supplied
account is an administrator, and the service installation it leaves in the System event
log is one of the more common ways defenders spot it. The next step is for the attacker
to decide what to do or what to run on the remote system. Some of the common choices are
Trojans, rootkits, and backdoors.
Other utilities that may prove helpful in connecting to and controlling a system
remotely are the following:
PDQ Deploy This utility is designed to assist with the deployment of software to a single
system or to multiple systems across a network. The utility is designed to integrate with
Active Directory as well as other software packages.
RemoteExec This utility is designed to work much like PsExec, but it also makes it easy to
restart, reboot, and manipulate folders on the system.
DameWare This is a set of utilities used to remotely administer and control a system.
Much like the other utilities on this list, it is readily available and may not be detected by
antivirus utilities. DameWare also has the benefit of working across platforms such as Windows,
OS X, and Linux.
Covering Your Tracks
Once you have penetrated a system and installed software or run some scripts, the next
step is cleaning up after yourself, or covering your tracks. The purpose of this phase is to
prevent your attack from being easily discovered by using various techniques to hide the red
flags and other signs of intrusion. During this phase, you seek to remove or sanitize error
messages, log entries, and other artifacts that were created or altered during the attack.
Disabling Auditing
The surest way to avoid being discovered is to leave no tracks at all, and the best way to
do that is to prevent tracks from being created in the first place, or at least to minimize
the amount of evidence produced. When you're trying not to leave tracks, a good starting
point is altering the way events are logged on the targeted system.
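The flip side of both techniques on this page, PsExec-style remote execution and tampering with auditing, is what the artifacts look like to a defender. The following script is an added example written for this edit, not code from the book: it parses a constructed, simplified key=value export of Windows event records and flags the three events these techniques leave behind. The event IDs are the real ones Windows emits (System 7045 for a newly installed service, which PsExec triggers with its PSEXESVC service; Security 4719 when the system audit policy is changed; Security 1102 when the Security log is cleared), but the hostnames, users, timestamps and the line format itself are constructed for illustration and are not native EVTX output.

```python
"""Flag PsExec remote execution and audit tampering in a simplified Windows event export.

Added example, not the book's code.  Sample lines are constructed; the field layout
is a made-up "timestamp log event_id key=value ..." export, not EVTX.  The event IDs
and the PSEXESVC service name are the real ones Windows produces.
"""
import re
from dataclasses import dataclass, field

# Constructed sample export (hosts, users and times are invented).
SAMPLE_LOG = """\
2024-03-01T10:01:12Z System 7045 host=zelda ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
2024-03-01T10:01:13Z Security 4624 host=zelda LogonType=3 User=administrator Source=10.0.0.5
2024-03-01T10:02:40Z Security 4719 host=zelda User=administrator Category="Logon/Logoff" Changes="Success Removed, Failure Removed"
2024-03-01T10:02:41Z Security 1102 host=zelda User=administrator
2024-03-01T10:05:00Z System 7045 host=link ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe Account=LocalSystem
2024-03-01T10:06:00Z Security 4719 host=link User=SYSTEM Category="Object Access" Changes="Success Added"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<log>\w+)\s+(?P<eid>\d+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # value is either "quoted with spaces" or one token


@dataclass
class Event:
    ts: str
    log: str
    event_id: int
    fields: dict = field(default_factory=dict)


def parse_line(line: str):
    """Parse one export line into an Event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("rest")):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return Event(m.group("ts"), m.group("log"), int(m.group("eid")), fields)


def detect(log_text: str) -> list:
    """Run the three rules over an export and return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        host = ev.fields.get("host", "unknown")
        if ev.log == "System" and ev.event_id == 7045:
            svc = ev.fields.get("ServiceName", "")
            img = ev.fields.get("ImagePath", "")
            # PsExec copies PSEXESVC.exe into ADMIN$ and registers it as a service.
            if svc.upper() == "PSEXESVC" or img.upper().endswith("PSEXESVC.EXE"):
                findings.append({"ts": ev.ts, "host": host, "rule": "psexec_service_installed",
                                 "detail": f"{svc} ({img})"})
        elif ev.log == "Security" and ev.event_id == 4719:
            changes = ev.fields.get("Changes", "")
            # Only "Removed" changes switch auditing off; "Added" tightens it and is benign here.
            if "Removed" in changes:
                findings.append({"ts": ev.ts, "host": host, "rule": "audit_policy_disabled",
                                 "detail": f"{ev.fields.get('Category', '?')}: {changes}"})
        elif ev.log == "Security" and ev.event_id == 1102:
            findings.append({"ts": ev.ts, "host": host, "rule": "security_log_cleared",
                             "detail": f"by {ev.fields.get('User', '?')}"})
    return findings


def hosts_with_chain(findings: list) -> set:
    """Hosts where a PsExec service install is later followed by audit tampering."""
    seen_psexec, chained = set(), set()
    for f in findings:            # findings are already in log order
        if f["rule"] == "psexec_service_installed":
            seen_psexec.add(f["host"])
        elif f["host"] in seen_psexec:
            chained.add(f["host"])
    return chained


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]:6} {h["rule"]:26} {h["detail"]}')
    print("remote execution followed by audit tampering on:", sorted(hosts_with_chain(hits)))
```

Run as-is it reports the three zelda events and names zelda as the host with the full chain; the Spooler service install and the policy change that only adds auditing on link are deliberately not flagged, since a rule that fires on every 7045 or every 4719 is too noisy to act on.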