Wednesday, December 15, 2010

live process priority changing

Today I wanted to lower the priority of a McAfee Full Scan going on my system, as it was seriously hosing my work PC.  Yes, I could have used the old AT trick to get SYSTEM privileges, but my work PC is fairly locked down, without Task Scheduler running.  Yes, I could have killed the process and restarted it with a low priority with the start command.  The only problem was that it was about 1/4 of the way through, and I did not feel like starting over.  I tried going into Task Manager and adjusting the priority, but of course I got an “Access Denied” message.  What to do?

psexec /s /i /d taskmgr

This will launch Task Manager with SYSTEM privileges, so you can go ahead and change that process priority.  /s gives it SYSTEM powers, /i makes it interactive so you can see it in the same session, and /d detaches psexec from your cmd to free up your console.  You’re going to need admin privileges for this psexec switch, so don’t go thinking it’s a “hack”.  However, with LSA powers you can do a lot of interesting stuff that even an Admin cannot.

Thursday, November 18, 2010

network enumeration

OK, just wanted to go over some Windows Active Directory tools found in the Windows 2003 Admin Pack.  These are basic tools that often get overlooked in favor of massive VB scripts.  I use them daily to pull reports on users, groups, or computers.  The Active Directory tool in Windows is very limited, and with these commands you can pipe, output, parse, and loop to your heart's content.  So let's just start off with some one-liners.

Need a list of all the PC’s in the Domain?

dsquery computer -limit 0 | dsget computer -name

What we are doing here is using dsquery to query the Domain Controller for computers with no limit on the results, chaining it to dsget, which is used for grabbing specific bits of information, this time a computer’s name.  If we were to omit the dsget command, it would return the Fully Qualified Domain Name of all the computers in the domain, which is nice for some things, like chaining dsmod commands, but not for human readable results. 

Working in the registry and need a SID?

dsquery user -name "*NAME*" | dsget user -sid -display

Here we are querying for user information, and using the wildcards (*) to allow for information to the left or right of the name variable, which could be a first name, last name, or both.  Using dsget switches we are grabbing the user’s SID as well as the display name.  Grabbing the display name as well helps us to differentiate any false positives you may have if you are using just a first name in the query command.

Does your boss need all the users of a group in a text file with their telephone number?

dsquery group -name "GROUP_NAME" | dsget group -members | dsget user -display -tel > c:\file-for-boss.txt

Here we are querying for the group information; notice there are no wildcards.  This would be the case if we knew exactly which group we are looking for.  Chaining the query to dsget, we grab the members, but remember that since we are looking for user information and not group information, we pipe once more into a dsget user, grabbing display name and telephone number, which will actually output very nicely.

Most of these one-liners I wrap into small shell scripts so I can fire them off with little typing involved.  Here’s one that takes care of a pet peeve of mine: AD’s refusal to perform wildcard searches, i.e. having to know the exact spelling of a group in order to search for it.  This will allow you to search for a group name with just a partial keyword:

for /f "tokens=1,2 delims==," %%i in ('dsquery group -name "*%1*" ^| sort') do @echo %%j

Here I am wrapping the command in parentheses in a for loop, which splits each returned distinguished name on the = and , delimiters so that only the group name (the second token) is echoed.  The %1 allows you to run the script with an argument, in this case the name of the group you are looking for.  So if I were calling this script from the command line, I would do this:

script_name [group name]
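A batch script that combines the one-liners above, as an added example (not a script from the original post): it takes the same partial group name the for loop uses, lists every matching group, and appends each group's members with display name and telephone number to a file, the way the file-for-boss command does. The script name group-report.cmd and the default output path are my own choices.

```batch
@echo off
rem group-report.cmd: an added example, not a script from the original post.
rem Usage: group-report.cmd PARTIAL_GROUP_NAME [OUTPUT_FILE]
rem Finds every group whose name contains the keyword, then appends each
rem group's members, as display name and telephone number, to the output
rem file using the same dsquery/dsget chain as the one-liners above.
setlocal enabledelayedexpansion
if "%~1"=="" (
    echo Usage: %~nx0 PARTIAL_GROUP_NAME [OUTPUT_FILE]
    exit /b 1
)
set "outfile=%~2"
if "%outfile%"=="" set "outfile=%TEMP%\group-report.txt"
set /a matches=0

rem dsquery group prints one quoted distinguished name per line, e.g.
rem "CN=Help Desk,OU=Groups,DC=corp,DC=example". usebackq keeps the inner
rem double quotes, delims= makes %%d the whole line, and %%~d strips the quotes.
for /f "usebackq delims=" %%d in (`dsquery group -name "*%~1*" -limit 0`) do (
    set /a matches+=1
    rem The second "=,"-delimited token is the CN value. A group name that
    rem contains an escaped comma would be cut short here, just as in the
    rem one-liner above, so the full DN is written next to it for reference.
    for /f "tokens=2 delims==," %%n in ("%%~d") do set "cn=%%n"
    echo.>>"%outfile%"
    echo Group: !cn!  [%%~d]>>"%outfile%"
    rem dsget group needs the full DN; its member DNs feed dsget user on stdin.
    dsget group "%%~d" -members | dsget user -display -tel>>"%outfile%"
)
if %matches%==0 (
    echo No group name contains "%~1".
    exit /b 2
)
echo Wrote %matches% group^(s^) to "%outfile%".
endlocal
```

Run it as group-report.cmd desk c:\file-for-boss.txt to report every group with "desk" in its name; with no second argument the report lands in %TEMP%\group-report.txt.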

So far I’ve only talked about using these tools for reporting, but there are also dsmod, dsadd, and dsrm.  Using dsmod and dsadd, I’ve written scripts to build PC’s that mirror other workstations already in the domain, and used dsrm to perform bulk removes of stale accounts.

Monday, October 18, 2010

starting off with a push

This trick is going to allow you to log in to a locked Windows machine with your own GUI, under your own credentials or even under the SYSTEM account.  It requires a bit of setup, but it does not require any files to be copied to the target machine.  It relies on the Sysinternals tool psexec, a Linux box running Samba with an open share, and admin credentials on the machine in question.  Psexec needs to be on both the Linux share and the host computer from which you will initiate the command.  The command I came up with is:

psexec \\TARGET_MACHINE cmd /c "pushd \\LINUX_SHARE$\ && psexec.exe /accepteula /i /x /d explorer.exe"

OK, so we use psexec against the target machine, but since we can't immediately start explorer with /x, we get cmd going and then immediately use pushd to map the UNC path to the Linux box.

I'm using && as a logic gate so that if the first command fails, the second won't try to run.  Once we have the target machine mapped to the Linux box, we kick off psexec with the switches /accepteula /i /x /d, starting the explorer process.  The /i switch allows us to see the results on-screen, the /x switch is the linchpin that allows us to launch the command in question on a locked PC, and the /d switch will release the shell after the command is run so we can continue to run commands.  The command will also stall out if /accepteula isn't thrown in, because the EULA prompt would be hidden from the GUI.

A nice side-effect of using the pushd command to map to the Linux share is that it leaves you with a mapped drive to the share, so you can browse it from your command prompt as well.  Whenever you want to get back to your own PC, you can popd back.

Once you've logged into the locked computer, a couple of interesting things happen.  For one, Group Policy (if you are on a domain) does not seem to apply to the second session.  Also, either session can be logged on or off without touching the other.  Note: sometimes Windows Themes can become screwy on the first session, but a restart will fix it.

This trick can come in handy for many reasons.  I like to use it as a last resort when I need to access the GUI on a locked computer: to install software or configure settings when the user is unavailable to unlock the computer.