I'm trying to understand all the methods available to execute remote commands on Windows through the impacket scripts:
https://www.coresecurity.com/corelabs-research/open-source-tools/impacket
https://github.com/CoreSecurity/impacket
I understand the high level explanation of psexec.py and smbexec.py, how they create a service on the remote end and run commands through cmd.exe -c but I can't understand how can you create a service on a remote windows host through SMB. Wasn't smb supposed to be mainly for file transfers and printer sharing? Reading the source code I see in the notes that they use DCERPC to create this services, is this part of the smb protocol? All the resources on DCERPC i've found were kind of confusing, and not focused on its service creating capabilities. Looking at the sourcecode of atexec.py, it says that it interacts with the task scheduler service of the windows host, also through DCERPC. Can it be used to interact with all services running on the remote box?
Thanks!
DCERPC (https://en.wikipedia.org/wiki/DCE/RPC) : the initial protocol, which was used as a template for MSRPC (https://en.wikipedia.org/wiki/Microsoft_RPC).
MSRPC is a way to execute functions on the remote end and to transfer data (parameters to these functions). It is not a way to directly execute remote OS commands on the remote side.
SMB (https://en.wikipedia.org/wiki/Server_Message_Block ) is the file sharing protocol mainly used to access files on Windows file servers. In addition, it provides Named Pipes (https://msdn.microsoft.com/en-us/library/cc239733.aspx), a way to transfer data between a local process and a remote process.
One common way for MSRPC is to use it via Named Pipes over SMB, which has the advantage that the security layer provided by SMB is directly approached for MSRPC.
In fact, MSRPC is one of the most important, yet very less known protocols in the Windows world.
Neither MSRPC, nor SMB has something to do with remote execution of shell commands.
One common way to execute remote commands is:
Copy files (via SMB) to the remote side (Windows service EXE)
Create registry entries on the remote side (so that the copied Windows Service is installed and startable)
Start the Windows service.
The started Windows service can use any network protocol (e.g. MSRPC) to receive commands and to execute them.
After the work is done, the Windows service can be uninstalled (remove registry entries and delete the files).
In fact, this is what PSEXEC does.
All the resources on DCERPC i've found were kind of confusing, and not
focused on its service creating capabilities.
Yes, It’s just a remote procedure call protocol. But it can be used to start a procedure on the remote side, which can just do anything, e.g. creating a service.
Looking at the sourcecode of atexec.py, it says that it interacts with
the task scheduler service of the windows host, also through DCERPC.
Can it be used to interact with all services running on the remote
box?
There are some MSRPC commands which handle Task Scheduler, and others which handle generic service start and stop commands.
A few final words at the end:
SMB / CIFS and the protocols around are really complex and hard to understand. It seems ok trying to understand how to deal with e.g. remote service control, but this can be a very long journey.
Perhaps this page (which uses Java for trying to control Windows service) may also help understanding.
https://dev.c-ware.de/confluence/pages/viewpage.action?pageId=15007754
Related
I have multiple windows servers in an internal network(meaning, not connected to the internet).
At the moment, I am pulling files from these servers using Windows Remote Desktop, for each server I have an IP address, login & password.
My goal is to use Python to automate this process, I want to be able to run a script that will access these internal servers and get files from them.
Is there any Python module that handles such tasks, or how should I approach this problem?
Windows' file sharing protocol is called SMB. There are some python libraries for this; the first google result for me was this one: https://pysmb.readthedocs.io/en/latest/
I have been interested in finding an alternative to the UI in SAS for quite some time now. We license SAS on our server instead of our desktops, so furthermore we have to launch a remote desktop application to execute code.
I was able to use a Telnet connection instead to remotely connect to the server, and batch execute SAS programs. Then I was interested in whether a python script could be made to connect remotely, and batch execute code, and this script could be executed in jEdit as a BeanShell script.
So far, I have Python code which successfully opens and closes the Telnet connection. It can do basic shell functions like call "dir". However, when I pass the exact same line that I use to execute SAS from command prompt on the remote server with a telnet connection in Python, nothing happens.
Is it possible the server is preventing me from executing code from a script? I use a "read_until" statement for the prompt before running any code.
Here's a few ideas...
The issue you are having above may be related to Local Security Policy settings in Windows (if it is running on a windows server). I'm far from an expert on that stuff but I remember older SAS/Intranet installations required some rumaging around in there to get them working.
As an alternative to the approach you are trying above you could also setup a SAS session on the server that listens for incoming socket requests as per this article:
http://analytics.ncsu.edu/sesug/2000/p-1003.pdf
And finally... Not sure if this helps or not by I remotely execute SAS jobs using PSEXEC. A description of how I set it all up can be found here:
http://www.runsubmit.com/questions/260/hide-sas-batch-jobs-winxp
Good luck
This paper outlines how you can use a Python script to connect to a Unix server using SSH, copy the SAS program written locally onto the server, batch submit it, and download the results back to your local machine, all using a BeanShell macro script for jEdit.
This is my scenario: I developed a Python desktop application which I use to probe the status of services/DBs on the very same machine it is running on.
My need is to monitor, using my application, two "brother" Window Server 2003 hosts (Python version is 2.5 for both). One of the hosts lies in my own LAN, the other one lies in another LAN which is reachable via VPN.
The application is composed by:
A Graphical User Interface (gui.py), which provides widgets to collect user inputs and launches the...
...business-logic script (console.py), which in turn invokes slave Python scripts that check the system's services and DB usage/accounts status/ecc. The textual output of those checks is then returned back to the GUI.
I used to execute the application directly on each the two machines, but it would be great to turn it into a client/server application, so that:
users will just be supposed to run the gui.py locally
the gui.py will be supposed to communicate parameters to some server remakes of console.py which will be running on both of the Windows hosts
the servers will then execute system checks and report back the results to the client GUIs which will display them.
I thought about two possible solutions:
Create a Windows service on each of the Windows hosts, basically executing console.py's code and waiting for incoming requests from the clients
Open SSH connections from any LAN host to the eliged Windows host and directly run console.py on it.
I am working on a corporate environment, which has some network and host constraints: many network protocols (like SSH) are filtered by our corporate firewall. Furthermore, I don't have Administration privileges onto the Windows hosts, so I can't install system services on them...this is frustrating!
I just wanted to ask if there is any other way to make gui.py and console.py communicate over the network and which I did not take into account. Does anyone have any suggestion? Please note that - if possible - I'm not going to ask ICT department to give me Administration privileges on the Windows hosts!
Thanks in advance!
Answer to myself: I found one possible solution..
I'm lucky because the console.py script is actually invoking many slave python scripts, each of them performing one single system check via standard third-party command-line tools which can be fired to check features on remote hosts.
Then, what I did was to modify the gui.py and console.py so that users can parametrically specify on which Windows host the checks must be carried out.
In this way, I can obtain a ditributed application...but I've been lucky, what if one or more of the third-party CL tools did not support remote host features checking?
I decided to tackle Python as a new language to learn. The first thing I want to do is code a script that will allow me to remotely restart services on other machines from my local machine. How would I accomplish this when the remote machine requires a username and password to log on? I don't need a full solution to be given to me but maybe some pointers on what libraries I should use or any issues I need to address when writing the script.
EDIT: All the remote machines are using Windows 2003
People usually recommend paramiko as a library to do ssh (and I'm assuming that you need ssh to get into the remote machine). There is a good tutorial for it.
Edit: On windows, the easiest way is probably to use SysInternals psservice utility, to be invoked with os.system; this can start a remote service, and accepts logon credentials.
If you want to do it directly in Python, you need win32service.StartService. Before that, you need to open the remote service manager, and then the remote service. Before that, you need to impersonate the user as which you want to perform the operation, see the example.
Take a look at Fabric wich is based on paramiko.
This is really a good tool to automate remote tasks with python.
Fabric Documentation will show you how easy it is to use.
What kind of OS is your remote machine running? If it's linux, run ssh(1) using the subprocess module.
If it's windows, then get the win32 extensions. They allow you to call Windows functions. There should be an API to allow to access services. If they don't, there is a tool called sc (docs) which you can run using the subprocess module.
Which OS for the target machines? If 'service' is 'Windows NT service', and your local machine is also Windows, I'd use IronPython as the Python language implementation and call straight into the WMI facilities in the .net System.Management namespace -- they're meant for remote admin like that.
On Windows, the wmi module is now fantastic for this.
I have written a Python TCP/IP server for internal use, using win32serviceutil/py2exe to create a Windows service.
I installed it on a computer running Windows XP Pro SP3. However, I can't connect to it when it's running as a service. I can confirm that it's binding to the address/port, because I get a conflict when I try to bind to that address/port with another application. Further, I have checked the Windows Firewall settings and have added appropriate exceptions. If I run the server as a simple console application, everything works as expected. However, when I run it as a service, it doesn't work.
I vaguely remember running into this problem before, but for the life of me can't remember any of the details.
Suggestions, anyone?
Possibly the program may be terminated just after initialization. Please check whether it is continuously listening to the requests.
netstat -an |find /i "listening"
And analyze the command line parsed to the programs. You may use procexp to do that.
First of all, whenever you implement a Windows service, be sure to add proper logging.
My worker threads were terminating because of the exception, "The socket operation could not complete without blocking."
The solution was to simply call sock.setblocking(1) after accepting the connection.
Check to see that the service is running under the Nertwork Service account and not the Local System account. The later doesn't have network access and is the default user to run services under. You can check this by going to the services app under administrative tool in the start menu and looking for your service. If you right-click the service you can go to properties and change the user that it is run under.