PsTools and you Part III
Part II of this article series showed you a variety of very handy PsTools command line utilities. Hopefully by now you can see just how useful these tools are, not only to you as a system administrator but also to those with malicious intent. If you still prefer not to drive these tools from the command line, you may want to take a look at this free graphical user interface, which lets you control the various parts of the PsTools suite. I have not personally tried it myself, so if any of you do, feel free to drop me a line. On that note, let’s carry on with the remaining tools in PsTools.
psloglist
psloglist is a very handy little tool and one of my favorites. It dumps the event log entries of either the machine you are on or a remote one. The information in an event log is obviously of interest to a sys admin, and also to the malicious hacker. As always, the advantages of a tool quite often cut both ways. Let’s take a look at the screenshot below.
Figure 1
We see in the screenshot that invoking psloglist is simple enough: type it in and hit Enter. From there you may want to pipe the output through “| more” so that it doesn’t go flying past you and you can go through it page by page. Noted in the screenshot is the system whose logs you are looking at, i.e. \\WIN2K2; the remaining fields are pretty straightforward. As you can see, psloglist is a rather handy little tool that gives you access to event logs, which contain a good deal of information.
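As an added example (not part of the original article or of the Sysinternals suite), here is the same job psloglist does, pulling recent entries from a local or remote event log, written with the built-in Get-WinEvent cmdlet so the two can be compared side by side. It assumes Windows PowerShell 3.0 or later and that the target host allows the same remote Event Log access psloglist itself needs; the host name WIN2K2 is the one from the screenshot.

```powershell
# Added example, not from the original article: list recent event log entries
# the way psloglist does, but with the built-in Get-WinEvent cmdlet.
# Assumes Windows PowerShell 3.0+ and remote Event Log access to the target.
function Get-RecentLogEntries {
    [CmdletBinding()]
    param(
        # Same role as the "\\WIN2K2" argument to psloglist; default is the local box.
        [string] $ComputerName = $env:COMPUTERNAME,
        # Which log to read: System, Application, Security, ...
        [string] $LogName = 'System',
        # How far back to look (psloglist -h <hours>).
        [int]    $Hours = 24,
        # Optional event IDs to keep (psloglist -i ID[,ID,...]).
        [int[]]  $EventId
    )

    # A FilterHashtable is evaluated by the Event Log service itself, so only
    # matching records cross the wire instead of the whole log.
    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($EventId) { $filter['Id'] = $EventId }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "no events" as an error; an empty result is the
        # honest answer there. Anything else (access denied, RPC unreachable) is rethrown.
        if ($_.Exception.Message -match 'No events were found') { return }
        throw
    }

    $events | Select-Object @{ Name = 'Computer'; Expression = { $_.MachineName } },
                            TimeCreated, Id, ProviderName, LevelDisplayName,
                            @{ Name = 'Message'; Expression = {
                                # Keep only the first line of the description for a list view.
                                ($_.Message -split "`r?`n")[0]
                            } }
}

# Usage, with the psloglist command it mirrors:
#   psloglist \\WIN2K2 -h 24 -i 7036 system | more
#   Get-RecentLogEntries -ComputerName WIN2K2 -Hours 24 -EventId 7036 |
#       Format-Table -AutoSize | Out-Host -Paging
```

Out-Host -Paging plays the role of “| more” in the article, and the Security log needs an elevated session on either path; psloglist and Get-WinEvent read the same records, so whatever one shows you, the other will too.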
pspasswd
I can imagine that this tool would get a fair amount of use by malicious hackers who have gained a presence on a computer. After all, a sys admin can easily change passwords via their terminal. As you will soon see, this handy little tool works quite well.
Figure 2
Shown above is the command line syntax used to change the administrator password on the computer you invoke this tool on. Quite simple, isn’t it! Though an attacker may not want to make such an obvious change, the option does exist. Trying to log in as administrator the next day only to find that your password doesn’t work would be a nasty shock indeed.
psservice
This tool lets you both list and control the services on the local computer and on a remote one. It resembles pslist in that it will list the services running on a computer, but psservice will also let you stop, pause, and start those very same services. Let’s take a look at the screenshot below.
Figure 3
Listed above is the help menu for the tool itself, in which we can clearly see the various options for psservice. It is a fairly extensive list of things the tool can do for you. We saw earlier that pskill will kill a process for you; this tool, however, can do much more than simply kill something. It will let you stop and then restart a specific service. That is fairly handy for a sys admin, as certain services often just hang and need to be restarted.
psshutdown
Have you ever been sitting at your computer working away diligently, only to see a little window pop up saying that the computer was going to shut down in X seconds? Crap! I’d better save my work! Well, you too can have the power of the mighty sys admin by using the tool psshutdown.
Figure 4
The screenshot above has the help menu truncated, as it is fairly extensive and showing all of it would have made for a rather large screenshot. Here is a question for you. Can any of you think of a reason why you would want to shut down a computer and also have it reboot? If you remember reading this article series, the answer is contained within it. A fairly good reason to reboot a computer would be if you had broken into it via an exploit and wanted to safeguard that computer: you would need to patch the box for the very exploit you used to get in, and then reboot it so that the patch takes effect. Kind of clever, isn’t it? Remember, attacks don’t have to be at the cutting edge to work. After all, why reinvent the wheel? I would recommend that you take some time and recreate what I wrote about in the article I hyperlinked to above.
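The pspasswd, psservice and psshutdown sections above all describe actions that the target machine records in its own event logs, which is exactly the information the psloglist section said a sys admin should be reading. As an added example (not part of the original article or of the Sysinternals suite), the function below sweeps the last few hours of those logs for the three footprints: a password reset (Security event 4724), a service state change (System event 7036, logged by the Service Control Manager) and a shutdown or reboot request (System event 1074, which names the process and user that asked for it). It assumes Windows PowerShell 3.0 or later, an elevated session (the Security log requires one) and, for 4724 to exist at all, that “Audit User Account Management” is enabled on the target.

```powershell
# Added example, not from the original article: find the event log traces
# left by the kinds of actions pspasswd, psservice and psshutdown perform.
# Assumes Windows PowerShell 3.0+, an elevated session, and account-management
# auditing enabled on the target (otherwise 4724 is never written).
function Find-PsToolsFootprints {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Which log and event ID correspond to which action from the article.
    $probes = @(
        @{ Log = 'Security'; Id = 4724; Tag = 'account password reset (what pspasswd does)' }
        @{ Log = 'System';   Id = 7036; Tag = 'service start/stop (what psservice does)' }
        @{ Log = 'System';   Id = 1074; Tag = 'shutdown or reboot request (what psshutdown does)' }
    )

    foreach ($p in $probes) {
        $filter = @{ LogName = $p.Log; Id = $p.Id; StartTime = $since }
        try {
            $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events" is an empty result, not a failure; let real errors
            # (access denied, RPC unreachable) surface so a silent gap is not mistaken for a clean log.
            if ($_.Exception.Message -match 'No events were found') { continue }
            throw
        }
        foreach ($e in $events) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $e.MachineName
                Id       = $e.Id
                What     = $p.Tag
                # First line of the description: for 1074 it names the process and
                # user behind the shutdown, for 7036 the service and its new state.
                Detail   = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Usage:
#   Find-PsToolsFootprints -ComputerName WIN2K2 -Hours 48 |
#       Sort-Object Time | Format-Table -AutoSize
```

Event 7036 is noisy on a busy server, since every service transition writes one; narrow it with something like `Where-Object { $_.Detail -match 'Spooler' }` when you are chasing one service. A gap in these logs is itself worth noting, because clearing a log is one of the options psloglist’s help lists.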
pssuspend
The last tool we will look at in the PsTools suite is pssuspend. You might recall my comment earlier that many of the tools we have seen over the past several articles are complementary in nature. This last tool is an excellent example of that: to use it effectively you need to invoke another tool, pslist.
Figure 5
If you recall, pslist gives you a listing of all running processes. It also supplies another much-needed nugget of information: the PID, or process ID. With that PID in hand you can use pssuspend to suspend or resume a specific process. This tool is another excellent example of not only the versatility of the PsTools suite, but also its simple functionality.
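The pslist-then-pssuspend workflow just described has one trap worth guarding against: a process name often maps to several PIDs, and pssuspend acts on exactly one. As an added example (not part of the original article or of the Sysinternals suite), the function below resolves the name to a PID with Get-Process, the built-in counterpart of pslist, refuses to continue when the name is ambiguous, and only then hands the PID to pssuspend. It assumes pssuspend.exe is on the PATH, that the Sysinternals release in use understands -accepteula, and that pssuspend returns a non-zero exit code on failure.

```powershell
# Added example, not from the original article: the pslist -> PID -> pssuspend
# workflow with an ambiguity check in the middle. Assumes pssuspend.exe is on
# the PATH, accepts -accepteula, and exits non-zero on failure.
function Suspend-ProcessByName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        # With -Resume, run "pssuspend -r", which continues a suspended process.
        [switch] $Resume
    )

    # Step 1 (the pslist part): resolve the name to a PID.
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { throw "No running process named '$Name'." }
    if ($procs.Count -gt 1) {
        # Several instances: refuse rather than guess which one was meant.
        $list = ($procs | ForEach-Object { $_.Id }) -join ', '
        throw "Ambiguous name '$Name' (PIDs $list); pick a PID and pass it to pssuspend directly."
    }
    $targetPid = $procs[0].Id

    # Step 2 (the pssuspend part): no switch suspends, -r resumes.
    $psArgs = if ($Resume) { @('-accepteula', '-r', $targetPid) } else { @('-accepteula', $targetPid) }
    & pssuspend.exe @psArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "pssuspend exited with code $LASTEXITCODE for PID $targetPid" }

    [pscustomobject]@{
        Name   = $Name
        Pid    = $targetPid
        Action = $(if ($Resume) { 'resumed' } else { 'suspended' })
    }
}

# Usage:
#   Suspend-ProcessByName -Name notepad
#   Suspend-ProcessByName -Name notepad -Resume
```

A suspended process keeps its memory and handles but gets no CPU time, so it is a gentler alternative to pskill when you want to stop something misbehaving long enough to investigate it and then let it continue.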
Wrapup
There are a lot of excellent freeware tools out there to be had. All you need to do is spend a little quality time with them in order to leverage their usefulness. I have written before that when it comes to computer security or system administration, many of the tools can be used for either good or bad. The end state of most malicious hackers is to have the ability to control a computer. A clear design goal of many sys admin tools is the very same: the ability to control a computer. Bearing this in mind, it makes sense to look at specific tools from another point of view.
The PsTools suite is a perfect example of the double-edged functionality that most computer tools have. As we have seen, the tools in this suite perform very well, and do so from the command line. The bulk of computer network breaches result in the attacker having a reverse shell. After all, it is not as if the majority of attackers get an explorer.exe shoveled back to them. This is why it is very important to get comfortable with the cmd.exe session, since most hacking tools will be controlled via one. Well, as always, I hope this article series was of use to you, and I welcome your feedback. Till next time!