If you missed the other parts in this article series please go to:
We left off in part 1 of this article series having covered only a small portion of the tools available in the PsTools suite. What we shall now do is carry on with looking at the remainder of this wonderful tool set. I will not be using Metasploit in this article, but rather running the tools natively on a computer via a cmd.exe session. So on that note let’s get back to it. To get in the mood we now need to begin thinking like the opposition, i.e. the malicious hacker. What type of things does a malicious hacker want to know about your network or a particular computer? Well, one of the very first things that comes to mind is system information. Once that person with ill intent has found a way onto a computer in your network, they would like to gather some preliminary information. Of great interest to them are system details. One way for them to do so quickly and easily is to use the psinfo tool.
psinfo
One of the best tools in the PsTools suite is psinfo. This little program will give you a list of most of the information that you would ever require. A specific example of that would be the computer's uptime. A computer's uptime is really rather important, as it can indicate whether a specific patch has actually taken effect on that computer or not: a patch that requires a reboot cannot be in effect if the machine has not rebooted since the patch was released. If it has not, then that computer would be ripe for exploitation via a specific vector. For example, a new remote code execution exploit has been released for Microsoft Windows. Microsoft issued a patch for it two days ago. The computer uptime listed on this computer is four days, however. That information would allow you to know that the computer was vulnerable to that exploit. Give the below noted screenshot a look.
Figure 1
Other key information available to you would be the operating system itself, the specific build number, and what service pack was installed, if any. As you can see from the above screenshot, this tool will output a tremendous amount of vital information. One could get this information in a variety of other ways, but having the ability to get it quickly and simply with psinfo is very, very handy.
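To turn the uptime-versus-patch reasoning above into a repeatable check, here is an added Python example (not part of the original article or of the PsTools suite) that parses psinfo-style output, works out the last boot time from the reported uptime, and flags hosts that have not rebooted since a given patch release date. The sample output is constructed in the layout psinfo prints, and the host name, dates and the assumption that the patch needs a reboot are all my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of psinfo output; not captured from a real host.
SAMPLE_PSINFO = """\
System information for \\\\WORKSTATION01:
Uptime:                    4 days 3 hours 12 minutes 5 seconds
Kernel version:            Microsoft Windows XP, Uniprocessor Free
Product type:              Professional
Product version:           5.1
Service pack:              2
Kernel build number:       2600
"""

def parse_psinfo(text):
    """Return a dict of the 'Key: value' lines in psinfo-style output."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("System information"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_uptime(value):
    """Convert '4 days 3 hours 12 minutes 5 seconds' into a timedelta."""
    units = {"day": "days", "hour": "hours", "minute": "minutes", "second": "seconds"}
    kwargs = {}
    for num, unit in re.findall(r"(\d+)\s+(day|hour|minute|second)s?", value):
        kwargs[units[unit]] = int(num)
    return timedelta(**kwargs)

def last_boot_time(psinfo_text, captured_at):
    """Derive the last boot time; captured_at is the ISO 8601 time at which
    psinfo was run on the host (uptime is only meaningful relative to it)."""
    fields = parse_psinfo(psinfo_text)
    return datetime.fromisoformat(captured_at) - parse_uptime(fields["Uptime"])

def booted_before_patch(psinfo_text, captured_at, patch_released):
    """True when the host last booted before the patch came out, so a
    reboot-requiring patch released since then cannot have taken effect."""
    return last_boot_time(psinfo_text, captured_at) < datetime.fromisoformat(patch_released)

if __name__ == "__main__":
    # Article scenario: patch out two days ago, host up four days -> needs review.
    captured, patch = "2008-03-10 12:00:00", "2008-03-08"
    print("last boot:", last_boot_time(SAMPLE_PSINFO, captured))
    print("booted before patch:", booted_before_patch(SAMPLE_PSINFO, captured, patch))
```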
pslist
Another pretty darn handy tool in this suite is pslist. This program will give you a list of exactly what is running on the computer you invoke it on. Can you think of a use that a malicious hacker would have for such a program? Well for one, they may want to see if you have an anti-virus solution running on that computer. That, or any other program of particular interest to them. Take a look at the screenshot below for the tool's output.
Figure 2
In other words, the information obtained via this program can provide a treasure trove for one with malicious intent. Conversely, the system administrator can make use of this tool's output as well. One simple example is a user complaining that a specific application is not running on their computer. A quick check of this tool's output on that person's computer will help the sys admin find the fault that much quicker.
pskill
The use of this tool is pretty easily guessed once you see its title. What this tool will do for you is allow you to kill processes either locally on your computer, or on remote ones. The remote use of this tool is likely one of the reasons why a hacker would like it. Just as we saw above, pslist will give a very nice list of all running processes. From that list a person with malicious intent may decide to kill a process that would hamper their plans.
Figure 3
As I alluded to in part 1 of this series, some of these tools are very much complementary. This is a perfect case where pslist and pskill are a natural fit. They can be used for legitimate purposes as well as nefarious ones. Quite a few advanced trojans out there have this type of functionality built into them. Those trojans will check running processes on a victim computer and automatically kill any anti-virus and firewall solutions running on them. Not only that, but the trojans will also continually check to see if the security software has restarted, and if so, will kill it again. Rather robust isn’t it! Should you wish to see an example of such a trojan then please give this article series a read.
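Both the sys admin use of pslist (is an expected program running?) and the kill-and-restart behaviour just described can be checked from pslist output. The following is an added Python example, not code from the article or from the PsTools suite: it parses pslist-style output and reports expected security processes that are missing, or whose elapsed time is far shorter than the host's, which is what a process that was killed and then restarted looks like. The sample output is constructed, and "avguard" and "fwsvc" are placeholder names for a hypothetical anti-virus and firewall process.

```python
from datetime import timedelta

# Constructed sample in the style of pslist output; avguard/fwsvc are placeholders.
SAMPLE_PSLIST = """\
Process information for WORKSTATION01:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0   10:51:58.234     0:00:00.000
System                4   8  57  492      0    0:00:14.609     0:00:00.000
smss                344  11   3   21    164    0:00:00.031    10:52:01.187
winlogon            416  13  19  519   6916    0:00:01.953    10:51:57.843
lsass               472   9  21  343   3544    0:00:01.406    10:51:57.187
avguard            1204   8  14  210   9840    0:00:02.500     0:03:12.406
explorer           1388   8  11  402  12016    0:00:05.312    10:49:30.031
"""

def parse_elapsed(text):
    """'10:52:01.187' -> timedelta of 10 h 52 min 1.187 s."""
    h, m, s = text.split(":")
    return timedelta(hours=int(h), minutes=int(m), seconds=float(s))

def parse_pslist(text):
    """Return {process name: elapsed time} for every row below the header."""
    procs, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Name"):
            in_table = True          # column header reached; rows follow
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        procs[parts[0]] = parse_elapsed(parts[-1])   # last column is Elapsed Time
    return procs

def check_security_processes(pslist_text, expected, recent=timedelta(minutes=10)):
    """Flag expected processes that are absent, or that started within `recent`
    on a host that has been up much longer (a restart after being killed)."""
    procs = parse_pslist(pslist_text)
    host_uptime = max(procs.values())   # longest-lived process approximates boot time
    findings = {}
    for name in expected:
        if name not in procs:
            findings[name] = "missing"
        elif procs[name] < recent < host_uptime:
            findings[name] = "restarted recently"
    return findings

if __name__ == "__main__":
    print(check_security_processes(SAMPLE_PSLIST, ["avguard", "fwsvc", "lsass"]))
```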
psloggedon
Another handy little tool in this excellent toolkit is psloggedon. Can any of you think of why this might be handy to a malicious hacker? Let’s take a look at the screenshot below to see if anything bubbles up idea wise.
Figure 4
Well, if I was someone who had just broken into a computer, either remotely or locally for that matter, I would want to know who is logged in, beyond myself that is. If I had invoked this tool on a remote computer that I had just TFTP’d the program over to, then I for one would certainly be disconcerted to see the administrator logged in! Seeing that administrator would prompt me to disconnect immediately and come back at a later time. Loitering about on a computer whilst the sys admin is logged in would be akin to breaking the law in front of a policeman. Not a good idea at all, as you are just asking to get caught. Lastly, the timestamp listed for the logged on user can be helpful as well, as this would tell you if someone logged in after you had breached that computer or if they had been there all along.
Wrapup
Well, so far we have seen that some of the tools within the PsTools suite are quite complementary in nature. That functionality appeals to both the sys admin and malicious hacker alike. This is the very reason why learning how to use them, and also predicting their possible use, is of enormous benefit to you as a sys admin who is trying to keep your network secure from both remote and local threats. Should you be worried about local threats, as I sincerely hope you are, then it would be a very good idea to deny users access to cmd.exe on their workstation. While this isn’t a complete solution, it certainly goes a long way towards protecting your network from the threat of the disgruntled employee who is looking for some payback. You can definitely help lock down access to trouble spots such as a command prompt via the use of group policy objects, aka GPOs. For a good article on GPO and the security settings available to you, please give the following article by Derek Melber a read. On that note, I will break the article here and in part 3 will finish looking at the remaining tools in the PsTools suite.