The Windows operating system provides different ways to manage remote systems; Telnet, RDP and VNC are some of them. But these options are generally bound to a graphical user interface. If we prefer a command-line interface, there is an alternative named Psexec.
Psexec is actually a toolset consisting of the following tools.
PsExec: used to execute commands on a remote system or get a shell from it
PsFile: used to list files and folders on the remote system
PsGetSid: used to display the security identifier of a remote computer or user
PsInfo: used to get detailed information about the remote system
PsKill: used to kill a process on the remote system by name or ID
PsList: used to list processes in detail on the remote system
PsLoggedOn: used to list logged-on users on the remote system
PsLogList: used to list event logs residing on the remote system
PsPasswd: used to change a given user's password on the remote system
PsPing: used to ping from the remote system
PsService: used to list and manage Windows services on the remote system
PsShutdown: used to shut down, log off, suspend and restart the remote Windows system
PsSuspend: used to suspend and resume processes on the remote Windows system
PsUptime: used to display the remote system's uptime
Most of these tools are provided for both 32-bit and 64-bit architectures. The binaries can be used accordingly.
Download Psexec Tools
PStools is developed by Mark Russinovich and can be downloaded from the following link. PStools is part of the “Sysinternals” suite, which provides a lot of tools for system management and system internals. PStools can be downloaded from the Sysinternals web site.
https://download.sysinternals.com/files/PSTools.zip
Run Command On The Remote System
The most basic usage of the Psexec command is simply running a command on the remote system. In order to run a command on the remote system, we should provide a user name and password together with the command to be run. The syntax of Psexec is as below.
psexec [Computer_name or IP] [options] [command] [command_arguments]
In this example we will run the ipconfig command on the remote system whose IP address is 192.168.122.66. The username is Administrator and the password is 123456Ww.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww ipconfig

As we can see, the command is executed on the remote system without any problem.
Redirect Psexec Command Output
After running the command on the remote system, the command output is printed to the current standard output, which is our current shell. This output can be redirected into a file with >. If we have a lot of remote systems to run the command on, this option is very useful.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww ipconfig > 192.168.122.66_ifconfig
In this example the ipconfig command output is saved into the file named 192.168.122.66_ifconfig.
Pass The Hash
In the previous example we provided the user password. The clear-text user password is not the only option: we can also provide the hash value of the user token. In the following example we provide the hash of the user token.
$ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t ipconfig
Copy Command From Local To The Remote System
Running commands on the remote system is a very useful feature, but there is another useful feature that will ease the jobs of system administrators and pen-testers. Psexec can be used to copy the command from the local system to the remote system. We will use the -c option to copy. Once the command finishes, the remote copy is deleted.
In this example we will copy cmd.exe. After the copy operation is finished, cmd.exe will be started on the remote system.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -c cmd.exe

As we can see, we get a cmd shell on the remote system.
Run Command As System User
While running commands on the remote system, the privileges and the process owner will be those of the provided user. If we need to change the owner of the remote command to the System user, we provide the -s option.
In this example we will use regedit.exe.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -s regedit.exe
Run GUI Application On The Remote System
Windows operating systems provide a GUI by default. Psexec can be used to open a GUI application on the remote system in the specified user's console. The user console simply means the user's desktop.
In this example, we will start notepad.exe on the remote system. The remote system's Administrator user can interact with this notepad.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww -i notepad.exe

We will get our local shell back after the remote user closes the notepad. After it is closed, the exit code is printed to the psexec console.
Create Interactive Shell On The Remote System
Up to now we have run commands remotely. After the execution of the command finished, the connection to the remote system was closed. This is like a session connection. Psexec also provides a remote shell or command line: Psexec connects to the remote system and gives us an MS-DOS-style shell. In order to get a remote shell, we provide cmd.exe as the command to run on the remote system.
$ psexec \\192.168.122.66 -u Administrator -p 123456Ww cmd.exe

Run Regedit With System Privileges
The Windows registry can be managed with the GUI tool named “Regedit”. Regedit can be opened as the current user, but in some cases editing the local system registry with “System” privileges is required. We can open “Regedit” with system privileges using the following psexec command.
$ psexec -s -i regedit.exe
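Added example, not from the original post: every psexec run shown above (including the local one just given) is carried out on the target by a temporary Windows service named PSEXESVC, so it leaves a Service Control Manager "service installed" event (ID 7045) in the System log and, where Sysmon logs pipe events, a pipe-creation event (ID 17) for the \PSEXESVC named pipe. The Python below scans a constructed JSON-lines export of such records (host names, field names and the heuristic are this example's own assumptions) and flags those artifacts; the Windows-directory heuristic also catches a PsExec-style service running under a non-default name.

```python
import json
import re

# Constructed sample of event records exported as JSON lines (one object per
# line). The field names are this example's own flattening, not Windows' native
# schema; the event IDs and artifact names are the real ones PsExec produces.
SAMPLE_EVENTS = r"""
{"log": "System", "event_id": 7045, "host": "WS01", "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"log": "System", "event_id": 7045, "host": "WS01", "service_name": "Spooler", "image_path": "%SystemRoot%\\System32\\spoolsv.exe"}
{"log": "System", "event_id": 7045, "host": "WS02", "service_name": "updsvc", "image_path": "%SystemRoot%\\updsvc.exe"}
{"log": "Sysmon", "event_id": 17, "host": "WS02", "pipe_name": "\\PSEXESVC", "image": "C:\\Windows\\updsvc.exe"}
{"log": "Security", "event_id": 4624, "host": "WS01", "logon_type": 3, "user": "Administrator"}
"""

# Heuristic (assumption): a service binary sitting directly in the Windows
# directory (the ADMIN$ share root, where PsExec drops its service) rather than
# in System32 is unusual and worth a look even if the name is not PSEXESVC.
_ROOT_EXE = re.compile(r"^%SystemRoot%\\[^\\]+\.exe$", re.IGNORECASE)


def psexec_indicators(jsonl):
    """Return (host, reason) tuples for records that look like PsExec use."""
    hits = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        host = ev.get("host", "?")
        if ev.get("log") == "System" and ev.get("event_id") == 7045:
            name = ev.get("service_name", "")
            path = ev.get("image_path", "")
            if name.upper() == "PSEXESVC" or "PSEXESVC" in path.upper():
                hits.append((host, "PSEXESVC service installed (default PsExec service name)"))
            elif _ROOT_EXE.match(path):
                hits.append((host, f"service {name} installed from {path}; possible renamed PsExec service (heuristic)"))
        elif ev.get("log") == "Sysmon" and ev.get("event_id") == 17:
            if "PSEXESVC" in ev.get("pipe_name", "").upper():
                hits.append((host, f"PsExec named pipe {ev['pipe_name']} created by {ev.get('image')}"))
    return hits


if __name__ == "__main__":
    for host, reason in psexec_indicators(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```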
Psexec Tools
Up to now we have generally provided commands to run on remote systems. For a system administrator, daily operations do not change frequently. The Psexec toolkit provides some simple commands that run directly without adding a command as a parameter. We will look at these tools below.
List Files On The Remote System With PsFile
The PsFile command can be used to list or close opened files. The syntax is very similar to the PsExec command. In this example we will list files located at C:\Users\ on the remote system.
$ psfile \\192.168.122.66 -u Administrator -p 123456Ww

List SIDs On The Remote System With PsGetSid
A SID is used to identify Windows users in a more detailed fashion. We can list the SID of the provided user with the PsGetSid command like below.
$ psgetsid \\192.168.122.66 -u Administrator -p 123456Ww

Get Remote System Information With PsInfo
PsInfo is a tool used to get remote system information such as uptime, version, Windows variant etc.
$ psinfo \\192.168.122.66 -u Administrator -p 123456Ww

The following information about the remote system is provided by PsInfo:

Uptime: shows how many days and hours the system has been running
Kernel Version: shows the operating system kernel
Product Type: shows the version of the operating system
Product Version
Kernel Build Number
Registered Organization
Registered Owner
IE Version: shows the Internet Explorer version
System Root: shows where the operating system is installed
Processor: shows the processor or thread count
Processor Speed
Processor Type: shows the detailed processor version and name
Physical Memory
Video Driver: shows the currently loaded driver name
List Processes On The Remote System With PsList
Processes running on the remote system can be easily listed with the PsList command.
$ pslist \\192.168.122.66 -u Administrator -p 123456Ww

The output provides the following information about remote system processes:

Name: the executable file name
Pid: the process ID, which identifies the process
Pri: the priority, which affects process performance under heavy load
Thd: the thread count
Hnd: the count of opened file handles
CPU Time: the total CPU resources used, expressed as time
Elapsed Time: the time since the start of the process
Kill Process On The Remote System With PsKill
Processes running on the remote system can be easily killed with the PsKill command. In order to kill a process we should provide the process ID or process name as an argument. We will kill the remote process with process ID 2064.
$ pskill \\192.168.122.66 -u Administrator -p 123456Ww 2064

We get a message saying Process 2064 on 192.168.122.66 killed.
List Event Logs On The Remote System With PsLogList
Remote system logs can be dumped to the local system easily with the PsLogList command. If we use this command without any extra parameter, it dumps all event logs from the remote system, which will flood the command line. So for this example we will limit it to the last 5 minutes of event logs with the -m option.
$ psloglist \\192.168.122.66 -u Administrator -p 123456Ww -m 5

Change Password On The Remote System With PsPasswd
Remote system users' passwords can be changed easily with the PsPasswd command. In this example we will change the Administrator user's password to 123456Aa.
$ pspasswd \\192.168.122.66 -u Administrator -p 123456Ww Administrator 123456Aa

Ping With PsPing
Another useful tool is PsPing, which creates ICMP packets to ping a host. This command runs on the local system.
$ psping google.com
Manage Services On The Remote System With PsService
The PsService command is used to list, start and stop services on the remote system.
List Services
We can list remote services with the query option.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa query

Start Service Remotely
A remote service can be started with the start option. In this example we will start the service named ALG.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa start ALG

After the service starts, information about the service is printed.
Stop Service Remotely
We will stop the ALG service in the following example.
$ psservice \\192.168.122.66 -u Administrator -p 123456Aa stop ALG

Shutdown, Reboot, Suspend Remote System With PsShutdown
The remote system can be shut down with the PsShutdown command like below.
$ psshutdown \\192.168.122.66 -u Administrator -p 123456Aa -k
Translated from: https://www.poftut.com/use-psexec-tools-run-commands-get-shell-remote-windows-systems/