Solved

PSExec runs with any or no credentials after running once.

Posted on 2007-11-22
7
1,128 Views
Last Modified: 2013-12-04
Hi,

After a fair amount of hassles and great advice from EE users, I was able to run a vbscript on a remote server. ( http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_22789041.html )

It works so wel now that it'll work with any username and pasword or even no username & password.

C:\Windows\System32\PSExec.exe \\192.168.10.111 wscript \\192.168.10.111\Export$\Export.vbs -accepteula -e -u 666666666666666 -p 9999999999999999999999

This code works even though the user doesn't exist. ?!?!?!?

PSExec seems to have locked the credentials or is using the system account.
The import results in Exact shows that it worked.

I have tried stopping the psexec service on the remote Win2K3 server and tried running the command again. This gave me the same result.
I am connected via a Cisco VPN client, which users different credentials than the ones the script should be using.

Anyone know what's happening?

0
Comment
Question by:DennisPost
  • 3
  • 2
  • 2
7 Comments
 
LVL 8

Assisted Solution

by:ubig
ubig earned 250 total points
ID: 20334615
Run at command line command NET USE. If you see connection to \\RemoteServer\IPC$ or to any RemoteServer disk drive, remove it by typing net use \\RemoteServer\IPC$ /del. Could be that somehow interprocess communication channel is created so you have to deactivate it.
0
 
LVL 2

Author Comment

by:DennisPost
ID: 20334735
Hi,

Thanks for commenting. :-)

Net use doesn't display any \IPC$

It does display \\192.168.10.111\Export$. I run "net use \\192.168.10.111\Export$ /del" and successfully removed it.
Windows explorer no longer allows me to connect to it. It cannot find it or I might not have permissions to it. It does not promt me to enter a username and password.

When I run the command again I get:
Couldn't access 192.168.10.111:
The specified user does not exist
This is also returned when using the administrators account and another non-admin account.

The VPN connection is still open.
I can ping the remote machine.
RDP to the remote machine works fine.
0
 
LVL 8

Assisted Solution

by:ubig
ubig earned 250 total points
ID: 20334893
Check if PSEXEC command works locally on the LAN to find out if that could be a VPN problem or local computer problem. If it works locally then it is very likely that your VPN connection somehow blocks Windows authentication. Try to open up everything for your VPN connection on router side and locally. If you are using domain accounts then you have to ensure you can reach all your domain controllers as they provide authentication and you can't tell in advance which one will. You could also try PSEXEC with remote server local account if that is not a domain controller (they don't have local accounts).
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 2

Author Comment

by:DennisPost
ID: 20404328
Sorry for the delay.

PSEXEC works fine on the lan.
I have no rights to do anything ith the VPN box.
All DCs are available.

I just used Process Monitor to find out what is going on.
The file I am starting imports financial data into a financal system.
The information does go into the system but does not save the XML with failed invoices in the right place.
For some reason it is saving it in the my documents folder of Default User. Instead of the my documents folder of the user used with PSExec.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 250 total points
ID: 20522834
Hi Dennis, would it be possible that you have some sort of cached credentials for the 192.168.10.111 resource?  Check in Control Panel --> User Accounts --> Manage User Accounts and see if there are any cached credentials for that resource.  If there is, remove them and try again.

Secondly, I would check the share and NTFS permissions on the Export$ share on 192.168.10.111.
The Share permissions should be Everyone at Full Control, and the NTFS permissions should be set as restrictive as you need it.  My guess would be that the share may be allowing even non-authenticated users to access it.

Lastly, if that is still not an issue, I'll take a look again at the export.vbs file and see if that may be somehow writing to a non-explicit folder (resulting in the Default User thing).

Regards,

Rob.
0
 
LVL 2

Author Comment

by:DennisPost
ID: 20523922
Hi Rob,

Thanks for the idea's.
I have indeed check both share & ntfs permissions. I have also used Process Monitor to monitor everything on the server. I could see that the script was being run as the expected user but Exact was still dumping the xml in the wrong place.

I have decided to work with this problem instead of against it.
Exact version 380 will allow me to place the xml file with failed invoices in any location I choose.
In the meantime I will just pick up the failed invoices xml from the unexcpected location.

I will close and accept your answers because of the very usefull troubleshooting tips. :-)

Thanks again guys !!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 20526719
No problem.  I hope you can make it run smoothly.

Regards,

Rob.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Transparency shows that a company is the kind of business that it wants people to think it is.
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now