Hey, I know remote execution has been discussed a lot in the forum. I have seen udf's RemoteExec() and fnRemoteExec()… So I decided to use the methods to execute commands on a remote client. Something like Radimus's REM. Some remote DOS console which could execute commands on the remote machine. Due to the fact that the remoteexec process has no network permissions, I followed the suggestion to include the commands in a batch file, copy it to the remote machine and then execute the batch file using remoteexec. The environment is W2K SP4 on both local and remote client. The same user with local admin rights is logged on to both clients. The clients are members of an AD domain. The Kix 4.52 Code:
Well, the batch file was copied, but nothing seems to happen after that. I was hoping a CMD window would pop up on the remote client and perform the content of the batch file. What could be wrong or missing?
it runs within the system-account, and therefore nothing pops up.
OK, now I changed the RMTEXEC to fnRemoteExec and provided a domain user and password. Code:
Should this work? 'Cause it doesn't! Same behavior: no action, nothing happens. If I want it to pop up, what should I do then?
Seems that I missed something... I found this comment by Radimus: "The remoteExec acct is SYSTEM, so it has local admin, but doesn't interact with the user at all ... If you want a method of starting apps or files remotely in the user context, the best bet is to make a client script that starts from STARTUP or HKCU\...\run (runs as current user) that monitors a special folder, where you can remotely push commands / scripts" If I have understood this right, it means that RemoteExec is limited to some local & silent commands... like "net send". If so, then is it possible to remotely change/create a process on the remote client to interact with the user/desktop, and then use RemoteExec? Could you explain what/how this means, any sample? "...that monitors a special folder, where you can remotely push commands / scripts"
Appreciate it if someone could pay some attention to this…
what you would want to do is make a "special folder" on the user's machine. make a script that is launched from HKCU\..\run on the user's pc that monitors that folder for the presence of a specifically named bat file (pushed.bat or whatever). If it exists, run the bat then delete the contents of the special folder.
Ok, I got it. Although it's not a remote execution procedure. Radimus, your comment that the RemoteExec() udf is limited to local & silent commands... Is there any list of which commands could be performed by the RemoteExec() udf?
it can do any command. The issue is whether the command requires interaction, which it cannot receive nor will the current user see or interact with it. If you are passing a name and password, it can have access to network resources, otherwise the resources must be local. When you remoteexec, it is then running in a separate user context and as such will have its own environment (think of a terminal server session). The issue is what you are trying to make it do. To be of more help, what is it that you are trying to do? Are you trying to make the user respond to a prompt of some sort? Or are you trying to run a command that requires input from the user?
Glad to have your response Rad. My early intention was to create a console which could remotely execute any DOS/Batch command on a remote client. This could be very useful. It could remotely execute a setup or uninstall procedure for software on a remote client. E.g. sending and executing this would run the uninstall for ASE: "C:\Program Files\iTripoli\AdminScriptEditor\unins000.exe" Of course the uninstall window would pop up and the user would have to choose to continue uninstalling or abort it. Or deliver a batch file containing necessary data for software setup, then remotely execute the batch file on the remote client. Or creating a local account on the remote client using "net localgroup", adding it to the local admin group etc… Depending on what and how the remote execution is performed, it would require user response or input, or be just silent without the user noticing anything. Appreciate your feedback!
many of the installers today have silent switches for scripting purposes... for example MSI installers have uninstall commands in the uninstall key in HKLM\...\uninstall, append a "/q" or "/qb" to the cmd line and away it goes with no prompting. So my point is, the remote execute works fine, it is the command that is executed that needs some work.
Ok, that's what I'm trying to achieve. I have done a simple test. Created a batch file containing the UninstallString from HKLM\...\uninstall: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040} This will generate the uninstall process for J2SE Runtime, which is installed on the target machine. I pushed the batch file to the target machine, C:\Winnt\Temp. Then I used RemoteExec to run the batch file remotely on that target machine. If I understood your point, it won't work because it wants to interact with the user desktop on the target. But it may work if it's run silently using MsiExec.exe "/q" or "/qb". Or is it the batch file which must run under different circumstances? What would you do to make it run on the remote machine? Any samples?
Well, looking here it would appear that others are having trouble silently removing JAVA as well. http://forum.java.sun.com/thread.jspa?threadID=692662&messageID=4025805 Try searching Google or the Sun site to see if you can find any assistance on what command line to use. It has nothing to do with KiXtart or the RemoteExec UDF, they can only run the items for you, but you need to find the correct code to do the silent non-interactive removal process.
Doc, thanks for your input. That was only an example. I have tested this for other installed software too. But same symptoms. I also need to figure out the possible ways to execute CMD commands on a remote machine.
Hi Jazz, I think maybe you're not seeing the overall bigger picture here. The RemoteExec UDF does not support ANY command that requires user interaction either physically or visibly. If you have a list of 10 software titles that you want to remove then you have to find the EXACT proper code to perform the removal silently otherwise it will not work. If you want to have some type of interaction then you might be able to use the tools from http://www.sysinternals.com but unless you have someone sitting on the other side to work with you it wouldn't work either. That is the whole idea of doing remote work is that you can do it on your own without user intervention. Now, something that you "might" be able to do is use RemoteExec to create an INTERACTIVE scheduled application. Again though that sort of defeats the purpose of doing a remote admin script in the first place. If you're going to need interactive then why not just manually do the removal on your own while you're at the desktop.
Thanks for your feedback Radimus and Doc. I think/hope I have finally begun to understand the difference between interactive and non-interactive. Once again I managed to make the subject unnecessarily complex to understand the main point correctly. But happy that I've hopefully learned some about the difference of executing mode, and how it works. Gotta admit that I found the "Remote exec" and "Remote install/uninstall" from Rad's SIM project very attractive and useful. Just thought, wow, remotely executing whatever on a remote client… But now I know what the condition is for such operations. However, if I missed something, happy to receive more of your feedback. BR
Btw, some time ago I did a quick test of sysinternals PSEXEC. That was to remotely log off a user... But I found using WMI more interesting... Please do advise if you have done similar operations such as remote execution, installing/uninstalling using psexec.
    MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040} /q
    msiexec.exe /update OUTLOOKff.msp /qb-!
    WindowsMedia10-KB911565-x86-enu /passive
    J2SE_Runtime5.0_Update1.msi /qb-! WEBSTARTICON=0 SYSTRAY=0 JAVAUPDATE=0 IEXPLORER=0 REBOOT=Suppress
    msiexec /x $setup\ess\setup.msi /qb-!
Wow Rad, that's how the non-interactive silent mode could be executed remotely on a remote machine. Have to test all these. U R D Man
http://www.msfn.org/board/index.php?s=b9c8e180627730363494a2b7c02aa3cc&showforum=80
http://www.msfn.org/board/index.php?showtopic=20502
Very useful links indeed, thanx a lot Rad…. The uninstall works very good, as it should…. I have one more silly Q: Below will not work because the application to be installed on the remote client is located on a network share. Msiexec.exe /I \\Appserv\StandardApps\Acdsee\Acdess.msi /quiet Will it work if the network share is mapped as a network drive on the remote machine? Any suggestions/recommendations?
how will it not work? if you type it in start menu -> run, it doesn't work?
Yes of course it will work, if you run it manually on the remote machine…. I'm using RemoteExec to execute it remotely on a remote client. Rad's comment is: "If you are passing a name and password, it can have access to network resources; otherwise the resources must be local." So I'm trying to find how to execute it using remoteexec() on the remote client
k, you gave a username and password for it that has access to network? and the error the udf returns is?
No error! Returned 0 Code:
I played hell trying to get it to access network resources remotely... and I couldn't get much love at all. Therefore I push the files to remote machine and execute it 'local' on the remote PC
Ok, then not much love for me either … So the success conditions using the RemoteExec() udf depend on:
- Commands which can be used in Silent and Non-Interactive mode.
- Commands that do NOT require or call for network resources.
Until Windows turns to Unix!
Sure you can do it now. Push a tokenized script and batch file with Shawn's RUNNAS with an encrypted command to go out to the network and grab or run what you want, then when done delete those files. All is hidden and silent so unless someone is actively snooping on the system the risk of locating or using the credentials is very low.
Quote: Now there is a huge security hole if I ever saw one!
eh, someone spanking the runnas ?
I don't know why DOC is pimping your RUNNAS for insecure use. It's fine for EXEs where you can apply the CRC check, but it does no good to check CRC on KiX32.exe and then let the hacker subvert the process by sub'ing out the script.
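
Les's objection above, shown as an added example that is not part of the thread and is not RUNNAS's own code: an integrity check that covers only the interpreter still passes after the script it runs has been swapped, while a check covering every file the elevated launch loads catches the swap. SHA-256 stands in for the CRC mentioned in the post, and the file and function names are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """Record the approved digest of every file the privileged launch loads."""
    return {os.path.basename(p): sha256_file(p) for p in paths}


def verify_launch(manifest, paths):
    """Return names of files that are unlisted or altered; [] means all match."""
    failures = []
    for path in paths:
        name = os.path.basename(path)
        expected = manifest.get(name)
        if expected is None or not hmac.compare_digest(expected, sha256_file(path)):
            failures.append(name)
    return failures


def demo():
    """Constructed files stand in for the interpreter and the pushed script."""
    with tempfile.TemporaryDirectory() as work:
        interpreter = os.path.join(work, "interpreter.exe")  # hypothetical name
        script = os.path.join(work, "install.kix")           # hypothetical name
        with open(interpreter, "wb") as f:
            f.write(b"constructed interpreter bytes")
        with open(script, "wb") as f:
            f.write(b"constructed approved script")
        exe_only = build_manifest([interpreter])         # covers the EXE alone
        full = build_manifest([interpreter, script])     # covers EXE and script
        # The script is replaced after approval; the interpreter is untouched.
        with open(script, "wb") as f:
            f.write(b"constructed substituted script")
        return (verify_launch(exe_only, [interpreter]),
                verify_launch(full, [interpreter, script]))


if __name__ == "__main__":
    print(demo())
```

The comparison only helps if it runs inside the elevated process immediately before launch and the files sit in a directory the interactive user cannot write to; otherwise the script can still be swapped between the check and the launch.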
Well you tell me who you have working there at your work Les who is sniffing and scanning his/her box 24/7 for remote access like that. Potentially if someone knew you were going to do it maybe, in real life probably a million to one chance that someone would see or know it was happening. If you're that paranoid you could even use a network account that was specific for that task and disable that account after using it to cut down the time window even, and remotely ACL the folder so that the user has DENY on it, but that is still being really PARANOID. But to each his or her own I suppose. As with anything in life there are often risks and one has to judge for themselves what those risks are and if they're willing to take them.
Quote: Me, myself and I... all three of us monitor all traffic on the WAN pipe. I am not a domain admin and if a domain admin were exposing vulnerabilities like you propose, that would soon change because I would leverage the opportunity and elevate myself just to prove a point and to get someone fired.
Gotta admit with Doc... in this particular case, I'm more than willing to take the chance ... So let's do it. How can Shawn's RUNNAS help me? I want to execute this remotely on a remote client (using RemoteExec() udf). MsiExec.exe /i \\Appserv\StandardApps\Acdsee\Acdess.msi /quiet Where do I get Shawn's RUNNAS? What is a tokenized script?
I don't see why you would need to RUNNAS KiX and a tokenized script anyway. Just RUNNAS the installer with the CRC check. Much safer. Seek and you shall find RUNNAS.
Eh, if you subscribe to DOC's security model, then you may as well just use PSExec and make it real easy.
I found the RUNNAS... reading the conversations... Seems that dear Les is into security even there... Well I don't need to RUNNAS the whole kix… I just need RUNNAS for this part of the script… But first I would like to understand what I'm doing, before doing… could be a good idea… hehehe
Ey, don't get me wrong ... It's good to have security brains around which could from time to time remind us about the real world around... But just for this particular case, I found the risk very low in the environment it will be used in... If dear Shawn has done a cool RUNNAS, then I certainly will test that instead of PSExec...
Quote: Okay, sure you do Les. It's like a needle in a haystack. If you have 1,000 machines plus servers and you think you can monitor the Gigabytes of traffic to that level then I think you've just elevated yourself to a GOD like status. Sorry, but unless you wrote a for purpose monitor and knew when this was going to happen it's just impossible to know when a remote call is valid or not and what it's doing. The point here is that Jazz and ONLY Jazz knows he is doing it and when he is doing it. It's not like another Admin or user has a sniffer or protocol analyzer running specifically looking for a packet that contains RUNNAS. Just not realistic for anyone to perform such a task out of the blue without prior knowledge.
ehhh... Why is Shawn suddenly surrounded by monsters, losing his hat!!! And Doc… look suspicious… smells Linux at the corner … Is this because Les is monitoring the Wan …
… ok dudes … back to the subject, if you don't mind… Now I'm completely lost…. Don't really know how to use remoteexec() and RUNNAS together …. Doc suggested "Pushing a tokenized script and batch file with Shawn's RUNNAS…" I tried and did some tests.. no success so far… getting dizzy on this… Could someone give me a hand to solve this? The subject is still to remotely execute this: "MsiExec.exe /i \\Appserv\StandardApps\Acdsee\Acdess.msi /quiet" - on a remote client using both remoteexec() udf and Shawn's RUNNAS. The "msi.bat" contains this: "MsiExec.exe /i \\Appserv\StandardApps\Acdsee\Acdess.msi /quiet"
    $computer = "172.60.10.10"
    $RemotePath = "\\172.60.10.10\c$\winnt\temp\"
    Copy "msi.bat" $RemotePath /C
    $rc = RemoteExec('cmd /c c:\Winnt\Temp\msi.bat', $computer)
While it goes against my principles, I will offer some suggestions. Don't use a BATch file! You need to create a token file for RUNNAS. Copy both RUNNAS and the generated token file to the local PC. RemoteExec RUNNAS and pass the tokenfile as a parm.
Ja, I was just going to pipe-up here as well. Copy the RUNNAS.exe to the remote machine, but I would suggest you leave the tokenization as a last step - get it working with a simple command-line first.
by the way - accessing the remote share using the "pure" remote command strategies (like WMI) does not work - we went down that road before (not sure where the thread is) ... One of the guys we were working with at the time, went to MS with the issue. They came back saying that Windows does not support "passthrough authentication" - which means, a network resource will not trust the credentials from a source that is (really) remoted in from somewhere else. Maybe a bad description but I hope you get my meaning.
Ok, let's see if I got your point…. First I created a tok file like this:
    runnas /user:domain\clientadm "MsiExec.exe /i \\Appserv\StandardApps\Acdsee\Acdess.msi /quiet" /password:silentadm /tok:Test.tok /allowargs
Now I have Test.tok. I copied both Runnas.exe and Test.tok to the target PC root. Then I execute it with RemoteExec():
    $rc = RemoteExec('cmd /c c:\Runnas.exe Test.tok', $computer)
Should this work? It doesn't. I tried to perform it manually on the target PC console:
    c:\Runnas.exe Test.tok
It's not working! What am I doing wrong?
After you run it by hand, if you ECHO %ERRORLEVEL%, what's it say?
If not using %comspec% /c, might want to add the /wait switch too.
It says: 0. The Runnas I got is version 1.14.0.0. Environment W2K SP4.
Try that /wait switch
humm... same ... not working... I put the wait switch like this:
    runnas /user:domain\clientadm "MsiExec.exe /i \\Appserv\StandardApps\Acdsee\Acdess.msi /quiet" /password:silentadm /tok:Test.tok /wait /allowargs
the msi reports in event viewer, says Product Acdsee - installation operation completed successfully.... the %ERRORLEVEL% gives a 0 ...and still no Acdess has been installed....
What happens if you mangle the path to the msi - does it report a failure ?
I would try the old %comspec% /c in front of the msiexec.exe too.
path to the msi ... %comspec% /c in front of the msiexec.exe ... all the same ... just won't work...
    runnas /user:domain\clientadm "%comspec% /c c:\winnt\system32\MsiExec.exe /i \\Appserv\StandardApps\Acdsee\Acdess.msi /quiet" /password:silentadm /tok:Test.tok /wait /allowargs
Take this off: /tok:Test.tok
nop... none of this works .... jazz will give this up for now ... not much fun out of this ...
Quote: ROFLMAO Yes, scripting can be both FUN and FRUSTRATING at the same time.