jtokach
(Seasoned Scripter)
2002-05-16 01:18 AM
Remote Execution - Driving me insane!

Hi there!

With WMI:
-I can, run a process remotely as myself[impersonate].
-I can, run a process remotely as another user.
-I CANNOT run a process remotely as anyone that interacts with any resources outside of the remote box! My head hurts! [Mad]

*Remotely as myself
code:
  
Break On
$RemoteBox = "your remote hostname here" ;No \\
$ServerShr = "\\Server\share"

$RCommand = "cmd /c Dir C:\>c:\output.txt & pause" ;Local Command
;$RCommand = "cmd /c Dir C:\>$ServerShr\output.txt & pause" ;Remote Command Fails

$Connect = GetObject("winmgmts:{impersonationLevel=impersonate}!//$RemoteBox/root/cimv2:Win32_Process")
? @serror
$Process = $Connect.Create($RCommand)
? @serror

If NOT $Process
? "Process executed successfully!"
Else
? "Process failed..."
EndIf

$Connect=""
$Process=""

:END

*Remotely as any user with local admin rights
code:
  
Break On
$RemoteBox = "your remote hostname here" ;No \\
$ServerShr = "\\Server\share"
$ID = "Domain\UserID" ; Use any account with local admin rights
$PW = "Password" ; Obvious security concerns

$RCommand = "cmd /c Dir C:\>c:\output.txt & pause" ;Local Command works
;$RCommand = "cmd /c Dir C:\>$ServerShr\output.txt & pause" ;Remote Command fails

$Connect = CreateObject("WbemScripting.SWbemLocator")
? @serror
$Con2 = $Connect.ConnectServer("$remotebox","root\cimv2","$ID","$PW")
? @serror
$Con3 = $Con2.Get("Win32_Process")
? @serror
$Process = $Con3.Create($RCommand)
? @serror

If NOT $Process
? "Process executed successfully!"
Else
? "Process failed..."
EndIf

$Connect=""
$Process=""
$Con2=""
$Con3=""

:END

Switch the $Commands, in both cases the remote fails... I have been upside down the SDK and the MSDN. I beg of someone, anyone, please, please, please, provide me with the answer! [Frown] I will consider naming my first born after you! (My wife probably won't agree though... [Smile])

I'm desperate!

-Jim

Note: I will UDF these after I figure this last one out.


Sealeopard
(KiX Master)
2002-05-16 01:23 AM
Re: Remote Execution - Driving me insane!

Have you thought of using the Task Scheduler for this? The Task Scheduler can execute under a defined username and can be scheduled remotely. Please take a look at the ScheduleTask() UDF. Oh, and take a look at this thread: http://kixtart.org/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=1&t=003208

I know, it's not COM but it would solve your problem [Wink]

[ 16 May 2002, 01:26: Message edited by: sealeopard ]


jtokach
(Seasoned Scripter)
2002-05-16 01:27 AM
Re: Remote Execution - Driving me insane!

There's actually a freeware that does this exact thing - PSEXEC.EXE (www.sysinternals.com). I'm looking for a com version or scriptable version.

SO CLOSE...

Also, someone has reverse eng it, it temporarily installs a service... [Smile]

PSEXEC reverse


jtokach
(Seasoned Scripter)
2002-05-17 11:58 PM
Re: Remote Execution - Driving me insane!

Anyone out there actually interested in this?

Shawn
Administrator
(KiX Supporter)
2002-05-18 01:49 AM
Re: Remote Execution - Driving me insane!

Crap !

Jim, I was interested in this. I read it last night at home thinking to myself I would try it first thing when I got into work today. Guess there's no way to "fake" this on one lonely home workstation eh ?

-Shawn

[ 18 May 2002, 01:50: Message edited by: Shawn ]


BrianTX
(Korg Regular)
2002-05-20 04:00 PM
Re: Remote Execution - Driving me insane!

I'm interested in this as well...

Brian


jtokach
(Seasoned Scripter)
2002-05-20 05:21 PM
Re: Remote Execution - Driving me insane!

Glad to see you're on board for this guys! I was beginning to think I was all alone on this one... [Smile]

Some keywords that I have been focusing on:
RevertToSelf
coImpersonateClient
coSetProxyBlanket
Delegate -> Possibly the ans. I think this requires Kerberos though...

Unfortunately, I don't think that any of these methods are Kix friendly, except the delegate prop of impersonate. I'm not a programmer by trade either, so it's been 'learn as you go'. From what I have gathered, it seems as though VBS may be a better platform for this. [Frown] Booooo!

Maybe we need to start thinking outside of the bun?

Perhaps create/remove a temp service like the PSEXEC?


BrianTX
(Korg Regular)
2002-05-20 11:06 PM
Re: Remote Execution - Driving me insane!

Here is a link I found to another utility.. haven't tested it out, yet:

http://www.maxcode.com/nuke/article.php?sid=141


jtokach
(Seasoned Scripter)
2002-05-20 11:27 PM
Re: Remote Execution - Driving me insane!

Sweet, but that link is bad... Same app diff location.

http://www.codeguru.com/network/xCmd.html

BTW,

This doesn't work either...

quote:
The service is run under the built-in 'SystemAccount'.
MSDN gives an alternative:
"You could add the REG_DWORD value named "RestrictNullSessAccess" to the following registry key and set it to 0 to allow all null sessions to access all pipes and shares created on that machine. "

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\


Thought that might apply... [Frown]

[ 20 May 2002, 23:35: Message edited by: jtokach ]


Shawn
Administrator
(KiX Supporter)
2002-05-23 04:51 PM
Re: Remote Execution - Driving me insane!

Jim,

Any revelations on this ? Can't see why this isn't working to be totally honest, everything seems to be in place. When you look at the owner or username attached to the remote process, it shows up as the same credentials as supplied in the script... it doesn't seem to be running under the system context anyways, hmmm.... any more thoughts ?

-Shawn

p.s. I was hoping this would have helped matters, it's an object we can pass as part of the create method:

Win32_ProcessStartup

but it doesn't seem to hold any answers to the problem ...

-Shawn

[ 23 May 2002, 16:57: Message edited by: Shawn ]


jtokach
(Seasoned Scripter)
2002-05-23 05:13 PM
Re: Remote Execution - Driving me insane!

Shawn,

When I was reviewing your previous post I came across Win32_PrivilegesStatus. We may be able to use this to at least find out why access is denied...

http://msdn.microsoft.com/library/en-us/wmisdk/r_32os4_27cj.asp

-Jim


Shawn
Administrator
(KiX Supporter)
2002-05-24 04:52 AM
Re: Remote Execution - Driving me insane!

Jim,

I looked at this quite a bit today - with no luck. You know, the issues surrounding this whole remote process thingy remind me of the same issues we get when running a batch file under the AT scheduler, you know - no user context. Having said that (and don't laugh) I tried changing the Windows Management Instrumentation service to have it run under a Domain User Account, but it wouldn't stick - something about dependencies with other WMI services. I know this sounds drastic, but was just trying to perform a test, have you tried giving the WMI service itself some credentials ?

-Shawn


jtokach
(Seasoned Scripter)
2002-05-24 03:44 PM
Re: Remote Execution - Driving me insane!

Shawn,

LOL! I've been down that road already! I didn't want to bring it up in fear that I would be laughed off the board! [Smile]

Here's our problem... I tried setting the $RCommand to "cmd /c net use z: \\server\share /persistent:no & pause" and sure enough... System Error 1312

This MSKB describes and also hints towards delegation. Unfortunately, without kerberos, this is worthless.

This is beginning to look like an exercise in futility...

quote:


When you use Telnet to map a drive letter to a network share, the procedure may not work and the following error message may be displayed:

A specified logon session does not exist. It may already have been terminated.
NOTE : This problem does not affect Telnet sessions for which the user authentication method is clear text.

CAUSE
This issue occurs when you open a Telnet session to a computer running Windows NT Server using the NTLM authentication method. You cannot then, from within the Telnet session, connect to network resources using your implied user credentials. You must explicitly specify your credentials when making network connections from within the Telnet session.

There is no mechanism in Windows NT to perform delegation of security (pass through) for network logon attempts.

For example, if you log on to the network using NTLM from computer A to computer B, and then type "net use" at a command prompt to connect to computer C from computer B, the connection is not made. The reason is that computer B has an incomplete user token (it does not have your password), so the logon attempt to computer C does not work. This behavior is rooted in NTLM being a challenge/response protocol, and as such, it avoids sending your password across the network.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q214726


Netsuper
(Getting the hang of it)
2002-06-18 07:51 AM
Re: Remote Execution - Driving me insane!

Hello Jim,
I posted this a while back, it's a script that loads when the user logs on (dunno if that's a limitation for you or not), allowing you to make them run ANY script at ANY time. Don't know if it's what you're looking for or not? You could execute a RUNAS script from this and have it authenticate to the domain?

http://81.17.37.55/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=2&t=001695&p=


cj
(MM club member)
2002-06-18 09:24 AM
Re: Remote Execution - Driving me insane!

jtokach said:

...From what I have gathered, it seems as though VBS may be a better platform for this. Booooo!...

If you get this working in VBScript, please let me know. I have spent all day on this and am about to s(h)ell out to dos?! [Mad]

cj


Lonkero
Administrator
(KiX Master Guru)
2002-06-18 09:27 AM
Re: Remote Execution - Driving me insane!

ceej,
don't be so mad...
if everyone else (vbs/js) gives you up, your old friends (kix/dos) never!
You can always go to them!


jtokach
(Seasoned Scripter)
2002-06-18 04:29 PM
Re: Remote Execution - Driving me insane!

See posts 20-22 of this thread:

WSHPIPE related

I haven't started looking into it again yet, but I will when I get some free time...

-Jim


JSchroeder
(Fresh Scripter)
2002-06-25 12:17 AM
Re: Remote Execution - Driving me insane!

I'm in this thing about 6 months now ... wohoo ... I scripted everything for my company, but this thing is hard work.

Maybe the following tool will help you out:

http://www.stefan-kuhr.de/supsu/main.php3

It's a rewritten version of Microsoft's SU ... I think you don't need it installed as a service ... maybe some of you can test it out and post me success or not ...8)

Greetings

J.S.


jtokach
(Seasoned Scripter)
2002-07-18 10:49 PM
Re: Remote Execution - Driving me insane!

Hurray, put this topic to rest!

I contacted Keith Brown, author of Programming Windows Security.

Excerpts:

JIM
quote:
I am seeking a solution using any scripting language, (KIX, VBS, JS with WMI or WSH or any other means) to connect to a remote box and access the network through that box, without using tools like SU.EXE or PSEXEC.EXE. I have managed to connect via all languages and means, but I keep running into the dreaded ERROR 1312 - A specified logon session does not exist. It may already have been terminated. Is there any way around this using a scripting language?
KEITH
quote:
So you wish to establish something like a remote console on the target machine? Kind of like a telnet session? Or are you simply trying to access the file system on the remote machine?

JIM
quote:
I can already connect to the remote machine using the impersonate method in WMI or the WSHController object in WSH, unfortunately when I am connected, I do not have access to network resources through the remote box. It is like a Telnet session already...
KEITH
quote:
Ahh. You are running into the classic delegation problem. You are trying to make two network hops with your credentials. This won’t work by default, and I’m not sure you even *want* it to work unless you really trust that remote box to which you’d delegate your credentials.

JIM
quote:

You hit it on the nose. Unfortunately, delegation, from what I understand, will only work under Kerberos authentication supplied by AD. ...I don't think VBS or Kix are capable enough to handle any other required means...

KEITH
quote:

If you’re using NTLM, then the only way to delegate your credentials would be to send your password to the remote machine, using an encrypted link. NTLM does support encryption, but you won’t be doing this via scripting languages anytime soon, as you’ve pointed out.
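
The two-hop failure that the KB excerpt and Keith Brown's replies describe, as an added example that is not part of the original thread: a simplified challenge/response model in Python. HMAC-SHA256 stands in for NTLM's real algorithms, and the class names, function names and account are constructed. Computer B only ever sees an answer to its own challenge, so it cannot answer computer C's unless the password itself is supplied on B.

```python
import hashlib
import hmac
import os

# Simplified stand-in for NTLM (HMAC-SHA256); all account data is constructed.

def secret_from_password(password: str) -> bytes:
    """Long-term secret known only to the user's workstation and the DC."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def answer(secret: bytes, challenge: bytes) -> bytes:
    """Prove knowledge of the secret for one specific challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts):
        self.secrets = {u: secret_from_password(p) for u, p in accounts.items()}

    def verify(self, user, challenge, response) -> bool:
        expected = answer(self.secrets[user], challenge)
        return hmac.compare_digest(expected, response)

class Server:
    """A box that accepts network logons (computer B or C in the KB text)."""
    def __init__(self, dc):
        self.dc, self.challenge, self.captured = dc, b"", {}

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(16)
        return self.challenge

    def logon(self, user, response) -> bool:
        ok = self.dc.verify(user, self.challenge, response)
        if ok:
            self.captured[user] = response  # all this box ever learns
        return ok

def first_hop(user, password, b: Server) -> bool:
    """A -> B: A holds the password and answers B's challenge."""
    return b.logon(user, answer(secret_from_password(password), b.new_challenge()))

def second_hop_implicit(user, b: Server, c: Server) -> bool:
    """B -> C with only what B saw from A: an answer to B's own challenge."""
    c.new_challenge()
    return c.logon(user, b.captured[user])

def second_hop_explicit(user, password, c: Server) -> bool:
    """B -> C after the user supplied the password on B explicitly."""
    return c.logon(user, answer(secret_from_password(password), c.new_challenge()))
```
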



Lonkero
Administrator
(KiX Master Guru)
2002-07-18 11:17 PM
Re: Remote Execution - Driving me insane!

mm...
I have used two tools.
other one remote administrator (works with license even though I got my boss to buy it),
and other rcmd.
remote administrator uses the current user's credentials and rcmd the ones you put in...

which way do you actually want it to be?


Chris S.
(MM club member)
2002-08-22 11:05 PM
Re: Remote Execution - Driving me insane!

Jim (and others)...

I found something that works. I just tested this program ( Tqc Runas ) and installed two programs (IE6 and Project 2000) located on a share on a remote PC using an UNC path. It also includes a DLL that is scriptable, in fact the helpfile specifically mentions KiX!

quote:

Includes the new scriptable objects that will make administrator's life more easy. TqcRunas objects can be used in any scripting language that supports ActiveX (COM) objects, for example JavaScript, VBScript and KiXtart.



Lonkero
Administrator
(KiX Master Guru)
2002-11-24 01:36 AM
Re: Remote Execution - Driving me insane!

just searched the board for supsu link and found your response...
I think the reason why there is kix mentioned is that they eat the bread from ScriptLogic's hand [Wink]