The Ps Tools from Mark Russinovich are very handy remote administration utilities. However, they all come with one big caveat.

Note that the password is transmitted in clear text to the remote system.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Does this only happen when a credential is provided to the tool, like when the account being used locally does not have privileges on the remote system? Or is some form of authenticator (password, token, or hash) always being sent in the clear? If I'm logged in locally with an account that has the necessary privileges on the remote system (and, therefore, don't have to provide my password to the Ps Tool), are my credentials still at risk?

How can I demonstrate this to myself or someone else, like with Wireshark? What filters can I use to isolate the critical packets, and which properties should be shown?

Iszi

I believe most of the answers you seek are in the analysis by Mike Pilkington presented at SANS Forensics and IR Summit – June, 2011:

Blog posts: http://www.dshield.org/diary.html?storyid=11173 and http://computer-forensics.sans.org/blog/2010/06/01/protecting-admin-passwords-remote-response-forensics/

PDF of presentation slides: http://securityscaper.com/Protecting%20Privileged%20Domain%20Accounts%20during%20Live%20Response%20-%20June%202011.pdf

The blog posts and presentation discuss the technologies in detail, explain his investigative methodology, and recommend safer ways to use the tools.

The general theme is to use alternate authentication methods to avoid exposing passwords to the network but with care taken so these accounts are insulated from compromise by malware on the suspect system.

In the DFIR blog post above Mike says: "First, there is an easy workaround you can employ with PsExec to avoid sending your password in clear text. The trick is to first mount the IPC$ share of the remote computer and then use PsExec. Jean-Baptiste Marchand has written an excellent article about this technique, as well as several other remote administration tips." linking to a detailed article by JBM from 2005: http://www.governmentsecurity.org/forum/topic/28152-windows-built-in-remote-administration-tools/

hth, adric

adric
  • Thanks for the links. Could you paste some of the more critical details so that this answer can stand on its own? – Iszi Aug 09 '12 at 20:58
The version of PSExec released in May 2014 - version 2.1 - closes this security gap by encrypting all communications:

http://batchpatch.com/psexec-v2-1-all-network-communication-is-now-encrypted

You can get the secure version here: http://msdn.microsoft.com/en-us/library/bb897553.aspx

Lizz
Filters on packet capture software will easily sort the data you need.

Filter by:

  • Sending IP address
  • Receiving IP address
  • Protocol
  • Port number

From there you will be able to find if information is being sent in clear text.

ponsfonze
  • I understand these filters would be useful, but how should they be set? SRC/DST is pretty straightforward. What protocols/ports? – Iszi Aug 10 '12 at 17:50
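Added example, not from any of the answers or the linked articles: the IPC$-first workaround adric quotes, followed by the kind of capture filtering ponsfonze's answer describes, using tshark (Wireshark's command-line front end, which accepts the same display filters as the GUI). HOSTNAME, DOMAIN\admin and psexec.pcapng are placeholders; it assumes psexec.exe and tshark.exe are on PATH.

```powershell
# Added example (not the answers' or the linked articles' own commands).
# HOSTNAME, DOMAIN\admin and psexec.pcapng are placeholders.
$Target  = 'HOSTNAME'        # placeholder: remote machine
$Account = 'DOMAIN\admin'    # placeholder: privileged account

# 1. Authenticate to the IPC$ share first. The trailing * makes net use prompt for
#    the password, so it is not on the command line or in shell history. The SMB
#    session setup uses Kerberos or NTLM, neither of which transmits the password
#    itself.
net use "\\$Target\IPC$" "/user:$Account" *

# 2. Run PsExec with no -u/-p. It reuses the existing SMB session, so there is no
#    password for it to hand to the remote service.
psexec.exe "\\$Target" cmd.exe /c hostname

# 3. Drop the session afterwards so the cached connection is not left behind.
net use "\\$Target\IPC$" /delete

# Checking a capture taken during steps 1-2. NTLM AUTHENTICATE messages (type 3)
# carry the user name and a challenge response, never the password, so this is
# what a correctly authenticated session should look like:
tshark -r psexec.pcapng -Y 'ntlmssp.messagetype == 3' -T fields `
    -e ip.src -e ip.dst -e ntlmssp.auth.username

# Narrow to SMB/SMB2 between the two hosts; for the -u/-p path with an old PsExec,
# this is the traffic to follow (Follow TCP Stream in the GUI, or -V here) when
# confirming whether the password is readable.
tshark -r psexec.pcapng -Y 'smb || smb2' -T fields `
    -e frame.number -e ip.src -e ip.dst -e smb.cmd -e smb2.cmd
```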