RE: problems to start a task with at.exe

From: Dawes, Rogan (ZA - Johannesburg) (rdawesat_private)
Date: Wed Nov 14 2001 - 23:15:41 PST


    Try using psexec. If you can map drives, or submit "at" jobs, PSExec should
    also work.
    
    That will give you a remote command shell on the machine directly.
    
    e.g. From cmd on the DMZ box:
    
    psexec \\computer [-u user [-p psswd]] [-s] [-c] [-d] program [arguments]
    
    psexec \\target -u system -p passwd cmd.exe
    
    Gives you access to the cmd shell on the target computer.
    
    Rogan
    
    PsExec v1.11 - execute processes remotely
    Copyright (C) 2001 Mark Russinovich
    www.sysinternals.com
    
    PsExec executes a program on a remote system, where remotely executed console
    applications execute interactively.
    
    Usage: psexec \\computer [-u user [-p psswd]] [-s] [-c] [-d] program [arguments]
    
         -u         Specifies optional user name for login to remote
                    computer.
         -p         Specifies optional password for user name. If you omit this
                    you will be prompted to enter a hidden password.
         -s         Run the remote process in the System account.
         -c         Copy the specified program to the remote system for
                    execution. If you omit this option the application
                    must be in the system path on the remote system.
         -d         Don't wait for process to terminate (non-interactive).
         program    Name of application to execute.
         arguments  Arguments to pass (note that file paths must be
                    absolute paths on the target system).
    
    You can enclose applications that have spaces in their name with
    quotation marks e.g. psexec \\marklap "c:\long name app.exe".
    Input is only passed to the remote system when you press the enter
    key, and typing Ctrl-C terminates the remote process.
    
    If you omit a user name the process will run in the context of your
    account on the remote system, but will not have access to network
    resources (because it is impersonating). Specify a valid user name
    in the Domain\User syntax if the remote process requires access
    to network resources or to run in a different account. Note that
    the password is transmitted in clear text to the remote system.
    
    > -----Original Message-----
    > From: otanerat_private [mailto:otanerat_private]
    > Sent: 14 November 2001 03:50
    > To: pen-testat_private
    > Subject: problems to start a task with at.exe
    > 
    > 
    > Hi,
    > 
    > I'm doing a pen test and I found a way over a system in the DMZ to establish
    > NBT-connections in the internal network (net use and stuff). My goal is to
    > get shell access to the internal network. So, my plan is to establish a
    > connection from the internal network to my system in the internet with netcat. They
    > don't use a proxy, only a firewall that allows outgoing http and https. I
    > have local administrator rights on the pdc. So, I was able to copy pwdump.exe
    > to the pdc and now, I want to execute it (adding a job with at.exe). I can see
    > the new job in the queue, but if the time is reached, the batch file was not
    > executed. I'm sure, the path is correct. I have the same problem with a
    > system in my lab. What can I do?
    > 
    > My commands:
    > 
    > at \\target 18:00 "c:\test.bat"
    > or
    > at \\target 18:00 /every:date "c:\test.bat"
    > 
    > Any help would be appreciated
    > 
    > Regards
    > Renato
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    > 
    
    



    This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 10:49:42 PST
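
Added example, not part of the original thread or of PsExec: a small detector for the three traces the techniques discussed above leave on current Windows systems (a PSEXESVC service install, a legacy `at` job, and a password passed with `-p` on the command line). The event IDs (7045, 4698, 4688), the flattened key=value record format, and all host names and sample values are assumptions constructed for illustration; 4698 and 4688 with command lines appear only when the matching audit policies are enabled.

```python
import re

# Constructed sample records (not real logs): Windows events flattened to key=value.
SAMPLE = [
    r'EventID=7045 Host=PDC01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe',
    r'EventID=7045 Host=PDC01 ServiceName=Spooler2 ImagePath=C:\Windows\System32\spoolsv.exe',
    r'EventID=4698 Host=PDC01 TaskName=\At1 User=DMZBOX$',
    r'EventID=4698 Host=PDC01 TaskName=\Backup\Nightly User=svc_backup',
    r'EventID=4688 Host=DMZBOX CommandLine="psexec \\target -u admin -p Secret1 cmd.exe"',
    r'EventID=4688 Host=DMZBOX CommandLine="psexec \\target -s cmd.exe"',
]

# A value is either a double-quoted string or a run of non-space characters.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one flattened record into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def classify(event):
    """Return a label for events matching one of the three traces, else None."""
    eid = event.get("EventID")
    if eid == "7045":  # service installed: PsExec drops and registers PSEXESVC
        haystack = event.get("ServiceName", "") + " " + event.get("ImagePath", "")
        if re.search(r"psexesvc", haystack, re.I):
            return "psexec-service-install"
    if eid == "4698":  # scheduled task created: at.exe jobs are named At<n>
        if re.fullmatch(r"\\At\d+", event.get("TaskName", "")):
            return "legacy-at-job"
    if eid == "4688":  # process creation: -p leaves the password in the log
        cmd = event.get("CommandLine", "")
        if re.search(r"\bpsexec(64)?(\.exe)?\b", cmd, re.I) and re.search(r"\s-p\s+\S", cmd):
            return "psexec-password-on-cmdline"
    return None


def scan(lines):
    """Return (host, label) for every record that matches a rule, in input order."""
    hits = []
    for line in lines:
        event = parse(line)
        label = classify(event)
        if label:
            hits.append((event.get("Host"), label))
    return hits


if __name__ == "__main__":
    for host, label in scan(SAMPLE):
        print(f"{host}: {label}")
```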