Euh Mark...I think you're talking about something else here :-)  We chatted
about a remote check (agent based) and what you're describing looks like
that.  What I'm talking about is/was an option to execute a command on a
remote system (as an alert that is).
 


Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Mark Bradshaw
Sent: Wednesday, November 24, 2004 1:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [SA-list] Remote command as alert

Let's step back and consider what an agent might be capable of that
psexec isn't.  An agent is capable of advanced checks and logic to check
process, states, etc.  Psexec is just a method of executing remote
processes.  Now, either way you go, someone still has to build an agent
capable of doing a useful check; however, going the agent route allows
more flexibility in how data is returned after the check completes via a
structured command and response language that SA would understand.
Another thing to note, psexec is a Windows technology, whereas the agent
methodology could be used in Linux, Solaris, Atari, Xbox, etc.  I know
there are other mechanisms to achieve the same result in *nix world, but
I think there's an inherent benefit in keeping it with one centralized
methodology.  I would vote agent.

 . . . If this were a democracy. :o)

Mark Bradshaw
Director of Online Services
DREAM3
http://www.dream3.org
(866) 7DREAM3

-----Original Message-----
From: Alistair Francis [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 24, 2004 3:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [SA-list] Remote command as alert

From what I'm picking up off the list, psexec sounds very similar to the
hacking tool "netcat". Instantiating a remote command prompt on an
NT/2000 system, that is basically accessible to anyone who knows it's
there, should give everyone the willies. It takes about 10 seconds to
fire off an LSASS injector to dump the SAM into a txt which you can then
password crack offline, at your leisure! Be very scared!

Ideally, the client/server setup would be more secure in that the
listener/agent would only accept connections from the appropriate server
(as Dirk mentioned, specified IP, username, password, etc). Nothing is
100% safe but this is a hell of a lot safer. IMHO.

Alistair Francis
Systems Administrator
Comm Express Services SA (PTY) LTD
TEL:    +27 (0)11 475-5567
FAX:   +27 (0)11 475-6238
CELL: +27 (0)84 607-7325

The information contained in this electronic mail message is
confidential to the Matragon group of companies and may enjoy legal
privilege. The contents are intended solely for the addressee and access
thereto by anyone else is unauthorised. Should you not be the intended
recipient, kindly delete the message and inform us. Any disclosure,
copying or distribution is prohibited and may be unlawful. Please also
note that any action taken, or omitted to be taken in reliance on the
information contained herein is done at your own risk.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Dirk Bulinckx
Sent: 24 November 2004 09:10
To: [EMAIL PROTECTED]
Subject: RE: [SA-list] Remote command as alert


The way psexec (probably) works isn't therefore something great.
From my understanding:
        it copies itself (or part) to the remote system
        installs it as a service
        starts the service
        service executes the "commandline"
        service stops
        service removes itself
        service file is deleted

For this to work you need not only admin access to the remote system but
you also need netbios access to the remote system.

With an agent approach all would be done via ONE port (TCP probably) and
as such will not require the use of Netbios.


Dirk.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Kurt Buff
Sent: Wednesday, November 24, 2004 1:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [SA-list] Remote command as alert

Wouldn't necessarily require an agent.

See http://sysinternals.com for their psexec utility.

All you need is admin rights on the remote box.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Alistair Francis
> Sent: Tuesday, November 23, 2004 03:58
> To: [EMAIL PROTECTED]
> Subject: RE: [SA-list] Remote command as alert
>
>
> Yup, it would be useful, even though it requires an agent on the 
> target machine. The only problem I can see is security. It would need 
> to be seriously tight, possibly some sort of encrypted key between 
> server and agent. If it was as simple as telnetting to a certain port 
> on the target mac and issuing commands... (shudder!) imagine what an IT
> savvy disgruntled employee could do! Are you thinking of a restricted 
> command set or something along the lines of a remote command prompt 
> type thing?
>
> Alistair Francis
> Systems Administrator
> Comm Express Services SA (PTY) LTD
> TEL:    +27 (0)11 475-5567
> FAX:   +27 (0)11 475-6238
> CELL: +27 (0)84 607-7325
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Dirk Bulinckx
> Sent: 23 November 2004 13:28
> To: [EMAIL PROTECTED]
> Subject: [SA-list] Remote command as alert
>
>
> Is the possibility to execute a command on a remote system (currently 
> only possible on the system running SA), something that would be of 
> any help knowing that for that you would have to have a 
> "remotecommand" service installed on the system(s) that need to 
> execute those commands?
>
> Dirk.
>
>
>
>
>
>
> -------------------------
>
> [This E-mail scanned for viruses by Declude Virus]
>
> To unsubscribe from a list, send a mail message to [EMAIL PROTECTED] 
> With the following in the body of the message:
>    unsubscribe SAlive
>
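
The agent-side checks asked for in this thread (accept only the appropriate server, a key shared between server and agent, a restricted command set), sketched as an added example that is not part of the original messages or of SA. The server address, key, command table and message layout are assumptions; HMAC-SHA256 with a timestamp and nonce is used here as one way to realise the shared key, and it authenticates requests without encrypting them.

```python
import hashlib
import hmac
import json
import time

# Assumed agent configuration (hypothetical values, not from SA or the thread).
ALLOWED_SERVERS = {"192.0.2.10"}          # only the monitoring server may connect
SHARED_KEY = b"constructed-demo-key"      # per-agent secret shared with the server
COMMANDS = {                              # restricted command set: id -> fixed argv
    "restart_spooler": ["sc", "start", "spooler"],
    "flush_dns": ["ipconfig", "/flushdns"],
}
MAX_SKEW = 60                             # seconds a signed request stays valid
_seen_nonces = set()                      # accepted nonces (unbounded in this sketch)


def sign(body: bytes, key: bytes = SHARED_KEY) -> str:
    """Server side: HMAC-SHA256 tag over the exact request bytes."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_request(peer_ip: str, body: bytes, tag: str, now: float = None):
    """Agent side: return the argv to run, or raise PermissionError."""
    if peer_ip not in ALLOWED_SERVERS:
        raise PermissionError("peer not allowed")
    if not hmac.compare_digest(sign(body), tag):
        raise PermissionError("bad signature")
    req = json.loads(body)                # parsed only after authentication
    now = time.time() if now is None else now
    if abs(now - req["ts"]) > MAX_SKEW:
        raise PermissionError("stale request")
    if req["nonce"] in _seen_nonces:
        raise PermissionError("replayed request")
    _seen_nonces.add(req["nonce"])
    argv = COMMANDS.get(req["cmd"])       # the request names a command, never a command line
    if argv is None:
        raise PermissionError("command not in restricted set")
    return list(argv)                     # caller executes this argv without a shell


def make_request(cmd: str, nonce: str, ts: float):
    """Constructed sample request, as the server would send it."""
    body = json.dumps({"cmd": cmd, "nonce": nonce, "ts": ts}).encode()
    return body, sign(body)
```

Because the request carries only a command identifier, someone who can reach the agent's port but lacks the key gets nothing, and someone with the key can still run only the listed commands.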






