Pin Me

Pen Testing with PsTools

written by: Lee Clemmer•edited by: Bill Bunter•updated: 5/5/2010

Sometimes during a penetration test we find that we need more than what our vulnerability scanner provides, but less than coding a full exploit. On Windows systems command line network administrative tools haven't always been available. There are some tools developed that we can use.

  • slide 1 of 2

    PsTools for Pen Testing

    Often a vulnerability scanner will only get you so far. A scanning tool such as nmap or others may tell quite a bit about the systems you've scanned, but without manually testing with specific tools and utilities it can be hard to verify that a vulnerability is real and that a system can be penetrated and exploited. Some tools such as Nessus have very well developed plugins for testing, but they still will not break all the way into a system unless you configure a plugin or script to do so.

    Usually you will want to use a separate tool to confirm that there is a problem. Often you can do so with an everyday administrative utility. On Windows networks often the GUI tools are not effective for this. If you want to check remote machines using tools in scripts or test a configuration and output the results to a text file, the provided tools may not be enough.

    Fortunately, Mark Russinovich has created PsTools. Mark named these Windows system tools with the prefix "ps" after the ps command on Unix-like systems. Let's take a look at how some of these may be useful in penetration testing.


    This tool changes passwords locally or for our interests, on a remote system. You can use a file list to try to change the password for a group of computers. Since you can look for usernames, this combination of options lets you see if a user account is present on any number of machines.


    This is a hacker's swiss army knife type of tool. PsExec lets you execute a program on a remote computer, with numerous options including copying the program to the remote computer, running the program interactively or non-interactively, running the program as System or with limited rights. The possibilities are almost limitless.


    PsLoggedOn shows who is connected to a remote (or local) computer. You can see whether connections are local to the computer or via the network to shares. This can give a list of user names to work with, and suggest which shares might be interesting.


    This tool lists and controls services. You can query the status of a service, stop, start, restart, and the other service commands are possible as well. Interestingly you can use the "find" option to search for an instance of a service on the network.

  • slide 2 of 2

    It's Not the Tool, It's How You Use It

    If the target being pen tested is configured securely, most of these tools won't provide much traction in penetrating. You might get some information that all Windows systems offer, but most of the functions that an attacker would want require an account with administrative rights' username and password to be provided when running the command. If the attacker has that username and password, they're in already. Granted, with these tools they could spread their control and wreak havoc. You can probably find other uses for these and the rest of the PsTools as well as in Windows penetration testing.