It is amaizing how often new processes are launched on your computer, all of them doing their own thing and a lot of times you have no idea they are doing it.  This can be a dangerious thing if your friends have been learning about office warfare and are startring to install things on your computer.  However it does us little good to just watch the task manager since there are a lot of processes that start when your computer starts up and it can be hard to sort it all out. 

However monitoring new processes can be quite useful since that will show you what new things are cropping up all the time.  Fortunately for all of us there is a great scripting language that comes pre built into windows machines called Windows Management Instrumentation (WMI) that when coupled with the Visual Basic Scripting language (vbs) will allow us to monitor new processes. 

Lets look at the code after the break. Read more

1 comment

You may not be as paranoid as I am … but you probably should be.  One thing that bothers me is that on a domain system is that my files are accessible to anyone with admin privileges on the domain.  They can read my emails, my documents, see my pictures, pretty much access anything they want. 

Fortunately for the paranoid there is a solution.  You can encrypt your files.  The easiest way to go about this is to surf on over to truecrypt.org and download their software package.  True Crypt is free of course, all you do is download it and follow their tutorial and you will have yourself an encrypted drive volume in no time flat.  Then anything you stick into that drive is encrypted and only decrypted on the fly when you ask for it.  The best part about True Crypt is that you are the only person who knows the password and it uses such great encryption algorithms that, with a sufficiently long password, it would take years to break.

No comments

This is a fun ploy; you jump on your co-workers computer and find a shortcut on their desktop to Word or something.  You right click on it and change the target to something more amusing.  A few things come to mind like

Shutdown –f –s –t 0
Which will shutdown the computer right after they click it.

Or try choosing any of the rundll32 command from http://www.dx21.com/SCRIPTING/INDEX.ASP a great site for reference when you are doing any scripting.  A couple of my favorite rundll32 commands are

RunDll32.exe user32.dll,LockWorkStation
which locks the workstation or

RunDll32.exe USER32.DLL,SwapMouseButton
which will swap their mouse buttons (effectively making their mouse left handed)

Use your imagination on this one, you can run any program on the computer, if you come up with a clever one make sure you post it to the comments.  Also if you have any office warfare ideas you think should be posted on the site send them to tips@officewarfare.net.

  

1 comment

Welcome back kiddies for the second installment in our series. Today we are going to look at another easy to use tool for interfering in the productivity of those around you.  Today’s tool brought to us by the fantastic chums over at SysInternals, is psexec.  Psexec is a step up from last article, the general principle of psexec is that it allows you to run any command line application that is on your neighbor’s computer from your computer and pass in flags.  Ok so psexec does not come preinstalled here is a link to the site where you can get it.  Come right back after you have it.

Good now that we got that out of the way if we run psexec without any flags we get the help pasted here for your blessed convenience.

PsExec v1.72 - Execute processes remotely

Copyright (C) 2001-2006 Mark Russinovich

Sysinternals - www.sysinternals.com

 

PsExec executes a program on a remote system, where remotely executed console

applications execute interactively.

 

Usage: psexec [\\computer[,computer2[,...] | @file][-u user [-p psswd]][-n s][-

][-s|-e][-x][-i][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [aruments]

     -a         Separate processors on which the application can run with

                commas where 1 is the lowest numbered CPU. For example,

                to run the application on CPU 2 and CPU 4, enter:

                “-a 2,4″

     -c         Copy the specified program to the remote system for

                execution. If you omit this option the application

                must be in the system path on the remote system.

     -d         Don’t wait for process to terminate (non-interactive).

     -e         Loads the specified account’s profile.

     -f         Copy the specified program even if the file already

                exists on the remote system.

     -i         Run the program so that it interacts with the desktop on the

                remote system.

     -l         Run process as limited user (strips the Administrators group

                and allows only priviliges assigned to the Users group).

     -n         Specifies timeout in seconds connecting to remote computers.

     -p         Specifies optional password for user name. If you omit this

                you will be prompted to enter a hidden password.

     -s         Run the remote process in the System account.

     -u         Specifies optional user name for login to remote

                computer.

     -v         Copy the specified file only if it has a higher version number

                or is newer on than the one on the remote system.

     -w         Set the working directory of the process (relative to

                remote computer).

     -x         Display the UI on the Winlogon secure desktop (local system only).

     -priority  Specifies -low, -belownormal, -abovenormal, -high or

                -realtime to run the process at a different priority.

     computer   Direct PsExec to run the application on the remote

                computer or computers specified. If you omit the computer

                name PsExec runs the application on the local system,

                and if you specify a wildcard (\\*), PsExec runs the

                command on all computers in the current domain.

     @file      PsExec will execute the command on each of the computers listed

                in the file.

     program    Name of application to execute.

     arguments  Arguments to pass (note that file paths must be

                absolute paths on the target system).

 

You can enclose applications that have spaces in their name with

quotation marks e.g. psexec \\marklap “c:\long name app.exe”.

Input is only passed to the remote system when you press the enter

key, and typing Ctrl-C terminates the remote process.

 

If you omit a user name the process will run in the context of your

account on the remote system, but will not have access to network

resources (because it is impersonating). Specify a valid user name

in the Domain\User syntax if the remote process requires access

to network resources or to run in a different account. Note that

the password is transmitted in clear text to the remote system.

 

Error codes returned by PsExec are specific to the applications you

execute, not PsExec.

Ok now as I said this is a step up so bear with me.  The important command line switches (in order of appearance) are

/c as you can see (if you can read) /c copies the command in question over to the destination computer.  This is useful in case the program is not already stored on the destination.  However in most instances the command we are running will already be there so this will not be needed.

/f is related to /c and basically forces a copy even if the file already exists.  I recommend using this every time you use /c

/i is one of the most important switches.  This causes the application to show itself to the user that is currently logged in.  Why is this important you ask? Because one of the main ways we will use psexec is to pop up windows on the remote computer that annoy the user visually.

Those three switches make up the really important set; other ones can be used but are not necessary.  So let’s put it together and see about doing something annoying to our friends next door.  Lets run a RUNDLL32 command on a computer that will switch the mouse buttons.  Quick side note, rundll32 is basically a program that allows you to call functions in dlls. Anyways we will have a full article on rundll32 later down the road but for now lets try.

Psexec /i \\hr-JanetLee RunDll32.exe USER32.DLL,SwapMouseButton

So to break this one down, we are using psexec (obviously since the article is about psexec) and we want the command to run interactively. We are doing this to the imaginary remote computer hr-JannetLee and the command we want to run is RunDll32.exe USER32.DLL,SwapMouseButton.

The net effect is that Janet will have no idea that anything has happened until she tries to click on things and keeps getting context menus.  That about sums it up for psexec for this week, try to think of other great uses for this application and we will give you some more as we go along too.  Look forward to the rundll32 article as it will be chock full of fun toys we can use with psexec.

1 comment

Well this is my first article in what I hope is going to be a series teaching you how to fight the good fight, digital office warfare.  In this article we are going to start out with the basics of offence because a good offence is … well a good offence.  Basic offence includes using built in tools (or easily downloadable power tools) to attack your neighbors whose computers you have admin privileges on.

Let’s get started, I hope you have read the Geneva Convention of office warfare. The first tool we are going to look at is shutdown.

C:\Users\joshp>shutdown /?

Usage: shutdown [/i | /l | /s | /r | /g | /a | /p | /h | /e] [/f]

    [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

 

    No args    Display help. This is the same as typing /?.

    /?         Display help. This is the same as not typing any options.

    /i         Display the graphical user interface (GUI).

               This must be the first option.

    /l         Log off. This cannot be used with /m or /d options.

    /s         Shutdown the computer.

    /r         Shutdown and restart the computer.

    /g         Shutdown and restart the computer. After the system is

               rebooted, restart any registered applications.

    /a         Abort a system shutdown.

               This can only be used during the time-out period.

    /p         Turn off the local computer with no time-out or warning.

               Can be used with /d and /f options.

    /h         Hibernate the local computer.

               Can be used with the /f option.

    /e         Document the reason for an unexpected shutdown of a computer.

    /m \\computer Specify the target computer.

    /t xxx     Set the time-out period before shutdown to xxx seconds.

               The valid range is 0-600, with a default of 30.

               Using /t xxx implies the /f option.

    /c “comment” Comment on the reason for the restart or shutdown.

               Maximum of 512 characters allowed.

    /f         Force running applications to close without forewarning users.

               /f is automatically set when used in conjunction with /t xxx.

    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.

               p indicates that the restart or shutdown is planned.

               u indicates that the reason is user defined.

                 if neither p nor u is specified the restart or shutdown is unplanned.

               xx is the major reason number (positive integer less than 256).

               yy is the minor reason number (positive integer less than 65536).

 

Shutdown has a fairly obvious use.  Basically using the parameters available to us we can shutdown the computers of those poor souls around us.  Here is the general use for that.

Shutdown /f /r /m \\enemycomp /t 30

So what are we doing here?  The first flag we see if /f.  This is force, what this means is that your coworkers apps will be closed forcefully if they don’t close nicely.   The second flag /r is reboot, you can also use /s which will shut the computer down and not start it back, this makes little difference.  The next flag is an important one /m. This is where we give the computer name of our target.  Syntax is /m \\computername. The final flag we show above is /t.  This flag is a way of throwing your coworkers a bone, it is the countdown timer.  If left out the shutdown happens right away but if you put it in they get a countdown timer first allowing them a little time to try to either save stuff or abort the shutdown if they know what they are doing (link to defense article).  The only other flag that you may be interested in at this point is /c.  /c allows you to add a comment to the shutdown timer dialog, this is mostly used to taunt your coworkers and the syntax is /c “Haha, I pwns ju kthxbye”. So all put together you can use a command like this to shutdown the imaginary computer dev-BobHunington giving Bob a 10 second chance to save his day with the taunting message “Don’t Mess With TESTERS BOB!” like this.

Shutdown /f /s /m \\dev-BobHunington  /t 10 /c “Don’t Mess With TESTERS BOB!”

 

That is all we have for this week, go forth and reboot! Remember kids save your work, you never know if the person next to you is reading this same article right now.

No comments