BatchPatch Support Forum: Credentials in clear text
- This topic has 5 replies, 2 voices, and was last updated 5 years, 6 months ago by doug.
June 13, 2019 at 2:52 pm #9371, atesser (Participant)
Good Morning! I was alerted by a coworker that our credentials are being sent in clear text when we use BatchPatch/PsExec. Cisco AMP has alerted us to this fact.
I did some quick searching and found the following article from 2014: psexec-v2-1-all-network-communication-is-now-encrypted
I’ve verified that we are using PsExec v2.11, and then I searched the forum here and was not able to find anyone specifying any additional steps that need to be taken to force PsExec to use encrypted creds. Am I missing a step? Is there a way in BatchPatch or PsExec to specify that all creds should be encrypted before being passed to the machines?
June 13, 2019 at 3:07 pm #11632, doug (Moderator)
PsExec v2.11 and newer versions automatically encrypt credentials. There is nothing additional that needs to be done. It would seem to me that you have the following possible things happening:
— Maybe you’re not actually using the version of PsExec that you think you’re using? Maybe you have multiple copies of PsExec on the computer and BP is not using the one you expect?
— Maybe credentials are encrypted but you are getting a false alert from Cisco AMP. I’m not sure how Cisco AMP would be able to know whether or not credentials are encrypted. That to me seems like something only a human would be able to know. I don’t know what the alert looks like that you are getting from Cisco AMP, but is it possible that you are simply misinterpreting the alert? Or is it possible that the alert is misrepresenting the actuality? Maybe it’s warning that PsExec is being used but it’s not specifically stating that it detected clear text credentials?
In any case it’s quite easy to verify that there are no clear text credentials being sent by simply capturing traffic with Wireshark and reviewing it. If you have concerns then you should fire up Wireshark and review the packet capture.
-Doug
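The two checks Doug suggests (confirm which PsExec binary BatchPatch is really using, then look at the wire) as one added PowerShell script. This is an added example, not code from the thread, from BatchPatch or from Sysinternals; it assumes it runs elevated on the BatchPatch host, that tshark.exe sits in Wireshark's default install folder, that the capture interface is named 'Ethernet', and that $Target and $Password are placeholders you replace with the real remote host and the password you hand to PsExec.

```powershell
# Added example (not from the BatchPatch forum thread, BatchPatch, or Sysinternals).
# Assumptions: runs elevated on the BatchPatch host; tshark.exe is at Wireshark's default
# path; 'Ethernet' is the capture interface; $Target and $Password are placeholders.
$Tshark   = 'C:\Program Files\Wireshark\tshark.exe'
$Capture  = 'C:\Temp\psexec-check.pcapng'
$Target   = '10.0.0.25'                  # placeholder: the remote host BatchPatch talks to
$Password = 'REPLACE-WITH-REAL-PASSWORD' # placeholder: the password given to PsExec via -p

# 1. Inventory every PsExec binary on this host. BatchPatch may not be using the copy you
#    think it is, and anything older than 2.1 sends credentials in the clear.
Get-ChildItem -Path 'C:\' -Filter 'PsExec*.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Version = $_.VersionInfo.FileVersion
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize

# 2. Capture 60 seconds of traffic to the target; start a BatchPatch job during the window.
New-Item -ItemType Directory -Path (Split-Path $Capture) -Force | Out-Null
& $Tshark -i 'Ethernet' -f "host $Target" -a duration:60 -w $Capture

# 3. Search the raw capture for the password as ASCII and as UTF-16LE (the encoding Windows
#    uses for most strings on the wire). The odd-offset UTF-16 view catches strings that do
#    not start on an even byte boundary. With PsExec 2.1+ none of these should hit.
$bytes = [System.IO.File]::ReadAllBytes($Capture)
$views = @(
    @{ Name = 'ASCII';           Text = [System.Text.Encoding]::ASCII.GetString($bytes) }
    @{ Name = 'UTF-16LE';        Text = [System.Text.Encoding]::Unicode.GetString($bytes) }
    @{ Name = 'UTF-16LE (odd)';  Text = [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1) }
)
$hits = foreach ($v in $views) {
    $idx = $v.Text.IndexOf($Password, [System.StringComparison]::Ordinal)
    if ($idx -ge 0) { "clear-text password found in $($v.Name) view at character index $idx" }
}
if ($hits) { foreach ($h in $hits) { Write-Warning $h } }
else       { Write-Host "No clear-text password found in $Capture" }
```

Step 3 is deliberately a byte-level search rather than a protocol dissection: if the password string is anywhere in the capture, in either encoding, it is on the wire in the clear, regardless of which protocol carried it. A clean result plus a 2.1-or-later version in step 1 is the evidence Doug asks for.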
June 13, 2019 at 4:52 pm #11633, atesser (Participant)
Great insights as usual, Doug, thank you. Please help me clarify something; I believe that my BatchPatch system is the only one that needs to have PsExec 2.11. Each time I tell my BatchPatch system to run commands on a remote system, my BatchPatch system copies its own version of PsExec 2.11 over to the remote system, runs PsExec there on the remote system and executes the commands I have specified. Is that all correct?
Or do I need to make sure that all systems in my environment have PsExec 2.11 sitting at C:\Windows?
Cisco AMP was letting us know that PsExec was running as Admin, and it also included the command line arguments as follows (transcribed and sanitized): C:\Windows\PsExec.exe \\SV-XYZ-01 -s -u SV-XYZ-01\admin -p #password# C:\ProgramFiles\BatchPatch\BatchPatchRemoteAgent.exe…
I have verified that #password# is indeed the correct password for that account on that server.
June 13, 2019 at 5:10 pm #11634, doug (Moderator)
PsExec only needs to be present on the BatchPatch computers. Do not put it on target computers. When it runs it copies psexesvc.exe (this is embedded in the PsExec.exe) to the target. It installs that exe as a service. When done with each operation it then removes the service that it previously installed.
OK, so Cisco AMP is capturing command line text. This has nothing to do with what is being sent across the network by PsExec. On the BP system the credentials have to be sent from the BatchPatch.exe process to PsExec.exe in clear text. This would be equivalent to you running PsExec yourself at the cmd prompt and submitting credentials to it. Then when PsExec performs the remote execution, it encrypts everything before transmitting over the network.
All that said, if you want to avoid the use of credentials altogether, then just run BP with integrated security. Use option 1 or 2 at the following link:
batchpatch-authentication-in-domain-and-workgroup-non-domain-environments
Using alternate credentials in the way that you are currently using does not pose a threat as far as network capture is concerned because the psexec network transmissions will be encrypted. However, if malicious software got installed on the BP computer, then of course it could capture pre-network data or in-memory data or on-disk data or keyboard strokes etc., just like Cisco AMP can. At that point though of course any usage of that computer is a problem, not just BP usage.
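Doug's point is that the password is visible locally, on the command line BatchPatch passes to PsExec.exe, and that is exactly what an endpoint agent records. The added PowerShell below shows where that exposure lands on the BatchPatch host: it pulls process-creation events (Sysmon Event ID 1 and Security 4688) and flags every PsExec launch that carried -u/-p. It is an added example, not code from the thread, from BatchPatch or from Sysinternals; the regex, the helper names and the sample command line are this example's own, and it assumes at least one of those two logs exists on the host with command lines recorded.

```powershell
# Added example (not from the BatchPatch forum thread, BatchPatch, or Sysinternals).
# Run on the BatchPatch host. Assumes at least one of these is enabled there:
#   - Sysmon with Event ID 1 (ProcessCreate), log Microsoft-Windows-Sysmon/Operational
#   - Security 4688 with "Include command line in process creation events" turned on
# The regex, helper names and sample line are this example's own; -u/-p are PsExec's switches.

# A PsExec invocation carrying explicit credentials (what BatchPatch emits when configured
# with alternate credentials instead of integrated security).
$PsExecCreds = '(?i)psexec(?:64)?\.exe.*?\s-u\s+(?<user>\S+)\s+-p\s+(?<pass>\S+)'

function Get-ProcessCommandLines {
    param([string]$LogName, [int]$EventId)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            # Both Sysmon 1 and Security 4688 carry the command line in <Data Name="CommandLine">
            $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cmd) { [pscustomobject]@{ Time = $_.TimeCreated; Log = $LogName; CommandLine = $cmd } }
        }
}

function Find-PsExecCredentialExposure {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if ($Event.CommandLine -match $PsExecCreds) {
            [pscustomobject]@{
                Time        = $Event.Time
                Log         = $Event.Log
                User        = $Matches['user']
                PasswordLen = $Matches['pass'].Length   # proves the secret is present without re-printing it
                Redacted    = $Event.CommandLine -replace '(?i)(\s-p\s+)\S+', '$1********'
            }
        }
    }
}

# Constructed sample mirroring the sanitized command line from the thread (not a real event;
# the path and password here are made up for the example).
$sample = [pscustomobject]@{
    Time        = Get-Date
    Log         = 'sample'
    CommandLine = 'C:\Windows\PsExec.exe \\SV-XYZ-01 -s -u SV-XYZ-01\admin -p Hunter2! C:\BatchPatch\BatchPatchRemoteAgent.exe'
}
$sample | Find-PsExecCredentialExposure | Format-Table -AutoSize

# Live check: every recorded PsExec launch on this host that carried a password
@(Get-ProcessCommandLines -LogName 'Security' -EventId 4688) +
@(Get-ProcessCommandLines -LogName 'Microsoft-Windows-Sysmon/Operational' -EventId 1) |
    Find-PsExecCredentialExposure | Sort-Object Time | Format-Table -AutoSize
```

Two practical consequences follow from what this finds. First, if command-line auditing is on, the password is not only visible to Cisco AMP but is written into the Security log and forwarded to whatever SIEM collects it, so treat those logs as containing a secret. Second, the fix Doug gives (options 1 or 2, integrated security) removes -u and -p from the command line entirely, at which point the regex above stops matching and there is no local secret for an agent to record. Doug's note that psexesvc is removed after each operation can be confirmed on a target with Get-Service PSEXESVC, which should report nothing once the job is finished.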
June 13, 2019 at 5:47 pm #11635, atesser (Participant)
Got it! We misunderstood what Cisco AMP was telling us. Thanks again for the awesome explanation.
June 13, 2019 at 6:14 pm #11636, doug (Moderator)
You’re very welcome.