Recently i was trying to research deeper into running remote commands from windows to windows. It can be easy with ssh, ftp - but I wanted it to run the commands without knowing the password either username, just local ip and computer name and maybe some opened firewall ports.
I used couple commands that some people suggested me to:
- wmic
- powershell remote commands
- winrs
- psexec
However some errors appeared and now i can't continue my work.
WMIC
When trying to run node wmic command this error often appeared
ERROR:
Description = RPC server is unavailable
It happened every time when i was trying to run this command. I've even tested this on couple computers. Let me know if i have to use some setup commands on remote computer for this to work
Powershell
I've did everything microsoft docs said. Even though i didn't work. I've tried getting the ps session, entering it etc.
This is the command that i used for invoking a command:
Invoke-Command -ComputerName DHEB -ScriptBlock {Get-UICulture}
It executed this error:
[DHEB] Connecting to remote server DHEB failed with the following error message : WinRM cannot process the request.
The following error with errorcode 0x8009030e occurred while using Negotiate authentication: A specified logon session
does not exist. It may already have been terminated.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or
use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more
information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (DHEB:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : 1312,PSSessionStateBroken
WinRS
Winrs command also didn't turn out well. Desktop-VAPJUPI is online and winrs is installed on the pc. However it still didn't work
Command:
winrs -r:"DESKTOP-VAPJUPI" cmd.exe
Output:
Winrs error:
C:\Users\matis>The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config.
PsExec
The last command that i used is psexec. It is very stable and very useful, however it didn't work for me.
Command:
PsExec.exe \DESKTOP-VAPJUPI -e -i -nobanner cmd.exe
Output:
Couldn't access DESKTOP-VAPJUPI:
The network path was not found.
Make sure that the default admin$ share is enabled on DESKTOP-VAPJUPI.
I tried sharing whole C:\ disk on Desktop-VAPJUPI, but it still didn't work. Let me know how do I share the default
for admin$
As you can see non of the commands worked. I don't know if I'm doing everything wrong either my pcs are retarted, or maybe the whole thing that i want to do is impossible.
And yes I know that I can setup anonymous login for ftp or ssh keys for passwordless login, however I don't want to do that for some reason.
Also I would be happy if someone told me if there are any more ways to open unauthorized access to pc
Any answers are appreciated, thanks
You cannot run remote commands without using an account and password from the remote machine. Of course, in a windows domain, you are allowed to use a domain account for all machines, but still, it has to be admin at the remote end. If you want that, all ways should work and documentation for setting that up exists at Microsoft Technet. However, I would urge you to share why you want this. In a managed environment (a windows domain for example), there are much safer ways to make a remote machine run what you want than direct remoting, which always opens ports. You could for example establish a pull mechanism, so that every machine looks (for example every 10 minutes) into a share if there are jobs to be executed.