mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-28 23:51:29 +00:00
181 lines
7.2 KiB
Markdown
181 lines
7.2 KiB
Markdown
|
|
|
|
<details>
|
|
|
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
|
|
|
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
|
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
|
|
</details>
|
|
|
|
|
|
# How Does it works
|
|
|
|
Wmi allows to open process in hosts where you know username/\(password/Hash\). Then, Wmiexec uses wmi to execute each command that is asked to execute \(this is why Wmicexec gives you semi-interactive shell\).
|
|
|
|
**dcomexec.py:** This script gives a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints \(ShellBrowserWindow DCOM object\). Currently, it supports MMC20. Application, Shell Windows and Shell Browser Window objects. \(from [here](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)\)
|
|
|
|
# WMI Basics
|
|
|
|
## Namespace
|
|
|
|
WMI is divided into a directory-style hierarchy, the \root container, with other directories under \root. These "directory paths" are called namespaces.
|
|
List namespaces:
|
|
|
|
```bash
|
|
#Get Root namespaces
|
|
gwmi -namespace "root" -Class "__Namespace" | Select Name
|
|
|
|
#List all namespaces (you may need administrator to list all of them)
|
|
Get-WmiObject -Class "__Namespace" -Namespace "Root" -List -Recurse 2> $null | select __Namespace | sort __Namespace
|
|
|
|
#List namespaces inside "root\cimv2"
|
|
Get-WmiObject -Class "__Namespace" -Namespace "root\cimv2" -List -Recurse 2> $null | select __Namespace | sort __Namespace
|
|
```
|
|
|
|
List classes of a namespace with:
|
|
|
|
```bash
|
|
gwmwi -List -Recurse #If no namespace is specified, by default is used: "root\cimv2"
|
|
gwmi -Namespace "root/microsoft" -List -Recurse
|
|
```
|
|
|
|
## **Classes**
|
|
|
|
The WMI class name eg: win32\_process is a starting point for any WMI action. We always need to know a Class Name and the Namespace where it is located.
|
|
List classes starting with `win32`:
|
|
|
|
```bash
|
|
Get-WmiObject -Recurse -List -class win32* | more #If no namespace is specified, by default is used: "root\cimv2"
|
|
gwmi -Namespace "root/microsoft" -List -Recurse -Class "MSFT_MpComput*"
|
|
```
|
|
|
|
Call a class:
|
|
|
|
```bash
|
|
#When you don't specify a namespaces by default is "root/cimv2"
|
|
Get-WmiObject -Class win32_share
|
|
Get-WmiObject -Namespace "root/microsoft/windows/defender" -Class MSFT_MpComputerStatus
|
|
```
|
|
|
|
## Methods
|
|
|
|
WMI classes have one or more functions that can be executed. These functions are called methods.
|
|
|
|
```bash
|
|
#Load a class using [wmiclass], leist methods and call one
|
|
$c = [wmiclass]"win32_share"
|
|
$c.methods
|
|
#Find information about the class in https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share
|
|
$c.Create("c:\share\path","name",0,$null,"My Description")
|
|
#If returned value is "0", then it was successfully executed
|
|
```
|
|
|
|
```bash
|
|
#List methods
|
|
Get-WmiObject -Query 'Select * From Meta_Class WHERE __Class LIKE "win32%"' | Where-Object { $_.PSBase.Methods } | Select-Object Name, Methods
|
|
#Call create method from win32_share class
|
|
Invoke-WmiMethod -Class win32_share -Name Create -ArgumentList @($null, "Description", $null, "Name", $null, "c:\share\path",0)
|
|
```
|
|
|
|
# WMI Enumeration
|
|
|
|
## Check WMI service
|
|
|
|
This how you can check if WMI service is running:
|
|
|
|
```bash
|
|
#Check if WMI service is running
|
|
Get-Service Winmgmt
|
|
Status Name DisplayName
|
|
------ ---- -----------
|
|
Running Winmgmt Windows Management Instrumentation
|
|
|
|
#From CMD
|
|
net start | findstr "Instrumentation"
|
|
```
|
|
|
|
## System Information
|
|
|
|
```bash
|
|
Get-WmiObject -ClassName win32_operatingsystem | select * | more
|
|
```
|
|
|
|
## Process Information
|
|
|
|
```bash
|
|
Get-WmiObject win32_process | Select Name, Processid
|
|
```
|
|
|
|
From an attacker's perspective, WMI can be very valuable in enumerating sensitive information about a system or the domain.
|
|
|
|
```text
|
|
wmic computerystem list full /format:list
|
|
wmic process list /format:list
|
|
wmic ntdomain list /format:list
|
|
wmic useraccount list /format:list
|
|
wmic group list /format:list
|
|
wmic sysaccount list /format:list
|
|
```
|
|
|
|
```bash
|
|
Get-WmiObject Win32_Processor -ComputerName 10.0.0.182 -Credential $cred
|
|
```
|
|
|
|
# **Manual Remote WMI Querying**
|
|
|
|
For example, here's a very stealthy way to discover local admins on a remote machine \(note that domain is the computer name\):
|
|
|
|
```bash
|
|
wmic /node:ordws01 path win32_groupuser where (groupcomponent="win32_group.name=\"administrators\",domain=\"ORDWS01\"")
|
|
```
|
|
|
|
Another useful oneliner is to see who is logged on to a machine \(for when you're hunting admins\):
|
|
|
|
```text
|
|
wmic /node:ordws01 path win32_loggedonuser get antecedent
|
|
```
|
|
|
|
`wmic` can even read nodes from a text file and execute the command on all of them. If you have a text file of workstations:
|
|
|
|
```text
|
|
wmic /node:@workstations.txt path win32_loggedonuser get antecedent
|
|
```
|
|
|
|
**We'll remotely create a process over WMI to execute a Empire agent:**
|
|
|
|
```bash
|
|
wmic /node:ordws01 /user:CSCOU\jarrieta path win32_process call create "**empire launcher string here**"
|
|
```
|
|
|
|
We see it executed successfully \(ReturnValue = 0\). And a second later our Empire listener catches it. Note the process ID is the same as WMI returned.
|
|
|
|
All this information was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
|
|
|
|
|
|
|
|
<details>
|
|
|
|
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
|
|
|
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
|
|
|
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
|
|
|
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|
|
|
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
|
|
|
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
|
|
|
</details>
|
|
|
|
|