WmiExec
How It Works Explained
Processes can be opened on hosts where the username and either password or hash are known through the use of WMI. Commands are executed using WMI by Wmiexec, providing a semi-interactive shell experience.
dcomexec.py: Utilizing different DCOM endpoints, this script offers a semi-interactive shell akin to wmiexec.py, specifically leveraging the ShellBrowserWindow DCOM object. It currently supports MMC20. Application, Shell Windows, and Shell Browser Window objects. (source: Hacking Articles)
WMI Fundamentals
Namespace
Structured in a directory-style hierarchy, WMI's top-level container is \root, under which additional directories, referred to as namespaces, are organized. Commands to list namespaces:
Classes within a namespace can be listed using:
Classes
Knowing a WMI class name, such as win32_process, and the namespace it resides in is crucial for any WMI operation. Commands to list classes beginning with win32
:
Invocation of a class:
Methods
Methods, which are one or more executable functions of WMI classes, can be executed.
WMI Enumeration
WMI Service Status
Commands to verify if the WMI service is operational:
System and Process Information
Gathering system and process information through WMI:
For attackers, WMI is a potent tool for enumerating sensitive data about systems or domains.
Remote querying of WMI for specific information, such as local admins or logged-on users, is feasible with careful command construction.
Manual Remote WMI Querying
Stealthy identification of local admins on a remote machine and logged-on users can be achieved through specific WMI queries. wmic
also supports reading from a text file to execute commands on multiple nodes simultaneously.
To remotely execute a process over WMI, such as deploying an Empire agent, the following command structure is employed, with successful execution indicated by a return value of "0":
This process illustrates WMI's capability for remote execution and system enumeration, highlighting its utility for both system administration and penetration testing.
References
Automatic Tools
Last updated