WmiExec
With WMI, processes can be started on hosts for which the username and either the password or the NTLM hash are known. wmiexec runs commands through WMI and presents the results as a semi-interactive shell.
dcomexec.py: using different DCOM endpoints, this script offers a semi-interactive shell similar to wmiexec.py, by default through the ShellBrowserWindow DCOM object. It currently supports the MMC20.Application, ShellWindows and ShellBrowserWindow objects. (source: )
Structured in a directory-style hierarchy, WMI's top-level container is \root, under which additional directories, referred to as namespaces, are organized. Commands to list namespaces:
Classes within a namespace can be listed using:
Knowing a WMI class name, such as win32_process, and the namespace it resides in is required for any WMI operation. Commands to list classes beginning with win32:
Invocation of a class:
Methods, which are one or more executable functions of WMI classes, can be executed.
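The enumeration steps above (namespaces under \root, classes in a namespace, instances of a class, and the methods a class exposes) carried out with the built-in CIM cmdlets. This is an added example, not code from the original page; it runs against the local host, and `root\cimv2` and `Win32_Process` are used because they are the namespace and class the text refers to.

```powershell
# Added example: walk the WMI hierarchy locally with the CIM cmdlets.
# Add -ComputerName <host> (or a CimSession) to each call for a host you administer.

# 1. Namespaces directly under \root are instances of the __NAMESPACE system class
Get-CimInstance -Namespace 'root' -ClassName '__NAMESPACE' |
    Select-Object -ExpandProperty Name |
    Sort-Object

# 2. Classes in root\cimv2 whose name starts with Win32_ (wildcards are allowed)
Get-CimClass -Namespace 'root\cimv2' -ClassName 'Win32_*' |
    Select-Object -ExpandProperty CimClassName |
    Sort-Object

# 3. "Invoke" a class: retrieve its current instances, here running processes
Get-CimInstance -Namespace 'root\cimv2' -ClassName 'Win32_Process' |
    Select-Object -First 5 ProcessId, Name, CommandLine

# 4. Methods the class exposes (Create, Terminate, GetOwner, ... for Win32_Process)
(Get-CimClass -Namespace 'root\cimv2' -ClassName 'Win32_Process').CimClassMethods |
    Select-Object Name, ReturnType
```

Step 4 is what makes the class useful beyond read-only queries: `CimClassMethods` shows which calls a class accepts, and the same listing is what an auditor checks when deciding which classes a delegated WMI account should be allowed to reach.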
Commands to verify if the WMI service is operational:
Gathering system and process information through WMI:
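A worked version of the two checks above, added here as an example rather than taken from the page: confirm that the WMI service (Winmgmt) is running and answering, then collect operating-system and per-process information including the owning account. `$Target` is a placeholder for a host you administer; it defaults to the local machine.

```powershell
# Added example: verify the WMI service and gather system/process information over CIM.
$Target = 'localhost'   # placeholder: a host you are authorised to query

$session = New-CimSession -ComputerName $Target

# The WMI service itself is exposed through Win32_Service; if this query answers,
# the repository is reachable and the State/StartMode fields tell you how it runs.
$svc = Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "Name='winmgmt'"
'WMI service on {0}: {1} (start mode {2})' -f $Target, $svc.State, $svc.StartMode

# Host and operating-system details
Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, Version, LastBootUpTime

# Running processes with their owner, obtained through the GetOwner instance method
Get-CimInstance -CimSession $session -ClassName Win32_Process |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            PID   = $_.ProcessId
            Name  = $_.Name
            Owner = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<n/a>' }
        }
    } |
    Sort-Object Name |
    Format-Table -AutoSize

Remove-CimSession $session
```

`GetOwner` fails (non-zero `ReturnValue`) for system processes the caller cannot open, so the example reports `<n/a>` instead of printing an empty owner; a complete listing of owners normally means the query ran with administrative rights.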
For attackers, WMI is a potent tool for enumerating sensitive data about systems or domains.
Remote querying of WMI for specific information, such as local admins or logged-on users, is feasible with careful command construction.
Stealthy identification of local admins on a remote machine and logged-on users can be achieved through specific WMI queries. wmic also supports reading from a text file to execute commands on multiple nodes simultaneously.
To remotely execute a process over WMI, such as deploying an Empire agent, the following command structure is employed, with successful execution indicated by a return value of "0":
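Remote process creation through WMI leaves a distinctive trace on the target: the new process is a child of WmiPrvSE.exe, the WMI provider host. The following script, added here as a defender-side example and not part of the original page, searches the Security log for process-creation events (ID 4688) whose parent is WmiPrvSE.exe. It assumes "Audit Process Creation" is enabled, that the shell is elevated enough to read the Security log, and a lookback window `$Hours` chosen for illustration.

```powershell
# Added example: list processes spawned by the WMI provider host (WmiPrvSE.exe),
# which is the footprint of Win32_Process.Create calls such as wmiexec's.
$Hours = 24   # illustrative lookback window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # 4688 fields live in the EventData section; map them by their Name attribute
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ParentProcessName'] -like '*\WmiPrvSE.exe') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process = $data['NewProcessName']
            Command = $data['CommandLine']   # filled only if command-line auditing is on
        }
    }
}
```

Legitimate management tooling also creates processes through WmiPrvSE.exe, so the output is a review list rather than an alert on its own; the Subject column (the account that requested the creation) and the command line are what distinguish routine administration from use of a credential that should not be active on that host.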
This process illustrates WMI's capability for remote execution and system enumeration, highlighting its utility for both system administration and penetration testing.