HackTricks
WmicExec

How does it work

WMI lets you start a process on a host for which you know a valid username and password (or hash). Wmiexec uses WMI to spawn a new process for each command you ask it to run, which is why it gives you a semi-interactive shell rather than a fully interactive one.
dcomexec.py: this script gives a semi-interactive shell similar to wmiexec.py, but uses different DCOM endpoints (the ShellBrowserWindow DCOM object). It currently supports the MMC20.Application, ShellWindows and ShellBrowserWindow objects. (from here)

WMI Basics

Namespace

WMI is divided into a directory-style hierarchy, the \root container, with other directories under \root. These "directory paths" are called namespaces. List namespaces:
#Get Root namespaces
gwmi -namespace "root" -Class "__Namespace" | Select Name

#List all namespaces (you may need administrator to list all of them)
Get-WmiObject -Class "__Namespace" -Namespace "Root" -List -Recurse 2> $null | select __Namespace | sort __Namespace

#List namespaces inside "root\cimv2"
Get-WmiObject -Class "__Namespace" -Namespace "root\cimv2" -List -Recurse 2> $null | select __Namespace | sort __Namespace
List classes of a namespace with:
gwmi -List -Recurse #If no namespace is specified, "root\cimv2" is used by default
gwmi -Namespace "root/microsoft" -List -Recurse

Classes

The WMI class name, e.g. win32_process, is the starting point for any WMI action. You always need to know a class name and the namespace it lives in. List classes starting with win32:
Get-WmiObject -Recurse -List -class win32* | more #If no namespace is specified, "root\cimv2" is used by default
gwmi -Namespace "root/microsoft" -List -Recurse -Class "MSFT_MpComput*"
Call a class:
#When you don't specify a namespace, "root/cimv2" is used by default
Get-WmiObject -Class win32_share
Get-WmiObject -Namespace "root/microsoft/windows/defender" -Class MSFT_MpComputerStatus

Methods

WMI classes have one or more functions that can be executed. These functions are called methods.
#Load a class using [wmiclass], list its methods and call one
$c = [wmiclass]"win32_share"
$c.methods
#Find information about the class in https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-share
$c.Create("c:\share\path","name",0,$null,"My Description")
#If the returned value is "0", the method executed successfully
#List methods
Get-WmiObject -Query 'Select * From Meta_Class WHERE __Class LIKE "win32%"' | Where-Object { $_.PSBase.Methods } | Select-Object Name, Methods
#Call the Create method of the win32_share class (arguments are passed in alphabetical parameter order)
Invoke-WmiMethod -Class win32_share -Name Create -ArgumentList @($null, "Description", $null, "Name", $null, "c:\share\path",0)

WMI Enumeration

Check WMI service

This is how you can check whether the WMI service is running:
#Check if WMI service is running
Get-Service Winmgmt
Status  Name     DisplayName
------  ----     -----------
Running Winmgmt  Windows Management Instrumentation

#From CMD
net start | findstr "Instrumentation"

System Information

Get-WmiObject -ClassName win32_operatingsystem | select * | more

Process Information

Get-WmiObject win32_process | Select Name, Processid
From an attacker's perspective, WMI can be very valuable in enumerating sensitive information about a system or the domain.
wmic computersystem list full /format:list
wmic process list /format:list
wmic ntdomain list /format:list
wmic useraccount list /format:list
wmic group list /format:list
wmic sysaccount list /format:list
Get-WmiObject Win32_Processor -ComputerName 10.0.0.182 -Credential $cred

Manual Remote WMI Querying

For example, here's a very stealthy way to discover local admins on a remote machine (note that domain is the computer name):
wmic /node:ordws01 path win32_groupuser where (groupcomponent="win32_group.name=\"administrators\",domain=\"ORDWS01\"")
Another useful one-liner is to see who is logged on to a machine (for when you're hunting admins):
wmic /node:ordws01 path win32_loggedonuser get antecedent
wmic can even read nodes from a text file and execute the command on all of them. If you have a text file of workstations:
wmic /node:@workstations.txt path win32_loggedonuser get antecedent
We'll remotely create a process over WMI to execute an Empire agent:
wmic /node:ordws01 /user:CSCOU\jarrieta path win32_process call create "**empire launcher string here**"
It executes successfully (ReturnValue = 0) and a second later the Empire listener catches the agent. Note that the process ID is the same one WMI returned.
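The flip side of the remote win32_process call create above: whichever tool issues it (wmic, wmiexec.py, Invoke-WmiMethod), the new process on the target is a child of the WMI provider host WmiPrvSE.exe, and its PID is the one WMI returns. The following PowerShell is an added example (not code from the page or from any of the tools it names) that pulls those children out of the local Security log; it assumes "Audit Process Creation" (event 4688) is enabled, that command-line logging is switched on if you want the CommandLine column, and a Windows 10 / Server 2016 or later host, where 4688 carries ParentProcessName.

```powershell
# Added example: list processes spawned through WMI (children of WmiPrvSE.exe)
# from Security event 4688. Assumptions: process-creation auditing enabled,
# command-line auditing enabled for the CommandLine field, Windows 10/2016+ so
# that ParentProcessName is present, and the script runs as an administrator.
param(
    [int]$Hours = 24    # how far back to look
)

function Get-WmiSpawnedProcess {
    param([datetime]$StartTime)

    # 4688 = "A new process has been created"
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $StartTime
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Only processes whose creator is the WMI provider host
        if ($d['ParentProcessName'] -like '*\WmiPrvSE.exe') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $d['ParentProcessName']
                NewProcess  = $d['NewProcessName']
                CommandLine = $d['CommandLine']
                Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                # NewProcessId is logged as a hex string (e.g. 0x1a2c); this is the
                # same PID that Win32_Process.Create returned to the caller
                PID         = [int]$d['NewProcessId']
            }
        }
    }
}

Get-WmiSpawnedProcess -StartTime (Get-Date).AddHours(-$Hours) |
    Sort-Object Time |
    Format-Table -AutoSize
```

WmiPrvSE.exe also spawns children for legitimate management software, so baseline the NewProcess/Subject pairs first; a cmd.exe child with an unfamiliar Subject account is the case to chase.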