{"id":806,"date":"2020-02-03T23:28:17","date_gmt":"2020-02-04T05:28:17","guid":{"rendered":"http:\/\/zewwy.ca\/?p=806"},"modified":"2020-02-03T23:28:17","modified_gmt":"2020-02-04T05:28:17","slug":"wmic-fun","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2020\/02\/03\/wmic-fun\/","title":{"rendered":"WMIC Fun!"},"content":{"rendered":"

I’ve blogged about WMI<\/a> before, more for setting up dedicated accounts for monitoring purposes.<\/p>\n

Today we are going to have some fun with WMIC, the command line interface for simple and quick query data.<\/p>\n

I got these ideas after reading this source blog<\/a>… and I was curious at what level these worked (admin or not)<\/p>\n

<\/span>Using WMI<\/span><\/h1>\n

Most WMIC commands are issued in the following format:<\/p>\n

wmic [Object Class] [Action] [Parameters]<\/pre>\n
For example, you can collect a list of groups or users on the local system and domain using the following commands:<\/p>\n
wmic group list brief\r\nwmic useraccount get name,sid<\/pre>\n
Yup, SIDs are no secret and you can pretty much query the whole domain if there’s been no hardening done. I haven’t tested this on a hardened domain but out of the box all users login name and SID are open for any standard user to query.<\/p>\n
You can also perform the same data collection over the network without ever logging into the remote machine provided you know have some administrative credentials that the remote system will accept.<\/p>\n
The same command issued against a remote system in another domain looks like this:<\/p>\n
wmic \/user:\"FOREIGN_DOMAIN\\Admin\" \/password:\"Password\" \/node:192.168.33.25 group list brief<\/pre>\n
I can’t test this in my lab as I don’t have an alternative domain to play with (yet), but let’s see if I can query a member server using a standard domain account:<\/p>\n
wmic \/node:subca.zewwy.ca group list brief<\/pre>\n
\"\"<\/a><\/p>\n
\"\"<\/a><\/p>\n
nope well that’s good…<\/p>\n
Processes
\nWMIC can collect a list of the currently running processes similar to what you\u2019d see in \u201cTask Manager\u201d using the following command:<\/p>\n
wmic process list\r\nwmic process get name<\/pre>\n
Note that some of the WMIC built-ins can also be used in \u201cbrief\u201d mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:<\/p>\n
wmic process list brief<\/pre>\n
Yup, those all work, even as standard user.<\/p>\n
<\/span>Some examples<\/span><\/h2>\n
Start an Application<\/p>\n
wmic process call create \"calc.exe\"<\/pre>\n
Yeah… that worked…<\/p>\n
\"\"<\/a><\/p>\n
I decided to see if I could somehow exploit these to get elevated rights, so far no dice.. but I did find this randomly<\/a> while searching for a possible way…<\/p>\n
<\/p>\n
sure enough, if you add start cmd.exe \/k “net use” and name it net use.bat it will go into and endless loop. Mhmm interesting and easiest way to do a Denial Of Service attack.<\/p>\n
anyway moving on…<\/p>\n
<\/span>System Information and Settings<\/span><\/h2>\n
You can collect a listing of the environment variables (including the PATH) with this command: (standard User works)<\/p>\n
wmic environment list<\/pre>\n
OS\/System Report HTML Formatted<\/p>\n
wmic \/output:c:os.html os get \/format:hform<\/pre>\n
\"\"<\/a><\/p>\n
This was literally cause my standard account didn’t have access to C:\\temp cause I created the folder using my admin account at some earlier point in time.<\/p>\n
Products\/Programs Installed Report HTML Formatted<\/p>\n
wmic \/output:c:product.html product get \/format:hform<\/pre>\n
Turn on Remoted Desktop Remotely<\/p>\n
Wmic \/node:\"servername\" \/user:\"user@domain\" \/password: \"password\" RDToggle where ServerName=\"server name\" call SetAllowTSConnections 1<\/pre>\n
\"\"<\/a><\/p>\n
Get Server Drive Space Usage Remotely (any node commands require elevated permissions, standard user fails at these generally)<\/p>\n
WMIC \/Node:%%A LogicalDisk Where DriveType=\"3\" Get DeviceID,FileSystem,FreeSpace,Size \/Format:csv MORE \/E +2 >> SRVSPACE.CSV<\/pre>\n
Get PC Serial Number (works as standard user)<\/p>\n
wmic bios get serialnumber<\/pre>\n
Get PC Product Number (works as standard user)<\/p>\n
wmic baseboard get product<\/pre>\n
Find stuff that starts on boot (works as standard user)<\/p>\n
wmic STARTUP GET Caption, Command, User<\/pre>\n
Reboot or Shutdown (works as standard user)<\/p>\n
wmic os get buildnumber\r\nwmic os where buildnumber=\"2600\" call reboot<\/pre>\n
Get Startup List (works as standard user)<\/p>\n
wmic startup list full<\/pre>\n
Information About Harddrives (works as standard user)<\/p>\n
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber<\/pre>\n
Information about OS (works as standard user)<\/p>\n
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory \/format:htable > c:osinfo.htm<\/pre>\n
<\/span>User and Groups<\/span><\/h2>\n
Local user and group information can be obtained using these commands:<\/p>\n
wmic useraccount list<\/pre>\n
wmic group list<\/pre>\n
wmic sysaccount list<\/pre>\n
For domain controllers, this should provide a listing of all user accounts and groups in the domain. The \u201csysaccount\u201d version provides you with system accounts built-in and otherwise,which is useful for any extra accounts that may have been added by rootkits.<\/p>\n
Identify any local system accounts that are enabled (guest, etc.)<\/p>\n
wmic USERACCOUNT WHERE \"Disabled=0 AND LocalAccount=1\" GET Name<\/pre>\n
Number of Logons Per USERID<\/p>\n
wmic netlogin where (name like \"%skodo\") get numberoflogons<\/pre>\n
Get Domain Names And When Account PWD set to Expire<\/p>\n
WMIC UserAccount GET name,PasswordExpires \/Value<\/pre>\n
<\/span>Patch Management<\/span><\/h2>\n
Need to know if there are any missing patches on the system? WMIC can help you find out with this command:<\/p>\n
wmic qfe list<\/pre>\n
The QFE here stands for \u201cQuick Fix Engineering\u201d.
\nThe results also include the dates of install should that be needed from an auditing standpoint.<\/p>\n
<\/span>Shares<\/span><\/h2>\n
Enumeration of all of the local shares can be collected using the command:<\/p>\n
wmic share list<\/pre>\n
The result will also include hidden shares (named with a $ at the end).<\/p>\n
Find user-created shares (usually not hidden)<\/p>\n
wmic SHARE WHERE \"NOT Name LIKE '%$'\" GET Name, Path<\/pre>\n
so far all these are working as standard user, but that doesn’t mean anything.<\/p>\n
<\/span>Networking<\/span><\/h2>\n
Use the following command to extract a list of network adapters and IP address information:<\/p>\n
wmic nicconfig list<\/pre>\n
Get Mac Address:<\/p>\n
wmic nic get macaddress<\/pre>\n
Update static IP address:<\/p>\n
wmic nicconfig get description, index\r\nwmic nicconfig where index=9 call enablestatic(\"192.168.16.4\"), (\"255.255.255.0\")<\/pre>\n
\"\"<\/a><\/p>\n
Yup got to be an admin for that one<\/p>\n
Change network gateway:<\/p>\n
wmic nicconfig where index=9 call setgateways(\"192.168.16.4\", \"192.168.16.5\"),(1,2)<\/pre>\n
Enable DHCP:<\/p>\n
wmic nicconfig where index=9 call enabledhcp<\/pre>\n
Get List of IP Interfaces<\/p>\n
wmic nicconfig where IPEnabled='true'<\/pre>\n
<\/span>Services<\/span><\/h2>\n
WMIC can list all of the installed services and their configurations using this command:<\/p>\n
wmic service list<\/pre>\n
The output will include the full command used for starting the service and its verbose description.<\/p>\n
<\/span>Other examples<\/span><\/h2>\n
Service Management<\/p>\n
 wmic service where caption=\"DHCP Client\" call changestartmode \"Disabled\"<\/pre>\n
Look at services that are set to start automatically<\/p>\n
wmic SERVICE WHERE StartMode=\"Auto\" GET Name, State<\/pre>\n
Services Report on a Remote Machine HTML Formatted:<\/p>\n
wmic \/output:c:services.htm \/node:server1 service list full \/ format:htable<\/pre>\n
Get Startmode of Services<\/p>\n
Wmic service get caption, name, startmode, state<\/pre>\n
Change Start Mode of Service:<\/p>\n
wmic service where (name like \"Fax\" OR name like \"Alerter\") CALL ChangeStartMode Disabled<\/pre>\n
Get Running Services Information<\/p>\n
Wmic service where (state=\"running\") get caption, name, startmode, state<\/pre>\n
Another interesting feature of WMIC is its ability to record the run-time command executed and runtime configuration all in one XML file. A recorded session might look something like this:<\/p>\n
wmic \/record:users_list.xml useraccount list<\/pre>\n
Of course, since WMIC wasn\u2019t designed as a recording device, there are some caveats to using the XML. First, you can only use XML output, there are no other formats defined.<\/p>\n
<\/span>Event logs<\/span><\/h2>\n
Obtain a Certain Kind of Event from Eventlog<\/p>\n
wmic ntevent where (message like \"%logon%\") list brief<\/pre>\n
Clear the Eventlog<\/p>\n
wmic nteventlog where (description like \"%secevent%\") call cleareventlog<\/pre>\n
Retrieve list of warning and error events not from system or security logs<\/p>\n
WMIC NTEVENT WHERE \u201cEventType < 3 AND LogFile != \u2018System\u2019 AND LogFile != \u2018Security\u2019\u201d GET LogFile, SourceName, EventType, Message, TimeGenerated \/FORMAT:\u201dhtable.xsl\u201d:\u201d datatype = number\u201d:\u201d sortby = EventType\u201d > c:appevent.htm<\/pre>\n
Thanks Andrea!<\/p>\n","protected":false},"excerpt":{"rendered":"
I’ve blogged about WMI before, more for setting up dedicated accounts for monitoring purposes. Today we are going to have some fun with WMIC, the command line interface for simple and quick query data. I got these ideas after reading this source blog… and I was curious at what level these worked (admin or not) … <\/p>\n
Continue reading “WMIC Fun!”<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[8,197],"tags":[273],"class_list":["post-806","post","type-post","status-publish","format-standard","hentry","category-server-administration","category-windows","tag-wmic"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=806"}],"version-history":[{"count":3,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/806\/revisions"}],"predecessor-version":[{"id":809,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/806\/revisions\/809"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}