Running WMIC in a Command Shell
WMIC is one of those Windows command that you just love do to it's flexibility but sadly when you have a shell you are not able to run it because it breaks the shell losing possible hours of work to achieve the shell and possibly by running the attack again one might bring down the target server. I found that the best way to run WMIC is with Metasploit Meterpreter by executing the command in the following way in Meterpreter:
e execute -H -f cmd.exe -a "/c wmic /append:c:\windows\temp\34des34.txt process get name,processid,commandline"
When not using Meterpreter and running from a simple command shell like from netcat I use to use in the past SC to create a service that would execute a script with all of my wmic commands or use schtasks or at to schedule the command and then collect the output but this proved to be very time consuming and prone to error. So I changed my approach and started using WSH scripting to execute wmic for me. It works in the following manner, I first create a vb script for executing my wmic commands, it can be even used to execute Powershell!!!
echo CreateObject("Wscript.Shell").Run Wscript.Arguments(0), 0, False > execcmd.vbs
cscript //nologo execcmd.vbs "wmic /append:c:\windows\temp\34des34.txt process get name,processid,commandline"
type c:\windows\temp\34des34.txt
we can even script out entire enumeration by doing something like this:
echo wmic /append:c:\windows\temp\34des34.txt computersystem list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt useraccount list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt group list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt service list brief >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt volume list brief >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt process list brief >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt startup list full >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt rdtoggle list >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt qfe >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,filesystem,name,size >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt logicaldisk get description,name,freespace,size >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt volume get label,freespace,filesystem,capacity,driveletter >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,lastlogon >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netlogin get name,badpasswordcount >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt desktop get screensaversecure,screensavertimeout >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt logon get authenticationpackage >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netclient get name >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt netuse get name,username,connectiontype,localname >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt nteventlog get path,filename,writeable >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt os get name,servicepackmajorversion >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt service get name,startmode,state,status >> c:\windows\temp\sdcx.cmd
echo wmic /append:c:\windows\temp\34des34.txt product get name,version >> c:\windows\temp\sdcx.cmd
cscript //nologo execcmd.vbs "cmd /c c:\windows\temp\sdcx.cmd"
Reader Comments