SANS Penetration Testing

Pen Test Poster: "White Board" - CMD.exe - C:\> wmic process

Board Elements_clean_CMD.exe KUNG-FU! 4

By Matthew Toussain, Grant Curell

 

If Windows Management Instrumentation (WMI) is the Matrix then its console (WMIC) is Neo.

wmic_01

 

WMI is the Microsoft variant of Web Based Enterprise Management (WBEM) and Common Information Model (CIM). Essentially, it forms the connective tissue that defines application specific characteristics to enable cohesive interactivity between systems from differing sources. For the information security practitioner, WMI provides a mechanism to query an underlying system with a massive amount of capability and information built in. In this post we explore the robust set of features available within WMIC.

 

Methods Covered in this Section

wmic to get a full listing of the running processes:

wmic process list full

wmic print to a HTML formatted list of processes:

wmic /output:wmic.html process list full /format:hform

wmic query running services:

sc query type= service

wmic startup programs:

wmic startup list brief

wmic remote command execution:

wmic /node:10.0.0.1 /user:Administrator process call create "cmd.exe /c calc.exe"

 

The wmic process list full command displays all the information available for a process. Output data here is substantial and frequently overwhelming. Here is what the output (for one process) looks like:

 

wmic to get a full listing of the running processes:
wmic process list full

wmic_02

From the information listed, the key fields that may require additional investigation include:

 

1. CommandLine - If run with any options, for example nc -l -p 4444, it would appear here.
2. ExecutablePath - This is where the binary executes from
3. ParentProcessId - At times there may be a child/parent relationship which may be exploited
4. ProcessId - The PID of the process

 

Process list full provides an excessive amount of data. Data handling is advised. Consider leveraging more or storing stdout into a text file:

wmic process list full | more

wmic process list full > output.txt

It is also possible to format wmic output as HTML:

wmic print to a HTML formatted list of processes:
wmic /output:wmic.html process list full /format:hform

wmic_03

 

Command Breakdown

wmic process list full

1. wmic - Windows Management Instrumentation Command-Line
2. process - WMIC can work with virtually all aspects of a system. This tutorial only covers processes, but WMIC displays a full list of potential objects with wmic /?
3. list - List all of the processes within the process object
4. full - List all aspects of the process. Different display options are available including brief, instance, IO, and many others. 
Each displays a different subset of process information.

 

wmic /output:wmic.html process list full /format:hform

1. /output:wmic.html - Print the output of WMIC to an HTML file
2. /format:hform - Options include table, list, csv, xml, htable, and hform. hform prints the WMIC output in HTML format.

 

Bonus - Services, Autoruns, and Remote Command Execution, oh my!

Wmic is a critical component in any information security professional's bag of tricks, and we would be remiss not to discuss some of its extended features. For instance, a particularly useful technique for detecting network intrusions is to target common persistence mechanisms utilized by threat actors. Wmic can be used to quickly identify applications that run on system reboot.

wmic startup programs:
wmic startup list brief

wmic_04

 

wmic remote command execution:
wmic /node:10.0.0.1 /user:Administrator process call create "cmd.exe /c calc.exe"

 

Finally, when moving laterally, wmic provides a tried and true method for leveraging network credentials to perform remote command execution and establish sessions on an endless stream of hosts. In this fashion, wmic functions much like psexec, but it has the added benefit of existing by default on all windows operating systems from Windows Me and NT onwards.

 

Conclusion

WMIC is a great tool for moving within and manipulating the environment with native capability. Not only is it incredibly powerful, but will likely draw less attention than many other more distinct and well known pentesting tools. Only the shallowest depths of its functionality are explored here, but the potential is nearly endless. Try, explore, and learn!

 

Print Your Own:

Get all of the CMD.exe tips from the SANS Pen Test Poster: "White Board of Awesome Command Line Kung-Fu!"

Board Elements_fung-fu

PDF: https://blogs.sans.org/pen-testing/files/2017/03/Board-Elements_fung-fu.pdf

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event - 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen
kringle_02

Post a Comment






Captcha


* Indicates a required field.