Sunday 18 February 2018

Post Exploitation Using WMIC (System Command)

This article is about post exploitation using WMIC (the Windows Management Instrumentation Command-line). Once an attacker gains a meterpreter session on a remote PC, he/she can enumerate a large amount of information and make effective changes to the system through the WMI command line.

To do this, we will first get a meterpreter session on the remote PC (which you can learn from here). After gaining the session, escalate its privilege to Administrator (which you can learn from here).

The WMIC command line is accessed through the Windows cmd. To get there, type "shell" in the meterpreter session.

Now let's look at the wmic commands and how they work.

WMIC

This command shows the global options used with wmic. Global options set properties of the WMIC environment; combining global options with the aliases lets us manage the system through the WMIC environment.

Syntax/Example: wmic /?

Get System Roles, User Name, and Manufacturer

We can enumerate a lot of information about the victim system, including its name, domain, manufacturer, model number and much more, through the computersystem alias of wmic.

We request the following properties (plus one formatting switch) to get a specific result:

Roles: gives all the roles the victim system plays, such as Workstation, Server, Browser, etc.

Manufacturer: gives the manufacturer of the system. Sometimes a particular model from a particular manufacturer has known vulnerabilities, so this information can be used to search for any direct vulnerabilities.

UserName: gives the user name on the system, which proves very helpful as it lets us differentiate between administrators and normal users.

/format:list: formats the output as a list.

Example: wmic computersystem get Name, Domain, Manufacturer, Model, Username, Roles /format:list

Get the SIDs

To enumerate the SIDs we use the group alias of wmic.

Syntax/Example: wmic group get Caption, InstallDate, LocalAccount, Domain, SID, Status

As shown in the image below, we have found the account name, domain, local account status, SID and status of each group.

Create a process

We can create processes on the victim's system using the process alias of wmic.

This is helpful for running a backdoor or filling up the memory of the victim's system.

Syntax: wmic process call create "[Process Name]"

Example: wmic process call create "taskmgr.exe"

As you can see in the screenshot below, this command not only creates the process but also returns its process ID, so that we can manipulate that process according to our needs.

Note: if the process creates a window (Task Manager, cmd, etc.), this command opens that window on the victim's system and may arouse the victim's suspicion.

Change Priority of a Process

We can change the priority of any process running on the victim's system with the help of the process alias of wmic.

This is an important feature because it lets us manipulate processes: we can increase or decrease the priority of any process of our choice. Decreasing the priority of a process can result in that particular application crashing, and increasing it may crash the overall system.

Example: wmic process where name="explorer.exe" call setpriority 64

Terminate a process

We can terminate a process running on the victim's system with the help of the process alias of wmic.

Example: wmic process where name="explorer.exe" call terminate
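Each of the three process calls above (create, setpriority, terminate) is itself a new wmic process on the host, so it shows up in process-creation telemetry. The following is an added example written for this page, not code from the original article or from any tool it mentions: it scans constructed records shaped like the fields a Security 4688 event (with command-line auditing on) or a Sysmon Event ID 1 exposes, and flags wmic invocations of the Win32_Process methods. Hostnames, users, parent paths and the event layout are assumptions made for the sample.

```python
"""Flag WMIC process-manipulation calls in process-creation telemetry.

Added example, not from the original article. The events below are
constructed to resemble the fields of a Windows Security 4688 event (with
command-line auditing enabled) or a Sysmon Event ID 1; hosts, users and
parent processes are made up.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events: one dict per process creation.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "LAB-PC-01", "user": "LAB-PC-01\\alice", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "wmic computersystem get Name, Domain, Manufacturer /format:list"},
    {"host": "LAB-PC-01", "user": "LAB-PC-01\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "wmic process call create \"taskmgr.exe\""},
    {"host": "LAB-PC-01", "user": "LAB-PC-01\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "wmic process where name=\"explorer.exe\" call setpriority 64"},
    {"host": "LAB-PC-01", "user": "LAB-PC-01\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "wmic process where name=\"explorer.exe\" call terminate"},
    {"host": "LAB-PC-02", "user": "CORP\\svc-inv", "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "wmic environment get Description, VariableValue"},
]

# The Win32_Process methods the article drives through the `process` alias.
# Read-only verbs (get/list) are deliberately left out to keep the noise down.
_WMIC_METHOD_RE = re.compile(
    r"\bwmic(?:\.exe)?\b.*\bprocess\b.*\bcall\s+(create|terminate|setpriority)\b",
    re.IGNORECASE,
)
# Target of a `where name=...` clause (setpriority / terminate).
_TARGET_RE = re.compile(r"""where\s+name\s*=\s*["']?([^"'\s]+)""", re.IGNORECASE)
# Program named in a `call create ...` (quotes optional).
_CREATE_RE = re.compile(r"""call\s+create\s+["']?([^"']+)""", re.IGNORECASE)


def classify(cmdline: str) -> Optional[str]:
    """Return 'create', 'terminate' or 'setpriority' for a wmic process call, else None."""
    m = _WMIC_METHOD_RE.search(cmdline)
    return m.group(1).lower() if m else None


def find_wmic_process_calls(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event that invokes a Win32_Process method via wmic."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        method = classify(ev["cmdline"])
        if method is None:
            continue
        if method == "create":
            m = _CREATE_RE.search(ev["cmdline"])
            target = m.group(1).strip() if m else "?"
        else:
            m = _TARGET_RE.search(ev["cmdline"])
            target = m.group(1) if m else "?"
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent"],   # a cmd.exe parent under an interactive user is worth a look
            "method": method,
            "target": target,
        })
    return findings


if __name__ == "__main__":
    for f in find_wmic_process_calls(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['method']} -> {f['target']} (parent: {f['parent']})")
```

The enumeration-only commands in the sample (computersystem, environment) are intentionally not flagged; in a real deployment the parent process and user fields are what separate an administrator's inventory script from an interactive shell obtained the way this article describes.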

Get a list of Executable Files

We can list the executable paths of running processes whose path does not contain "Windows", i.e. executables other than those of Windows itself.

Example: wmic process where "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

Get Folder Properties

To extract basic information about a folder on the victim's system we use the fsdir alias of the wmic command line.

It can enumerate the following information about a folder:

Compressed, CompressionMethod, Creation Date, File Size, Readable, Writable, System File or not, Encrypted, Encryption Type and much more.

Example: wmic fsdir where "drive='c:' and filename='test'" get /format:list

Get File Properties

To extract basic information about a file on the victim's system we use the datafile alias of the wmic command line.

It can enumerate the following information about a file:

Compressed, CompressionMethod, Creation Date, File Size, Readable, Writable, System File or not, Encrypted, Encryption Type and much more.

Syntax: wmic datafile where name='[Path of File]' get /format:list

Example: wmic datafile where name='c:\\windows\\system32\\demo\\demo.txt' get /format:list
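The `/format:list` switch used with the computersystem, fsdir and datafile aliases above prints one `Key=Value` line per property and separates instances with blank lines, which is convenient when the output is collected for inventory or for an incident review. Below is an added example, not code from the original article: a small Python parser for that format. The two sample outputs are constructed to look like `wmic computersystem ... /format:list` and `wmic datafile ... /format:list` results; the host name, user, file size and dates are made up.

```python
"""Parse the Key=Value records that `wmic <alias> get ... /format:list` prints.

Added example, not from the original article. SAMPLE_COMPUTERSYSTEM and
SAMPLE_DATAFILE are constructed to mimic real wmic list output; the values
are invented.
"""
import re
from typing import Dict, List

# Constructed sample: wmic prints one "Key=Value" line per property,
# separates instances with blank lines, and prints arrays as {"a","b"}.
SAMPLE_COMPUTERSYSTEM = """

Domain=WORKGROUP
Manufacturer=ExampleVendor Inc.
Model=ExampleBook 14
Name=LAB-PC-01
Roles={"LM_Workstation","LM_Server","NT"}
UserName=LAB-PC-01\\alice

"""

# Constructed sample of `wmic datafile where name='...' get /format:list`.
# CreationDate uses the CIM datetime layout yyyymmddHHMMSS.ffffff+UUU.
SAMPLE_DATAFILE = """

Compressed=FALSE
CompressionMethod=
CreationDate=20180218101500.000000+000
Encrypted=FALSE
FileSize=1532
Name=c:\\windows\\system32\\demo\\demo.txt
Readable=TRUE
System=FALSE
Writeable=TRUE

"""

_ARRAY_RE = re.compile(r'^\{(.*)\}$')


def _parse_value(raw: str):
    """Turn one wmic list-format value into a Python value.

    {"a","b"} arrays become lists, TRUE/FALSE become bools, an empty value
    (wmic prints `Key=` for null properties) stays "", anything else is a str.
    """
    m = _ARRAY_RE.match(raw)
    if m:
        return [item.strip().strip('"') for item in m.group(1).split(",") if item.strip()]
    if raw in ("TRUE", "FALSE"):
        return raw == "TRUE"
    return raw


def parse_wmic_list(output: str) -> List[Dict[str, object]]:
    """Split `/format:list` output into one dict per WMI instance."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in output.splitlines():
        line = line.rstrip("\r")          # wmic emits CRLF line endings
        if not line.strip():
            if current:                   # blank line closes the current instance
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not a property line; skip rather than guess
        current[key.strip()] = _parse_value(value.strip())
    if current:
        records.append(current)
    return records


def host_roles(output: str) -> Dict[str, List[str]]:
    """Map each computersystem Name to its Roles list (empty if Roles is absent)."""
    return {rec["Name"]: rec.get("Roles", [])
            for rec in parse_wmic_list(output) if "Name" in rec}


if __name__ == "__main__":
    print(host_roles(SAMPLE_COMPUTERSYSTEM))
    print(parse_wmic_list(SAMPLE_DATAFILE)[0]["CreationDate"])
```

The same parser handles the group alias (Caption, SID, LocalAccount and so on) when that query is run with `/format:list`, since every alias emits the same record layout; only the keys change.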

Locate System Files

Extract the paths of important system locations, such as the temp folder, the Windows directory and much more, from the environment variables.

Example: wmic environment get Description, VariableValue

In the image below you can read each VariableValue alongside its Description.


Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Part-Time Hacker || Child Pornography & Sexual Abuse Combat
