
How to understand WMIC Post Penetration using system Command

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains in detail how to use WMIC for post-exploitation on a Windows system. The editor shares it as a reference, in the hope that you will have a solid understanding of the relevant commands after reading it.

We will discuss how to use WMIC (Windows Management Instrumentation Command-line) during the post-exploitation phase of an attack. Once an attacker has a meterpreter session on a remote PC, they can enumerate a large amount of system information and use the WMI command-line tool to perform more in-depth operations.

First, we will show you how to get a meterpreter session on the remote PC. After we have the session, we will also show how to escalate to administrator privileges.

The WMIC command line can be reached from a Windows CMD prompt, which you get by typing "shell" in the meterpreter session. Next, let's look at the WMIC command and how it works.

WMIC

The following command lists the global options of WMIC. Global options set various properties of the WMIC environment; by combining global options with aliases and verbs, we can manage the entire system from the WMIC environment.

wmic /?

Get the system role, user name, and manufacturer

Through the computersystem option of the WMIC command, we can enumerate a lot of information about the target system, including hostname, domain name, manufacturer, device model, and so on.

We can also add the following properties to narrow the results:

Roles: gives the role of the target device within the network, such as workstation, server, personal PC, and so on.

Manufacturer: gives the manufacturer and model of the target system; because certain device models from certain manufacturers have specific vulnerabilities, this information helps locate vulnerable devices.

UserName: gives the currently logged-on user name, which helps distinguish administrators from ordinary users.

/format:list: outputs the data as a list, one property per line.

wmic computersystem get Name,Domain,Manufacturer,Model,UserName,Roles /format:list
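As an added example (not from the original article), here is a small Python parser for the Key=Value records that /format:list prints, run over constructed output of the running-services listing shown later in this article; the sample text and the function names are my own assumptions.

```python
"""Parse the Key=Value records printed by `wmic ... get ... /format:list` (added example)."""
from typing import Dict, List

# Constructed sample of what
#   wmic service where (state="running") get caption,name,startmode /format:list
# prints: CRLF line endings, blank lines between records, blank lines at the start.
# (If you redirect wmic output to a file, decode it as UTF-16 before parsing.)
SAMPLE_LIST_OUTPUT = (
    "\r\n\r\n"
    "Caption=Windows Event Log\r\n"
    "Name=EventLog\r\n"
    "StartMode=Auto\r\n"
    "\r\n\r\n"
    "Caption=Windows Management Instrumentation\r\n"
    "Name=Winmgmt\r\n"
    "StartMode=Auto\r\n"
    "\r\n\r\n"
    "Caption=Print Spooler\r\n"
    "Name=Spooler\r\n"
    "StartMode=Manual\r\n"
    "\r\n\r\n"
)


def parse_wmic_list(text: str) -> List[Dict[str, str]]:
    """Split list-format output into one dict per record.

    A record is a run of Key=Value lines; blank lines separate records.
    Values may contain '=' themselves, so split on the first '=' only.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if "=" not in line:
            continue  # error text or stray output, not a property
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def services_by_start_mode(records: List[Dict[str, str]], mode: str) -> List[str]:
    """Names of services whose StartMode matches `mode` (case-insensitive)."""
    return sorted(r["Name"] for r in records
                  if r.get("StartMode", "").lower() == mode.lower())
```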

Get SID

To enumerate SIDs, we use the group option of WMIC:

wmic group get Caption,InstallDate,LocalAccount,Domain,SID,Status

As shown in the following figure, we obtain the group name, domain name, whether the group is a local account, the SID and the corresponding status:

Create a process

The process option of the WMIC command can create processes on the target system. This can be used to start a backdoor or to consume a large amount of memory on the target:

wmic process call create "[Process Name]"

wmic process call create "taskmgr.exe"

As you can see from the following figure, the command not only creates the process but also returns its process ID, so we can refer to that process later as needed.

Note: if the process has a window, like Task Manager or CMD, this command opens that window on the target system, which will arouse the suspicion of the target user.

Modify process priority

The process option of the WMIC command can also change the priority of processes running on the target system, which is a very useful feature. Lowering the priority of a process may cause a specific application to stall or crash, while raising a process's priority may even make the entire system unresponsive.

wmic process where name="explorer.exe" call setpriority 64

Terminate the process

The WMIC command can also terminate processes running on the target system:

wmic process where name="explorer.exe" call terminate

Get a list of executable files

The following command lists the executable paths of running processes whose image is not located under the Windows directory:

wmic process where "NOT ExecutablePath LIKE '%Windows%'" get ExecutablePath

Get directory properties

The fsdir option of the WMIC command extracts basic information about a directory on the target system, including compression method, creation date, size, read/write attributes, system-file flag, encryption status, encryption type, and so on:

wmic fsdir where "drive='c:' and filename='test'" get /format:list

Get file properties

The datafile option of the WMIC command gets basic information about a file on the target system, including compression method, creation date, file size, read/write attributes, system-file flag, encryption status, encryption type, and so on:

wmic datafile where name='[Path of File]' get /format:list

wmic datafile where name='c:\\windows\\system32\\demo\\demo.txt' get /format:list

Locate system files

WMIC can list the environment variables, which reveal the paths of important system directories such as the temp directory and the Windows directory:

wmic environment get Description,VariableValue

Get the list of installed applications

wmic product get name

Note that querying the Win32_Product class is slow and noisy: Windows Installer runs a consistency check on every installed MSI package and writes MsiInstaller events to the Application log.

Get a list of running services

Besides listing the running services, WMIC can also show each service's startup mode, such as "Auto" or "Manual", alongside its state ("Running"):

wmic service where (state="running") get caption,name,startmode

Get system driver details

The sysdriver option enumerates the name, path, service type and state of each system driver:

wmic sysdriver get Caption,Name,PathName,ServiceType,State,Status /format:list

Get operating system details

The os option lists the last boot time of the target system, the registered user, the number of users and processes, physical and virtual memory information, the installed operating system, and so on:

wmic os get CurrentTimeZone,FreePhysicalMemory,FreeVirtualMemory,LastBootUpTime,NumberOfProcesses,NumberOfUsers,Organization,RegisteredUser,Status /format:list

Get motherboard information and BIOS serial number

wmic baseboard get Manufacturer,Product,SerialNumber,Version

wmic bios get SerialNumber

Get memory cache data

The memcache option returns information about the CPU caches, such as name, block size and purpose:

wmic memcache get Name,BlockSize,Purpose,MaxCacheSize,Status

Get memory chip information

The memorychip option returns information about the installed RAM modules, such as part number and serial number:

wmic memorychip get PartNumber,SerialNumber

Determine whether the target system is a virtual machine

We can determine whether the target is a physical host or a virtual machine (VMware or VirtualBox) from the information returned by the onboarddevice option:

wmic onboarddevice get Description,DeviceType,Enabled,Status /format:list

User account management

Lock a user account

We can use the useraccount option to disable local user accounts:

wmic useraccount where name='demo' set disabled=true

Rename a user account

wmic useraccount where name='demo' rename hacker

Restrict users from changing passwords

We can also prevent a local user from changing their password:

wmic useraccount where name='hacker' set passwordchangeable=false

Get details of antivirus products

We can enumerate the antivirus products installed on the target system, including the installation path and product state, from the SecurityCenter2 namespace:

wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName,productState,pathToSignedProductExe

Clean up the system log

The nteventlog option of the WMIC command can also clear the system's event logs, which helps cover the tracks of an attack after a system has been compromised. The clearing itself is recorded, however: Windows writes Event ID 104 to the System log and Event ID 1102 when the Security log is cleared.

wmic nteventlog where filename='[logfilename]' cleareventlog

wmic nteventlog where filename='system' cleareventlog
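The WMIC verbs covered in this article (process creation, priority changes and termination, account changes, log clearing, antivirus and hardware enumeration) all land in process-creation telemetry as wmic.exe command lines. As an added example that is not part of the original article, the following Python classifies such command lines from constructed log lines in a "user|parent process|command line" shape; the rule labels, the sample lines and the function names are my own assumptions.

```python
"""Spot the WMIC usage described above in process-creation telemetry (added example)."""
import re
from typing import List, Optional, Tuple

# (label, pattern over the lower-cased command line). The verbs mirror the commands in
# this article; treat them as a starting point to tune, not as a vendor rule set.
RULES: List[Tuple[str, re.Pattern]] = [
    ("event log cleared", re.compile(r"\bnteventlog\b.*\bcleareventlog\b")),
    ("user account tampering", re.compile(r"\buseraccount\b.*\b(set|rename)\b")),
    ("process created via WMI", re.compile(r"\bprocess\b.*\bcall\s+create\b")),
    ("process killed or reprioritised", re.compile(r"\bprocess\b.*\bcall\s+(terminate|setpriority)\b")),
    ("security product enumeration", re.compile(r"securitycenter2.*\bantivirusproduct\b")),
    ("host/VM reconnaissance", re.compile(r"\b(computersystem|onboarddevice|bios|baseboard)\b.*\bget\b")),
]


def classify_wmic(cmdline: str) -> Optional[str]:
    """Return the label of the first rule matching a wmic command line, else None."""
    cl = cmdline.lower()
    if "wmic" not in cl:
        return None
    for label, rx in RULES:
        if rx.search(cl):
            return label
    return None


# Constructed sample: fields as you would pull them from Security event 4688 (with
# command-line auditing enabled) or Sysmon event 1. Line 4 is ordinary admin use.
SAMPLE_LOG = [
    "CORP\\jdoe|cmd.exe|wmic computersystem get Name,Domain,Manufacturer /format:list",
    "CORP\\jdoe|cmd.exe|wmic nteventlog where filename='system' cleareventlog",
    "CORP\\svc_backup|powershell.exe|wmic useraccount where name='demo' set disabled=true",
    "CORP\\jdoe|cmd.exe|wmic product get name",
    "CORP\\alice|explorer.exe|notepad.exe C:\\notes.txt",
]


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, label) for every line whose command line matches a rule."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        user, _parent, cmd = line.split("|", 2)
        label = classify_wmic(cmd)
        if label:
            hits.append((user, label))
    return hits


if __name__ == "__main__":
    for user, label in scan_log(SAMPLE_LOG):
        print(f"{user}: {label}")
```

Plain inventory queries such as wmic product or wmic os are common in legitimate administration, so weight the log-clearing and account-tampering labels far above the reconnaissance one, and baseline which accounts and parent processes normally run wmic.exe in your environment.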

That concludes this overview of using WMIC system commands in post-exploitation. I hope the content above has been helpful and that you have learned something new. If you found the article useful, please share it so that more people can see it.
