Windows Command Line cheatsheet (part 2): WMIC
This command-line tool is really useful for both penetration testing and forensics tasks
The previous article has raised interest in readers regarding WMIC.
So I decided to write an article dedicated to this tool.
If you’ve done any scripting for the Windows platform, you’ve probably bumped into the Windows Management Instrumentation (WMI) scripting API, which can be used to enumerate all kinds of information.
The WMIC command-line tool is basically another front-end to access the WMI framework, with the added bonus that numerous queries are pre-defined.
The pre-defined queries mean that you won’t necessarily need to spend any time learning the WMI Query Language (WQL), which is syntactically similar to SQL.
WMIC is included in the default installation of Windows XP (excluding Home edition) and Windows Server 2003. Although WMIC is not included on Windows 2000, you can still usea Windows XP or Server 2003 client to remotely query Windows 2000 systems and receive similar results.
The first time you run WMIC you’ll see a message that WMIC is beinginstalled, but no media is required for installation, nor will anything appear in the Add/Remove Programs list.
Basic WMIC Usage
Most WMIC commands are issued in the following format:
wmic [credentials] [area] [querystring]
For example, you can collect a list of groups on the local system using the following command:
wmic group list brief
which will return output similar to this:
Caption Domain Name SID Lab7\Administrators Lab7 Administrators S-1–5–32–544 Lab7\Backup Operators Lab7 Backup Operators S-1–5–32–551 Lab7\Guests Lab7 Guests S-1–5–32–546 Lab7\Network Configuration Operators Lab7 Network Configuration Operators S-1–5–32–556 Lab7\Power Users Lab7 Power Users S-1–5–32–547 Lab7\Remote Desktop Users Lab7 Remote Desktop Users S-1–5–32–555 Lab7\Replicator Lab7 Replicator S-1–5–32–552 Lab7\Users Lab7 Users S-1–5–32–545 Lab7\Debugger Users Lab7 Debugger Users S-1–5–21–577561410–1864853564–3972553872–1006
You can also perform the same data collection over the network without ever logging into the remote machine provided you know have some administrative credentials that the remote system will accept.
The same command issued against a remote system in another domain looks like this:
wmic /user:"FOREIGN_DOMAIN\Admin" /password:"Password" /node:192.168.33.25 group list brief
and the output is
Caption Domain Name SID REMOTE-DESK\Administrators REMOTE-DESK Administrators S-1–5–32–544 REMOTE-DESK\Backup Operators REMOTE-DESK Backup Operators S-1–5–32–551 REMOTE-DESK\Guests REMOTE-DESK Guests S-1–5–32–546 REMOTE-DESK\Network Configuration Operators REMOTE-DESK Network Configuration Operators S-1–5–32–556 REMOTE-DESK\Power Users REMOTE-DESK Power Users S-1–5–32–547 REMOTE-DESK\Remote Desktop Users REMOTE-DESK Remote Desktop Users S-1–5–32–555 REMOTE-DESK\Replicator REMOTE-DESK Replicator S-1–5–32–552 REMOTE-DESK\Users REMOTE-DESK Users S-1–5–32–545 REMOTE-DESK\HelpServicesGroup REMOTE-DESK HelpServicesGroup S-1–5–21–789336058–1078081533–839522115–1001 REMOTE-DESK\__vmware__ REMOTE-DESK __vmware__ S-1–5–21–789336058–1078081533–839522115–1004 FOREIGN_DOMAIN\Cert Publishers FOREIGN_DOMAIN Cert Publishers S-1–5–21–1948120765- 2568877423–583830540–517 FOREIGN_DOMAIN\RAS and IAS Servers FOREIGN_DOMAIN RAS and IAS Servers S-1–5–21–1948120765- 2568877423–583830540–553 FOREIGN_DOMAIN\HelpServicesGroup FOREIGN_DOMAIN HelpServicesGroup S-1–5–21–1948120765- 2568877423–583830540–1000 FOREIGN_DOMAIN\TelnetClients FOREIGN_DOMAIN TelnetClients S-1–5–21–1948120765-2568877423–583830540–1002 FOREIGN_DOMAIN\DnsAdmins FOREIGN_DOMAIN DnsAdmins S-1–5–21–1948120765-2568877423–583830540–1117 FOREIGN_DOMAIN\DnsUpdateProxy FOREIGN_DOMAIN DnsUpdateProxy S-1–5–21–1948120765-2568877423–583830540–1118 FOREIGN_DOMAIN\Domain Admins FOREIGN_DOMAIN Domain Admins S-1–5–21–1948120765-2568877423–583830540–512 FOREIGN_DOMAIN\Domain Computers FOREIGN_DOMAIN Domain Computers S-1–5–21–1948120765-2568877423–583830540–515 FOREIGN_DOMAIN\Domain Controllers FOREIGN_DOMAIN Domain Controllers S-1–5–21–1948120765-2568877423–583830540–516 FOREIGN_DOMAIN\Domain Guests FOREIGN_DOMAIN Domain Guests S-1–5–21–1948120765-2568877423–583830540–514 FOREIGN_DOMAIN\Domain Users FOREIGN_DOMAIN Domain Users S-1–5–21–1948120765-2568877423–583830540–513 FOREIGN_DOMAIN\Enterprise Admins FOREIGN_DOMAIN Enterprise Admins S-1–5–21–1948120765-2568877423–583830540–519 FOREIGN_DOMAIN\Group Policy Creator Owners FOREIGN_DOMAIN Group Policy Creator Owners S-1–5–21–1948120765-2568877423–583830540–520 FOREIGN_DOMAIN\Schema Admins FOREIGN_DOMAIN Schema Admins S-1–5–21–1948120765-2568877423–583830540–518 FOREIGN_DOMAIN\Shared FOREIGN_DOMAIN Shared S-1–5–21–1948120765-2568877423–583830540–1113
Note that you can issue ANY of the of the WMIC commands over the network in this fashion as a means of gathering information about the host. Now that we’ve seen the basics, let’s move to specific applications.
WMIC in Vulnerability and Penetration Testing
In vulnerability and penetration testing, system footprinting is key. The more information that can be collected about a specific system or group of systems, the greater the likelihood that those systems can be compromised.
Granted, using WMIC requires administrative access on the remote host, but since most IT departments maintain standard images for each collection or group of workstations and servers, information you can obtain from one host is likely to be applicable to other similar systems.
Furthermore, for default configurations of the event log and auditing processes, WMIC requests won’t be logged, so all of your enumerations can be undertaken in stealth mode.
The following are examples of useful information we can collect through WMIC.
WMIC can collect a list of the currently running processes similar to what you’d see in “Task Manager” using the following command:
wmic process list
Note that some of the WMIC built-ins can also be used in “brief” mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:
wmic process list brief
- Start an Application
wmic process call create "calc.exe"
- Terminate an Application
wmic process where name="calc.exe" call terminate
- Change Process Priority
wmic process where name="explorer.exe" call setpriority 64
- Get List of Process Identifiers
wmic process where (Name='svchost.exe') get name,processid
- Find a specific Process
wmic process list brief find "cmd.exe"
System Information and Settings
You can collect a listing of the environment variables (including the PATH) with this command:
wmic environment list
- OS/System Report HTML Formatted
wmic /output:c:os.html os get /format:hform
- Products/Programs Installed Report HTML Formatted
wmic /output:c:product.html product get /format:hform
- Turn on Remoted Desktop Remotely
Wmic /node:"servername" /user:"user@domain" /password: "password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
- Get Server Drive Space Usage Remotely
WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV
- Get PC Serial Number
wmic /node:"HOST" bios get serialnumber
- Get PC Product Number
wmic /node:"HOST" baseboard get product
- Find stuff that starts on boot
wmic STARTUP GET Caption, Command, User
- Reboot or Shutdown
wmic os where buildnumber="2600" call reboot
- Get Startup List
wmic startup list full
- Information About Harddrives
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
- Information about os
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:osinfo.htm
- Information about files
wmic path cim_datafile where "Path='\windows\system32\wbem\' and FileSize>1784088" > c:wbemfiles.txt
User and Groups
Local user and group information can be obtained using these commands:
wmic useraccount list
wmic group list
wmic sysaccount list
For domain controllers, this should provide a listing of all user accounts and groups in the domain. The “sysaccount” version provides you with system accounts built-in and otherwise,which is useful for any extra accounts that may have been added by rootkits.
- Identify any local system accounts that are enabled (guest, etc.)
wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name
- Number of Logons Per USERID
wmic netlogin where (name like "%skodo") get numberoflogons
- Get Domain Names And When Account PWD set to Expire
WMIC UserAccount GET name,PasswordExpires /Value
Need to know if there are any missing patches on the system? WMIC can help you find out with this command:
wmic qfe list
The QFE here stands for “Quick Fix Engineering”.
The results also include the dates of install should that be needed from an auditing standpoint.
Enumeration of all of the local shares can be collected using the command:
wmic share list
The result will also include hidden shares (named with a $ at the end).
- Find user-created shares (usually not hidden)
wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path
Use the following command to extract a list of network adapters and IP address information:
wmic nicconfig list
- Get Mac Address:
wmic nic get macaddress
- Update static IP address:
wmic nicconfig where index=9 call enablestatic("192.168.16.4"), ("255.255.255.0")
- Change network gateway:
wmic nicconfig where index=9 call setgateways("192.168.16.4", "192.168.16.5"),(1,2)
- Enable DHCP:
wmic nicconfig where index=9 call enabledhcp
- Get List of IP Interfaces
wmic nicconfig where IPEnabled='true'
WMIC can list all of the installed services and their configurations using this command:
wmic service list
The output will include the full command used for starting the service and its verbose description.
- Service Management
wmic service where caption="DHCP Client" call changestartmode "Disabled"
- Look at services that are set to start automatically
wmic SERVICE WHERE StartMode="Auto" GET Name, State
- Services Report on a Remote Machine HTML Formatted:
wmic /output:c:services.htm /node:server1 service list full / format:htable
- Get Startmode of Services
Wmic service get caption, name, startmode, state
- Change Start Mode of Service:
wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
- Get Running Services Information
Wmic service where (state="running") get caption, name, startmode, state
Of course, these are just samplings of the dozens of predefined aliases within WMIC.
You can also go beyond the predefined aliases using WQL queries to collect and set any of themany thousands of parameters accessible through WMI.
WMIC in Forensics
In forensics, it’s often important to get as much information about the running system as possible before the system can be shut down.
You’d also like to collect that information while keeping close records that account for your own actions and leave the smallest footprint possible on the system.
Though WMIC wa sn’t really designed with this in mind, it certainly works.
Since WMIC is included by default on most Windows systems and can be executed remotely, that makes it all the more desirable.
Another interesting feature of WMIC is its ability to record the run-time command executed and runtime configuration all in one XML file. A recorded session might look something like this:
wmic /record:users_list.xml useraccount list
Of course, since WMIC wasn’t designed as a recording device, there are some caveats to using the XML. First, you can only use XML output, there are no other formats defined.
- Obtain a Certain Kind of Event from Eventlog
wmic ntevent where (message like "%logon%") list brief
- Clear the Eventlog
wmic nteventlog where (description like "%secevent%") call cleareventlog
Retrieve list of warning and error events not from system or security logs
WMIC NTEVENT WHERE “EventType < 3 AND LogFile != ‘System’ AND LogFile != ‘Security’” GET LogFile, SourceName, EventType, Message, TimeGenerated /FORMAT:”htable.xsl”:” datatype = number”:” sortby = EventType” > c:appevent.htm