Monday, June 5, 2017

WMI Command Shell Wrapper: WMIcmd

10:10 AM Leave a Reply

WMI Command Shell Wrapper

     When doing low impact investigations and other similar activities you may want to minimize what is written to disk / obvious. This tool allows us to execute commands via WMI and get information not otherwise available via this channel.





Purpose

A small utility which only uses WMI to

execute command shell commands
capture stdout from these commands and write to the registry
read and then delete from the registry
print to local stdout


Design

The tool us comprised of:

a very small subset of the NCC Group internal core library (WMICore)
command execution (WMIcmd)


Usage

C:\Data\NCC\!Code\Git.Public\WMIcmd\WMIcmd\bin\Debug>WMIcmd.exe --help
NCC Group WMIcmd 1.0.0.0
Released under AGPL

  -h, --host            Host (IP address or hostname - default: localhost)

  -u, --username        Username to authenticate with

  -p, --password        Password to authenticate with

  -d, --domain          Domain to authenticate with

  -v, --Verbose         (Default: False) Prints all messages to standard
                        output.

  -c, --Command         (Default: ) Command to run e.g. "nestat-ano"

  -s, --CommandSleep    (Default: 10000) Command sleep in milliseconds -
                        increase if getting truncated output

  --help                Display this help screen.


Example – a non domain joined machine

Note: use administrative credentials

WMIcmd.exe -h 192.168.1.165 -d hostname -u localadmin -p theirpassword -c "netstat -an"


Example – domain joined machine

Note: use administrative credentials

WMIcmd.exe -h 192.168.1.165 -d domain -u domainadmin -p theirpassword -c "netstat -an"


Example expected output

Note: use administrative credentials

C:\Data\NCC\!Code\Git.Public\WMIcmd\WMIcmd\bin\Debug>WMIcmd.exe -d win10host -h win10host -u superuser -p password -c "netstat -an"
[!] Connecting with superuser
[i] Connecting to win10host
[i] Connected
[i] Command: netstat -an
[i] Running command...
[i] Getting stdout from registry from SOFTWARE\
[i] Full command output received
Active Connections
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING
TCP    0.0.0.0:18800          0.0.0.0:0              LISTENING
TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49713          0.0.0.0:0              LISTENING
.. snip .

Download

0 comments :