Speaker Deck

[HES2014] WMI Shell: A new way to get shells on remote Windows machines using only the WMI service by Andrei Dumitrescu

by HackitoErgoSum

Published April 24, 2014 in Research

The Windows Management Instrumentation (WMI) technology is included by default in all versions of Windows since Windows Millenium. The WMI technology is used by Windows administrators to get a variety of information concerning the target machine (like user account information, the list of running processes etc.) and to create/kill processes on the machine.

From a pentester’s point of view, WMI is just another method of executing commands remotely on target machines in a post-exploitation scenario. This can be achieved by creating processes on the remote machine using a WMI client. However, at the present time the output of the executed command cannot be easily recovered ; a potential solution would be write the output to a file and get these files using the SMB server on port 445, but this requires having remote file access on the target machine, which might not always be the case.

We have developed a tool that allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using just the WMI service that listens on port 135. During this talk we will quickly review current authenticated remote code execution methods available for Windows, we will explain the aspects of the WMI architecture that make the wmi-shell possible and we will present the tool itself (demo & links to the source code).

You can find the script here : http://www.lexsi.fr/wmi-shell.html

More information about Hackito Ergo Sum here : http://www.hackitoergosum.org