Windows wmic
WMI command-line (WMIC) är ett verktyg för att interagera mot WMI-subsystemet i Windows. Genom kommandot wmic så kan du således göra en hel del intressanta saker när du genomför en säkerhetsgranskning eller RedTeaming-uppdrag.
Det är även ofta som wmic.exe också glöms bort när det gäller konfigurering av AppLocker eller uppsäkring av systemet med Group Policys. Sökvägen till wmic.exe är C:\Windows\System32\wbem\wmic.exe
Nedan följer en lista över några kommandon du kan köra för att kartlägga information om ett system. Exempel på kommando:
wmic group list brief
Du kan även använda wmic till att starta upp nya processer med:
wmic process call create “calc.exe”
Även så kan du ställa frågor mot ett fjärrsystem med inloggning på följande sätt:
wmic /user:"DOMAIN_Adminuser" /password:"Lösenord" /node:192.168.1.1 group list brief
Och om du vill spara undan utdata i HTML-format så går det också:
wmic /output:os.html os get /format:hform
Se en lista med installerade patchar:
wmic qfe list brief
Visa installerad säkerhetsprodukt:
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe
För att visa en katalog eller söka efter en fil:
wmic DATAFILE where "path='\\Users\\test\\Documents\\'" GET Name,readable,size wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE
Lista alla datorer:
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname
Eller
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname
Och om du bara skriver wmic så får du en prompt likt denna:
Och vill du ha hjälp så skriver du /? och får upp detta:
Och tittar vi på mer information om hur man startar upp en process och sedan startar den:
Sist men inte minst så kan vi även starta upp en process såsom calc.exe på ett fjärrsystem (i detta fall 127.0.0.1) på följande sätt:
WMIC Argument
| baseboard | get Manufacturer, Model, Name, PartNumber, slotlayout, serialnumber, poweredon |
| bios | get name, version, serialnumber |
| bootconfig | get BootDirectory, Caption, TempDirectory, Lastdrive |
| cdrom | get Name, Drive, Volumename |
| computersystem | get Name, domain, Manufacturer, Model, NumberofProcessors, PrimaryOwnerName,Username, Roles, totalphysicalmemory /format:list |
| cpu | get Name, Caption, MaxClockSpeed, DeviceID, status |
| datafile | where name=’c:\boot.ini’ get Archive, FileSize, FileType, InstallDate, Readable, Writeable, System, Version |
| dcomapp | get Name, AppID /format:list |
| desktop | get Name, ScreenSaverExecutable, ScreenSaverActive, Wallpaper /format:list |
| desktopmonitor | get screenheight, screenwidth |
| diskdrive | get Name, Manufacturer, Model, InterfaceType, MediaLoaded, MediaType |
| diskquota | get User, Warninglimit, DiskSpaceUsed, QuotaVolume |
| environment | get Description, VariableValue |
| fsdir | where name=’c:\windows’ get Archive, CreationDate, LastModified, Readable, Writeable, System, Hidden, Status |
| group | get Caption, InstallDate, LocalAccount, Domain, SID, Status |
| idecontroller | get Name, Manufacturer, DeviceID, Status |
| irq | get Name, Status |
| job | get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status |
| loadorder | get Name, DriverEnabled, GroupOrder, Status |
| logicaldisk | get Name, Compressed, Description, DriveType, FileSystem, FreeSpace, SupportsDiskQuotas, VolumeDirty, VolumeName |
| memcache | get Name, BlockSize, Purpose, MaxCacheSize, Status |
| memlogical | get AvailableVirtualMemory, TotalPageFileSpace, TotalPhysicalMemory, TotalVirtualMemory |
| memphysical | get Manufacturer, Model, SerialNumber, MaxCapacity, MemoryDevices |
| netclient | get Caption, Name, Manufacturer, Status |
| netlogin | get Name, Fullname, ScriptPath, Profile, UserID, NumberOfLogons, PasswordAge, LogonServer, HomeDirectory, PrimaryGroupID |
| netprotocol | get Caption, Description, GuaranteesSequencing, SupportsBroadcasting, SupportsEncryption, Status |
| netuse | get Caption, DisplayType, LocalName, Name, ProviderName, Status |
| nic | get AdapterType, AutoSense, Name, Installed, MACAddress, PNPDeviceID,PowerManagementSupported, Speed, StatusInfo |
| nicconfig | get MACAddress, DefaultIPGateway, IPAddress, IPSubnet, DNSHostName, DNSDomain |
| nicconfig | get MACAddress, IPAddress, DHCPEnabled, DHCPLeaseExpires, DHCPLeaseObtained, DHCPServer |
| nicconfig | get MACAddress, IPAddress, DNSHostName, DNSDomain, DNSDomainSuffixSearchOrder, DNSEnabledForWINSResolution, DNSServerSearchOrder |
| nicconfig | get MACAddress, IPAddress, WINSPrimaryServer, WINSSecondaryServer, WINSEnableLMHostsLookup, WINSHostLookupFile |
| ntdomain | get Caption, ClientSiteName, DomainControllerAddress, DomainControllerName, Roles, Status |
| ntevent | where (LogFile=’system’ and SourceName=’W32Time’) get Message, TimeGenerated |
| ntevent | where (LogFile=’system’ and SourceName=’W32Time’ and Message like ’%timesource%’) get Message, TimeGenerated |
| ntevent | where (LogFile=’system’ and SourceName=’W32Time’ and EventCode!=’29’) get TimeGenerated, EventCode, Message |
| onboarddevice | get Description, DeviceType, Enabled, Status |
| os | get Version, Caption, CountryCode, CSName, Description, InstallDate, SerialNumber, ServicePackMajorVersion, WindowsDirectory /format:list |
| os | get CurrentTimeZone, FreePhysicalMemory, FreeVirtualMemory, LastBootUpTime, NumberofProcesses, NumberofUsers, Organization, RegisteredUser, Status |
| pagefile | get Caption, CurrentUsage, Status, TempPageFile |
| pagefileset | get Name, InitialSize, MaximumSize |
| partition | get Caption, Size, PrimaryPartition, Status, Type |
| printer | get DeviceID, DriverName, Hidden, Name, PortName, PowerManagementSupported, PrintJobDataType, VerticalResolution, Horizontalresolution |
| printjob | get Description, Document, ElapsedTime, HostPrintQueue, JobID, JobStatus, Name, Notify, Owner, TimeSubmitted, TotalPages |
| process | get Caption, CommandLine, Handle, HandleCount, PageFaults, PageFileUsage, PArentProcessId, ProcessId, ThreadCount |
| product | get Description, InstallDate, Name, Vendor, Version |
| qfe | get description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect |
| quotasetting | get Caption, DefaultLimit, Description, DefaultWarningLimit, SettingID, State |
| recoveros | get AutoReboot, DebugFilePath, WriteDebugInfo, WriteToSystemLog |
| Registry | get CurrentSize, MaximumSize, ProposedSize, Status |
| scsicontroller | get Caption, DeviceID, Manufacturer, PNPDeviceID |
| server | get ErrorsAccessPermissions, ErrorsGrantedAccess, ErrorsLogon, ErrorsSystem, FilesOpen, FileDirectorySearches |
| service | get Name, Caption, State, ServiceType, StartMode, pathname |
| share | get name, path, status |
| sounddev | get Caption, DeviceID, PNPDeviceID, Manufacturer, status |
| startup | get Caption, Location, Command |
| sysaccount | get Caption, Domain, Name, SID, SIDType, Status |
| sysdriver | get Caption, Name, PathName, ServiceType, State, Status |
| systemenclosure | get Caption, Height, Depth, Manufacturer, Model, SMBIOSAssetTag, AudibleAlarm, SecurityStatus, SecurityBreach, PoweredOn, NumberOfPowerCords |
| systemslot | get Number, SlotDesignation, Status, SupportsHotPlug, Version, CurrentUsage, ConnectorPinout |
| tapedrive | get Name, Capabilities, Compression, Description, MediaType, NeedsCleaning, Status, StatusInfo |
| timezone | get Caption, Bias, DaylightBias, DaylightName, StandardName |
| useraccount | get AccountType, Description, Domain, Disabled, LocalAccount, Lockout, PasswordChangeable, PasswordExpires, PasswordRequired, SID |
| memorychip | get BankLabel, Capacity, Caption, CreationClassName, DataWidth, Description, Devicelocator, FormFactor, HotSwappable, InstallDate, InterleaveDataDepth, InterleavePosition, Manufacturer, MemoryType, Model, Name, OtherIdentifyingInfo, PartNumber, PositionInRow, PoweredOn, Removable, Replaceable, SerialNumber, SKU, Speed, Status, Tag, TotalWidth, TypeDetail, Version |
