Executing Commands Remotely on Windows Systems with WMI and Impacket

When people new to hacking think of establishing command and control of a Windows system, the first thing that comes to mind is usually Metasploit and Meterpreter. It is a tried and true method, but it requires that a malicious Meterpreter payload be placed on the Windows system and then executed. The problem is that most Meterpreter payloads are detected either when they are copied over to the Windows system or when they are executed, which is obviously a problem for beginner hackers and penetration testers.

The next thing they may try is PsExec, a program that allows you to run commands remotely on Windows systems (which I cover at https://www.smithsec.net/posts/lateral-movement-101-with-psexec ). However, PsExec leaves a trace in the Windows Event Log, which is one of the first places defenders look for malicious activity. This is also problematic.

How can we execute commands remotely without using these two well-known methods? Let’s look at WMI, or Windows Management Instrumentation. Without going too far into the weeds, WMI is another means of controlling Windows systems remotely. The benefit of WMI is that it isn’t commonly monitored (unless you know what to look for): WMI activity only shows up in logs when the Windows system has been explicitly configured to audit it.

There’s a Python library called Impacket that allows you to do a lot of cool stuff on Windows systems using pure Python. One of these things is executing commands over WMI with the impacket-wmiexec script, which ships with Kali Linux. In order to use it, you will need either the username/password or the username/password hash of a user that has admin privileges on the Windows system. I talk about password hashes at https://www.smithsec.net/posts/beginner-mimikatz-part-1-accessing-windows-credentials , so feel free to take a look if you want a better understanding of them.

First, let’s verify that we have a valid username/password for a user that has admin privileges on the Windows system. I’ll use Metasploit for this, specifically the smb_login module:

Verification that I have the credentials of an admin user of the Windows system

Notice the green plus symbol in the screenshot, which tells me that I have a valid username/password with admin privileges. Now, on my Kali system, let’s use the /usr/bin/impacket-wmiexec script:

Executing the “dir” command on the Windows system using the impacket-wmiexec script

All I do is supply the script with the name of the domain the user belongs to, assuming there is a domain (for me, it’s “smithsec”), the username (“ryan”), and the IP address of the Windows system (172.31.4.129). Then I type the command I want to execute (“dir”, which lists the files in the directory you’re currently in). Assuming you have the right credentials, the script runs and executes the command you supplied on the Windows system. If you want to see this in action, check out the following video:
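On the defender’s side, this is what “knowing what to look for” means in practice. wmiexec runs the supplied command through cmd.exe as a child of the WMI provider host (WmiPrvSE.exe) and redirects the command’s output into a timestamp-named file on the ADMIN$ share, so a process-creation event (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled) carries that fingerprint. The script below is an added example, not code from the original post or from Impacket; the sample records and their field names are constructed for illustration.

```python
import re

# Constructed process-creation records in Sysmon Event ID 1 style (the field
# names are an assumption of this example, not log data from the post).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c dir 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1",
     "User": r"SMITHSEC\ryan"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir",
     "User": r"SMITHSEC\ryan"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"msiexec.exe /i agent.msi /quiet",
     "User": r"NT AUTHORITY\SYSTEM"},
]

# Parent is the WMI provider host: the process was started through WMI.
WMI_HOST = re.compile(r"\\wbem\\WmiPrvSE\.exe$", re.IGNORECASE)
# Shells are the most interesting children of WmiPrvSE.exe.
SHELL = re.compile(r"\\(cmd|powershell)\.exe$", re.IGNORECASE)
# wmiexec sends stdout/stderr to a file named __<timestamp> on the ADMIN$ share.
ADMIN_SHARE_REDIRECT = re.compile(
    r"1>\s*\\\\[\w.]+\\ADMIN\$\\__\S+\s+2>&1", re.IGNORECASE)


def classify(event):
    """Return a verdict for one process-creation event, or None if uninteresting."""
    if not WMI_HOST.search(event.get("ParentImage", "")):
        return None
    if ADMIN_SHARE_REDIRECT.search(event.get("CommandLine", "")):
        return "wmiexec-pattern"        # high: matches the tool's fingerprint
    if SHELL.search(event.get("Image", "")):
        return "wmi-spawned-shell"      # medium: a shell launched via WMI
    return "wmi-spawned-process"        # low: other WMI-initiated process


def scan(events):
    """Return (index, verdict, user) for every event worth a closer look."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict is not None:
            hits.append((i, verdict, ev.get("User", "?")))
    return hits


if __name__ == "__main__":
    for i, verdict, user in scan(SAMPLE_EVENTS):
        print(f"event {i}: {verdict} (user={user})")
```

The same parent/child and redirect checks translate directly into a Sysmon or SIEM rule; the low-severity verdict is there so that legitimate WMI-initiated software deployment can be baselined rather than alerted on.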

If you want to try this out yourself, feel free to subscribe to the SmithSec Cyber Range!