Tuesday, March 17, 2009

Windows Commandline KungFu Part 2

If you check out wmic has many good feature that we never use. Since I like commandline very much I am always upto commands and keybord shortcuts. :D

Now some more info about wmic...
If you use command

C:\> wmic /?
Then you would get a list of attributes and all the settings for given alias.

For example type

C:\>wmic share list full

Description=Remote IPC

Good ? not enough but there is more wmic is object oriented , so you've got attributes and methods. Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.

For example

C:\> wmic process where name="cmd.exe" call getowner

Or, even:

C:\> wmic process where name="cmd.exe" call getownersid

Nice ! isnt it ?

Second Example : We want a built in command to reboot or shutdown windows box accross the network. Try this

C:\> wmic os where buildnumber="2600" call reboot

Third example get parameter (Atrribute of object)

C:\>wmic nic get macaddress,name

You want interface-related methods? Check these out:

C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212

Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting. Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out. You have been warned!

Now how about some nasty example :D
Like from POST Exploitation ;)

you could:

C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog

Guess what it would do ????

or events like those associated with logging onto the box:

C:\> wmic ntevent where (message like "%logon%") list brief

Fifth, here is one that could be useful for handlers:

C:\>wmic netlogin where (name like "%neo%") get numberoflogons

Where neo is username offcourse.

you can use methods associated with "wmic service" to change the service configuration, as in:

C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled

//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State

//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path

//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User

//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"


No comments: