Sunday, April 14, 2013

Missing PTH Tools Writeup - WMIC / WMIS / CURL

Looking back over my blog, I realized I never did a writeup on the wmi / wmis / curl with the PTH functionality.  so, I'm going to do that now while I'm thinking about it ;-)


Windows Management Instrumentation (WMI) is officially defined by Microsoft as "the infrastructure for management data and operations on Windows-based operating systems".  You can Google more, but the TLDR version is that it uses a subset of ANSI SQL to query the operating the system for various things that might be of value.  You can also also interact with the Windows OS by accessing methods that are exposed by the various WMI providers.  More on this in a few.

Somewhere along the way, a WMI client appeared on the net.  I'm not sure from whence it came, but for a while it was being used by Zenoss to monitor Windows machines.  The problem is that it was written based on an old version of Samba 4 with some additional functionality that has since been removed from the Samba 4 source tree.  So, in essence, it's unsupported and getting it to work with newer versions of Samba would be painful, as one would need to recreate the functionality that got removed a few years ago.

The first tool I'm going to talk about is "wmic".  This tool can be used to issue WMI queries to a Windows computer.  Note, this tool is only for queries.  For example:

root@bt:/opt/rt/bin# wmic  -U demo/administrator%hash // "select csname,name,processid,sessionid from win32_process"

This query will list process names and PIDS for running processes on as seen in this picture:

The next tool is a little more interesting.  I mentioned earlier that there were ways of accessing 'methods' of various underlying windows functionality.  One of the most interesting ones is  the "create" method from the win32_process class.  This allows WMI to create a process on the remote system.  It will return whether or not the process was created, so one would need to redirect output to a file and grab it somehow.  The WMIS tool takes advantage of this behavior to start processes on the remote computer.

For example, running the command:

wmis -U demo/administrator%hash // 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'

runs the command 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'.  Note the "cmd.exe /c" is required to actually execute the command.

We can then use something like smbget to dump the output IE:

smbget -w demo -u demo\\administrator -O -p <hash> smb://$/windows/temp/blog.txt

And, we can see from this screenshot that it worked as expected....

What sorts of evil things can you do from the commandline?  Aside from piecing together an asynchronous shell, there's a lot of interesting things you can do...  I'll let @obscuresec answer that one in a guest post here soon....  It's nice and evil, trust me...


Curl is a useful command line web utility that also has support for several other protocols, such as ftp, smtp, pop3, and others.   I patched PTH functionality in as a quick method to access some of these other protocols if they prompted for NTLM authentication.  The easiest example is grabbing info from a sharepoint server....

For example, if we want to log in with bob.franklin and grab his default sharepoint page we can do something like this:

curl --ntlm -u bob.franklin:<hash> http://intranet.demo.local/Pages/Default.aspx

And you see we get a bunch of html back from the server in the image.

No comments:

Post a Comment