Sunday, April 14, 2013

Missing PTH Tools Writeup - WMIC / WMIS / CURL

Looking back over my blog, I realized I never did a writeup on the wmi / wmis / curl with the PTH functionality.  so, I'm going to do that now while I'm thinking about it ;-)


Windows Management Instrumentation (WMI) is officially defined by Microsoft as "the infrastructure for management data and operations on Windows-based operating systems".  You can Google more, but the TLDR version is that it uses a subset of ANSI SQL to query the operating the system for various things that might be of value.  You can also also interact with the Windows OS by accessing methods that are exposed by the various WMI providers.  More on this in a few.

Somewhere along the way, a WMI client appeared on the net.  I'm not sure from whence it came, but for a while it was being used by Zenoss to monitor Windows machines.  The problem is that it was written based on an old version of Samba 4 with some additional functionality that has since been removed from the Samba 4 source tree.  So, in essence, it's unsupported and getting it to work with newer versions of Samba would be painful, as one would need to recreate the functionality that got removed a few years ago.

The first tool I'm going to talk about is "wmic".  This tool can be used to issue WMI queries to a Windows computer.  Note, this tool is only for queries.  For example:

root@bt:/opt/rt/bin# wmic  -U demo/administrator%hash // "select csname,name,processid,sessionid from win32_process"

This query will list process names and PIDS for running processes on as seen in this picture:

The next tool is a little more interesting.  I mentioned earlier that there were ways of accessing 'methods' of various underlying windows functionality.  One of the most interesting ones is  the "create" method from the win32_process class.  This allows WMI to create a process on the remote system.  It will return whether or not the process was created, so one would need to redirect output to a file and grab it somehow.  The WMIS tool takes advantage of this behavior to start processes on the remote computer.

For example, running the command:

wmis -U demo/administrator%hash // 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'

runs the command 'cmd.exe /c dir c:\ > c:\windows\temp\blog.txt'.  Note the "cmd.exe /c" is required to actually execute the command.

We can then use something like smbget to dump the output IE:

smbget -w demo -u demo\\administrator -O -p <hash> smb://$/windows/temp/blog.txt

And, we can see from this screenshot that it worked as expected....

What sorts of evil things can you do from the commandline?  Aside from piecing together an asynchronous shell, there's a lot of interesting things you can do...  I'll let @obscuresec answer that one in a guest post here soon....  It's nice and evil, trust me...


Curl is a useful command line web utility that also has support for several other protocols, such as ftp, smtp, pop3, and others.   I patched PTH functionality in as a quick method to access some of these other protocols if they prompted for NTLM authentication.  The easiest example is grabbing info from a sharepoint server....

For example, if we want to log in with bob.franklin and grab his default sharepoint page we can do something like this:

curl --ntlm -u bob.franklin:<hash> http://intranet.demo.local/Pages/Default.aspx

And you see we get a bunch of html back from the server in the image.

Monday, April 8, 2013

PTH Toolkit For Kali - Interim status


I've uploaded 2 tarballs to

One is 32-bit and the other is 64-bit.  Everything works from my original talk on both with the exception of wmis, the WMI command execution tool.  Extract the tarball into /opt/pth and set your PATH variable to point to /opt/pth/bin and you should be good to go.

For whatever reason the 64-bit version of wmis didn't work while the 32-bit version works like a champ.  If you need that functionality, use the 32-bit binary (also uploaded).

In order to use 32-bit binaries on 64-bit Kali, you need to add the 32-bit libraries.  Follow these steps:

  1. dpkg --add-architecture i386
  2. apt-get update
  3. apt-get install ia32-libs

Slightly Longer Version

I'm starting out by distributing 2 binary tarballs, 32-bit and 64-bit.  After having spent a fair amount of time working on the packaging of winexe, only to discover that the latest version didn't work on 32-bit operating systems, I decided it was time to take the distribution in stages.

So, I tweaked my build scripts (found here on my google code site), updated stuff wherever needed and compiled.  

I had planned on only releasing one tarball.... then I discovered that 64-bit Kali didn't have any 32-bit libraries installed.  So it became an issue of whether or not to force everybody to install all the required libraries for 32-bit operation.  When I looked at it, it was something like another 300mb of libs for everything to work.  So I figured that I'd give it a shot to have 64-bit compiled version as well.

Testing revealed that the 64-bit version of the 'wmis' tool didn't work.  It gives some sort of RPC error and given the "barely working as it is" nature of things, if folks on 64-bit Kali need to run it then you can install a subset of the 32-bit libraries and it will work just fine for you.  I uploaded the 32-bit WMIS to the google code download page so it can be downloaded separately.

The Tools

Samba 4 / Openchange - Tools/libraries for interacting with Windows / Active Directory / Exchange 
FreeTDS /SQSH - library / utility for interacting with MSSSQL databases
Winexe - PSExec clone
Firefox - ESR 17 release 5
Curl - Command line web browser (upcoming blog post)
Wmic  - Simple WMI query tool (upcoming blog post)
Wmis -  WMI tool that uses "create process" from WMI to execute single commands (upcoming blog post)


I've uploaded 2 tarballs to

Download the tarball that's appropriate for your distribution and untar/gzip it to /opt/pth.

Set your path to include '/opt/pth/bin' and you should be good to go.  No need to screw with library paths as  all that jazz is compiled into the binaries to look for their libraries in /opt/pth/lib.

In order to use 32-bit binaries on 64-bit Kali, you need to add the 32-bit libraries.  Follow these steps:

  1. dpkg --add-architecture i386
  2. apt-get update
  3. apt-get install ia32-libs

More To Follow...