Week of PowerShell Shells – Day 4 – WMI Shell

Welcome to the Day 4 of Week of PowerShell Shells. The Shell which we are going to discuss today is much different from the ones we have dicussed previously. Today, we will discuss a shell which utilizes WMI (Read more about WMI here).
We can execute PowerShell commands and scripts using WMI using the Invoke-WmiMethod cmdlet. But the cmdlet does not return any output. It is the ReturnValue of 0 and a ProcessId which tells us that *may be* the command was executed successfully:
Notice that in the above example we need valid crednetials for the target machine.
I am no fan of WMI as it is not NAT and Firewall friendly, but having alternative techniques and methodologies are essential for a succesfull attacker. Inability to see the output kills the fun part of command/script execution. Fortunately, a very clever solution to this problem was discussed by Andrei Dumitrescu at HES 2014. The solution is to store the output in Base64 encoding into WMI namespaces. retrieve it and decode on the attacker’s machine. The solution was implemented in PowerShell by Jesse Davis (@secabstraction) here: https://github.com/secabstraction/WmiSploit.
Based entirely on Jesse’s code, I give you Invoke-PowerShellWmi. A script which provides interactive PowerShell session using WMI.
Here is how to use it. The script will prompt for a password:

 

Note that like normal WMI operations, valid Administrative access/credentials for the target machine are required to use this script. This privilege could be achieved by dumping passwords in plaintext, stealing tokens etc.

Here is Invoke-PowerShellWmi in action:

Great! We can see output of PowerShell and native commands.

PowerShell scripts could be executed as well using the -EncodedCommand parameter of PowerShell:

Nice! We executed encoded Invoke-PowerShellTcpOneLine using WMI.
The default shell available is PowerShell but cmd can be used as well using the -ShellType parameter.
Looking at WireShark, this obviosuly is a genuine WMI traffic.

The pcap is available here: https://drive.google.com/folderview?id=0B-Hsu8q12kG3fnBMWlhFQ2VqaDFLM3BheVpyOFdrUExKcGRLbjExcURfMHBaSkNCanFiQWM&usp=sharing

The Namespaces created in the process are marked with “SYSINFOS” unless specified otherwise by the user.  Make sure to use “exit” command when closing the shell as it initiates a cleanup of the target system.
A video demonstration of Invoke-PowerShellWmi:
Remember, much more could be achieved with PowerShell once you have access to a machine. You may like to see my other blog posts for that.
Hope you enjoyed it! Please leave feedback and comments.

Once again, to support my research and work, join me for a two days training “PowerShell for Penetration Testers” at:

NolaCon, New Orleans (June 10-11th)https://nolacon.com/powershell-for-penetration-testers/

Shakacon, Honolulu (July 6-7th)http://shakacon.org/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s