Wmic-linux

Description

Windows Management Instrumentation Command-line (WMIC) uses Windows Management Instrumentation (WMI) to enable system management from the command line.

This post explains how to install a wmic client on a Linux machine. The above installation procedure has been tested on a Ubuntu 12.04 LTS 32 bits host.

The client for Linux is not as powerful as the one for Windows because it is limited to "select" requests (i.e. not possible to request something like "process list brief") but will be helpful if you don't want to start your Windows virtual machine.

Installation

Pre-requisites

$ sudo aptitude install autoconf

Compilation

$ cd /data/tools/
$ wget http://www.openvas.org/download/wmi/wmi-1.3.14.tar.bz2
$ bzip2 -cd wmi-1.3.14.tar.bz2 | tar xf -
$ cd wmi-1.3.14/
$ sudo make
$ sudo cp Samba/source/bin/wmic /usr/local/bin/

Usage

Usage

Usage: wmic -U user%password //host "query"

Options

-?, --help

Show this help message

-A, --authentication-file=FILE

Get the credentials from a file

--delimiter=STRING

delimiter to use when querying multiple values, default to '|'

-d, --debuglevel=DEBUGLEVEL

Set debug level

--debug-stderr

Send debug output to STDERR

-i, --scope=SCOPE

Use this Netbios scope

-k, --kerberos=STRING

Use Kerberos

-l, --log-basename=LOGFILEBASE

Basename for log/debug files

--leak-report

enable full talloc leak reporting on exit

--leak-report-full

enable talloc leak reporting on exit

-m, --maxprotocol=MAXPROTOCOL

Set max protocol level

--namespace=STRING

WMI namespace, default to root\cimv2

-N, --no-pass

Don't ask for a password

-n, --netbiosname=NETBIOSNAME

Primary netbios name

--option=name=value

Set smb.conf option from command line

-O, --socket-options=SOCKETOPTIONS

socket options to use

--password=STRING

Password

-P, --machine-pass

Use stored machine account password (implies -k)

--realm=REALM

Set the realm name

-R, --name-resolve=NAME-RESOLVE-ORDER

Use these name resolution services only

--simple-bind-dn=STRING

DN to use for a simple bind

-S, --signing=on|off|required

Set the client signing state

-s, --configfile=CONFIGFILE

Use alternative configuration file

--usage

Display brief usage message

--use-security-mechanisms=STRING

Restricted list of authentication mechanisms available for use with this authentication

-U, --user=[DOMAIN\]USERNAME[%PASSWORD]

Set the network username

-V, --version

Print version

-W, --workgroup=WORKGROUP

Set the workgroup name

Examples

Note: For a complete list of classes you can request, please refer to http://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx

Get system information

$ wmic -U unknown //192.168.1.12 "select * from Win32_ComputerSystem"
Password for [WORKGROUP\unknown]:
CLASS: Win32_ComputerSystem
AdminPasswordStatus|AutomaticResetBootOption|AutomaticResetCapability|BootOptionOnLimit|BootOptionOnWatchDog|BootROMSupported|
BootupState|Caption|ChassisBootupState|CreationClassName|CurrentTimeZone|DaylightInEffect|Description|Domain|DomainRole|
EnableDaylightSavingsTime|FrontPanelResetStatus|InfraredSupported|InitialLoadInfo|InstallDate|KeyboardPasswordStatus|LastLoadInfo|
Manufacturer|Model|Name|NameFormat|NetworkServerModeEnabled|NumberOfLogicalProcessors|NumberOfProcessors|OEMLogoBitmap|OEMStringArray|
PartOfDomain|PauseAfterReset|PowerManagementCapabilities|PowerManagementSupported|PowerOnPasswordStatus|PowerState|PowerSupplyState|
PrimaryOwnerContact|PrimaryOwnerName|ResetCapability|ResetCount|ResetLimit|Roles|Status|SupportContactDescription|SystemStartupDelay|
SystemStartupOptions|SystemStartupSetting|SystemType|ThermalState|TotalPhysicalMemory|UserName|WakeUpType|Workgroup
3|True|True|0|0|True|Normal boot|UNKNOWN-7C76953|3|Win32_ComputerSystem|120|True|AT/AT COMPATIBLE|WORKGROUP|0|True|3|False|NULL|(null)|
3|(null)|innotek GmbH|VirtualBox|UNKNOWN-7C76953|(null)|True|1|1|NULL|(vboxVer_4.2.12,vboxRev_84980)|False|-1|NULL|False|3|0|3|(null)|
Unknown|1|-1|-1|(LM_Workstation,LM_Server,NT,Potential_Browser)|OK|NULL|30|("Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect)|
0|X86-based PC|3|1073201152|UNKNOWN-7C76953\unknown|6|(null)

Get list of running processes

$ wmic -U unknown%oopsoops //192.168.1.12 "select caption, name, parentprocessid, processid from win32_process"
CLASS: Win32_Process
Caption|Handle|Name|ParentProcessId|ProcessId
System Idle Process|0|System Idle Process|0|0
System|4|System|0|4
smss.exe|460|smss.exe|4|460
csrss.exe|924|csrss.exe|460|924
winlogon.exe|948|winlogon.exe|460|948
services.exe|992|services.exe|948|992
lsass.exe|1004|lsass.exe|948|1004
VBoxService.exe|1168|VBoxService.exe|992|1168
svchost.exe|1220|svchost.exe|992|1220
svchost.exe|1332|svchost.exe|992|1332
MsMpEng.exe|1576|MsMpEng.exe|992|1576
svchost.exe|1616|svchost.exe|992|1616
svchost.exe|1712|svchost.exe|992|1712
svchost.exe|1940|svchost.exe|992|1940
spoolsv.exe|244|spoolsv.exe|992|244
explorer.exe|916|explorer.exe|788|916
VBoxTray.exe|1288|VBoxTray.exe|916|1288
concentr.exe|1388|concentr.exe|916|1388
msseces.exe|1400|msseces.exe|916|1400
ctfmon.exe|1424|ctfmon.exe|916|1424
wfcrun32.exe|1472|wfcrun32.exe|1220|1472
svchost.exe|1812|svchost.exe|992|1812
dsNcService.exe|1908|dsNcService.exe|992|1908
jqs.exe|280|jqs.exe|992|280
TeamViewer_Service.exe|780|TeamViewer_Service.exe|992|780
alg.exe|3556|alg.exe|992|3556
wmiapsrv.exe|532|wmiapsrv.exe|992|532
wscntfy.exe|1640|wscntfy.exe|1616|1640
wmiprvse.exe|4000|wmiprvse.exe|1220|4000