LinuxCommandLibrary

nxc-wmi

Execute WMI queries against Windows systems

TLDR

Search for valid credentials by trying out every combination in the specified lists of usernames and passwords

$ nxc wmi [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt]

Authenticate via local authentication (as opposed to authenticating to the domain)
$ nxc wmi [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --local-auth

Issue the specified WMI query
$ nxc wmi [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --wmi [wmi_query]

Execute the specified command on the targeted host
$ nxc wmi [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] -x [command]
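The -x form above runs a command on the target through WMI, which on the Windows side appears as a child process of the WMI provider host (wmiprvse.exe). The PowerShell below is an added example, not part of this page or of NetExec: it lists such processes from Sysmon's process-creation events, assuming Sysmon is installed with Event ID 1 logging and the script runs with rights to read that log.

```powershell
# Added example (not from the NetExec project): triage processes spawned by WmiPrvSE.exe,
# the pattern left on a host when a remote caller creates a process over WMI.
# Assumes Sysmon (Event ID 1, process creation) is installed and readable by this account.
param(
    [int]$Hours = 24    # look-back window
)

$since = (Get-Date).AddHours(-$Hours)

# Pull Sysmon process-creation events from the look-back window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="..."> elements; flatten them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Parent is the WMI provider host: the process was created via WMI, not by a user shell.
    if ($data['ParentImage'] -match '\\WmiPrvSE\.exe$') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $data['User']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
        }
    }
}

if (-not $hits) {
    "No processes spawned by WmiPrvSE.exe in the last $Hours hours."
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

Legitimate management agents also create processes through WMI, so treat the list as a triage queue and correlate it with the originating network logon rather than as an alert on its own.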

SYNOPSIS

nxc-wmi -u -p -d -q

PARAMETERS


    The target host or a file containing a list of target hosts.

-u
    The username for authentication.

-p
    The password for authentication.

-H
    NTLM hash for authentication, instead of password.

-k
    Use Kerberos authentication.

-d
    The domain name.

-q
    The WMI query to execute.

--hashes
    Use NTLM hashes for authentication.

--kerberos
    Use Kerberos authentication.

--verbose
    Enable verbose output.

--help
    Display help message.

DESCRIPTION

The `nxc-wmi` command is a tool within the `NetExec` framework (formerly known as `crackmapexec` or `cme`) used for executing Windows Management Instrumentation (WMI) queries against remote Windows hosts. It's a powerful utility for gathering information, managing systems, and performing various administrative tasks remotely without requiring traditional remote access methods.

It leverages the WMI protocol, which provides a standardized way to access and manage Windows systems. `nxc-wmi` authenticates against the target host using specified credentials (or attempts to use existing credentials if none are specified), establishes a WMI connection, and then executes the supplied WMI query. The results of the query are then displayed in the console. This tool is often used in penetration testing and security auditing to enumerate systems, identify vulnerabilities, and gather sensitive information. It's also helpful for system administrators managing Windows environments at scale.

Note that NetExec is a penetration testing tool and should be used responsibly and ethically, only with proper authorization.

CAVEATS

Valid credentials on the target system are required. The WMI service must be enabled and reachable on the target host, and firewall rules or other network security controls may block WMI traffic. NetExec itself requires Python.

AUTHENTICATION

The command supports various authentication methods, including username/password, NTLM hashes, and Kerberos. Choosing the appropriate method depends on the target environment and the available credentials.

WMI QUERY SYNTAX

The `-q` parameter requires a valid WMI Query Language (WQL) query. Familiarity with WQL is essential for effective use of the command. Common queries include retrieving system information, listing installed software, and querying event logs. For example: `SELECT Caption, Version FROM Win32_OperatingSystem`.

HISTORY

The `nxc-wmi` command evolved as part of the `crackmapexec` suite, which later became `NetExec`. It was developed to provide a modular and efficient way to interact with Windows systems for pentesting and security auditing. The command leverages the WMI protocol, a standard management interface for Windows, to perform various tasks remotely. Its usage has grown significantly in the security community due to its versatility and ability to automate many common pentesting tasks.

SEE ALSO

nxc(1), smbclient(1), wmiprvse.exe (Windows)
