LinuxCommandLibrary

nxc-wmi

Execute WMI queries against Windows systems

TLDR

Search for valid credentials by trying out every combination in the specified lists of usernames and passwords
$ nxc wmi [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt]

Authenticate via local authentication (as opposed to authenticating to the domain)
$ nxc wmi [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --local-auth

Issue the specified WMI query
$ nxc wmi [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --wmi [wmi_query]

Execute the specified command on the targeted host
$ nxc wmi [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] -x [command]

SYNOPSIS

nxc smb <TARGETS> [-u <USERNAME> -p <PASSWORD> | -H <HASH>] [-d <DOMAIN>] [NXC_OPTIONS] -M wmi <WMI_MODULE_OPTION> [MODULE_ARGUMENTS]

PARAMETERS

--wmi-query WMI_QUERY
    Execute a custom WMI Query Language (WQL) query.

--wmi-namespace WMI_NAMESPACE
    Specify a WMI namespace for queries (default: root\cimv2).

--wmi-list-namespaces
    List all available WMI namespaces on the target.

--wmi-exec WMI_EXEC
    Execute a WMI method on a specified class, e.g., "CLASSNAME@METHODNAME@ARG1=VAL1".

--wmi-enum-class WMI_ENUM_CLASS
    Enumerate properties of a specified WMI class.

--wmi-enum-methods WMI_ENUM_METHODS
    Enumerate methods of a specified WMI class.

--wmi-enum-privs
    Enumerate token privileges of the authenticated user.

--wmi-enum-sessions
    Enumerate active sessions on the target.

--wmi-enum-share
    Enumerate available network shares.

--wmi-enum-users
    Enumerate local users on the target system.

--wmi-enum-groups
    Enumerate local groups on the target system.

--wmi-enum-loggedon-users
    Enumerate currently logged on users.

--wmi-enum-rdp
    Enumerate RDP sessions on the target.

--wmi-enum-services
    Enumerate running services on the target.

--wmi-enum-processes
    Enumerate active processes on the target.

--wmi-enum-patches
    Enumerate installed patches and hotfixes.

--wmi-enum-hotfixes
    Enumerate installed hotfixes.

--wmi-enum-uac
    Enumerate User Account Control (UAC) settings.

--wmi-enum-winlogon
    Enumerate Winlogon settings.

--wmi-enum-startup
    Enumerate programs configured to run at startup.

--wmi-enum-dns
    Enumerate DNS client settings and entries.

--wmi-enum-software
    Enumerate installed software on the target system.

DESCRIPTION

The "nxc-wmi" command refers to the Windows Management Instrumentation (WMI) module within the NetExec (formerly CrackMapExec or CME) framework. It is designed for interacting with Windows systems remotely over the Server Message Block (SMB) protocol. WMI is a core Windows technology used for managing local and remote computers, providing a standardized way to access system information and execute management tasks.

The nxc-wmi module allows security professionals, penetration testers, and system administrators to perform a wide array of actions, including executing custom WMI Query Language (WQL) queries, listing WMI namespaces, enumerating classes and methods, and performing various enumeration tasks such as listing users, groups, shares, services, processes, and installed software.

It's widely used for reconnaissance, lateral movement, and privilege escalation within Windows environments, often proving effective even when traditional remote execution methods are blocked. By leveraging valid credentials (username/password or NTLM hashes), nxc-wmi provides a flexible and often stealthy mechanism to gather intelligence and perform actions on target machines without necessarily requiring administrative shares or direct code execution.

CAVEATS

The effective use of nxc-wmi is contingent on several factors:
1. Credentials: Requires valid SMB authentication credentials (username/password or NTLM hash) to access the target.
2. Network Connectivity: The target must be reachable over SMB (port 445 by default), and firewall rules must permit WMI traffic.
3. WMI Service: The WMI service must be running and accessible on the target Windows machine.
4. Permissions: Specific WMI queries or method executions may require local administrator privileges or specific WMI permissions on the target system.
5. Detection: Extensive or unusual WMI activity might be logged or detected by Endpoint Detection and Response (EDR) solutions or antivirus software.

WQL (WMI QUERY LANGUAGE)

Many nxc-wmi operations, particularly the --wmi-query option, rely on WQL. WQL is a SQL-like query language used for retrieving information from WMI classes and instances. It allows for highly specific and flexible data extraction from Windows systems.
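The following is an added example, not code from NetExec: it composes a WQL query for the --wmi option shown in the TLDR, escaping string literals the way WQL expects (backslash is the escape character, so Windows paths and embedded quotes need care), and builds an argv list so the query reaches nxc intact without shell quoting. The flags used (-u, -p, --wmi, --wmi-namespace, --local-auth) are the ones listed on this page; the helper names are my own.

```python
import shlex
from typing import Mapping, Sequence, Union

# Added example (not part of NetExec): safe WQL composition for `nxc wmi --wmi`.

def wql_literal(value: Union[str, int, bool]) -> str:
    """Render a Python value as a WQL literal.

    WQL string literals are single-quoted and use backslash as the escape
    character, so C:\\Windows must be written 'C:\\\\Windows' and an embedded
    single quote must be written \\'.
    """
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    if isinstance(value, int):
        return str(value)
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def wql_select(wmi_class: str, props: Sequence[str] = (),
               where: Mapping[str, object] = None) -> str:
    """Compose SELECT <props> FROM <class> [WHERE a = x AND b = y]."""
    if not wmi_class.isidentifier():  # refuse class names carrying stray operators
        raise ValueError(f"bad WMI class name: {wmi_class!r}")
    cols = ", ".join(props) if props else "*"
    query = f"SELECT {cols} FROM {wmi_class}"
    if where:
        clauses = [f"{k} = {wql_literal(v)}" for k, v in where.items()]
        query += " WHERE " + " AND ".join(clauses)
    return query


def nxc_wmi_argv(target: str, username: str, password: str, query: str,
                 namespace: str = None, local_auth: bool = False) -> list:
    """argv for subprocess.run(): each element is one argument, so the WQL
    string (spaces, quotes and backslashes included) needs no shell escaping."""
    argv = ["nxc", "wmi", target, "-u", username, "-p", password, "--wmi", query]
    if namespace:
        argv += ["--wmi-namespace", namespace]
    if local_auth:
        argv.append("--local-auth")
    return argv


if __name__ == "__main__":
    # Constructed sample: stopped services that are configured to auto-start.
    q = wql_select("Win32_Service", ["Name", "State"],
                   {"StartMode": "Auto", "State": "Stopped"})
    print(shlex.join(nxc_wmi_argv("192.168.178.2", "user", "pass", q, local_auth=True)))
```

Running the script prints the equivalent shell command line, which shows how the single-quoted WQL literals end up wrapped for the shell.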

AUTHENTICATION METHODS

nxc-wmi, via NetExec, supports various authentication methods for SMB, including clear-text passwords (-p) and NTLM hashes (-H). This flexibility is crucial for adapting to different security postures and credential types found during penetration tests.

TYPICAL USE CASES

Beyond basic enumeration, nxc-wmi is frequently used for:
* Reconnaissance: Gathering system information, installed software, network configurations.
* Lateral Movement: Executing commands or interacting with services on other systems accessible via WMI.
* Privilege Escalation: Identifying misconfigurations or vulnerabilities through detailed system enumeration.

HISTORY

The "nxc-wmi" module is an integral part of NetExec, a direct successor to the widely recognized penetration testing tool CrackMapExec (CME), originally developed by byt3bl33d3r. CME quickly rose to prominence for its ability to interact with various Windows services, including SMB, using diverse authentication methods.

The WMI module was a core component from early versions of CME, designed to leverage Windows Management Instrumentation for powerful reconnaissance and post-exploitation capabilities. The project's evolution into NetExec signifies a continued commitment to developing and maintaining this versatile tool, with the WMI module remaining a key feature for security professionals seeking advanced Windows interaction methods.

SEE ALSO

nxc(1), crackmapexec(1), wmic(1), impacket-wmiexec(1)
