Category: Exploitation
Tags: wmi, dcom, rpc, windows, remote-execution, samba

wmi

wmi is a DCOM/WMI client implementation based on Samba4 sources for interacting with WMI services on Windows systems. It provides a command line client to perform remote command execution on Windows 2000/XP/2003 machines.

Description

The wmi-client package contains tools for remote interaction with Windows Management Instrumentation (WMI) services using DCOM/RPC mechanisms. This implementation, derived from Samba4 sources, enables cybersecurity professionals to execute commands and query system information remotely on legacy Windows systems like 2000, XP, and 2003.

Primary use cases include penetration testing, post-exploitation activities, and system reconnaissance where administrative credentials are available. The tools leverage standard Windows protocols, making them suitable for environments with compatible domain controllers or standalone Windows hosts.

The package includes the main 'wmic' command line client and additional utilities like 'wmis', providing flexible options for authentication, namespace specification, and output formatting during remote operations.

How It Works

wmi operates as a DCOM/WMI client that speaks RPC/DCOM to the WMI service on the target Windows machine. Being built from Samba4 sources, it authenticates with NTLM or any other mechanism Samba supports, then runs WQL queries or commands within the chosen WMI namespace (default: root\cimv2). Query results are printed as delimited rows, with the delimiter configurable for properties that carry multiple values, which makes the output usable for both interactive interrogation and scripted remote execution.

Installation

```bash
sudo apt install wmi-client
```

Flags

--namespace=STRING                           WMI namespace, default to root\cimv2
--delimiter=STRING                           delimiter to use when querying multiple values, default to '|'
-U, --user=[DOMAIN\]USERNAME[%PASSWORD]      Set the network username
-?, --help                                   Show this help message
--usage                                      Display brief usage message
-d, --debuglevel=DEBUGLEVEL                  Set debug level
--debug-stderr                               Send debug output to STDERR
-s, --configfile=CONFIGFILE                  Use alternative configuration file

Examples

```bash
# Display the help message for wmic
wmic --help

# Query the Win32_ComputerSystem class on remote host using specified credentials
wmic -U [domain/]adminuser%password //host "select * from Win32_ComputerSystem"

# Query process information from default namespace on remote host
wmic --namespace=root\cimv2 //host "select * from Win32_Process"

# Query installed software with comma delimiter for multiple values
wmic --delimiter=',' //host "select Name,Version from Win32_Product"

# Connect to remote host with username and password
wmic -U adminuser%password //host

# Use wmis utility to connect to remote host with credentials
wmis -U [domain/]adminuser%password //host

# Connect to remote host without asking for password
wmic -N //host
```
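The delimited result format described under How It Works is what a script consumes once it has captured wmic's output, for example from the --delimiter=',' query above. The parser below is an added example, not part of the wmi-client package; it assumes the layout wmic prints (a "CLASS: <name>" line, a header row of property names, then one row per instance, with null properties shown as "(null)"), and the sample output is constructed.

```python
"""Parse captured wmic (wmi-client) query output into records."""
from typing import Dict, List, Optional

Record = Dict[str, Optional[str]]


def parse_wmic_output(text: str, delimiter: str = "|") -> List[Record]:
    """Return one dict per instance row, keyed by property name.

    Assumed layout (as wmic prints it): "CLASS: <name>", then a header row,
    then data rows, every field separated by `delimiter` (--delimiter).
    The class name is stored under the synthetic key "_class".
    """
    records: List[Record] = []
    current_class = ""
    header: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            continue
        if line.startswith("CLASS: "):
            current_class = line[len("CLASS: "):].strip()
            header = []  # the next non-empty line is this class's header row
            continue
        fields = line.split(delimiter)
        if not header:
            header = fields
            continue
        # A property value containing the delimiter itself would desync the
        # columns; refuse rather than silently mis-assign fields (pick a
        # delimiter with --delimiter that cannot occur in the data).
        if len(fields) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(fields)}: {line!r}")
        rec: Record = {k: (None if v == "(null)" else v) for k, v in zip(header, fields)}
        rec["_class"] = current_class
        records.append(rec)
    return records


# Constructed sample, shaped like the output of:
#   wmic --delimiter=',' //host "select Name,Version from Win32_Product"
SAMPLE = """CLASS: Win32_Product
Name,Version
Example Agent,1.2.3
Example Runtime,(null)
"""

if __name__ == "__main__":
    for rec in parse_wmic_output(SAMPLE, delimiter=","):
        print(rec)
```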
Updated 2026-04-16. Source: kali.org