Last active
April 25, 2024 12:01
-
-
Save xorrior/67ee741af08cb1fc86511047550cdaf4 to your computer and use it in GitHub Desktop.
Useful Wmic queries for host and domain enumeration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Host Enumeration: | |
| --- OS Specifics --- | |
| wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
| wmic computersystem LIST full | |
| --- Anti-Virus --- | |
| wmic /namespace:\\root\securitycenter2 path antivirusproduct | |
| --- Peripherals --- | |
| wmic path Win32_PnPdevice | |
| --- Installed Updates --- | |
| wmic qfe list brief | |
| --- Directory Listing and File Search --- | |
| wmic DATAFILE where "path='\\Users\\test\\Documents\\'" GET Name,readable,size | |
| wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE | |
| --- Local User Accounts --- | |
| wmic USERACCOUNT Get Domain,Name,Sid | |
| Domain Enumeration: | |
| --- Domain and DC Info --- | |
| wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE | |
| --- Domain User Info --- | |
| wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='testAccount'" GET | |
| --- List All Users --- | |
| wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname | |
| --- List All Groups --- | |
| wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname | |
| --- Members of A Group --- | |
| wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value | |
| wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="YOURDOMAINHERE"") | |
| --- List All Computers --- | |
| wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname | |
| OR | |
| wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname | |
| Misc: | |
| --- Execute Remote Command --- | |
| wmic process call create "cmd.exe /c calc.exe" | |
| --- Enable Remote Desktop --- | |
| wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1" | |
| OR | |
| wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1" |
Domain user information results in "invalid query" with valid user. Need something after GET, like /value.
Also should be noted if you're using wmic for getting domain group membership, you're going to get only the LDAP results which include the CN, but you're not going to be returned the actual Windows username. I'm trying to figure out how to do that now. I'll edit this post if I figure it out.
Got it:
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="YOURDOMAINHERE"")
Just to add to the above, if you want local administrators, syntax is:
wmic /node:destination_node path win32_groupuser where (groupcomponent="win32_group.name=\"Administrators\",domain=\"destination_node\"")
Jerry Garcia is GOD
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Should be qfe list brief