2013. 8. 19. 14:29

Windows Management Instrumentation (WMI) Client for Linux



If you don’t want to install an external monitoring application on your Windows hosts, the easiest way to monitor them is to use WMI (Windows Management Instrumentation).
This is an infrastructure for management data and operations on Windows-based operating systems, and it is available by default from Windows 2000 through Windows 7 up to Windows 2008 R2.
For more details about WMI see the following pages:


Windows Management Instrumentation on WIKI
Windows Management Instrumentation on MSDN


For example, using WMI you can query the running processes or services of a remote server running a Windows-based operating system, or get a lot of other important information about that host.


It sounds good, doesn’t it? But there is a problem on Linux: you need a WMI client if you want to monitor your Windows hosts, and one is not available on most distributions by default.
On Ubuntu, you can download it from the Ubuntu packages, but only for Hardy: http://packages.ubuntu.com/hardy/wmi-client
Unfortunately, this version does not work with Windows Vista or above.
If you try to run a query against Vista or Windows 7, you will receive the following error message:

ERROR: WMI query execute.
NTSTATUS: NT code 0xc002001b – NT code 0xc002001b

Also, this package is not available after Hardy because it was removed due to a licensing problem: link


So, if you want to use this useful wmi client (it’s free under GPLv2), you need to download it from the Zenoss website and compile it yourself.
It is very easy:
Download the wmi client from the Zenoss repository or just use this link (it may change when a newer version becomes available):
wmi-client 1.3.13


Compiling:


tar xvf wmi-1.3.13.tar.bz2
cd wmi-1.3.13
export ZENHOME=<yourpath>/wmi-zenoss/wmi-1.3.13
make

After compiling has finished, you can find the wmi client (wmic) in the wmi-1.3.13/Samba/source/bin directory. I tried it on my Ubuntu Lucid and it worked very well.


Now, let’s see a few examples:


To query the processes running on my remote Windows 7 host (note: supply the correct domain name, user name and password for your system):

./wmic -U <domainname>/<username>%<password> //10.100.32.1 "SELECT CommandLine,Name,ProcessId FROM Win32_Process"


CLASS: Win32_Process
CommandLine|Handle|Name|ProcessId
"C:\Windows\system32\cmd.exe" |3512|cmd.exe|3512
C:\Windows\Explorer.EXE|2740|explorer.exe|2740
C:\Windows\system32\lsass.exe|436|lsass.exe|436

To query running services:

./wmic -U <domainname>/<username>%<password> //10.100.32.1 "SELECT Caption,CreationClassName,DisplayName,Name,PathName,ProcessId,State,ServiceType FROM Win32_Service WHERE State='Running'"


CLASS: Win32_Service
Caption|CreationClassName|DisplayName|Name|PathName|ProcessId|ServiceType|State
Security Accounts Manager|Win32_Service|Security Accounts Manager|SamSs|C:\Windows\system32\lsass.exe|436|Share Process|Running
RPC Endpoint Mapper|Win32_Service|RPC Endpoint Mapper|RpcEptMapper|C:\Windows\system32\svchost.exe -k RPCSS|628|Share Process|Running

Or just to query the disk capacity of "C:":

./wmic -U <domainname>/<username>%<password> //10.100.32.1 "SELECT DriveLetter,Capacity,FileSystem,FreeSpace FROM Win32_Volume WHERE DriveLetter='C:'"


CLASS: Win32_Volume
Capacity|DeviceID|DriveLetter|FileSystem|FreeSpace
21367877632|\\?\Volume{aa579964-997d-11df-a2d4-806e6f6e6963}|C:|NTFS|12676456448

As you can see, these are simple queries that look like SQL, but WMI uses WQL (WMI Query Language); you can also use the "*" wildcard to query all fields.
For more details about WQL: Link
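The wmic client prints each result as a "CLASS:" line, a header row and pipe-delimited records, and it adds the class key column (Handle, DeviceID) even when the query did not ask for it. The following parser is an added example, not code from the post or from the Zenoss project; the sample output it consumes is constructed from the listings above, and the free-space threshold check is a plain monitoring use of the parsed rows.

```python
"""Parser for the record format that the Zenoss wmic client prints (added example)."""
from typing import Dict, List

def parse_wmic(text: str) -> List[Dict[str, str]]:
    """Turn 'CLASS: X' / header / pipe-delimited rows into dicts keyed by column.
    wmic always prints the class key property (Handle, DeviceID, ...) even when
    the WQL SELECT did not ask for it, so index rows by name, never by position.
    A literal '|' inside a value (possible in CommandLine) is not handled here.
    """
    records: List[Dict[str, str]] = []
    header: List[str] = []
    cls = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("CLASS: "):
            cls = line[len("CLASS: "):].strip()
            header = []  # the next non-empty line is this class's header row
            continue
        fields = [f.strip() for f in line.split("|")]
        if not header:
            header = fields
            continue
        rec = dict(zip(header, fields))
        rec["__class__"] = cls
        records.append(rec)
    return records

def free_percent(volume: Dict[str, str]) -> float:
    """Free space as a percentage of capacity for one Win32_Volume row."""
    return 100.0 * int(volume["FreeSpace"]) / int(volume["Capacity"])

def volumes_below(records: List[Dict[str, str]], threshold: float) -> List[str]:
    """Drive letters of Win32_Volume rows with less than `threshold` percent free."""
    return [r["DriveLetter"] for r in records
            if r["__class__"] == "Win32_Volume" and free_percent(r) < threshold]

# Constructed sample, modelled on the Win32_Process and Win32_Volume listings above.
SAMPLE = """CLASS: Win32_Process
CommandLine|Handle|Name|ProcessId
"C:\\Windows\\system32\\cmd.exe" |3512|cmd.exe|3512
C:\\Windows\\Explorer.EXE|2740|explorer.exe|2740

CLASS: Win32_Volume
Capacity|DeviceID|DriveLetter|FileSystem|FreeSpace
21367877632|\\\\?\\Volume{aa579964-997d-11df-a2d4-806e6f6e6963}|C:|NTFS|12676456448
"""
```

Feed it the stdout of a wmic call (for example via subprocess) to get the same dicts for live hosts.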


Also, you should know the available WMI classes (like Win32_Volume or Win32_Service in my examples): WMI classes


Now, you are able to monitor your Windows-based servers with WMI from Linux, too. Have fun!



Source: pzolee.blogs.balabit.com


  1. 날으는물고기 2013.08.19 14:53

    use strict;
    use warnings;
    use IO::Handle;            # needed for STDOUT->autoflush on older Perls

    use Win32::OLE qw(in);     # 'in' iterates a COM collection; it is not exported by default
    use Win32::OLE::Variant;

    STDOUT->autoflush;

    # Connect to the WMI namespace (SYSTEM is the host part of the winmgmts moniker)
    my $wmi = Win32::OLE->GetObject('winmgmts:\\\\SYSTEM\root\cimv2') or die Win32::OLE->LastError;
    # Formatted (already computed) per-processor performance counters
    my $list = $wmi->ExecQuery('SELECT * FROM Win32_PerfFormattedData_Counters_ProcessorInformation');
    my $n = 0;
    for my $cpu (in $list) {
        # Treats the first row as the aggregate and the rest as individual CPUs
        printf "%s: %d%%\n", $n ? "CPU$n" : ' ALL', $cpu->PercentProcessorTime;
        $n++;
    }

  2. 날으는물고기 2013.08.19 14:53

    output

    ALL: 8%
    CPU1: 8%
    CPU2: 12%
    CPU3: 6%
    CPU4: 12%
    CPU5: 6%
    CPU6: 6%
    CPU7: 6%


2012. 3. 19. 18:50

MS12-020 RDP vulnerabilities: Patch, Mitigate, Detect


As a follow-up to the fact that we've raised the INFOCON level to yellow for MS12-020, a step not taken lightly, it was suggested that we offer a few simple things folks can do to ensure that they're patched appropriately, as well as to employ possible mitigations and detection.

Specifically, MS12-020 includes KB2671387 (Remote Code Execution - CVE-2012-0002) and KB2667402 (Denial of Service - CVE-2012-0152) or KB2621440.
The reference for the update you'll see on a Windows system, when installed, depends on the version of the OS you're running. For Windows 7 you'll likely note KB2667402, whereas you should only expect KB2621440 on a Windows XP host.
Confusing, I know, but it matters. Read the full MS12-020 bulletin to confirm.
 
The simplest step to determine whether you're properly updated, using Windows 7 x64 as an example, is:
Start -> All Programs -> Windows Update -> View Update History and look for a reference to KB2667402, as seen in Figure 1.
 

Figure 1 
 
If on a Windows XP host, using Microsoft Update, you can opt for Start -> Microsoft Update -> Review your update history and ensure KB2621440 is installed.
 
Additionally, at the command prompt, you can use the Windows Management Instrumentation Command-line (WMIC) and issue:
wmic qfe | find "KB2667402" or wmic qfe | find "KB2621440"
If patched, you'll see results as shown in Figure 2.
 

Figure 2
 
Mitigation
Per the bulletins, "systems that do not have RDP enabled are not at risk."
Your privileges on a given system (enterprise GPOs may prevent changes) may dictate your level of success.
Options include, aside from the obvious (PATCH):
1) Don't run RDP if you don't really need it.
Start -> Run -> services.msc -> stop and/or disable Remote Desktop Services (Figure 3), or disable it via Control Panel

Figure 3
 
2) Use Windows Firewall (where applicable and if enabled) to prevent access to RDP (Figure 4) at the host level

Figure 4
 
3) Ensure your network security configurations don't unnecessarily allow RDP (TCP 3389) from the Internet. If you absolutely, positively must do so, restrict it to approved hosts.
 
4) Enable Network Level Authentication (NLA) on Vista and later systems. Per the SRD blog: "On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability."
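To turn the patch check and the mitigation list above into something repeatable across a fleet, the script below combines the KB-per-OS mapping from this diary, raw `wmic qfe` output, and the state of the Remote Desktop Services service (Win32_Service name TermService) into one verdict. It is an added example, not ISC's tooling; the sample `wmic qfe get HotFixID` output is constructed, and the low/high/critical labels are this example's own scale.

```python
"""Assess a host's exposure to MS12-020 from 'wmic qfe' output and its RDP state (added example)."""
import re
from typing import Dict, List, Optional

# From the diary: Windows 7 reports KB2667402, Windows XP reports KB2621440.
EXPECTED_KB = {"windows 7": "KB2667402", "windows xp": "KB2621440"}

def installed_hotfixes(qfe_output: str) -> List[str]:
    """Collect every KB identifier from raw 'wmic qfe' output, whatever its layout."""
    return sorted(set(re.findall(r"\bKB\d{6,7}\b", qfe_output)))

def expected_kb(os_caption: str) -> Optional[str]:
    """Map an OS caption (e.g. Win32_OperatingSystem.Caption) to the KB to look for."""
    caption = os_caption.lower()
    for key, kb in EXPECTED_KB.items():
        if key in caption:
            return kb
    return None  # other versions: check the MS12-020 bulletin for the right KB

def assess(os_caption: str, qfe_output: str, rdp_service_state: str,
           rdp_reachable_from_internet: bool) -> Dict[str, object]:
    """Combine patch status with the diary's mitigations into one verdict.

    rdp_service_state is the Win32_Service State of Remote Desktop Services
    (service name TermService); the risk labels are this example's own scale.
    """
    kb = expected_kb(os_caption)
    patched = kb is not None and kb in installed_hotfixes(qfe_output)
    rdp_enabled = rdp_service_state.strip().lower() == "running"
    if patched:
        risk = "low"
    elif not rdp_enabled:
        risk = "low"       # bulletin: systems without RDP enabled are not at risk
    elif rdp_reachable_from_internet:
        risk = "critical"  # unpatched, RDP on, TCP 3389 exposed: patch or block now
    else:
        risk = "high"      # unpatched but only reachable internally; still patch
    return {"expected_kb": kb, "patched": patched,
            "rdp_enabled": rdp_enabled, "risk": risk}

# Constructed sample: 'wmic qfe get HotFixID' output from a Windows 7 host
# that does not yet have the MS12-020 update installed.
SAMPLE_QFE = """HotFixID
KB2479943
KB2506212
KB2552343
"""
```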
  
Detection
Snort users can keep an eye on the likes of Emerging Threats. A rule (SID 2014384) has been included to identify a possible RDP DoS attack as described in KB2667402/CVE-2012-0152. I'm certain additional rules and detection logic are being added across the spectrum of detection options; check in with your vendor/provider accordingly.
 
Feel free to comment with methodology related to the above that works for you and thus may help others.


Source: isc.sans.edu
