Port 135 - Windows Management Instrumentation (WMI)

Windows Management Instrumentation (WMI) is Microsoft's implementation and also an extension of the Common Information Model (CIM), core functionality of the standardized Web-Based Enterprise Management (WBEM) for the Windows platform. WMI allows read and write access to almost all settings on Windows systems. Understandably, this makes it the most critical interface in the Windows environment for the administration and remote maintenance of Windows computers, regardless of whether they are PCs or servers. WMI is typically accessed via PowerShell, VBScript, or the Windows Management Instrumentation Console (WMIC). WMI is not a single program but consists of several programs and various databases, also known as repositories.

Footprinting the service

The initialization of the WMI communication always takes place on TCP port 135, and after the successful establishment of the connection, the communication is moved to a random port. For example, the program wmiexec.py from the Impacket toolkit can be used for this.

/usr/share/doc/python3-impacket/examples/wmiexec.py <username>:<"password">@$ip <hostname>

# Prints the patch level and description of the Hotfixes applied
wmic qfe get Caption,Description,HotFixID,InstalledOn   

# Displays basic host information to include any attributes within the list
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List  

# A listing of all processes on host
wmic process list /format:list  

# Displays information about the Domain and Domain Controllers
wmic ntdomain list /format:list 

#Displays information about all local accounts and any domain accounts that have logged into the device
wmic useraccount list /format:list  

# Information about all local groups
wmic group list /format:list    

# Dumps information about any system accounts that are being used as service accounts.
wmic sysaccount list /format:list   

Last update: 2024-12-27
Created: July 1, 2023 08:34:56