WMI - winexe
Syntax: winexe -U domain/user%password //host "<command>"
Preface
Sometimes it is necessary to execute a command on a remote server.
On remote UX/Linux systems it is common to use the “SSH” protocol for this (when you are from the old school and not reinventing the wheel).
On MS Windows it is also possible to install “Cygwin” to emulate a UX/Linux environment. On the other hand, sometimes it is not required (or not possible) to install additional software on the remote MS Windows server.
In that case we can use the “winexe” command, which is delivered with the “wmic” package, on our Linux server. This makes it possible to execute remote commands on an MS Windows server directly from the Linux console.
WINEXE options:
[root@Linux-WMI-Client test]# winexe --help
Usage: winexe //host command
  --uninstall                                 Uninstall winexe service after remote execution
  --reinstall                                 Reinstall winexe service before remote execution
  --system                                    Use SYSTEM account
  --runas=[DOMAIN\]USERNAME%PASSWORD          Run as user (BEWARE: password is sent in cleartext over net)
  --interactive=INT                           Desktop interaction: 0 - disallow, 1 - allow. If you allow use also --system switch (Win requirement). Vista do not support this option.

Help options:
  -?, --help                                  Show this help message
  --usage                                     Display brief usage message

Common samba options:
  -d, --debuglevel=DEBUGLEVEL                 Set debug level
  --debug-stderr                              Send debug output to STDERR
  -s, --configfile=CONFIGFILE                 Use alternative configuration file
  --option=name=value                         Set smb.conf option from command line
  -l, --log-basename=LOGFILEBASE              Basename for log/debug files
  --leak-report                               enable talloc leak reporting on exit
  --leak-report-full                          enable full talloc leak reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER       Use these name resolution services only
  -O, --socket-options=SOCKETOPTIONS          socket options to use
  -n, --netbiosname=NETBIOSNAME               Primary netbios name
  -W, --workgroup=WORKGROUP                   Set the workgroup name
  --realm=REALM                               Set the realm name
  -i, --scope=SCOPE                           Use this Netbios scope
  -m, --maxprotocol=MAXPROTOCOL               Set max protocol level

Authentication options:
  -U, --user=[DOMAIN\]USERNAME[%PASSWORD]     Set the network username
  -N, --no-pass                               Don't ask for a password
  --password=STRING                           Password
  -A, --authentication-file=FILE              Get the credentials from a file
  -S, --signing=on|off|required               Set the client signing state
  -P, --machine-pass                          Use stored machine account password (implies -k)
  --simple-bind-dn=STRING                     DN to use for a simple bind
  -k, --kerberos=STRING                       Use Kerberos
  --use-security-mechanisms=STRING            Restricted list of authentication mechanisms available for use with this authentication

Common samba options:
  -V, --version                               Print version
WINEXE run command
In general, this command lets you run the same set of commands on the remote MS Windows server that the user account used for the remote login could run from the local CLI of that server. (Too long and complicated? Not really ;) )
WINEXE - Example
[root@Linux-WMI-Client ~]# winexe -U wmiuser%wmipasswd //wmi-server.localnet "ipconfig "   # requesting network config from remote MS Win

Windows IP Configuration

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::b9ce:96eb:7638:c103
   IPv4 Address. . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.12.1

Tunnel adapter isatap.{B8240955-75CE-4852-8D6B-407A45BF515F}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 11:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2470:2c12:f5ff:f387
   Link-local IPv6 Address . . . . . : fe80::2470:2c12:f5ff:f387
   Default Gateway . . . . . . . . . : ::

[root@Linux-WMI-Client ~]#
WINEXE - "cmd" Example
It is possible to get a shell on the remote MS Windows server with the command “cmd”:
[root@Linux-WMI-Client ~]# winexe -U wmiuser%wmipasswd //wmi-server.localnet "cmd"   # Starting CLI/Shell/CMD on remote MS Win
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>       # We do have full CLI/Shell/CMD interface
                           # with rights of our User on Remote MS Win
WINEXE - "cmd /c" Example
Sometimes it is necessary to start a remote command through the remote CLI/Shell/CMD interface:
[root@Linux-WMI-Client ~]# winexe -U wmiuser%wmipasswd //wmi-server.localnet "cmd /c hostname"
wmi-server
[root@Linux-WMI-Client ~]#
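The examples above put the password on the command line (-U wmiuser%wmipasswd), where it ends up in shell history and in the local process list; the help output also lists -A, --authentication-file. The following is an added example, not part of the original page, of wrapper functions that keep the credentials in an owner-only file and refuse to call winexe when that file is readable by others. It assumes the Samba credentials-file layout (username/password/domain lines) and GNU stat; the function names and the file path are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: keep the winexe password out of argv, shell history and `ps`
# by using the -A authentication file listed in the help output.
# Function names and paths are hypothetical; the file layout is the Samba
# credentials format (assumption: this winexe build reads it unchanged).

# write_auth_file FILE USER PASSWORD [DOMAIN]
write_auth_file() {
    local file="$1" user="$2" pass="$3" domain="${4:-}"
    ( umask 077; : > "$file" ) || return 1   # create/truncate as owner-only
    chmod 600 "$file" || return 1            # tighten a pre-existing file too
    {
        printf 'username = %s\n' "$user"     # printf is a shell builtin, so the
        printf 'password = %s\n' "$pass"     # secret never appears in a process argv
        if [ -n "$domain" ]; then printf 'domain = %s\n' "$domain"; fi
    } >> "$file"
}

# auth_file_is_private FILE -> 0 if only the owner can access it
auth_file_is_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# run_remote FILE HOST COMMAND...
# Refuses (status 2) when the credentials file is group/world accessible.
run_remote() {
    local file="$1" host="$2"
    shift 2
    if ! auth_file_is_private "$file"; then
        echo "refusing to use $file: mode must be 600 or 400" >&2
        return 2
    fi
    # --uninstall removes the winexe service from the target after the command
    winexe -A "$file" --uninstall "//$host" "$*"
}

# Usage (bash, interactive):
#   read -rsp 'Password: ' pw; echo
#   write_auth_file "$HOME/.winexe-auth" wmiuser "$pw" && unset pw
#   run_remote "$HOME/.winexe-auth" wmi-server.localnet cmd /c hostname
```

This only protects the credentials on the Linux client; for the network side, the help output above lists -S, --signing and -k, --kerberos.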