...

Code Block
# ----------------------------------- USER DEFINITIONS -----------------------------------
# user identity config block - used for authentication between the wmic_server and the wmi target
# the id key name must match the id passed in by calling clients - these ids must not reuse any other valid top-level key in this file
# the id key name must also satisfy the validation rules defined later in this file (ids are passed in by clients as http parameters)
# each block must contain user and pass; domain is optional; tokens are optional
user1:
   user: MYUSER
   pass: MYPASSWORD
   domain:
   # optional list of valid id-specific tokens the client calling the wmi server can use to "authenticate" to the wmi server (not the wmi target)
   # leave empty or omit to not require these tokens
   tokens:
      - MYSECRETUSERACCESSTOKEN1
      - MYSECRETUSERACCESSTOKEN2

# ----------------------------------- TOKEN DEFINITIONS -----------------------------------
# token array
# optional list of valid tokens the client calling the wmi server can use to "authenticate" to the wmi server (not the wmi target)
# any user above can use these tokens - if you need user-specific tokens, add them in the user definitions above and leave these empty
# leave empty or omit to not require these tokens
tokens:
   - MYSECRETACCESSTOKEN1
   - MYSECRETACCESSTOKEN2
# ----------------------------------- INPUT VALIDATION DEFINITIONS -----------------------------------
# input validation regular expressions for http input variables
# you must provide at least one regular expression for each of these; a value is accepted if it matches any of them
# regular expressions are case insensitive
# if you really want no validation, make the regular expression a single dot, i.e. .
validation:
   id:
      # allows only letters, digits, - and _
      - ^[a-z0-9\-_]+$
   token:
      # allows only letters, digits, - and _
      - ^[a-z0-9\-_]+$
   host:
      # allows only letters, digits, . and -
      - ^[a-z0-9\.\-]+$
   query:
      # format like SELECT something FROM something
      - ^select.+from
      - OTHERREGEX
   namespace:
      # format like letters or digits, then a "/", followed by letters or digits
      - ^[a-z0-9]+/[a-z0-9]+$

Save this file in a location of your choice (e.g., your project directory or /etc/).

** If you change the configuration file after the container is running, edit the file on the host and then restart the container so the changes take effect:

Code Block
sudo vi /etc/wmic_server.yaml
docker restart $CONTAINER_ID

2. Run the Container

Code Block
sudo docker run -d \
  -v /path/to/wmic_server.yaml:/app/contrib/wmic_server/wmic_server.yaml \
  -p 2313:2313 \
  --restart=unless-stopped \
  public.ecr.aws/n2x4v8j4/firstwave/wmic:latest

...

Code Block
# Get the container ID first
sudo docker ps

# Check the logs
sudo docker logs CONTAINER_ID

Successful startup will show Gunicorn starting and listening on port 2313.

...

Code Block
# Using curl to query a Windows machine
curl -X POST http://localhost:2313/querywmic \
  -H "Content-Type: application/json" \
  -d '{
    "host": "192.168.1.100",
    "id": "user1",
    "token": "MYSECRETACCESSTOKEN1",
    "namespace": "root\\cimv2",
    "query": "SELECT * FROM Win32_OperatingSystem"
  }'
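To make concrete how the validation and token rules from the configuration file apply to a request body like the one in this curl call, here is an added Python example. It is not the project's own code: the config is a constructed dict mirroring the YAML on this page (placeholder credentials), and the function names are my own. It runs each HTTP parameter through its regex list case-insensitively, rejects ids that collide with the reserved top-level keys, and then checks the token against the union of the id-specific and global token lists, treating an empty list as "no token required".

```python
import hmac
import re

# Constructed config mirroring the structure of wmic_server.yaml on this page.
# Values are placeholders, not real credentials.
CONFIG = {
    "user1": {
        "user": "MYUSER",
        "pass": "MYPASSWORD",
        "domain": None,
        "tokens": ["MYSECRETUSERACCESSTOKEN1", "MYSECRETUSERACCESSTOKEN2"],
    },
    "tokens": ["MYSECRETACCESSTOKEN1", "MYSECRETACCESSTOKEN2"],
    "validation": {
        "id": [r"^[a-z0-9\-_]+$"],
        "token": [r"^[a-z0-9\-_]+$"],
        "host": [r"^[a-z0-9\.\-]+$"],
        "query": [r"^select.+from"],
        "namespace": [r"^[a-z0-9]+/[a-z0-9]+$"],
    },
}

# Top-level keys that are not user identities; an id must never name one of these.
RESERVED_KEYS = {"tokens", "validation"}


def matches_any(patterns, value):
    """True if the value matches at least one regex (case-insensitive, as the page states)."""
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def validate_params(config, params):
    """Check every field listed under 'validation' is present and matches. Returns (ok, reason)."""
    for field, patterns in config["validation"].items():
        value = params.get(field)
        if not isinstance(value, str):
            return False, f"missing parameter: {field}"
        if not matches_any(patterns, value):
            return False, f"parameter {field!r} failed validation"
    return True, "ok"


def authorize(config, params):
    """Resolve the id to a user block and check the token against allowed tokens. Returns (ok, reason)."""
    user_id = params["id"]
    if user_id in RESERVED_KEYS or user_id not in config:
        return False, "unknown id"
    user_tokens = config[user_id].get("tokens") or []
    global_tokens = config.get("tokens") or []   # any user may use the global tokens
    allowed = set(user_tokens) | set(global_tokens)
    if not allowed:
        return True, "no tokens configured; token not required"
    token = params.get("token", "").encode()
    # Constant-time comparison so a wrong token leaks nothing via timing.
    if any(hmac.compare_digest(token, t.encode()) for t in allowed):
        return True, "ok"
    return False, "invalid token"


def check_request(config, params):
    """Validate the HTTP parameters first, then authenticate the caller. Returns (ok, reason)."""
    ok, reason = validate_params(config, params)
    if not ok:
        return False, reason
    return authorize(config, params)


# Constructed sample body mirroring the curl example above.
CURL_BODY = {
    "host": "192.168.1.100",
    "id": "user1",
    "token": "MYSECRETACCESSTOKEN1",
    "namespace": "root\\cimv2",
    "query": "SELECT * FROM Win32_OperatingSystem",
}

if __name__ == "__main__":
    samples = [
        CURL_BODY,
        dict(CURL_BODY, namespace="root/cimv2"),
        dict(CURL_BODY, namespace="root/cimv2", token="WRONG"),
        dict(CURL_BODY, namespace="root/cimv2", id="tokens"),
    ]
    for body in samples:
        print(body["id"], body["namespace"], body["token"], "->", check_request(CONFIG, body))
```

One thing the example surfaces: under the namespace regex on this page (`^[a-z0-9]+/[a-z0-9]+$`) the `root\\cimv2` value from the curl body is rejected, while `root/cimv2` passes. Keep the regex and the client's separator consistent with what the service expects, and check the first failing field in the response reason when debugging a rejected request.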

Common WMI Queries

Here are some useful WMI queries you can run through the WMIC service:

  1. System Information

    Code Block
    SELECT * FROM Win32_ComputerSystem
    
  2. Operating System Information

    Code Block
    SELECT * FROM Win32_OperatingSystem
    
  3. Disk Information

    Code Block
    SELECT * FROM Win32_LogicalDisk
    
  4. Process Information

    Code Block
    SELECT * FROM Win32_Process
    
  5. Network Adapter Configuration

    Code Block
    SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True
    

Troubleshooting

Container Won't Start

If the container fails to start, check the logs:

Code Block
sudo docker logs CONTAINER_ID

Common issues include:

  1. Configuration file not found

    • Ensure the path mapping in your docker run command is correct

    • Verify the configuration file exists at the specified location

  2. Port already in use

    • Change the port mapping in your docker run command: -p 2314:2313

  3. Permission issues

    • Ensure the configuration file has the correct permissions

...

  1. Verify the container is running

    Code Block
    sudo docker ps
    
  2. Check if the port is accessible

    Code Block
    telnet localhost 2313
    
  3. Check firewall settings

    • Ensure port 2313 is allowed through your firewall

...

Code Block
# Get the container ID
sudo docker ps

# Stop the container
sudo docker stop CONTAINER_ID

Restart the Container

Code Block
sudo docker restart CONTAINER_ID

Remove the Container

Code Block
# Stop the container first
sudo docker stop CONTAINER_ID

# Remove the container
sudo docker rm CONTAINER_ID

The WMIC Docker container provides a convenient way to interact with Windows systems using WMI. By following this guide, you should be able to set up and use the container for querying and managing Windows machines remotely.