WMI Attack and Defense

Is it always online? When connected to the Internet, it may be attacked by viruses or hackers. How can we ensure the security of our system? We will take a common WMI attack method as an example to show you how it performs attacks and provide a general method to prevent such attacks.

WMI is short for "Microsoft Windows Management specifications" and must be supported by the "Windows Management Instrumentation" service, which is started by default, which provides great convenience for intrusion. As long as the hacker knows the Administrator's username and password and port 135 of the local machine is enabled, the hacker can execute arbitrary commands on the compromised machine to gain control. However, when installing the system, most users leave the Administrator password of the Administrator account that comes with the system blank, which undoubtedly gives hackers the opportunity, even basic "boring hackers" can easily use tools that exploit WMI vulnerabilities for intrusion.

WMI intrusion

1. Remoxec

Remoxec is the first program written using the WMI principle. It has simple functions but has the function of executing arbitrary commands.

In the software interface, enter the domain name or IP address of the target host and the username and password with administrator permissions, and then enter the command to be executed to intrude into the system. For example, to create a user named "simuz" with a password of "123456", enter "net user simuz 123456/add, after the command is successfully executed, a prompt box is displayed. Commands can be used to do many things, such as upgrading users to administrators and uploading files. You can say that what you can do in Shell can also be done in Remoxec.

TIPS: Shell is a command interpreter, similar to command.com in DOS. It is used to receive user commands and then call the corresponding application.

2. Recton

Compared with Remoxec, Recton has more functions. It has built-in functions such as enabling port 3389 and Telnet. You only need to enter the administrator username and password of the host, select the corresponding command and execute it. After the Remote Terminal Service of the other party is enabled, you can operate the host like your computer (1 ).

WMI Intrusion Prevention

We can see from the above that WMI Service intrusion requires two necessary conditions, that is, the system port 135 and the Windows Management Instrumentation Service must be enabled at the same time, so we can take the right medicine, hackers can use WMI to intrude into the system without any tools.

Method 1: WMI intrusion requires the Administrator username and password of the target host. Careless users often leave the default Administrator account and password of the system blank, so hackers can access the system. We can set a "strong" password for this account, so that it is difficult for hackers to crack the administrator password and the probability of WMI intrusion is very small.

Method 2: disabling port 135 or the Windows Management Instrumentation Service can prevent WMI intrusion. However, the WMI Service is a basic service of the system. disabling it will cause the system to crash, therefore, we can start by disabling the port and use the built-in "TCP/IP filter" function. Open "network connection" in the control panel, right-click the local connection icon, select "properties", and double-click "Internet Protocol (TCP/IP)" in the displayed dialog box) ", click the" advanced "button below to open the" advanced TVP/ipsettings "dialog box, switch to the" options "tab, and double-click" TCP/IP filtering ", you can set the port to be closed here. For example, to disable port 135, you can set it as shown in figure 2. After necessary ports are closed, hackers cannot connect to the WMI Service.