WBEM Based Management in Linux
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Offensive-WMI
OFFENSIVE WMI Tim Medin [email protected] redsiege.com/wmi TIM MEDIN Red Siege - Principal IANS Faculty Consultant , Founder Formerly SANS ▸ CounterHack – NetWars, ▸ Principal Instructor Penetration Testing, CyberCity ▸ Co-author 460 Vulnerability Assessment ▸ FishNet (Optiv) – Sr Penetration Tester ▸ Instructor 560 Network Penetration Testing ▸ Financial Institution – Sr Technical Analyst – Security ▸ Instructor 660 Advanced Pen Testing, Exploit Dev ▸ Network Admin, Control Systems Engineer, Robots ▸ MSISE (Master of Engineering) Program Director WTH IS WMI WINDOWS MANAGEMENT INSTRUMENTATION “Infrastructure for management data and operations on Windows-based operating systems” ▸Common data formats – Common Information Model (CIM) ▸Common access methods Allows for management and monitoring the guts of Windows systems ▸Local ▸Remote First included in Windows 2000 WMIC is the command line interface ATTACK USAGE Not for initial access, but for many things after Requires credentials or existing access Used for ▸Recon ▸Lateral Movement ▸Situational Awareness ▸Persistence ▸PrivEsc ▸C&C QUERYING WITH WMI(C) “The WMI Query Language (WQL) is a subset of standard American National Standards Institute Structured Query Language (ANSI SQL) with minor semantic changes to support WMI.” The syntax will make you hate being born! GRAMMAR https://www.sans.org/security-resources/sec560/windows_command_line_sheet_v1.pdf RECONNAISSANCE & SITUATIONAL AWARENESS Get local user accounts with net user Get domain user accounts with net user /domain Both wmic useraccount -
Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor Matt Graeber
Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor Matt Graeber Black Hat 2015 Introduction As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.01 and Windows 952 is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI is comprised of a powerful set of tools used to manage Windows systems both locally and remotely. While it has been well known and utilized heavily by system administrators since its inception, WMI was likely introduced to the mainstream security community when it was discovered that it was used maliciously as one component in the suite of exploits and implants used by Stuxnet3. Since then, WMI has been gaining popularity amongst attackers for its ability to perform system reconnaissance, AV and VM detection, code execution, lateral movement, persistence, and data theft. As attackers increasingly utilize WMI, it is important for defenders, incident responders, and forensic analysts to have knowledge of WMI and to know how they can wield it to their advantage. This whitepaper will introduce the reader to WMI, actual and proof-of-concept attacks using WMI, how WMI can be used as a rudimentary intrusion detection system (IDS), and how to perform forensics on the WMI repository file format. WMI Architecture 1 https://web.archive.org/web/20050115045451/http://www.microsoft.com/downloads/details.aspx?FamilyID=c17 4cfb1-ef67-471d-9277-4c2b1014a31e&displaylang=en 2 https://web.archive.org/web/20051106010729/http://www.microsoft.com/downloads/details.aspx?FamilyId=98A 4C5BA-337B-4E92-8C18-A63847760EA5&displaylang=en 3 http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM)4 and Common Information Model (CIM)5 standards published by the Distributed Management Task Force (DMTF)6. -
Z/OS Common Information Model User's Guide for Version 2 Release 4 (V2R4)
z/OS 2.4 Common Information Model User's Guide IBM SC34-2671-40 Note Before using this information and the product it supports, read the information in “Notices” on page 335. This edition applies to Version 2 Release 4 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2021-04-26 © Copyright International Business Machines Corporation 2005, 2021. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Figures................................................................................................................. xi Tables................................................................................................................ xiii Abstract.............................................................................................................. xv How to send your comments to IBM.................................................................... xvii If you have a technical problem............................................................................................................... xvii z/OS information................................................................................................ xix Summary of changes...........................................................................................xxi Summary of changes for z/OS Common Information Model User's Guide for Version 2 Release 4 (V2R4)...................................................................................................................................................xxi -
Open Virtualization Format Specification
1 2 Document Number: DSP0243 3 Date: 2013-12-12 4 Version: 2.1.0 5 Open Virtualization Format Specification 6 Document Type: Specification 7 Document Status: DMTF Standard 8 Document Language: en-US Open Virtualization Format Specification DSP0243 9 Copyright notice 10 Copyright © 2010-2013 Distributed Management Task Force, Inc. (DMTF). All rights reserved. 11 DMTF is a not-for-profit association of industry members dedicated to promoting enterprise and systems 12 management and interoperability. Members and non-members may reproduce DMTF specifications and 13 documents, provided that correct attribution is given. As DMTF specifications may be revised from time to 14 time, the particular version and release date should always be noted. 15 Implementation of certain elements of this standard or proposed standard may be subject to third party 16 patent rights, including provisional patent rights (herein "patent rights"). DMTF makes no representations 17 to users of the standard as to the existence of such rights, and is not responsible to recognize, disclose, 18 or identify any or all such third party patent right, owners or claimants, nor for any incomplete or 19 inaccurate identification or disclosure of such rights, owners or claimants. DMTF shall have no liability to 20 any party, in any manner or circumstance, under any legal theory whatsoever, for failure to recognize, 21 disclose, or identify any such third party patent rights, or for such party’s reliance on the standard or 22 incorporation thereof in its product, protocols or testing procedures. DMTF shall have no liability to any 23 party implementing such standard, whether such implementation is foreseeable or not, nor to any patent 24 owner or claimant, and shall have no liability or responsibility for costs or losses incurred if a standard is 25 withdrawn or modified after publication, and shall be indemnified and held harmless by any party 26 implementing the standard from any and all claims of infringement by a patent owner for such 27 implementations. -
[MS-WMI]: Windows Management Instrumentation Remote Protocol
[MS-WMI]: Windows Management Instrumentation Remote Protocol Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected]. -
Dell Command | Monitor Version 9.2 User's Guide Notes, Cautions, and Warnings
Dell Command | Monitor Version 9.2 User's Guide Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Copyright © 2008 - 2017 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. 2017 - 01 Rev. A00 Contents 1 Introduction..................................................................................................................... 5 What's new in this release.................................................................................................................................................. 5 Dell Command | Monitor overview......................................................................................................................................6 2 Features..........................................................................................................................8 CIM schema support.......................................................................................................................................................... 8 BIOS settings configuration and enumeration.....................................................................................................................8 -
CIM and IBM I: What It Is and How It Works
CIM and IBM i: What it is and how it works Li Gong Liu January 29, 2013 This article provides basic knowledge about Common Information Model (CIM) and explains how CIM works on IBM® i. It helps you understand CIM and the Web Based Enterprise Management (WBEM) technology, and briefs the relationship between the standardized technology and IBM i. What is CIM If you are new to CIM with IBM i knowledge, you are in the right place. CIM provides a standard way to model and expose management information. CIM has been available on IBM i since V5R4 by loading the IBM Universal Manageability Enablement (UME) licensed program, and 5770-UME license program is included in IBM i 6.1 and IBM i 7.1 with enhanced functions. Currently, it is free for use and is mainly used as an agent of IBM Systems Director to retrieve and monitor IBM i resources. CIM is one of the core standards of WBEM. WBEM is the set of management and Internet standard technologies that defines how data can be exchanged between the ever increasing disparate networks, devices, and applications used in today's IT environment. The Distributed Management Task Force (DMTF) defines the standards for WBEM, which includes CIM that can promote multivendor interoperability (and this is the base goal of WBEM). On IBM i, CIM is a specific product that is delivered. Combining CIM with the other products that IBM i provides, the complete WBEM solution can be provided. Often, WBEM functions are simply referred to as CIM. An example from Systems Director is CIM monitors. -
DMTF Management Standards for Edge Virtual Bridging (EVB) and Network Port Profiles
DMTF Management Standards for Edge Virtual Bridging (EVB) and Network Port Profiles Hemal Shah, Associate Technical Director, Broadcom Corporation DMTF Platform Management Sub-Committee Chair March, 2011 www.broadcom.com Agenda • DMTF Overview • IEEE/DMTF Areas of Collaboration • DMTF Standards for EVB Management and Network Port Profiles • VM Lifecycle Management • Open Virtualization Format (OVF) • Network Port Profiles • CIM Profiles for Virtual Networking Distributed Management Task Force (DMTF) • Develops management standards for enterprise and Internet environments • Formed in 1992 • More than 4,000 active participants – from nearly 200 organizations in over 40 countries • 3 Major committees and 25+ Working Groups/Forums – Committees: Technical, Marketing, Interoperability… • Over a dozen Alliance Partners • SNIA, OGF/GGF, NGN, TMF, TCG, OASIS, etc. • Developed standards & initiatives • CIM, CIM-XML, SMBIOS, CDM, ASF, SMASH, DASH, WS-Management… DMTF Technology Diagram DASH – Desktop and Mobile Architecture for CIM – Common Information Model System Hardware WBEM – Web Based Enterprise Management SMASH – System Management Architecture for OVF – Open Virtualization Format Server Hardware MOF – Managed Object Format SMI – Storage Management Initiative WS-Man – Web Services Based Management CDM – Common Diagnostics Model VMAN – Virtualization Management 3 DMTF Technical Committee Organization http://www.dmtf.org/about/working-groups Platform Management Sub-Committee Overview • Cloud Management Working Group (CMWG) – Focuses on management -
[MS-WSMV-Diff]: Web Services Management Protocol Extensions for Windows Vista
[MS-WSMV-Diff]: Web Services Management Protocol Extensions for Windows Vista Intellectual Property Rights Notice for Open Specifications Documentation ▪ Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. ▪ Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. ▪ No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. ▪ Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected]. -
Design of a WBEM-Based Management System for Ubiquitous Computing Servers
Design of a WBEM-based Management System for Ubiquitous Computing Servers So-Jung Lee1, Mi-Jung Choi1, Sun-Mi Yoo1, James W. Hong1 Hee-Nam Cho2, Chang-Won Ahn2, Sung-In Jung2 1Dept. of Computer Science and Engineering, POSTECH 2Digital Home Research Division, ETRI {annie, mjchoi, sunny81, jwkhong}@postech.ac.kr, {hncho, ahn, sijung}@etri.re.kr Abstract As the Internet evolves and wireless network technologies develop, people’s need to get a network service at anytime from anywhere is growing, and the age of ubiquitous computing is coming in earnest. A ubiquitous computing server receives and processes lots of information from various sensors in a ubiquitous computing environment and plays a role in providing various useful services. In this paper, we analyze the requirements for managing the ubiquitous computing servers based on WBEM technologies which are being standardized in DMTF. We present the design of our management system, which satisfies the requirements. We also examine and compare available WBEM implementations by performing benchmarking testing. Based on the benchmarking results, we present our choice of WBEM implementation, which is being used for implementing our ubiquitous computing server management system. 1. Introduction As the Internet continues to grow and the wired/wireless network evolves, users want to get various services at anytime and anywhere by connecting to the network. The idea used to realize this service is ubiquitous computing. Ubiquitous computing is a new paradigm for distributed interactive systems, which moves computers into the background of people's attention while using them to support their activities and interactions in the workplace and beyond. -
Supervision of Computer Equipment in ABB Operateit Using WMI
ISSN 0280-5316 ISRN LUTFD2/TFRT--5655--SE Supervision of computer equipment In ABB OperateIT using WMI Jens Axelsson Department of Automatic Control Lund Institute of Technology October 2000 Department of Automatic Control Document name MASTER THESIS Lund Institute of Technology Date of issue Box 118 October 2000 SE-221 00 Lund Sweden Document Number ISRN LUTFD2/TFRT—5655--SE Author(s) Supervisor Jens Axelsson Jan Gjerseth ABB Karl-Erik Årzén LTH Sponsoring organization Title and subtitle Supervision of computer equipment in ABB operateIT using WMI (Övervakning av datorutrustning i ABB OperateIT med hjälp av WMI) Abstract This document details the investigation and implementation of a product intended for supervision and management of standard computer and office equipment. The product is run from inside the ABB OperateIT Platform, as an Aspect System. The Aspect receives its data through communication with the CIM Object Manger, as suggested in the WBEM Initiative. The document also details the WBEM Initiative and some the standards brought forward by this initiative. Keywords Classification system and/or index terms (if any) Supplementary bibliographical information ISSN and key title ISBN 0280-5316 Language Number of pages Recipient’s notes English 66 Security classification The report may be ordered from the Department of Automatic Control or borrowed through: University Library 2, Box 3, SE-221 00 Lund, Sweden Fax +46 46 222 44 22 E-mail [email protected] Master Theses at: Lund Institute of Technology Author: Jens Axelsson Examiner: Karl-Erik Årzén, Associate Professor in Automatic Control Supervisor: Jan Gjerseth Site: ABB Automation Products AB Document number: 3BSE022901/0.6 OperateIT WMI Powered Aspect Abstract This document details the investigation and implementation of a product intended for supervision and management of standard computer and office equipment. -
CIM Query Language Specification
Document Number: DSP0202 Date: 2007-08-13 Version: 1.0.0 CIM Query Language Specification Document Type: Specification Document Status: Final Document Language: E CIM Query Language Specification DSP0202 Copyright notice Copyright © 2007 Distributed Management Task Force, Inc. (DMTF). All rights reserved. DMTF is a not-for-profit association of industry members dedicated to promoting enterprise and systems management and interoperability. Members and non-members may reproduce DMTF specifications and documents for uses consistent with this purpose, provided that correct attribution is given. As DMTF specifications may be revised from time to time, the particular version and release date should always be noted. Implementation of certain elements of this standard or proposed standard may be subject to third party patent rights, including provisional patent rights (herein "patent rights"). DMTF makes no representations to users of the standard as to the existence of such rights, and is not responsible to recognize, disclose, or identify any or all such third party patent right, owners or claimants, nor for any incomplete or inaccurate identification or disclosure of such rights, owners or claimants. DMTF shall have no liability to any party, in any manner or circumstance, under any legal theory whatsoever, for failure to recognize, disclose, or identify any such third party patent rights, or for such party’s reliance on the standard or incorporation thereof in its product, protocols or testing procedures. DMTF shall have no liability to any party implementing such standard, whether such implementation is foreseeable or not, nor to any patent owner or claimant, and shall have no liability or responsibility for costs or losses incurred if a standard is withdrawn or modified after publication, and shall be indemnified and held harmless by any party implementing the standard from any and all claims of infringement by a patent owner for such implementations.