
1 WMI 廖凡磊. 2 agenda ► Namespace ► WMI scripts ► WMIC ► WMI security


  • Slide 1
  • 1 WMI
  • Slide 2
  • 2 Agenda: Namespace; WMI scripts; WMIC; WMI security
  • Slide 3
  • 3 Namespace: \ROOT, containing CIMV2, Default, WMI and Security (namespace tree diagram)
  • Slide 4
  • 4 Namespace (cont.) CIM classes are organized into namespaces. A namespace controls the scope and visibility of managed resource class definitions and contains a logical group of related classes representing a specific technology or area of management. Namespaces are equivalent to folders.
  • Slide 5
  • 5 Namespace (cont.) Default namespaces: root/CIMV2, root/Default, root/Security, root/WMI
  • Slide 6
  • 6 Class categories: Core and Common Classes; Extension Classes
  • Slide 7
  • 7 Core and Common Classes: defined in root\cimv2 and prefaced with CIM_. 271 of 275 are abstract classes; 4 of 275 are dynamic classes, supplied by the Win32 Provider (cimwin32.dll): CIM_DataFile, CIM_DirectoryContainsFile, CIM_ProcessExecutable, CIM_VideoControllerResolution
  • Slide 8
  • 8 Extension Classes: defined in root\cimv2 and identified by the Win32_ prefix. 68 of 463 are abstract classes; 395 of 463 are dynamic classes, which you can use directly in your WMI scripts.
  • Slide 9
  • 9 Property and value: the object path \\DARYL\root\CIMV2:Win32_NTLogEvent.Logfile="Application",RecordNumber=1 breaks down into computer (\\DARYL), namespace (root\CIMV2), class (Win32_NTLogEvent), property (Logfile) and value ("Application")
  • Slide 10
  • 10 Listing Classes in a Namespace: example WMI script (GetClasses.vbs), piped through findstr to find the classes whose name contains a string
        cscript GetClasses.vbs | findstr /I "win32_tssessionsetting"
        cscript GetClasses.vbs | findstr /I "__"
        cscript GetClasses.vbs | findstr /I "CIM_"
        cscript GetClasses.vbs | findstr /I "win32_"
  • Slide 11
  • 11 Exploring the CIM Repository: WMI Tester (Wbemtest.exe); CIM Studio (part of the WMI SDK, web-based interface); WMI scripts
  • Slide 12
  • 12 Exploring the CIM Repository (cont.) Wbemtest: Run -> wbemtest -> connect to root\cimv2
  • Slide 13
  • 13 Exploring the CIM Repository (cont.) CIM Studio: download the WMI tools from http://www.microsoft.com/downloads/details.aspx?familyid=6430F853-1120-48DB-8CC5-F2ABDC3ED314&displaylang=en
  • Slide 14
  • 14 Exploring the CIM Repository (cont.) WMI script that lists the child namespaces of root:
        strComputer = "."
        Set objSWbemServices = GetObject("winmgmts:\\" & strComputer & "\root")
        Set colNameSpaces = objSWbemServices.InstancesOf("__NAMESPACE")
        For Each objNameSpace In colNameSpaces
            Wscript.Echo objNameSpace.Name
        Next
    Output:
        Microsoft (R) Windows Script Host Version 5.6
        Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
        SECURITY
        RSOP
        Cli
        SecurityCenter
        WMI
        CIMV2
        Policy
        Microsoft
        DEFAULT
        directory
        subscription
        MSAPPS11
  • Slide 15
  • 15 Creating a WMI Script. Environment: an OS that supports WMI; a scripting language that supports Microsoft ActiveX script hosting (Visual Basic Scripting Edition, Microsoft JScript, Perl); a script host (Windows Script Host, Active Server Pages, Internet Explorer)
  • Slide 16
  • 16 The flow of creating WMI scripts
    Connect to the default CIM namespace, or to a specific CIM namespace:
        1. Connect to WMI using SWbemLocator
        2. Connect to WMI and retrieve an object using a moniker prefix
    Get instances of a class:
        1. Get an instance collection using the InstancesOf method
        2. Get an instance collection using the ExecQuery method
        3. Get a specific instance using the Get method
        4. Get a specific instance using a moniker prefix
    Print:
        1. Wscript.Echo
  • Slide 17
  • 17 Background. Naming: colXxx is a collection reference, objXxx is an object reference. Syntax: ' starts a comment; & concatenates two strings; a statement that does not fit on one line continues with _ at the end of the line; no ; is needed. WQL (WMI Query Language) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL).
  • Slide 18
  • 18 Connect to the default CIM namespace. The default namespace (root/cimv2) is defined by the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Namespace.
    Using SWbemLocator in the default namespace:
        Set objLocator = CreateObject("WbemScripting.SWbemLocator")
        Set objService = objLocator.ConnectServer
    Using a moniker in the default namespace:
        strComputer = "."
        Set objService = GetObject("winmgmts:")
  • Slide 19
  • 19 Connect to a specific CIM namespace. Moniker syntax: winmgmts:[{SecuritySettings}!][\\ComputerName][\Namespace][:ClassName][.Key]
    Using SWbemLocator:
        Set objLocator = CreateObject("WbemScripting.SWbemLocator")
        Set objService = objLocator.ConnectServer(".", "root\cimv2")
    Using a moniker:
        strComputer = "."
        Set objService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate}!\\" _
            & strComputer & "\root\cimv2")
  • Slide 20
  • 20 Get instances of a class: InstancesOf, ExecQuery, Get. Syntax of Get: SWbemServices.Get([strObjectPath][.KeyProperty='Value'])
        Set objSWbemObjectSet = objSWbemServices.InstancesOf("Win32_Processor")
        Set objSWbemObjectSet = objSWbemServices.ExecQuery("select ProcessorId from Win32_Processor where DeviceID='cpu0'")
        Set objSWbemObject = objSWbemServices.Get("Win32_Processor.DeviceID='cpu0'")
  • Slide 21
  • 21 Get instances of a class (cont.) Using a moniker: winmgmts:[{SecuritySettings}!][\\ComputerName][\Namespace][:ClassName][.Key]
        Set objSWbemObject = GetObject("winmgmts:Win32_Processor.DeviceID='cpu0'")
  • Slide 22
  • 22 Print. 1. A single object:
        Wscript.Echo "CPU " & objSWbemObject.Name
    2. A collection:
        For Each objSWbemObject In objSWbemObjectSet
            Wscript.Echo "CPU " & objSWbemObject.Name
        Next
  • Slide 23
  • 23 Example 1: this script enumerates all of the CPUs on the local computer, first with InstancesOf and then with ExecQuery.
        strComputer = "."
        Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
        Set objSWbemServices = objSWbemLocator.ConnectServer ' root/CIMV2
        Set objSWbemObjectSet = objSWbemServices.InstancesOf("Win32_Processor")
        For Each objSWbemObject In objSWbemObjectSet
            Wscript.Echo "CPU " & objSWbemObject.Name
        Next

        strComputer = "."
        Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
        Set objSWbemServices = objSWbemLocator.ConnectServer ' root/CIMV2
        Set objSWbemObjectSet = objSWbemServices.ExecQuery("SELECT * FROM Win32_Processor")
        For Each objSWbemObject In objSWbemObjectSet
            Wscript.Echo "CPU " & objSWbemObject.Name
        Next
  • Slide 24
  • 24 Example 2: list network adapters with their MAC address, first with a filtered ExecQuery (adapters that have a MAC address and are not made by Microsoft) and then with InstancesOf.
        strComputer = "."
        Set objLocator = CreateObject("WbemScripting.SWbemLocator")
        Set objServices = objLocator.ConnectServer(".", "root\cimv2")
        Set objObjectSet = objServices.ExecQuery("SELECT MACAddress,Caption FROM Win32_NetworkAdapter WHERE ((MACAddress Is Not NULL) AND (Manufacturer <> 'Microsoft'))")
        For Each objObject In objObjectSet
            Wscript.Echo objObject.Caption & " " & objObject.MACAddress
        Next

        strComputer = "."
        Set objLocator = CreateObject("WbemScripting.SWbemLocator")
        Set objServices = objLocator.ConnectServer(".", "root\cimv2")
        Set objObjectSet = objServices.InstancesOf("Win32_NetworkAdapter")
        For Each objObject In objObjectSet
            Wscript.Echo objObject.Caption & " " & objObject.MACAddress
        Next
  • Slide 25
  • 25 WMI performance: relative cost of the retrieval methods (WMI vs. WQL), figures as given in [1]
        objSWbemServices.InstancesOf("Win32_Service"): 157,398
        objSWbemServices.ExecQuery("SELECT * FROM Win32_Service"): 156,222
        objSWbemServices.ExecQuery("SELECT Name FROM Win32_Service"): 86,294
        objSWbemServices.ExecQuery("SELECT StartMode FROM Win32_Service"): 88,116
        objSWbemServices.ExecQuery("SELECT StartMode FROM Win32_Service WHERE State='Running'"): 52,546
        objSWbemServices.ExecQuery("SELECT StartMode, State FROM Win32_Service WHERE State='Running'"): 56,314
        objSWbemServices.ExecQuery("SELECT * FROM Win32_Service WHERE Name='WinMgmt'"): 27,852
        objSWbemServices.Get("Win32_Service.Name='WinMgmt'"): 14,860
    [1] Ref: https://www.microsoft.com/taiwan/msdn/library/2003/Feb-2003/scripting01142003.htm
  • Slide 26
  • 26 Monitoring Resources by Using WMI Event Notifications. How can we know the system state? Write a WMI script and run it repeatedly; the drawback is the interval problem: it is not real time. What you can do with WMI event notification: free disk space notification, process notification.
  • Slide 27
  • 27 Example
        strComputer = "."
        Set objSWbemServices = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate}!" & _
            "\\" & strComputer & "\root\cimv2")
        Set objEventSource = objSWbemServices.ExecNotificationQuery( _
            "SELECT * FROM __InstanceCreationEvent " & _
            "WITHIN 10 " & _
            "WHERE TargetInstance " & _
            "ISA 'Win32_Process' " & _
            "AND TargetInstance.Name = 'notepad.exe'")
        Set objEventObject = objEventSource.NextEvent()
        Wscript.Echo "An instance of notepad.exe just started."
    1. A connection is made to a WMI namespace on a computer.
    2. A notification query is issued.
    3. The event is received and some action performed.
  • Slide 28
  • 28 Example
        strComputer = "."
        Set objSWbemServices = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate}!" & _
            "\\" & strComputer & "\root\cimv2")
        Set objEventSource = objSWbemServices.ExecNotificationQuery( _
            "SELECT * FROM __InstanceModificationEvent " & _
            "WITHIN 10 " & _
            "WHERE TargetInstance " & _
            "ISA 'Win32_Service' " & _
            "AND TargetInstance.Name = 'alerter'")
        Set objEventObject = objEventSource.NextEvent()
        Wscript.Echo "The status of the alerter service just changed."
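The three steps above (connect, issue a notification query, act on the event) all hinge on the WQL text handed to ExecNotificationQuery. The following Python is an added example, not code from the slides: it parses event queries of the form used on slides 27 and 28 into event class, WITHIN interval, target class and filters, and reports what a reviewer of a monitoring script would check (a missing WITHIN on an intrinsic event, an unscoped query, a very short polling interval). The sample queries are the two from the slides joined into single strings; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Intrinsic event classes are produced by WMI polling the namespace, so they need WITHIN.
INTRINSIC_EVENTS = {
    "__instancecreationevent",
    "__instancemodificationevent",
    "__instancedeletionevent",
    "__instanceoperationevent",
}

# SELECT <props> FROM <event class> [WITHIN <seconds>] [WHERE <condition>]
_QUERY_RE = re.compile(
    r"^\s*SELECT\s+(?P<select>.+?)\s+FROM\s+(?P<event>\w+)"
    r"(?:\s+WITHIN\s+(?P<within>\d+(?:\.\d+)?))?"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE | re.DOTALL,
)
_ISA_RE = re.compile(r"TargetInstance\s+ISA\s+'(?P<cls>\w+)'", re.IGNORECASE)
_PROP_RE = re.compile(r"TargetInstance\.(?P<prop>\w+)\s*=\s*'(?P<val>[^']*)'", re.IGNORECASE)


@dataclass
class EventQuery:
    event_class: str                      # e.g. __InstanceCreationEvent
    within: Optional[float]               # polling interval in seconds, None if absent
    target_class: Optional[str]           # class named in "TargetInstance ISA '...'"
    conditions: Dict[str, str] = field(default_factory=dict)  # TargetInstance.<prop> = '<value>'


def parse_event_query(wql: str) -> EventQuery:
    """Split a WQL event query into its event class, polling interval and filters."""
    m = _QUERY_RE.match(wql)
    if not m:
        raise ValueError("not a SELECT ... FROM <event class> query")
    where = m.group("where") or ""
    isa = _ISA_RE.search(where)
    return EventQuery(
        event_class=m.group("event"),
        within=float(m.group("within")) if m.group("within") else None,
        target_class=isa.group("cls") if isa else None,
        conditions={c.group("prop"): c.group("val") for c in _PROP_RE.finditer(where)},
    )


def review_event_query(q: EventQuery) -> List[str]:
    """Return the points a reviewer would raise about the query; an empty list means nothing to flag."""
    findings: List[str] = []
    intrinsic = q.event_class.lower() in INTRINSIC_EVENTS
    if intrinsic and q.within is None:
        findings.append("intrinsic event query has no WITHIN clause; WMI needs a polling interval")
    if intrinsic and q.target_class is None:
        findings.append("no 'TargetInstance ISA' clause; the query is not scoped to one class")
    if q.within is not None and q.within < 1:
        findings.append(f"WITHIN {q.within}: sub-second polling puts a heavy load on the WMI service")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the two queries from the slides, joined into single strings.
    samples = [
        "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process' "
        "AND TargetInstance.Name = 'notepad.exe'",
        "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Service' "
        "AND TargetInstance.Name = 'alerter'",
    ]
    for s in samples:
        q = parse_event_query(s)
        print(q, review_event_query(q) or "ok")
```

The parser deliberately only recognizes the simple equality filters the slides use; a query with OR, LIKE or nested conditions still parses (the WHERE text is kept), but only the recognized filters land in `conditions`.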
  • Slide 29
  • Slide 30
  • 30 Problem on a remote WMI script: C:\MyWorkSpace\myVbs\test2.vbs(15, 1) SWbemLocator: (error message and explanation for Windows XP / WMI not preserved in the extraction). Ref: http://www.wretch.cc/blog/redray/1821552
  • Slide 31
  • 31 Problem on a remote WMI script (cont.) C:\wmi_info.vbs(47, 2) SWbemLocator: RPC error (message text not preserved in the extraction). According to MSDN, remote WMI uses TCP ports 135, 445 and 1024 ~ 1034, so these must be reachable on the target; also confirm that the Windows Management Instrumentation service is running on the target.
  • Slide 32
  • 32 WMIC (Windows Management Instrumentation Command-line). Start it from a command prompt (c:\windows>wmic) and use it interactively, or pass the command on the command line:
        wmic:root\cli>os /?
        c:\>wmic os /?
  • Slide 33
  • 33 Commands. CALL executes a method. CREATE creates a new instance and sets the property values (CREATE cannot be used to create a new class). DELETE deletes the current instance or set of instances (DELETE can be used to delete a class).
        wmic:root\cli>SERVICE WHERE CAPTION='TELNET' CALL STARTSERVICE
        wmic:root\cli>ENVIRONMENT CREATE NAME="TEMP", VARIABLEVALUE="NEW"
        wmic:root\cli>PROCESS WHERE NAME="CALC.EXE" DELETE
  • Slide 34
  • 34 Commands (cont.) GET retrieves specific property values. LIST shows data; LIST is the default verb.
        wmic:root\cli>PROCESS GET NAME
    Adverbs for LIST: BRIEF, the core set of properties; FULL, the full set of properties (the default adverb for LIST); INSTANCE, instance paths only; STATUS, status of the objects; SYSTEM, system properties.
        wmic:root\cli>PROCESS LIST BRIEF
  • Slide 35
  • 35 Commands (cont.) CONTEXT shows the current values of the conditions that have been set:
        wmic:root\cli>context
  • Slide 36
  • 36 Examples:
        wmic:root\cli>bios list full
        wmic:root\cli>process list brief
  • Slide 37
  • 37 WMIC: query the Application event log of a remote node and write it to an HTML table, and call Win32Shutdown (flag 6, forced reboot) on the primary OS of every node listed in a file.
        C:\>WMIC /node:"dc2" /user:"mytest" NTEVENT WHERE "eventtype<>0 AND logfile='Application'" GET Logfile, SourceName, Eventtype, Message, TimeGenerated /FORMAT:htable:"sortby=EventType" > c:\Application.htm
        C:\>WMIC /NODE:@"c:\MyServerList.txt" OS WHERE (Primary="TRUE") CALL Win32ShutDown 6
  • Slide 38
  • 38 WMI Security. WMI is powerful and it is easy to run a script; WMI scripts run in the security context of the user running the script. Three layers apply: WMI namespace-level security, DCOM security, and standard Windows operating system security.
  • Slide 39
  • 39 WMI namespace-level security. Ref: http://www.microsoft.com/technet/scriptcenter/guide/sas_wmi_ocmw.mspx
  • Slide 40
  • 40 WMI namespace-level security: Setting Namespace Security Descriptors; WMI control properties
  • Slide 41
  • 41 Distributed COM (DCOM) security. Impersonation enables you to specify whom the WMI service should act as when carrying out a task. With the delegate level it is possible to allow Computer B to also use your credentials; for that matter, you can also allow computers C, D, and E to use your credentials. There is no double delegation. The authenticationLevel setting enables you to request the level of DCOM authentication and privacy to be used throughout a connection. See "Setting the Default Process Security Level Using VBScript", or use a moniker in a call to GetObject.
  • Slide 42
  • 42 Distributed COM (DCOM) security DEMO: A -> B works; A -> C works; A -> B -> C fails (no double delegation)
  • Slide 43
  • 43 Standard Windows Operating System Security: copying files out of a folder whose NTFS permissions exclude the user running the script fails with ACCESS DENIED.
  • Slide 44
  • 44 Review: Namespace; WMI scripts; WMIC; WMI security
  • Slide 45
  • 45 References
    MSDN Library for Visual Studio 2005, WMI: http://msdn2.microsoft.com/en-us/library/aa394582.aspx
    WMI downloads: http://www.microsoft.com/downloads/results.aspx?DisplayLang=zh-tw&nr=20&freetext=WMI&DisplayEnglishAlso=true&sortCriteria=date
    TechNet Script Center: http://www.microsoft.com/taiwan/technet/scriptcenter/default.mspx
    Happy scripting: http://www.microsoft.com/taiwan/technet/columns/profwin/tnascript.mspx
    WMI - Windows Management Instrumentation, Windows WMI Scripting: http://hi.baidu.com/xuejinglan/blog/item/1f9d632cbffbcaee8a139912.html
    WMIC: http://forum.slime.com.tw/thread61654.htm
    WMI usage tips: http://ptt.hit.edu.cn/api/blog.aspx?title=wmi%E4%BD%BF%E7%94%A8%E6%8A%80%E5%B7%A7l
    WMI tools: http://www.microsoft.com/downloads/details.aspx?familyid=6430F853-1120-48DB-8CC5-F2ABDC3ED314&displaylang=en
    Namespaces: http://www.microsoft.com/technet/scriptcenter/guide/sas_wmi_khjg.mspx?mfr=true
  • Slide 46
  • 46 The same process listing with the default security settings, and with impersonationLevel and authenticationLevel set explicitly in the moniker.
        strComputer = "."
        Set objServices = GetObject("winmgmts:\\" _
            & strComputer & "\root\CIMV2")
        Set objProcessSet = objServices.ExecQuery _
            ("SELECT Name FROM Win32_Process",,48)
        For Each Process In objProcessSet
            WScript.Echo Process.Name
        Next

        strComputer = "."
        Set objServices = GetObject( _
            "winmgmts:{impersonationLevel=impersonate," _
            & "authenticationLevel=pktPrivacy}!root/cimv2")
        Set objProcessSet = objServices.ExecQuery _
            ("SELECT Name FROM Win32_Process",,48)
        For Each Process In objProcessSet
            WScript.Echo Process.Name
        Next
  • Slide 47
  • Slide 48
  • 48 DCOM Impersonation Levels: Anonymous, hides the credentials of the caller; Identify, enables objects to query the credentials of the caller; Impersonate, enables objects to use the credentials of the caller; Delegate, enables objects to permit other objects to use the credentials of the caller. The default is set in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting\Default Impersonation Level.
  • Slide 49
  • 49 Authentication Level: NONE, does not use any authentication; CONNECT, authenticates only when the client tries to connect to the server; CALL, authenticates only at the beginning of each call; PKT, signs the header; PKTINTEGRITY, signs the whole packet; PKTPRIVACY, signs and encrypts the whole packet; DEFAULT, uses the default Windows authentication setting.
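The moniker syntax on slides 19 and 21 and the impersonation and authentication tables on slides 48 and 49 together decide what a script connects as and how well its DCOM traffic is protected. The following Python is an added example, not code from the slides: it parses a winmgmts: moniker into its optional parts and reports the settings a reviewer would question (levels left to the registry defaults, delegate, remote connections below pktPrivacy). The Moniker class, the function names and the sample monikers are the example's own, built from the forms shown on the slides.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Levels ordered weakest to strongest, following the two tables on the slides.
IMPERSONATION_LEVELS = ["anonymous", "identify", "impersonate", "delegate"]
AUTH_LEVELS = ["none", "connect", "call", "pkt", "pktintegrity", "pktprivacy"]


@dataclass
class Moniker:
    settings: Dict[str, str] = field(default_factory=dict)  # {impersonationLevel=..., ...}
    computer: Optional[str] = None    # \\ComputerName
    namespace: Optional[str] = None   # root\cimv2
    class_name: Optional[str] = None  # Win32_Processor
    key: Optional[str] = None         # DeviceID='cpu0'


def parse_moniker(text: str) -> Moniker:
    r"""Split winmgmts:[{SecuritySettings}!][\\ComputerName][\Namespace][:ClassName][.Key]."""
    if not text.lower().startswith("winmgmts:"):
        raise ValueError("moniker must start with winmgmts:")
    rest = text[len("winmgmts:"):]
    m = Moniker()

    # [{SecuritySettings}!], e.g. {impersonationLevel=impersonate,authenticationLevel=pktPrivacy}
    if rest.startswith("{"):
        end = rest.index("}")
        for item in rest[1:end].split(","):
            name, _, value = item.partition("=")
            if name.strip():
                m.settings[name.strip()] = value.strip()
        rest = rest[end + 1:].lstrip("!")

    # [\\ComputerName]
    host = re.match(r"\\\\([^\\:]+)", rest)
    if host:
        m.computer = host.group(1)
        rest = rest[host.end():]

    # [\Namespace][:ClassName][.Key]: the namespace ends at the first ':' outside a quoted key value
    quote = min((i for i in (rest.find("'"), rest.find('"')) if i >= 0), default=len(rest))
    colon = rest.find(":")
    if 0 <= colon < quote:
        ns_part, obj_part = rest[:colon], rest[colon + 1:]
    elif rest.startswith(("\\", "/")) or rest.lower().startswith("root"):
        ns_part, obj_part = rest, ""   # namespace only, e.g. root/cimv2
    else:
        ns_part, obj_part = "", rest   # object path in the default namespace

    ns_part = ns_part.strip("\\/")
    if ns_part:
        m.namespace = ns_part.replace("/", "\\")
    if obj_part:
        cls, _, key = obj_part.partition(".")
        m.class_name = cls
        m.key = key or None
    return m


def review_security_settings(m: Moniker, remote: Optional[bool] = None) -> List[str]:
    """Flag security settings a reviewer would question; remote defaults to 'computer is not local'."""
    if remote is None:
        remote = m.computer not in (None, ".", "localhost")
    findings: List[str] = []
    # The slides spell the second level "identity"; DCOM calls it Identify. Accept both.
    imp = m.settings.get("impersonationLevel", "").lower().replace("identity", "identify")
    auth = m.settings.get("authenticationLevel", "").lower()

    if not imp:
        findings.append("impersonationLevel not set: the registry default under "
                        "HKLM\\SOFTWARE\\Microsoft\\WBEM\\Scripting applies")
    elif imp == "delegate":
        findings.append("delegate: the target computer may pass the caller's credentials on to other computers")
    elif imp in IMPERSONATION_LEVELS and IMPERSONATION_LEVELS.index(imp) < IMPERSONATION_LEVELS.index("impersonate"):
        findings.append(f"{imp}: WMI cannot act on the caller's behalf; most providers need impersonate")

    if remote:
        if auth in ("", "default"):
            findings.append("authenticationLevel not pinned: the remote DCOM connection is negotiated, "
                            "not guaranteed to be encrypted")
        elif auth in AUTH_LEVELS and AUTH_LEVELS.index(auth) < AUTH_LEVELS.index("pktprivacy"):
            findings.append(f"{auth}: packets are at most signed, not encrypted; use pktPrivacy for remote calls")
    return findings


if __name__ == "__main__":
    # Constructed inputs built from the moniker forms shown on the slides.
    for text in (
        "winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!root/cimv2",
        r'winmgmts:\\DARYL\root\CIMV2:Win32_NTLogEvent.Logfile="Application",RecordNumber=1',
        "winmgmts:Win32_Processor.DeviceID='cpu0'",
    ):
        m = parse_moniker(text)
        print(m, review_security_settings(m) or "ok")
```

Connections made with SWbemLocator.ConnectServer carry no moniker, so for those scripts the same check applies to the values later set on the SWbemServices object's Security_ property; the review function only needs the two level names and whether the target is remote.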
  • Slide 50
  • 50 How to use WMI control properties: (navigation path on the slide not preserved in the extraction) -> WMI Control -> Properties. Tabs: Logging; Backup/Restore; Security on a namespace; default namespace specified.