Optimum All American 13716 Posts
Does anyone know if the Windows Management Instrumentation tool, wmic, sends usernames or passwords in cleartext to machines it's collecting information from? 10/12/2009 10:24:14 AM |
evan All American 27701 Posts
it depends on how you ask it to authenticate. i haven't used wmic much, only calls to WMI from wsh/vbscript... but i'm assuming wmic just uses the credentials it's running under.
normally, it uses ntlm if at all possible. if the above is true, it's definitely using ntlm.
usernames are plaintext if i remember correctly, but the password is never sent in plaintext 10/12/2009 11:11:53 AM |
Optimum All American 13716 Posts
gotcha. assume that this is running as a domain-level admin, passing similar credentials via the wmic command-line tool. same thing? 10/12/2009 11:17:37 AM |
smoothcrim Universal Magnetic! 18969 Posts
it can be set up to pass the kerb token itself if there's a domain involved. local accounts, the lowest common scheme is observed unless gpos are configured otherwise 10/12/2009 1:29:38 PM |
disco_stu All American 7436 Posts
http://www.wireshark.org/ You tell us.
That is, if no one else knows.
^or that.
[Edited on October 12, 2009 at 1:30 PM. Reason : .] 10/12/2009 1:29:48 PM |
Optimum All American 13716 Posts
some additional reading suggests to me that WMI is encrypted...
http://redmondmag.com/articles/2002/02/01/securing-remote-management-with-wmi.aspx 10/12/2009 4:23:18 PM |
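An added example, not posted by anyone in the thread: a small parser for checking a capture of the NTLM exchange discussed above, which pulls the domain, user and workstation names out of an NTLMSSP AUTHENTICATE (type 3) message and searches the bytes for a known string. The sample message, the names `EXAMPLE`, `wmiadmin` and `MGMT01`, and the response bytes are constructed for the demo; with a real capture you would pass in the exported packet bytes instead.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set

def _field(msg, pos):
    """Follow a (Len, MaxLen, Offset) descriptor at pos to its payload bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("descriptor points outside the captured bytes")
    return msg[offset:offset + length]

def parse_authenticate(blob):
    """Locate an NTLMSSP AUTHENTICATE (type 3) message inside captured bytes."""
    start = blob.find(SIGNATURE)
    while start != -1:
        msg = blob[start:]
        if len(msg) >= 64 and struct.unpack_from("<I", msg, 8)[0] == 3:
            flags = struct.unpack_from("<I", msg, 60)[0]
            enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
            return {
                "domain": _field(msg, 28).decode(enc),
                "user": _field(msg, 36).decode(enc),
                "workstation": _field(msg, 44).decode(enc),
                "nt_response_len": len(_field(msg, 20)),  # opaque response blob
            }
        start = blob.find(SIGNATURE, start + 1)
    return None

def appears_in_clear(blob, text):
    """True if text occurs in the bytes as ASCII or UTF-16LE."""
    return text.encode("ascii") in blob or text.encode("utf-16-le") in blob

def build_sample(domain, user, workstation, nt_response):
    """Constructed type 3 message standing in for a real capture."""
    payloads = [b"\x00" * 24, nt_response]
    payloads += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    payloads.append(b"")  # empty session key
    header, body, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for p in payloads:
        header += struct.pack("<HHI", len(p), len(p), offset)
        body += p
        offset += len(p)
    return header + struct.pack("<I", NEGOTIATE_UNICODE) + body

# Constructed input: arbitrary leading bytes, then the message.
SAMPLE = b"\x05\x00\x10\x03" + build_sample(
    "EXAMPLE", "wmiadmin", "MGMT01", bytes(range(48)))

if __name__ == "__main__":
    print(parse_authenticate(SAMPLE))
```

On your own capture, run `appears_in_clear` with the account name and then with the account's password to see which of the two shows up in the bytes.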