
Fails when trying to run Get-WmiObject

Open lynnewu opened this issue 3 years ago • 2 comments

This is in PowerShell 7

PS C:\src\PowerHunt> Invoke-PowerHunt

cmdlet Invoke-PowerHunt at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
OutputDirectory: .
 ===========================================
 PowerHunt
 ===========================================
 Author: Scott Sutherland (@_nullbind), NetSPI
 -------------------------------------------
 [*][10/19/2022 13:07] Authentication Mode : Current User
 [*][10/19/2022 13:07] Computer Target Mode: Active Directory Computers
 [*][10/19/2022 13:07] Output Directory    : .\Hunt-10192022130744
 [*][10/19/2022 13:07] Start active testing
 -------------------------------------------
 ENABLING POWERSHELL REMOTING
 -------------------------------------------
 [*][10/19/2022 13:07] Confirmed local administrative privileges.
 [*][10/19/2022 13:07] Checking if PS Remoting is enabled...
 [*][10/19/2022 13:07] PS Remoting appears to be enabled.
Get-WmiObject: The term 'Get-WmiObject' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path
was included, verify that the path is correct and try again.

 [x][10/19/2022 13:07] Enabling PowerShell Remoting failed.
 [!][10/19/2022 13:07] Aborting operation.

Environment

PS C:\src\PowerHunt> get-host

Name             : ConsoleHost
Version          : 7.2.6
InstanceId       : a9cd2673-68e7-4714-9bc8-1ee43e3b591d
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : en-US
CurrentUICulture : en-US
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace


PS C:\src\PowerHunt>

lynnewu avatar Oct 19 '22 18:10 lynnewu

Possible solution: replace get-wmiobject with get-ciminstance. Source: https://forums.powershell.org/t/powershell-7-is-missing-get-wmiobject/14011/4

In PowerHunt.psm1 (line 272):

                # Get service status
#                $ServiceStatus = Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
                $ServiceStatus = Get-ciminstance -Class win32_service | Where-Object {$_.name -like "WinRM"}

Unfortunately, it then fails later with:

-------------------------------------------
 DISCOVERY: PORT SCANNING (5985/5986)
 -------------------------------------------
 [*][10/19/2022 13:20] Checking if TCP Port 5985 (NonSSL) is open on 588 computers
 [*][10/19/2022 13:21] - 441 computers have TCP port 5985 open.
 [*][10/19/2022 13:21] Checking if TCP Port 5986 (SSL) is open on 588 computers
 [*][10/19/2022 13:22] - 1 computers have TCP port 5986 open.
 [*][10/19/2022 13:22] Creating PS Remoting Target List.
InvalidOperation: Method invocation failed because [System.Management.Automation.PSObject] does not contain a method named 'op_Addition'.

 [*][10/19/2022 13:22] - 0 computers will be targeted.

lynnewu avatar Oct 19 '22 18:10 lynnewu
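An added example, not PowerHunt's own code, of the pre-flight logic the thread touches on written so that it runs on both Windows PowerShell 5.1 and PowerShell 7: the WinRM service check uses Get-CimInstance (present in both), and the 5985/5986 target list is built from plain hashtables so no arithmetic ever lands on a PSObject. The function names, the TCP probe and the target-list shape are assumptions; the cause of the op_Addition error above is not shown in the issue, so this only avoids that class of problem rather than diagnosing it.

```powershell
# Added example (not PowerHunt's code). Function names, the port probe and the
# target-list layout are assumptions for illustration only.

function Get-WinRmServiceState {
    # Get-CimInstance exists in 5.1 and 7; Get-WmiObject was removed in 7.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"
    if (-not $svc) { return 'Missing' }
    return $svc.State   # 'Running', 'Stopped', ...
}

function Test-RemotingPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 500)
    # Bounded TCP connect so one unreachable host cannot stall the whole scan.
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function New-RemotingTargetList {
    param([string[]]$Computers)
    # Prefer 5986 (SSL) when it is open, otherwise fall back to 5985.
    # Entries are hashtables and the count is an explicit [int], so later
    # code never tries '+' on a PSObject (the op_Addition failure class).
    $targets = [System.Collections.Generic.List[hashtable]]::new()
    foreach ($c in $Computers) {
        if (Test-RemotingPort -ComputerName $c -Port 5986) {
            $targets.Add(@{ Computer = $c; Port = 5986; UseSSL = $true })
        } elseif (Test-RemotingPort -ComputerName $c -Port 5985) {
            $targets.Add(@{ Computer = $c; Port = 5985; UseSSL = $false })
        }
    }
    [int]$count = $targets.Count
    Write-Host ("[*] - {0} computers will be targeted." -f $count)
    return ,$targets   # leading comma keeps the list from being unrolled
}

# Constructed usage: check WinRM locally, then build a list for two hosts.
Write-Host ("[*] WinRM service state: {0}" -f (Get-WinRmServiceState))
$null = New-RemotingTargetList -Computers @('localhost', '127.0.0.1')
```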

Sorry for the delay in getting back to you on this. I didn't test this with v7 so I'll have to add that to my backlog and make some tweaks. Thank you for sharing the feedback. I'll let you know when I have it wrapped up.

nullbind avatar Jan 11 '23 17:01 nullbind