Does anyone know if the Windows Management Instrumentation tool, wmic, sends usernames or passwords in cleartext to machines it's collecting information from?

10/12/2009 10:24:14 AM

it depends on how you ask it to authenticate. i haven't used wmic much, only calls to WMI from wsh/vbscript... but i'm assuming wmic just uses the credentials it's running under.

normally, it uses ntlm if at all possible. if the above is true, it's definitely using ntlm.

usernames are plaintext if i remember correctly, but the password is never sent in plaintext

10/12/2009 11:11:53 AM

gotcha. assume that this is running as a domain-level admin, passing similar credentials via the wmic command-line tool. same thing?

10/12/2009 11:17:37 AM

it can be setup to pass the kerb token itself if there's a domain involved. local accounts, the lowest common scheme is observed unless gpos are configured otherwise

10/12/2009 1:29:38 PM

http://www.wireshark.org/
You tell us.

That is, if no one else knows.

^or that.

[Edited on October 12, 2009 at 1:30 PM. Reason : .]

10/12/2009 1:29:48 PM

some additional reading suggests to me that WMI is encrypted...

http://redmondmag.com/articles/2002/02/01/securing-remote-management-with-wmi.aspx

10/12/2009 4:23:18 PM