feat: comprehensive WMI query functionality with connection pooling and template library #16
Conversation
Add comprehensive WQL query capabilities to slinger's WMI execution system:

Core Features:
- WMIQuery module with DCOM-based WQL execution
- Interactive WQL shell with cmd.Cmd interface
- Multiple output formats (table, JSON, CSV)
- Class description and schema discovery
- Namespace support for different WMI namespaces
- Predefined query templates for common tasks
- Output redirection integration with existing tee_output system

CLI Integration:
- Added 'wmiexec query' subcommand with comprehensive argument parsing
- Mutually exclusive options: query string, --interactive, --describe, --template
- Format options: --format (table/json/csv), -o/--output for file output
- Namespace selection: --namespace (default: root/cimv2)
- Template system: --template, --list-templates

Architecture:
- wmiexec class now inherits from WMIQuery for seamless integration
- Reuses existing DCOM connection patterns and credentials
- Follows established slinger patterns for CLI, output, and error handling
- Added to help categorization under "System Enumeration"

Query Templates:
- processes, services, users, network, software, drives
- startup, shares, hotfixes, environment variables

Similar to impacket's wmiquery.py but integrated into slinger's interactive session architecture with enhanced usability.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Fix 'NoneType has no len()' error by properly handling None credential values:
- Use empty string defaults for password and domain (matching wmiexec patterns)
- Parse NTLM hash correctly from self.ntlm_hash attribute
- Handle both full hash (lm:nt) and NT-only hash formats
- Use lm_hash/nt_hash variables consistently in set_credentials calls

Follows exact credential handling patterns from existing wmiexec module to ensure compatibility with slinger's authentication system.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Add efficient WMI connection reuse system:

Connection Management:
- setup_wmi(namespace) method checks for existing connections and reuses them
- Single DCOM connection (_dcom_connection) reused for entire slinger session
- Namespace-specific WMI service connections cached in _wmi_services dict
- cleanup_wmi() method for proper session cleanup

Performance Benefits:
- Eliminates repeated authentication for each WMI operation
- Reduces network traffic and improves response times
- First WMI operation authenticates, subsequent operations reuse connection
- Supports multiple namespaces with separate cached service connections

Implementation:
- _run_wql_query() now uses setup_wmi() instead of creating new connections
- _describe_class() updated to use connection pooling
- _list_classes() benefits from pooled connections via _run_wql_query()
- Only cleanup query enumerators and class objects, preserve service connections

Debug output shows connection reuse:
- 'Creating new DCOM connection for WMI' (first time only)
- 'Reusing existing DCOM connection' (subsequent operations)
- 'Reusing existing WMI connection for namespace: X' (namespace reuse)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Enhanced setup_wmi() method for unified WMI connection management:

Features:
- operation_type parameter: 'query', 'dcom', 'event'
- Returns appropriate objects based on operation type:
  * query: IWbemServices object (existing behavior)
  * dcom/event: tuple of (dcom_connection, IWbemServices)
- Full DCOMConnection options (aesKey, oxidResolver, doKerberos)
- Helper methods for easy access:
  * get_wmi_dcom_connection() - for wmiexec dcom operations
  * get_wmi_event_connection() - for wmiexec event operations
  * get_wmi_query_connection() - for wmiexec query operations

Benefits:
- Single DCOM authentication for ALL WMI operations in slinger session
- Eliminates redundant connections in wmiexec dcom, event, task methods
- Maintains backwards compatibility with existing query functionality
- Provides foundation for extending connection reuse to all WMI methods

Next: Modify existing wmiexec methods to use shared connections instead of creating new DCOMConnection instances.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Fix 'CLSID_WbemLocator' not found error by using correct impacket WMI interfaces:

Changes:
- Replace CLSID_WbemLocator with CLSID_WbemLevel1Login (available in impacket)
- Replace IWbemLocator with IWbemLevel1Login interface
- Use NTLMLogin() instead of ConnectServer() for namespace connection
- Add proper namespace path formatting for NTLMLogin (//./root/namespace)
- Handle both 'root/cimv2' and 'cimv2' namespace format inputs

This matches the working pattern used in existing wmiexec DCOM method and ensures compatibility with the impacket WMI implementation.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Fix 'rpc_s_access_denied' error by removing conflicting authentication:

Issue: WMI queries failing with access denied after connection reuse
Root Cause: Calling set_credentials() after NTLMLogin() creates authentication conflict
Solution: Remove set_credentials() call - NTLMLogin() handles authentication

Changes:
- Remove set_credentials() call from setup_wmi() method
- NTLMLogin() already authenticates the connection properly
- Matches pattern used in working wmiexec dcom method
- Prevents authentication conflicts when reusing connections

This should restore WMI query functionality while maintaining connection reuse.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
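The four commits above describe one design: a single DCOM connection per session, one IWbemServices per namespace, namespace paths normalised to the `//./root/...` form NTLMLogin expects, and no set_credentials() call after NTLMLogin(). The block below is an added example of that design, not slinger's or impacket's own code; the real DCOMConnection and IWbemLevel1Login.NTLMLogin calls are replaced by injected callables (dcom_factory, login) so it runs offline, and WmiPool, normalize_namespace and events are this example's names.

```python
from typing import Callable, Dict, Optional


def normalize_namespace(namespace: str) -> str:
    """Map 'cimv2', 'root/cimv2' or 'root\\cimv2' to the '//./root/cimv2'
    path form that IWbemLevel1Login.NTLMLogin expects."""
    ns = namespace.strip().replace("\\", "/").strip("/")
    if ns.lower() != "root" and not ns.lower().startswith("root/"):
        ns = "root/" + ns
    return "//./" + ns


class WmiPool:
    """One DCOM connection per session, one IWbemServices per namespace."""

    def __init__(self, dcom_factory: Callable[[], object],
                 login: Callable[[object, str], object]) -> None:
        self._dcom_factory = dcom_factory   # stands in for DCOMConnection(...)
        self._login = login                 # stands in for NTLMLogin(path, NULL, NULL)
        self._dcom_connection: Optional[object] = None
        self._wmi_services: Dict[str, object] = {}
        self.events = []                    # debug trail, like slinger's messages

    def setup_wmi(self, namespace: str = "root/cimv2", operation_type: str = "query"):
        if operation_type not in ("query", "dcom", "event"):
            raise ValueError(f"unknown operation_type: {operation_type}")
        if self._dcom_connection is None:
            self.events.append("Creating new DCOM connection for WMI")
            self._dcom_connection = self._dcom_factory()
        else:
            self.events.append("Reusing existing DCOM connection")
        path = normalize_namespace(namespace)
        svc = self._wmi_services.get(path)
        if svc is None:
            # NTLMLogin authenticates the namespace; no set_credentials() afterwards,
            # which is the conflict the 'rpc_s_access_denied' fix removed.
            svc = self._login(self._dcom_connection, path)
            self._wmi_services[path] = svc
        else:
            self.events.append(f"Reusing existing WMI connection for namespace: {path}")
        # query callers get the service; dcom/event callers also need the connection
        return svc if operation_type == "query" else (self._dcom_connection, svc)

    def cleanup_wmi(self) -> None:
        """Drop cached services and the session connection at exit."""
        self._wmi_services.clear()
        self._dcom_connection = None
```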
Add user-friendly progress indicators and performance warnings:

Query Performance Warnings:
- Detect potentially slow queries (Win32_Product, SELECT *, etc.)
- Warn about queries without WHERE clauses
- Alert on complex JOIN and multiple LIKE operations
- Specific warnings for known slow WMI classes

Progress Feedback:
- 'Executing WMI query... (this may take a moment)' for all queries
- Progress updates every 5 seconds for long-running queries
- Query completion timing for operations > 2 seconds
- Timeout warnings and graceful handling

Timeout Management:
- --timeout CLI parameter (default: 120 seconds)
- Timeout shown in help examples
- Graceful timeout handling with partial results
- Ctrl+C interrupt instructions for long queries

Enhanced Templates:
- Added fast alternatives (processes_fast, services_fast)
- Performance comments in template definitions
- Updated help examples with timeout usage

User Experience:
- Clear feedback for query duration and result counts
- Proactive warnings before slow operations start
- Non-blocking progress updates during execution
- Graceful handling of timeouts and interruptions

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
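The pre-flight checks listed under "Query Performance Warnings" above, written as an added example (not slinger's code) in the form of a pure function that can be unit-tested without a WMI endpoint. The class table, message texts and thresholds are this example's assumptions; Win32_Product is listed because enumerating it makes Windows Installer re-validate every installed package, and WQL's association traversals (ASSOCIATORS OF / REFERENCES OF) stand in for the "complex JOIN" case since WQL has no JOIN keyword.

```python
import re
from typing import List

# Classes whose enumeration is known to be slow or to have side effects on the host.
SLOW_CLASSES = {
    "win32_product": "triggers an MSI consistency check for every installed package",
    "win32_quickfixengineering": "walks the full update history on the host",
    "cim_datafile": "can enumerate the entire file system",
}

_FROM_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def query_warnings(wql: str) -> List[str]:
    """Return human-readable warnings for a WQL statement; an empty list means no concerns."""
    warnings: List[str] = []
    normalized = " ".join(wql.split())
    upper = normalized.upper()

    match = _FROM_RE.search(normalized)
    cls = match.group(1).lower() if match else ""
    if cls in SLOW_CLASSES:
        warnings.append(f"{match.group(1)} is slow: {SLOW_CLASSES[cls]}")

    if re.search(r"\bSELECT\s+\*", upper):
        warnings.append("SELECT * fetches every property; name only the columns you need")

    # An unfiltered SELECT returns every instance, however large the class is.
    if upper.startswith("SELECT") and " WHERE " not in upper:
        warnings.append("no WHERE clause; every instance will be returned")

    like_count = len(re.findall(r"\bLIKE\b", upper))
    if like_count > 1:
        warnings.append(f"{like_count} LIKE patterns force a scan of every instance")

    if upper.startswith(("ASSOCIATORS OF", "REFERENCES OF")):
        warnings.append("association queries touch several classes and can be slow")

    return warnings
```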
Implement user-friendly list format as the new default:

List Format Features:
- Clean, readable record-by-record display
- '=== Record N ===' headers for easy scanning
- Property: Value format with proper indentation
- Smart value formatting (NULL, arrays, single values)
- Empty line separators between records
- Handles nested arrays and complex data types

Format Options:
- list (NEW DEFAULT): Clean, readable record format
- table: Grid-based tabular format
- json: Machine-readable JSON output
- csv: Comma-separated values for data analysis

CLI Updates:
- --format choices now include 'list' as first option
- Help examples show list as default format
- Interactive shell supports all four formats
- Updated help text and examples

Example Output:

    === Record 1 ===
    Name: explorer.exe
    ProcessId: 1234
    CommandLine: C:\Windows\explorer.exe

    === Record 2 ===
    Name: notepad.exe
    ProcessId: 5678
    CommandLine: notepad.exe C:\temp\file.txt

Much more readable than dense table format for typical WMI queries!

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Expand query templates for security, recon, and system administration:

Template Categories:
- 🔍 Process & Execution (5 templates) - processes, processes_fast, processes_full, suspicious_processes, parent_child
- ⚙️ Services (5 templates) - services, running_services, auto_services, stopped_services, services_fast
- 👥 Users & Security (6 templates) - users, local_users, admin_users, groups, local_groups, logon_sessions
- 🌐 Network (5 templates) - network, network_adapters, ip_config, network_connections, dns_settings
- 💻 System Information (5 templates) - system_info, os_info, bios_info, timezone, computer_info
- 💾 Storage & Drives (4 templates) - drives, disk_drives, volumes, usb_devices
- 🔒 Security & Monitoring (5 templates) - antivirus, firewall, audit_policy, shares, printers
- 📦 Software & Applications (4 templates) - software, installed_programs, startup, startup_programs
- ⏰ Scheduled Tasks (2 templates) - scheduled_tasks, task_info
- 🔄 Updates & Patches (2 templates) - hotfixes, updates
- 🖥️ Hardware (4 templates) - hardware, cpu_info, memory, pci_devices
- 🌍 Environment & Config (3 templates) - environment, system_env, registry_hives
- 📊 Performance & Monitoring (2 templates) - event_logs, perf_counters
- 🎯 Quick Reconnaissance (5 templates) - recon_basic, recon_os, recon_users, recon_shares, recon_services
- 🛡️ Security Focused (4 templates) - security_software, admin_shares, privileged_groups, system_accounts

Enhanced Template Listing:
- Organized by functional categories with emoji icons
- Performance warnings (⚠️ very slow, ⏳ can be slow)
- Total count and usage instructions
- Clean categorized display

Great for security assessments, system recon, and administration!

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…handling

Add graceful handling for service cleanup to prevent slinger hanging on exit:

Service Stop Improvements:
- Add 5-second timeout to RemoteRegistry service stop operations
- Handle ERROR_DEPENDENT_SERVICES_RUNNING (0x41b) gracefully
- Prevent blocking when other services depend on RemoteRegistry
- Always cleanup service handles even if stop fails
- Update internal state to prevent retry loops

Error Handling:
- Specific messages for dependency conflicts
- Warning messages instead of blocking errors
- Graceful fallback when services cannot be stopped
- Debug logging for troubleshooting

Connection Cleanup:
- Add WMI connection cleanup to main exit handler
- Prevent resource leaks on session termination
- Graceful DCE disconnect with error handling
- Clean state management on exit

User Experience:
- Non-blocking exit process
- Clear feedback about service state restoration
- Informative warnings instead of hanging
- Fast session termination even with service dependencies

Fixes the issue where slinger would hang indefinitely when trying to stop RemoteRegistry service that has dependent services running.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Modified build script to generate cli_menu.md in docs/ directory instead of root
- Enhanced documentation generation to include nested subcommands (wmiexec query, eventlog query, downloads subcommands)
- Improved output formatting with proper line breaks for long command help text
- Ensures proper project organization following CLAUDE.md file structure guidelines

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Summary
wmiexec query) with 54 predefined templates

Implementation Details
WMI Query System
Key Files Modified
- src/slingerpkg/lib/wmiquery.py - Core WMI query functionality with connection pooling
- src/slingerpkg/lib/wmiexec.py - Integration point inheriting from WMIQuery class
- src/slingerpkg/lib/dcetransport.py - Service cleanup with timeout and dependency handling
- src/slingerpkg/utils/cli.py - Complete CLI parser for wmiexec query subcommand
- scripts/build_script.py - Enhanced to generate docs in proper location with nested subcommands

Service Cleanup Improvements
Authentication Optimization
- wmiexec query uses connection pooling; other methods create new sessions as designed
- set_credentials() calls causing authentication conflicts

Documentation Infrastructure
- docs/ directory following project structure

Template Categories
Test Plan
🤖 Generated with Claude Code