...
Adding trusted hosts for WinRM. This is a bit of a lazy configuration on my part, because I don't think I need both target and source, or both IP and FQDN, but it works.
PS C:\Windows\system32> winrm s winrm/config/client '@{TrustedHosts="spinup-0005a2.yu.yale.edu,172.17.172.207,spinup-0005a8.yu.yale.edu,172.17.172.247"}'
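The winrm.cmd line above replaces the whole TrustedHosts value with the list given. The following is an added example (not from the original page) that does the same job additively through the WSMan provider and then checks the target's listener. It is worth remembering what the list means: TrustedHosts only matters for non-Kerberos (NTLM) connections, which is what you get when you connect by IP address or to a non-domain host, and it tells the client it is fine to send credentials to that host even though the host's identity cannot be verified. So keep it narrow and never use "*". The function name is my own; the host names and addresses are the ones on the page.

```powershell
# Added example, not part of the original page or of ServiceNow. Run from an elevated
# PowerShell prompt on the WinRM client (here, the MID server).

function Add-WinRmTrustedHost {
    param(
        [Parameter(Mandatory)][string[]]$Hosts
    )
    # Refuse the wildcard: TrustedHosts="*" hands NTLM credentials to any host you point at.
    if ($Hosts -contains '*') {
        throw 'Refusing to add "*" to TrustedHosts'
    }

    $current  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $existing = if ([string]::IsNullOrWhiteSpace($current)) { @() }
                else { $current -split ',' | ForEach-Object { $_.Trim() } }

    $toAdd = @($Hosts | Where-Object { $existing -notcontains $_ })
    if ($toAdd.Count -eq 0) { return $existing }

    # -Concatenate appends to the existing comma-separated value instead of replacing it
    # (the winrm.cmd "set" form on the page overwrites whatever was there).
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($toAdd -join ',') -Concatenate -Force

    return (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',' | ForEach-Object { $_.Trim() }
}

# Same entries as the page's command for the target host, added without clobbering others.
Add-WinRmTrustedHost -Hosts 'spinup-0005a8.yu.yale.edu', '172.17.172.247'

# Confirm the target answers WS-Man over the default HTTP port, 5985, before running discovery.
Test-WSMan -ComputerName spinup-0005a8.yu.yale.edu -Port 5985
```

Test-WSMan talks to the listener without needing credentials, so a failure here is a connectivity or listener problem rather than an authentication one.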
...
- The "Windows - CPU / Memory" probe, which is a WMI probe, is executed.
- The ECC entry looks like this. In this case it is basically just a list of the WMI class properties the probe wants. It is executed via the MID server at 172.17.172.207.
<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <parameter name="used_by_discovery" value="true"/>
  <parameter name="probe_name" value="Windows - CPU / Memory"/>
  <parameter name="probe" value="b141fd470a0a0ba5001d3c32c7d834fb"/>
  <parameter name="WMI_FetchData" value="Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,Win32_PhysicalMemory.BankLabel,Win32_PhysicalMemory.DataWidth,Win32_PhysicalMemory.FormFactor,Win32_PhysicalMemory.DeviceLocator,Win32_PhysicalMemory.Manufacturer,Win32_PhysicalMemory.PartNumber,Win32_PhysicalMemory.SerialNumber,Win32_PhysicalMemory.Speed,Win32_PhysicalMemory.Status,Win32_PhysicalMemory.TotalWidth,Win32_PhysicalMemory.MemoryType,Win32_PhysicalMemory.TypeDetail,Win32_PhysicalMemory.Tag,Win32_PhysicalMemory.Capacity,Win32_Processor.Name,Win32_Processor.MaxClockSpeed,Win32_Processor.Manufacturer"/>
  <parameter name="credential_id" value="a5896eea1366be0057f7b7a66144b0fd"/>
</parameters>
- This input is parsed by scripts on the MID server, and the resulting script is executed on the target machine at 172.17.172.247. Here is some PowerShell logging showing the execution going against the remote host.
- The script is executed as PowerShell. See the transcript from the target machine here:
  PowerShell_transcript.SPINUP-0005A8.NdOTnTCh.20170607142128.txt
- The information is pulled back to the MID server and parsed. See the output here:
  probe_response.xml
- ServiceNow works its magic to get it into the CMDB.
...
One thing that's a bit confusing here is that we see WMI being invoked. This isn't actually remote WMI (DCOM over TCP 135 plus dynamic RPC ports), which we'll get into below. The WMI queries run locally on the target, inside the PowerShell script that WinRM delivers, so how the data is fetched depends on the protocol the probe is configured to use.
Wireshark
The capture shows WinRM on TCP port 5985 (WS-Man over HTTP), and only 5985, in use between the MID server and the target. There is no traffic to TCP 135 or to the dynamic RPC ports that remote WMI over DCOM would need.
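To make the probe flow above and the capture concrete, here is an added example (my own code, not ServiceNow's MID server scripts) that does what the "Windows - CPU / Memory" probe has to do with the WMI_FetchData parameter from the ECC entry: parse the Class.Property list, run one local CIM query per class, and deliver that script to the target over WinRM so the WMI calls stay local to the target. Only the parameter name and the class/property names come from the page; the function names, the parsing and the trimmed sample payload are assumptions of this example.

```powershell
# Added example, not part of the original page or of ServiceNow.

function Get-ProbeFetchData {
    param([Parameter(Mandatory)][xml]$Ecc)
    # Pull the WMI_FetchData parameter out of the <parameters> document.
    $node = $Ecc.parameters.parameter | Where-Object { $_.name -eq 'WMI_FetchData' }
    if (-not $node) { throw 'No WMI_FetchData parameter in ECC payload' }

    # "Win32_Processor.Name,Win32_PhysicalMemory.Speed,..." -> hashtable of class -> [properties]
    $byClass = @{}
    foreach ($item in $node.value -split ',') {
        $class, $prop = $item.Trim() -split '\.', 2
        if (-not $class -or -not $prop) { throw "Malformed entry '$item' (expected Class.Property)" }
        if (-not $byClass.ContainsKey($class)) { $byClass[$class] = @() }
        if ($byClass[$class] -notcontains $prop) { $byClass[$class] += $prop }
    }
    return $byClass
}

function Invoke-LocalFetch {
    param([Parameter(Mandatory)][hashtable]$ByClass)
    # One local CIM query per class, projecting only the properties the probe asked for.
    # This is the part that runs on the target; nothing here leaves the box.
    foreach ($class in $ByClass.Keys) {
        $props = [string[]]$ByClass[$class]
        Get-CimInstance -ClassName $class -Namespace root/cimv2 -Property $props |
            Select-Object -Property (@(@{ n = 'Class'; e = { $class } }) + $props)
    }
}

function Invoke-ProbeOverWinRm {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][xml]$Ecc
    )
    $byClass = Get-ProbeFetchData -Ecc $Ecc
    # Ship the fetch function to the target and run it there. Between this host and the
    # target the only traffic is WS-Man over TCP 5985, which matches the capture on the page.
    # Remote WMI would instead be something like "Get-WmiObject -ComputerName $ComputerName",
    # which goes over DCOM (TCP 135 plus dynamic RPC ports) and never appears here.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -Port 5985 `
        -ScriptBlock ${function:Invoke-LocalFetch} -ArgumentList $byClass
}

# Constructed sample, trimmed from the page's ECC entry (the real list is longer).
$sampleEcc = @'
<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <parameter name="probe_name" value="Windows - CPU / Memory"/>
  <parameter name="WMI_FetchData" value="Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,Win32_Processor.Name,Win32_PhysicalMemory.Capacity,Win32_PhysicalMemory.Speed,Win32_PhysicalMemory.SerialNumber"/>
</parameters>
'@

# Local dry run: exactly what the script does once it lands on the target.
Invoke-LocalFetch -ByClass (Get-ProbeFetchData -Ecc $sampleEcc) | Format-List

# From the MID server it would be:
#   Invoke-ProbeOverWinRm -ComputerName 172.17.172.247 -Credential (Get-Credential) -Ecc $sampleEcc
```

Connecting by IP address, as in the last line, means there is no SPN for Kerberos, so WinRM falls back to NTLM and the target has to be in the client's TrustedHosts list, which is the reason for the entries added earlier on this page.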
...