Setup
Mid Server Configuration
...
Adding trusted hosts for WinRM. This is a bit of a lazy configuration on my part here, because I don't think I need target and source, and IP and FQDN, but it works.
PS C:\Windows\system32> winrm s winrm/config/client '@{TrustedHosts="spinup-0005a2.yu.yale.edu,172.17.172.207,spinup-0005a8.yu.yale.edu,172.17.172.247"}'
Ran into some issues with reverse DNS lookup. Might need some more investigation.
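The same TrustedHosts change done through the WSMan drive, followed by a check of each entry, as an added example that is not part of the original notes. The host names and addresses are the ones from the command above; the WinRM reachability and forward/reverse DNS checks are my additions, meant to narrow down the reverse-lookup problem mentioned above.

```powershell
# Added example (not from the original page): set WinRM TrustedHosts on the MID server
# and verify each entry. Hosts/IPs are the ones quoted on the page.
$hosts = @(
    'spinup-0005a2.yu.yale.edu', '172.17.172.207',
    'spinup-0005a8.yu.yale.edu', '172.17.172.247'
)

# Equivalent of the winrm.cmd one-liner. -Concatenate appends to an existing list
# instead of silently replacing whatever is already trusted.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($hosts -join ',') -Concatenate -Force

# Show what the client will actually trust from now on.
(Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value

# For each entry: does a WinRM listener answer, and do forward and reverse DNS agree?
foreach ($h in $hosts) {
    $result = [ordered]@{ Host = $h; WinRM = $false; ForwardDns = $null; ReverseDns = $null }

    try {
        Test-WSMan -ComputerName $h -ErrorAction Stop | Out-Null
        $result.WinRM = $true
    } catch { }

    try {
        if ($h -as [ipaddress]) {
            # IP input: GetHostEntry does the PTR (reverse) lookup directly.
            $result.ReverseDns = [System.Net.Dns]::GetHostEntry($h).HostName
        } else {
            # Name input: resolve forward, then round-trip the address back to a name.
            $addr = ([System.Net.Dns]::GetHostEntry($h).AddressList | Select-Object -First 1).IPAddressToString
            $result.ForwardDns = $addr
            $result.ReverseDns = [System.Net.Dns]::GetHostEntry($addr).HostName
        }
    } catch {
        $result.ReverseDns = "lookup failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}
```

TrustedHosts is only consulted when the client cannot authenticate with Kerberos, which is exactly what happens when a target is addressed by IP: an entry in the list tells the client it may send credentials to that host without mutual authentication. Connecting to domain-joined targets by FQDN keeps Kerberos in play and makes the IP entries unnecessary, and keeping the list to the exact hosts needed limits where a captured or coerced connection can send the discovery credential.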
Run Results
High Level Process
- Script provided to probe is parsed on mid server
- Script is executed via remote session on the target server
- Results are picked up from mid server
Example:
Note: Tests run on Server 2016 in the Spinup environment.
- The "Windows - CPU / Memory" probe, which is a WMI probe, is executed.
The ECC queue entry looks like this. In this case it is basically just a list of the WMI values the probe wants. Executed via the mid server at 172.17.172.207.
<?xml version="1.0" encoding="UTF-8"?>
<parameters>
  <parameter name="used_by_discovery" value="true"/>
  <parameter name="probe_name" value="Windows - CPU / Memory"/>
  <parameter name="probe" value="b141fd470a0a0ba5001d3c32c7d834fb"/>
  <parameter name="WMI_FetchData" value="Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,Win32_PhysicalMemory.BankLabel,Win32_PhysicalMemory.DataWidth,Win32_PhysicalMemory.FormFactor,Win32_PhysicalMemory.DeviceLocator,Win32_PhysicalMemory.Manufacturer,Win32_PhysicalMemory.PartNumber,Win32_PhysicalMemory.SerialNumber,Win32_PhysicalMemory.Speed,Win32_PhysicalMemory.Status,Win32_PhysicalMemory.TotalWidth,Win32_PhysicalMemory.MemoryType,Win32_PhysicalMemory.TypeDetail,Win32_PhysicalMemory.Tag,Win32_PhysicalMemory.Capacity,Win32_Processor.Name,Win32_Processor.MaxClockSpeed,Win32_Processor.Manufacturer"/>
  <parameter name="credential_id" value="a5896eea1366be0057f7b7a66144b0fd"/>
</parameters>
- This input is parsed by scripts on the mid server and executed on the target machine at 172.17.172.247. Here is some PowerShell logging showing the execution going against the remote host.
- Script is executed as PowerShell. See the log from the target machine here: PowerShell_transcript.SPINUP-0005A8.NdOTnTCh.20170607142128.txt
- Information is pulled back into the mid server and parsed. See the output here: probe_response.xml
- ServiceNow works its magic to get it into the CMDB.
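How a WMI_FetchData list like the one in the ECC entry above can be answered over nothing but a WinRM session, as an added example; this is my illustration, not the MID server's own scripts. The property names come from the page (shortened here), while the target host, the credential prompt and the XML output shape are assumptions.

```powershell
# Added example (not ServiceNow's MID server code): turn a "Class.Property,..." list
# into per-class CIM queries that run on the target inside a WinRM session.
$fetchData = 'Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,' +
             'Win32_Processor.Name,Win32_Processor.MaxClockSpeed,Win32_Processor.Manufacturer,' +
             'Win32_PhysicalMemory.BankLabel,Win32_PhysicalMemory.Capacity,' +
             'Win32_PhysicalMemory.Speed,Win32_PhysicalMemory.SerialNumber'

# Group the tokens by class so each WMI class is queried exactly once.
$byClass = @{}
foreach ($token in $fetchData -split ',') {
    $class, $property = $token.Trim() -split '\.', 2
    if (-not $byClass.ContainsKey($class)) { $byClass[$class] = @() }
    $byClass[$class] += $property
}

$target = 'spinup-0005a8.yu.yale.edu'   # target from the page; replace with your own
$cred   = Get-Credential                # discovery account; prompted, never hard-coded

# One WinRM session (HTTP on TCP 5985). Everything in the script block executes on the
# target, so the CIM/WMI calls are local there: no DCOM/RPC leaves the MID server,
# which is why a capture shows only port 5985.
$session = New-PSSession -ComputerName $target -Credential $cred
try {
    $rows = Invoke-Command -Session $session -ArgumentList $byClass -ScriptBlock {
        param([hashtable]$classes)
        foreach ($class in $classes.Keys) {
            # Tag each instance with its class and keep only the requested properties.
            Get-CimInstance -ClassName $class -Property $classes[$class] |
                Select-Object -Property (@(@{ n = 'Class'; e = { $class } }) + $classes[$class])
        }
    }
} finally {
    if ($session) { Remove-PSSession $session }
}

# Hand the result back as XML, roughly the shape of the probe_response.xml step above
# (the exact ServiceNow format is not reproduced here).
$rows | ConvertTo-Xml -As String -NoTypeInformation -Depth 2
```

Because the discovery credential is only ever presented to the WinRM listener, the target-side evidence of a run is the PowerShell transcript (as on the page) plus a WinRM logon, and the network evidence is a single 5985 connection; anything that shows DCOM or RPC endpoint-mapper traffic toward the target is not this probe.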
More Details
Script Files
PowerShell and WinRM scripts are here:
https://yale.app.box.com/files/0/f/27799187643/Mid_Server_Powershell_Scripts_
ECC Queue
One thing that's a bit confusing here is that we see WMI being invoked. This isn't actually remote WMI, as evidenced above, and it is handled differently depending on the protocol being used, which we'll get into below.
High Level Process
Wireshark
The capture shows WinRM on port 5985, and only 5985, being used.
...
Without local admin
Work in progress...
Add user to Remote Admin Group
LocalAccountTokenFilterPolicy needs to be set for a local account to work.
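A way to inspect and, only on explicit request, apply the two settings named above, as an added example rather than anything from the original notes. The registry path and value name are the real Windows ones; the group name is a placeholder for what the page calls the "Remote Admin Group", and the user name is made up.

```powershell
# Added example (not from the page): check and optionally apply the local-account
# settings the "Without local admin" section refers to.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicyState {
    # Reports how the host currently treats remote logons by non-built-in local admins.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    switch ($current) {
        1       { 'Set to 1: remote local-admin logons receive a full (unfiltered) token' }
        0       { 'Set to 0: remote local-admin logons receive a UAC-filtered token' }
        default { 'Not set, which behaves like 0: remote local-admin logons are filtered' }
    }
}

function Enable-RemoteLocalAdmin {
    # Adds the account to the remote-admin group and sets the policy value. Supports
    # -WhatIf so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Group = 'REMOTE-ADMIN-GROUP-NAME'   # placeholder; use the page's group
    )
    if ($PSCmdlet.ShouldProcess($Group, "add member $User")) {
        Add-LocalGroupMember -Group $Group -Member $User
    }
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'set DWORD to 1')) {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-TokenFilterPolicyState
# Enable-RemoteLocalAdmin -User 'svc-discovery-example' -WhatIf   # dry run; drop -WhatIf to apply
```

Setting the value to 1 is host-wide: it removes UAC token filtering for every non-built-in local administrator account on that machine, not just the discovery account, which is why the same setting shows up in lateral-movement hardening guidance. A domain account for discovery avoids the change entirely; where a local account is unavoidable, record the hosts where the value is 1 so the exposure is known and monitored.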