
Setup

Mid Server Configuration

Much of this is set by default, but here are the settings that work.

Windows Configuration needed

Adding trusted hosts for the WinRM client on the MID server (TrustedHosts is a client-side setting; note that this command replaces the whole list rather than appending to it):

PS C:\Windows\system32> winrm s winrm/config/client '@{TrustedHosts="spinup-0005a2.yu.yale.edu,172.17.172.207,spinup-0005a8.yu.yale.edu,172.17.172.247"}'

Ran into some issues with reverse DNS lookup.  Might need some more investigation.
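The following PowerShell is an added example, not part of the original page: it reads the current TrustedHosts list, appends only the missing entries instead of overwriting the list as the winrm.cmd one-liner above does, checks forward and reverse DNS for each target name (the reverse-lookup problem mentioned above usually shows up as a PTR record that does not match the forward name), and confirms that each target answers on the WinRM HTTP port. The host names and addresses are the ones on this page; run it in an elevated prompt on the MID server.

```powershell
# Added example (not from the original page): extend and verify the WinRM client
# TrustedHosts list on the MID server without clobbering existing entries.
# Host names and IPs are taken from this page; run elevated.

$newHosts = @(
    'spinup-0005a2.yu.yale.edu', '172.17.172.207',
    'spinup-0005a8.yu.yale.edu', '172.17.172.247'
)

# 1. Read what is already configured. 'winrm s winrm/config/client @{TrustedHosts=...}'
#    replaces the entire value, so an earlier entry can silently disappear.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
Write-Host "Current TrustedHosts: '$current'"

# 2. Append only the entries that are missing. -Concatenate keeps the existing
#    list; without it Set-Item behaves like the winrm.cmd one-liner.
$existing = if ($current) { $current -split ',' | ForEach-Object { $_.Trim() } } else { @() }
$toAdd = $newHosts | Where-Object { $existing -notcontains $_ }
if ($toAdd) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($toAdd -join ',') -Concatenate -Force
}

# 3. Check forward and reverse DNS for each name. A forward record whose PTR
#    points at a different name is the usual source of reverse-lookup trouble;
#    both the name and the IP are in TrustedHosts so either form works.
foreach ($h in $newHosts | Where-Object { $_ -notmatch '^\d+\.\d+\.\d+\.\d+$' }) {
    $a = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
    foreach ($rec in $a) {
        $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue
        [pscustomobject]@{ Host = $h; IP = $rec.IPAddress; PTR = ($ptr.NameHost -join ',') }
    }
}

# 4. Confirm the listener answers on the port discovery actually uses (5985, HTTP).
foreach ($h in $newHosts) {
    try {
        $null = Test-WSMan -ComputerName $h -Port 5985 -ErrorAction Stop
        "$h : WinRM listener reachable on 5985"
    } catch {
        "$h : $($_.Exception.Message)"
    }
}
```

TrustedHosts only matters when the client cannot use Kerberos (connecting by IP address, or to a host outside the domain); an entry there tells the client to skip verifying the server's identity for that host, so keep the list limited to the discovery targets rather than using a wildcard.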

High Level Process

  1. The script provided to the probe is parsed on the MID server.
  2. The script is executed via a remote session on the target server.
  3. Results are picked up from the MID server.

Example:

  1. Windows - CPU / Memory, which is a WMI probe, is executed.
  2. The ECC entry looks like this. It is executed via the MID server at 172.17.172.207.

    <?xml version="1.0" encoding="UTF-8"?>
    <parameters>
      <parameter name="used_by_discovery" value="true"/>
      <parameter name="probe_name" value="Windows - CPU / Memory"/>
      <parameter name="probe" value="b141fd470a0a0ba5001d3c32c7d834fb"/>
      <parameter name="WMI_FetchData" value="Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,Win32_PhysicalMemory.BankLabel,Win32_PhysicalMemory.DataWidth,Win32_PhysicalMemory.FormFactor,Win32_PhysicalMemory.DeviceLocator,Win32_PhysicalMemory.Manufacturer,Win32_PhysicalMemory.PartNumber,Win32_PhysicalMemory.SerialNumber,Win32_PhysicalMemory.Speed,Win32_PhysicalMemory.Status,Win32_PhysicalMemory.TotalWidth,Win32_PhysicalMemory.MemoryType,Win32_PhysicalMemory.TypeDetail,Win32_PhysicalMemory.Tag,Win32_PhysicalMemory.Capacity,Win32_Processor.Name,Win32_Processor.MaxClockSpeed,Win32_Processor.Manufacturer"/>
      <parameter name="credential_id" value="a5896eea1366be0057f7b7a66144b0fd"/>
    </parameters>

  3. This input is parsed by scripts on the MID server and executed on the target machine at 172.17.172.247. Here's some PowerShell logging showing the execution going against the remote host.

  4. The script is executed as PowerShell. See the log from the target machine here:
    PowerShell_transcript.SPINUP-0005A8.NdOTnTCh.20170607142128.txt
  5. The information is pulled back into the MID server and parsed. See the output here:
    probe_response.xml
  6. ServiceNow works its magic to get it into the CMDB.
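As an added example (this is not ServiceNow's MID server code, which the page does not show), the following PowerShell reproduces steps 1 through 5 by hand: it parses the WMI_FetchData value from the ECC entry above into one property list per WMI class, opens a WinRM session to the target on TCP 5985, and runs Get-WmiObject inside that session so the WMI query itself is local to the target. The fetch-data string is copied from the ECC entry; the target name, the credential prompt and the ConvertFrom-WmiFetchData helper are assumptions made for the example.

```powershell
# Added example (not ServiceNow's MID server code): reproduce the probe by hand.
# The WMI_FetchData string is the one from the ECC entry on this page; the target
# and credential are placeholders for a lab MID server -> target pair.

$target     = 'spinup-0005a8.yu.yale.edu'        # 172.17.172.247 on this page
$credential = Get-Credential -Message "Discovery account for $target"

$wmiFetchData = 'Win32_Processor.NumberOfLogicalProcessors,Win32_Processor.NumberOfCores,' +
    'Win32_PhysicalMemory.BankLabel,Win32_PhysicalMemory.DataWidth,Win32_PhysicalMemory.FormFactor,' +
    'Win32_PhysicalMemory.DeviceLocator,Win32_PhysicalMemory.Manufacturer,Win32_PhysicalMemory.PartNumber,' +
    'Win32_PhysicalMemory.SerialNumber,Win32_PhysicalMemory.Speed,Win32_PhysicalMemory.Status,' +
    'Win32_PhysicalMemory.TotalWidth,Win32_PhysicalMemory.MemoryType,Win32_PhysicalMemory.TypeDetail,' +
    'Win32_PhysicalMemory.Tag,Win32_PhysicalMemory.Capacity,Win32_Processor.Name,' +
    'Win32_Processor.MaxClockSpeed,Win32_Processor.Manufacturer'

# Step 1 (MID server side, hypothetical helper): turn "Class.Property,Class.Property,..."
# into one property array per class, so each class is queried exactly once.
function ConvertFrom-WmiFetchData {
    param([Parameter(Mandatory)][string]$FetchData)
    $byClass = @{}
    foreach ($item in $FetchData -split ',') {
        $class, $prop = $item.Trim() -split '\.', 2
        if (-not $prop) { continue }                       # skip malformed entries
        if (-not $byClass.ContainsKey($class)) { $byClass[$class] = @() }
        if ($byClass[$class] -notcontains $prop) { $byClass[$class] += $prop }
    }
    return $byClass
}

$plan = ConvertFrom-WmiFetchData -FetchData $wmiFetchData

# Step 2: open the WinRM session (TCP 5985, HTTP) and run the queries *inside* it.
# Get-WmiObject therefore talks to the local WMI service on the target; no
# DCOM/RPC traffic flows between the MID server and the target.
$session = New-PSSession -ComputerName $target -Credential $credential -Port 5985
try {
    $results = Invoke-Command -Session $session -ArgumentList $plan -ScriptBlock {
        param($plan)
        $out = @{}
        foreach ($class in $plan.Keys) {
            # Get-CimInstance is the supported replacement on current Windows;
            # Get-WmiObject is used here because it is what the transcript shows.
            $out[$class] = Get-WmiObject -Class $class | Select-Object -Property $plan[$class]
        }
        $out
    }
} finally {
    Remove-PSSession $session
}

# Step 3 (back on the MID server): the deserialized per-class results are what the
# probe serializes into probe_response.xml. Print them per class for inspection.
foreach ($class in $results.Keys) {
    "== $class =="
    $results[$class] | Format-List | Out-String
}
```

Because the query runs on the target, the account in credential_id only needs WinRM access plus permission to read the WMI namespace on that host; nothing on the MID server needs to reach TCP 135 or the RPC dynamic ports, which is the point made under Wireshark below.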

More Details 

Ecc Queue

One thing that's a bit confusing here is that we see WMI being invoked in the ECC queue. This isn't actually remote WMI (DCOM/RPC from the MID server to the target); the WMI query runs locally on the target inside the WinRM session, which we'll get into below.

Wireshark

A capture shows WinRM on TCP port 5985 (HTTP), and only 5985, being used: none of the DCOM/RPC traffic (TCP 135 plus a dynamic high port) that remote WMI from the MID server would generate.

Powershell log

Further evidence is that PowerShell is calling the Get-WmiObject cmdlet with only the Class parameter bound (no ComputerName), i.e. a local WMI query inside the remote session, not remote WMI:

PS>CommandInvocation(Get-WmiObject): "Get-WmiObject"
>> ParameterBinding(Get-WmiObject): name="Class"; value="Win32_ComputerSystem"


Domain              : yu.yale.edu
Manufacturer        : RDO
Model               : OpenStack Compute
Name                : SPINUP-0005A8
PrimaryOwnerName    : Windows User
TotalPhysicalMemory : 8589373440
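The following PowerShell is an added example, not from the page, for confirming the same thing from the target's side during a discovery run: it lists the active WSMan shells and the client that opened them, the established connections on the WinRM HTTP listener, and the established connections on the RPC endpoint mapper that remote WMI over DCOM would use (expected to be empty), plus the count of recent WinRM shell-creation events. The MID server address is the one on this page; the Get-DiscoveryFootprint function name is an assumption.

```powershell
# Added example (not from the original page): on the target, confirm that a
# discovery run arrives as a WinRM shell on TCP 5985 and that no DCOM/RPC
# (remote WMI) path is involved. $midServer is the MID server from this page.

$midServer = '172.17.172.207'

function Get-DiscoveryFootprint {
    param([string]$ClientIp)

    # Active WSMan shells on this host, with the client that opened each one
    # (the remote PowerShell session lives in a wsmprovhost.exe process).
    $shells = Get-WSManInstance -ResourceURI 'shell' -Enumerate |
        Where-Object { -not $ClientIp -or $_.ClientIP -eq $ClientIp } |
        Select-Object ShellId, Owner, ClientIP, ProcessId, ShellRunTime

    # Established connections on the WinRM HTTP listener ...
    $winrm = Get-NetTCPConnection -LocalPort 5985 -State Established -ErrorAction SilentlyContinue |
        Where-Object { -not $ClientIp -or $_.RemoteAddress -eq $ClientIp }

    # ... and on the RPC endpoint mapper, which remote WMI (DCOM) would hit first.
    $rpc = Get-NetTCPConnection -LocalPort 135 -State Established -ErrorAction SilentlyContinue |
        Where-Object { -not $ClientIp -or $_.RemoteAddress -eq $ClientIp }

    # WinRM operational log: Event ID 91 is written when a WSMan shell is created.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        WsmanShells       = $shells
        WinRMConnections  = $winrm
        RpcConnections    = $rpc            # expected empty for WinRM-only discovery
        ShellCreateEvents = @($events).Count
    }
}

Get-DiscoveryFootprint -ClientIp $midServer | Format-List
```

Run it on the target while the probe is in flight (or shortly after, for the event count). A non-empty RpcConnections entry from the MID server would mean something other than the WinRM path described on this page is being used and is worth chasing down.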


Without local admin

Work in progress...
