Introduction
Remote access to Windows machines is carried out over a number of protocols, which must be reachable as prerequisites for the CAM tool to execute correctly. The four access methods used are:
WMI
Remote Registry
SMB
Remote Command
Access at this protocol level typically requires local administrator privileges or higher. By default, only local administrators can access WMI remotely. If you use a standard domain user account, you will get a “WMI Access denied” error when testing connectivity.
Once a user with the appropriate privileges has been created, there are some simple diagnostic methods to confirm that the required connectivity is available.
WBEMTEST Tool
To confirm that the credentials used by the appliance are valid, connect to the target with the wbemtest tool, using the same credentials the appliance uses to scan the target server.
Go to Start and type "WBEMTEST" into the search or Run box. This launches the wbemtest tool.
Click Connect and you will be prompted for the namespace to query. This is typically either:
\\<hostname>\root\cimv2
\\<ip address>\root\cimv2
Provide the username and password for the user that has permissions to access WMI on the target machine.
If the connection is established, this will succeed silently and the Connect dialogue will disappear.
You will then be presented with the series of services associated with WBEM.
Click Query…
Enter "SELECT * FROM Win32_DiskDrive"
Click Apply
The results of the WMI query will be displayed, showing that basic connectivity is available.
Commands on the Appliance
Once basic connectivity to a target device has been established with the WBEMTEST tool, test commands can also be run from the appliance to execute WMI commands and a number of other remote queries.
...
Note this ID value and insert it into the command lines below in place of <container-id>.
WMI Query:
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_query.py -server <ip> -username <user> -password <pass> -query 'SELECT SERIALNUMBER FROM Win32_BIOS'"
...
{
  "domain": ".",
  "execution_result": {
    "query_results": [
      {
        "SerialNumber": {
          "inherited": 16384,
          "inherited_default": false,
          "name": "SerialNumber",
          "null_default": false,
          "order": 0,
          "qualifiers": {
            "CIMTYPE": "string",
            "Mappingstrings": [
              "MIF.DMTF|ComponentID|001.4"
            ],
            "Maxlen": 64,
            "read": "True"
          },
          "stype": "string",
          "type": 16392,
          "value": "VMware-42 37 d5 25 f7 77 29 16-0e c4 af db 5e f7 93 1b"
        }
      }
    ]
  },
  "namespace": "//./root/cimv2",
  "password": "xxxxxx",
  "query": "SELECT SERIALNUMBER FROM Win32_BIOS",
  "rpc_auth_level": "privacy",
  "server": "xxxxxxxx",
  "username": "xxxxxxxx"
}
SMB:
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/get_file_smb.py -server <ip> -username <user> -password <pass> -file -query 'C$:\Windows\win.ini'"
...
b'; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1\r\n'
Remote Registry:
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_exec.py -server <ip> -username <user> -password <pass> -command 'REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME'"
...
{
  "codec": "850",
  "command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
  "command_results": {
    "end_date": 1678877382342,
    "executed_command": "cmd.exe /Q /C REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME 1> %SYSTEMROOT%\\Temp\\8ac79afb-998d-41c9-a59b-0455e796f5d7.stdOut 2> %SYSTEMROOT%\\Temp\\8ac79afb-998d-41c9-a59b-0455e796f5d7.stdErr",
    "raw_command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
    "start_date": 1678877380224,
    "std_err": "",
    "std_out": "\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\n HOSTNAME REG_SZ VM-Cassandra1\r\n\r\n"
  },
  "cwd": "C:\\",
  "domain": ".",
  "output": "8ac79afb-998d-41c9-a59b-0455e796f5d7",
  "password": "xxxxxxxx",
  "port": "445",
  "server": "xxxxxxx",
  "share": "ADMIN$",
  "username": "xxxxxxxx",
  "wait": 2
}
Remote Command:
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_exec.py -server <ip> -username <user> -password <pass> -command 'netstat -ano'"
...
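The JSON that wmi_query.py and wmi_exec.py print above is easier to check mechanically than by eye. The following is an added example, not part of this page or of the appliance scripts, that parses output of the same shape, pulls out the returned property values (or the REG QUERY value from std_out), and flags the cases a reviewer should care about: an rpc_auth_level other than "privacy" (packet privacy, meaning the WMI traffic is not encrypted) and anything written to std_err. The embedded samples are constructed from the page's output with credential fields trimmed.

```python
import json

# Constructed samples shaped like the wmi_query.py / wmi_exec.py JSON shown on this page
# (credential fields left as placeholders, qualifier metadata trimmed).
WMI_QUERY_OUTPUT = json.dumps({
    "execution_result": {"query_results": [{"SerialNumber": {
        "name": "SerialNumber", "stype": "string",
        "value": "VMware-42 37 d5 25 f7 77 29 16-0e c4 af db 5e f7 93 1b"}}]},
    "namespace": "//./root/cimv2", "query": "SELECT SERIALNUMBER FROM Win32_BIOS",
    "rpc_auth_level": "privacy", "server": "xxxxxxxx", "username": "xxxxxxxx",
})
WMI_EXEC_OUTPUT = json.dumps({
    "command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
    "command_results": {"std_err": "", "std_out":
        "\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\n"
        "    HOSTNAME    REG_SZ    VM-Cassandra1\r\n\r\n"},
    "share": "ADMIN$", "port": "445", "server": "xxxxxxx",
})


def check_wmi_query(raw):
    """Parse wmi_query.py output: returned property values plus warnings."""
    doc = json.loads(raw)
    warnings = []
    # "privacy" is DCOM packet privacy (authenticated and encrypted); any weaker
    # level means query results cross the network unencrypted.
    if doc.get("rpc_auth_level") != "privacy":
        warnings.append("rpc_auth_level is %r, not 'privacy'" % doc.get("rpc_auth_level"))
    rows = doc.get("execution_result", {}).get("query_results", [])
    values = {name: col.get("value") for row in rows for name, col in row.items()}
    if not values:
        warnings.append("query returned no rows")
    return {"ok": bool(values), "values": values, "warnings": warnings}


def check_reg_query(raw):
    """Parse wmi_exec.py output of a REG QUERY into {value_name: data}."""
    doc = json.loads(raw)
    res = doc.get("command_results", {})
    warnings = ["std_err: " + res["std_err"].strip()] if res.get("std_err") else []
    found = {}
    for line in res.get("std_out", "").splitlines():
        parts = line.split()  # e.g. "    HOSTNAME    REG_SZ    VM-Cassandra1"
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            found[parts[0]] = " ".join(parts[2:])
    return {"ok": bool(found) and not warnings, "values": found, "warnings": warnings}


if __name__ == "__main__":
    for label, result in (("WMI", check_wmi_query(WMI_QUERY_OUTPUT)),
                          ("REG", check_reg_query(WMI_EXEC_OUTPUT))):
        print(label, "OK" if result["ok"] else "FAILED", result["values"], result["warnings"])
```

Pipe the real output of the docker exec commands into these functions in place of the constructed samples; a FAILED result with an empty std_out and an access-denied std_err is the same symptom as the "WMI Access denied" error seen in wbemtest.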