Introduction

Remote access to Windows machines is carried out over a number of protocols that must be available, as part of the prerequisites for the CAM tool to execute correctly. The four access methods used are:

  • WMI

  • Remote Registry

  • SMB

  • Remote Command

By default, only local administrators can access WMI remotely. If you use a standard domain user account, you will get a "WMI Access denied" error when testing connectivity. The user must be configured to allow WMI access.

Once a user with the appropriate privileges has been created, there are some simple diagnostic methods to establish that the required connectivity is available.

WBEMTEST Tool

To confirm that the credentials used by the appliance are valid, the customer will need to use the wbemtest tool to connect to the target with the same credentials the appliance uses to scan the target server.

  1. Go to Start and type "WBEMTEST" into the search or Run box. This launches the wbemtest tool.

  2. Click the Connect button. You will be prompted for the namespace to be queried, which is typically one of:

    1. \\<hostname>\root\cimv2

    2. \\<ip address>\root\cimv2

  3. Provide the username and password of the user that has permission to access WMI on the target machine.

  4. If the connection is established, it succeeds silently and the Connect dialogue disappears.

  5. The main window then presents the series of WBEM-associated services.

  6. Click Query…

  7. Enter "SELECT * FROM Win32_DiskDrive"

  8. Click Apply.

  9. The results of the WMI query are displayed, showing that basic connectivity is available.

Commands on the Appliance

Once basic connectivity to a target device has been established with the WBEMTEST tool, test commands can also be run from the appliance to execute WMI queries and a number of other remote checks.

As the appliance software is containerised, the required command must be executed through a specific container on the appliance. The ID of this container is needed in the subsequent commands. To get the container ID value, execute the following command when logged into a shell on the appliance.

Code Block
% sudo docker ps -f "name=docker_appliance-server*" --format "{{.ID}}"

Example output:

Code Block
6f2294adae77


Note this ID value and insert it into the command lines below in place of the <container-id> tag.
The complete list of placeholders in the following commands is:

  • <container-id> - the docker appliance container ID

  • -server <ip> - the IP address of the target server

  • -username <user> - the username for the login

  • -password <pass> - the password for this user

  • -domain <domain> - If the login is associated with a specific domain, specify it using this parameter

WMI Query

Code Block
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_query.py -server <ip> -username <user> -password <pass> -query 'SELECT SERIALNUMBER FROM Win32_BIOS'"

Example Result

Code Block
{
    "domain": ".",
    "execution_result": {
        "query_results": [
            {
                "SerialNumber": {
                    "inherited": 16384,
                    "inherited_default": false,
                    "name": "SerialNumber",
                    "null_default": false,
                    "order": 0,
                    "qualifiers": {
                        "CIMTYPE": "string",
                        "Mappingstrings": [
                            "MIF.DMTF|ComponentID|001.4"
                        ],
                        "Maxlen": 64,
                        "read": "True"
                    },
                    "stype": "string",
                    "type": 16392,
                    "value": "VMware-42 37 d5 25 f7 77 29 16-0e c4 af db 5e f7 93 1b"
                }
            }
        ]
    },
    "namespace": "//./root/cimv2",
    "password": "xxxxxx",
    "query": "SELECT SERIALNUMBER FROM Win32_BIOS",
    "rpc_auth_level": "privacy",
    "server": "xxxxxxxx",
    "username": "xxxxxxxx"
}

SMB

Code Block
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/get_file_smb.py -server <ip> -username <user> -password <pass> -query 'C$:\Windows\win.ini'"

Example Result

Code Block
b'; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1\r\n'

Remote Registry

This check runs REG QUERY on the target through the same remote-command mechanism as the next section (cmd.exe launched over the ADMIN$ share on port 445, as the example result shows), so a successful result confirms that registry values can be read by that route.

Code Block
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_exec.py -server <ip> -username <user> -password <pass> -command 'REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME'"

Example Result

Code Block
{
    "codec": "850",
    "command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
    "command_results": {
        "end_date": 1678877382342,
        "executed_command": "cmd.exe /Q /C REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME 1> %SYSTEMROOT%\\Temp\\8ac79afb-998d-41c9-a59b-0455e796f5d7.stdOut 2> %SYSTEMROOT%\\Temp\\8ac79afb-998d-41c9-a59b-0455e796f5d7.stdErr",
        "raw_command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
        "start_date": 1678877380224,
        "std_err": "",
        "std_out": "\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\n    HOSTNAME    REG_SZ    VM-Cassandra1\r\n\r\n"
    },
    "cwd": "C:\\",
    "domain": ".",
    "output": "8ac79afb-998d-41c9-a59b-0455e796f5d7",
    "password": "xxxxxxxx",
    "port": "445",
    "server": "xxxxxxx",
    "share": "ADMIN$",
    "username": "xxxxxxxx",
    "wait": 2
}

Remote Command

Code Block
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_exec.py -server <ip> -username <user> -password <pass> -command 'netstat -ano'"

Example Result

Code Block
{
    "codec": "850",
    "command": "netstat -ano",
    "command_results": {
        "end_date": 1678877604784,
        "executed_command": "cmd.exe /Q /C netstat -ano 1> %SYSTEMROOT%\\Temp\\8afa1cfb-0835-4493-aca7-86b850c325eb.stdOut 2> %SYSTEMROOT%\\Temp\\8afa1cfb-0835-4493-aca7-86b850c325eb.stdErr",
        "raw_command": "netstat -ano",
        "start_date": 1678877602635,
        "std_err": "",
        "std_out": "\r\nActive Connections\r\n\r\n  Proto  Local Address          Foreign Address        State           PID\r\n ..... Network Connections are here ......\r\n"
    },
    "cwd": "C:\\",
    "domain": ".",
    "output": "8afa1cfb-0835-4493-aca7-86b850c325eb",
    "password": "xxxxxxx",
    "port": "445",
    "server": "xxxxxxxx",
    "share": "ADMIN$",
    "username": "xxxxxxx",
    "wait": 2
}
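As an added example (not the appliance's own code), the following Python harness wraps the checks above: it validates the container ID returned by docker ps, passes the script arguments as an argv list so none of the bash -c quoting is needed, and reads the relevant fields out of the JSON the scripts print. The script paths and flags are the ones shown on this page; the wrapper function names and the sample outputs are assumptions constructed for the example.

```python
import json
import re
import subprocess

# Hypothetical wrapper around the appliance test scripts; not the appliance's own code.
SCRIPTS = "/opt/iqas/server/tmp/scripts"
CONTAINER_FILTER = "name=docker_appliance-server*"

# Constructed sample outputs, cut down to the fields checked below (same shape as the results above).
SAMPLE_PS = "6f2294adae77\n"
SAMPLE_WMI = '{"execution_result": {"query_results": [{"SerialNumber": {"value": "VMware-42 37 d5"}}]}}'
SAMPLE_EXEC = '{"command_results": {"std_err": "", "std_out": "    HOSTNAME    REG_SZ    VM-Cassandra1\\r\\n"}}'

def container_id_from_ps(ps_output: str) -> str:
    """Parse `docker ps ... --format '{{.ID}}'` output: exactly one 12-hex id is expected."""
    ids = [line.strip() for line in ps_output.splitlines() if line.strip()]
    if len(ids) != 1 or not re.fullmatch(r"[0-9a-f]{12}", ids[0]):
        raise RuntimeError(f"expected exactly one appliance container id, got {ids!r}")
    return ids[0]

def wmi_value(result_json: str, prop: str) -> str:
    """Pull a property value out of a wmi_query.py result (first row only)."""
    rows = json.loads(result_json)["execution_result"]["query_results"]
    if not rows:
        raise RuntimeError("WMI query returned no rows")
    return rows[0][prop]["value"]

def exec_stdout(result_json: str) -> str:
    """Return stdout of a wmi_exec.py result; anything on stderr counts as a failure."""
    res = json.loads(result_json)["command_results"]
    if res["std_err"]:
        raise RuntimeError("remote command failed: " + res["std_err"])
    return res["std_out"]

def docker_exec(container_id: str, script: str, *args: str) -> str:
    """Run one test script inside the container; argv form needs no bash -c quoting."""
    cmd = ["sudo", "docker", "exec", container_id, f"{SCRIPTS}/{script}", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def run_checks(ip: str, user: str, password: str) -> dict:
    """Run the WMI, SMB and remote-command checks against one target (needs the appliance)."""
    ps_cmd = ["sudo", "docker", "ps", "-f", CONTAINER_FILTER, "--format", "{{.ID}}"]
    cid = container_id_from_ps(subprocess.run(ps_cmd, capture_output=True, text=True, check=True).stdout)
    creds = ["-server", ip, "-username", user, "-password", password]
    wmi = docker_exec(cid, "wmi_query.py", *creds, "-query", "SELECT SERIALNUMBER FROM Win32_BIOS")
    smb = docker_exec(cid, "get_file_smb.py", *creds, "-query", r"C$:\Windows\win.ini")
    reg = docker_exec(cid, "wmi_exec.py", *creds, "-command",
                      r"REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v HOSTNAME")
    return {"wmi_serial": wmi_value(wmi, "SerialNumber"), "smb_win_ini": smb, "hostname": exec_stdout(reg)}
```

The parsing functions can be exercised offline against the constructed samples; run_checks itself only works from a shell on the appliance.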