Comment: Add instructions for updating wmic with newer wmic.py

...

  • Proper physical connection should be verified.
  • Firewall Policies should be reviewed to verify that ICMP messages are allowed.


Note

Firewalls can be configured to block packets from ping. If a remote host does not respond to ping requests, it is possible that it is up and running normally, but ignoring ping requests.

Troubleshooting SNMP

To obtain information from the monitored device via SNMP, the device must be correctly configured for this purpose. The most common items to check on the device side are:

...

  • Is the WMI service running?
  • The network and firewalls must be configured to allow WMI traffic.
  • WMI connections generally negotiate dynamic ports, following an initial conversation on TCP port 135.

Newer versions of Windows that are fully patched may run into connection/access issues with the version of wmic that ships with NMIS. An error like the following indicates this problem is occurring:

Code Block
[librpc/rpc/dcerpc_util.c:1290:dcerpc_pipe_auth_recv()] Failed to bind to
uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT
status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied

A replacement wmic application is available that implements the required security protocols, allowing WMI collection to continue working.

Code Block
# download wmic.py from https://github.com/simply42/check_wmi_plus_wmic_dropin
# copy wmic.py onto the box
scp wmic.py user@box:~/

# make sure python3, pip and the script's dependencies are available; apt instructions would be very similar
sudo yum install python3
sudo pip3 install --upgrade pip
sudo pip3 install impacket

#move old wmic out of the way and put in the new one
sudo mv /usr/local/nmis9/bin/wmic /usr/local/nmis9/bin/wmic-orig-2023-05-23
sudo mv ~/wmic.py /usr/local/nmis9/bin/
sudo ln -s /usr/local/nmis9/bin/wmic.py /usr/local/nmis9/bin/wmic
sudo chown nmis:nmis /usr/local/nmis9/bin/wmic.py
sudo chmod u+x /usr/local/nmis9/bin/wmic.py

# verify wmic runs:
sudo /usr/local/nmis9/bin/wmic
#usage: wmic [-h] [-U USERNAME] [-A AUTHFILE] [-v] [-n NAMESPACE]
#            [-d DELIMITER]
#            host query
#wmic: error: the following arguments are required: host, query
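
A hardened variant of the replacement steps above, added here as an example (it is not part of the original page or of NMIS): it installs the downloaded wmic.py only when its SHA-256 matches a value the operator recorded after reviewing the file. The function name `install_wmic_dropin`, its arguments and the `.new` temporary name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not NMIS code. Hypothetical helper:
#   install_wmic_dropin SRC EXPECTED_SHA256 [BIN_DIR] [OWNER]
# e.g. install_wmic_dropin ~/wmic.py <sha256-of-reviewed-file> /usr/local/nmis9/bin nmis:nmis
install_wmic_dropin() {
    src=$1
    expected=$2
    bin_dir=${3:-/usr/local/nmis9/bin}   # install path used on this page
    owner=${4:-}                         # e.g. nmis:nmis; empty skips chown

    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }

    # Refuse anything that is not byte-for-byte the file that was reviewed.
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src (got $actual)" >&2
        return 1
    fi

    # Move the shipped binary aside under a dated name. A symlink means the
    # replacement is already in place, so there is nothing to back up.
    if [ -e "$bin_dir/wmic" ] && [ ! -L "$bin_dir/wmic" ]; then
        mv "$bin_dir/wmic" "$bin_dir/wmic-orig-$(date +%Y-%m-%d)" || return 3
    fi

    # Copy under a temporary name, then rename, so an interrupted copy
    # never leaves a half-written script at the final path.
    cp "$src" "$bin_dir/wmic.py.new" || return 3
    chmod u+x "$bin_dir/wmic.py.new" || return 3
    if [ -n "$owner" ]; then
        chown "$owner" "$bin_dir/wmic.py.new" || return 3
    fi
    mv "$bin_dir/wmic.py.new" "$bin_dir/wmic.py" || return 3

    # Point the name NMIS calls at the new script.
    ln -sf "$bin_dir/wmic.py" "$bin_dir/wmic" || return 3
    return 0
}
```

Record the expected hash from the copy of wmic.py that was reviewed, and keep it with the change record so a later reinstall uses the same file.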


Test WMI availability and credentials

...