Introduction
Remote access to Windows machines uses several protocols that must be reachable from the appliance; this is one of the prerequisites for the CAM tool to run correctly. The four access methods used are:
- WMI
- Remote Registry
- SMB
- Remote Command
By default, only members of the local Administrators group can access WMI remotely. If you use a standard domain user account, the connectivity test fails with a "WMI Access denied" error. The user must be explicitly configured to allow remote WMI access.
Once a user with the appropriate privileges has been created, there are some simple diagnostic methods to confirm that the required connectivity is available.
WBEMTEST Tool
See "Validate CloudSphere Credential has the right permissions to access WMI" for information about the WBEMTEST tool.
Commands on the Appliance
Once the basic connectivity of a target device has been established using the WBEMTEST tool, it is also possible to run test commands from the appliance to execute WMI commands and a number of other remote queries.
As the appliance software is containerized, it is necessary to execute the required command through a specific container on the appliance. The ID of this container is required in subsequent commands. To get the container id value, execute the following command when logged into a shell on the appliance.
% sudo docker ps -f "name=docker_appliance-server*" --format "{{.ID}}"
Example output:
6f2294adae77
Note this ID value and insert it into command lines in place of the <container-id> tag.
The complete list of placeholders used in the following commands is:
- <container-id> - the Docker appliance container ID obtained above
- -server <ip> - the IP address of the target server
- -username <user> - the username for the login
- -password <pass> - the password for this user
- -domain <domain> - if the login is associated with a specific domain, specify it with this parameter
WMI Query
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_query.py -server <ip> -username <user> -password <pass> -query 'SELECT SERIALNUMBER FROM Win32_BIOS'"
Example Result
{
  "domain": ".",
  "execution_result": {
    "query_results": [
      {
        "SerialNumber": {
          "inherited": 16384,
          "inherited_default": false,
          "name": "SerialNumber",
          "null_default": false,
          "order": 0,
          "qualifiers": {
            "CIMTYPE": "string",
            "Mappingstrings": [ "MIF.DMTF|ComponentID|001.4" ],
            "Maxlen": 64,
            "read": "True"
          },
          "stype": "string",
          "type": 16392,
          "value": "VMware-42 37 d5 25 f7 77 29 16-0e c4 af db 5e f7 93 1b"
        }
      }
    ]
  },
  "namespace": "//./root/cimv2",
  "password": "xxxxxx",
  "query": "SELECT SERIALNUMBER FROM Win32_BIOS",
  "rpc_auth_level": "privacy",
  "server": "xxxxxxxx",
  "username": "xxxxxxxx"
}
SMB
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/get_file_smb.py -server <ip> -username <user> -password <pass> -file 'C$:\Windows\win.ini'"
Example Result
b'; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n[files]\r\n[Mail]\r\nMAPI=1\r\n'
Remote Registry
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_exec.py -server <ip> -domain <domain> -username <user> -password <pass> -command 'REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v Hostname'"
Example Result
{
  "codec": "850",
  "command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
  "command_results": {
    "end_date": 1678877382342,
    "executed_command": "cmd.exe /Q /C REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME 1> %SYSTEMROOT%\\Temp\\8ac79afb-998d-41c9-a59b-0455e796f5d7.stdOut 2> %SYSTEMROOT%\\Temp\\8ac79afb-998d-41c9-a59b-0455e796f5d7.stdErr",
    "raw_command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
    "start_date": 1678877380224,
    "std_err": "",
    "std_out": "\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\n HOSTNAME REG_SZ VM-Cassandra1\r\n\r\n"
  },
  "cwd": "C:\\",
  "domain": ".",
  "output": "8ac79afb-998d-41c9-a59b-0455e796f5d7",
  "password": "xxxxxxxx",
  "port": "445",
  "server": "xxxxxxx",
  "share": "ADMIN$",
  "username": "xxxxxxxx",
  "wait": 2
}
Remote Command
% sudo docker exec -it <container-id> bash -c "/opt/iqas/server/tmp/scripts/wmi_exec.py -server <ip> -username <user> -password <pass> -command 'netstat -ano'"
Example Result
{
  "codec": "850",
  "command": "netstat -ano",
  "command_results": {
    "end_date": 1678877604784,
    "executed_command": "cmd.exe /Q /C netstat -ano 1> %SYSTEMROOT%\\Temp\\8afa1cfb-0835-4493-aca7-86b850c325eb.stdOut 2> %SYSTEMROOT%\\Temp\\8afa1cfb-0835-4493-aca7-86b850c325eb.stdErr",
    "raw_command": "netstat -ano",
    "start_date": 1678877602635,
    "std_err": "",
    "std_out": "\r\nActive Connections\r\n\r\n Proto Local Address Foreign Address State PID\r\n ..... Network Connections are here ......\r\n"
  },
  "cwd": "C:\\",
  "domain": ".",
  "output": "8afa1cfb-0835-4493-aca7-86b850c325eb",
  "password": "xxxxxxx",
  "port": "445",
  "server": "xxxxxxxx",
  "share": "ADMIN$",
  "username": "xxxxxxx",
  "wait": 2
}
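When these checks are run against more than a handful of servers, reading the raw JSON by eye does not scale. The following is an added example, not code from the page or from the CloudSphere appliance, that parses the two result shapes shown above (the wmi_query.py result and the wmi_exec.py result for the Remote Registry and Remote Command checks) and reduces each to a pass/fail plus the extracted value. The field names are taken from the example results on this page; the sample JSON in the block is constructed to mirror those shapes, with made-up values. One assumption is built in: since the wmi_exec.py result carries no exit-code field, a non-empty std_err is treated as the signal that the remote command failed.

```python
"""Parse appliance connectivity-test results (added example, not product code).

Field names follow the example results on the page; the sample documents
below are constructed to mirror those shapes and are not real captures.
"""
import json
import re

# Constructed sample of a wmi_query.py result (same shape as the page's WMI Query output).
WMI_RESULT = json.dumps({
    "domain": ".",
    "execution_result": {
        "query_results": [
            {"SerialNumber": {"name": "SerialNumber", "stype": "string",
                              "type": 16392, "value": "VMware-42 37 d5 25"}}
        ]
    },
    "namespace": "//./root/cimv2",
    "query": "SELECT SERIALNUMBER FROM Win32_BIOS",
    "rpc_auth_level": "privacy",
    "server": "10.0.0.5",        # constructed
    "username": "svc_cam",       # constructed
    "password": "xxxxxx",        # the script masks this itself
})

# Constructed sample of a wmi_exec.py result for the Remote Registry check.
EXEC_RESULT = json.dumps({
    "codec": "850",
    "command": "REG QUERY HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters /v HOSTNAME",
    "command_results": {
        "start_date": 1678877380224,
        "end_date": 1678877382342,
        "std_err": "",
        "std_out": ("\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
                    "\r\n    HOSTNAME    REG_SZ    VM-Cassandra1\r\n\r\n"),
    },
    "share": "ADMIN$",
    "port": "445",
})

# Constructed failure case: the command reached the target but was refused.
EXEC_DENIED = json.dumps({
    "codec": "850",
    "command": "netstat -ano",
    "command_results": {"start_date": 1, "end_date": 2,
                        "std_err": "ERROR: Access is denied.\r\n", "std_out": ""},
})


def wmi_values(result_json):
    """Return one {property_name: value} dict per row of a wmi_query.py result,
    dropping the CIM qualifier metadata that surrounds each value."""
    data = json.loads(result_json)
    rows = data["execution_result"]["query_results"]
    return [{name: prop["value"] for name, prop in row.items()} for row in rows]


def exec_output(result_json):
    """Return (std_out, std_err, elapsed_ms) from a wmi_exec.py result.
    start_date/end_date are epoch milliseconds in the page's examples."""
    cr = json.loads(result_json)["command_results"]
    return cr["std_out"], cr["std_err"], cr["end_date"] - cr["start_date"]


# A REG QUERY value line is indented: "<name>  <REG_TYPE>  <data>".
_REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(std_out):
    """Parse REG QUERY text output into {value_name: (reg_type, data)}.
    The unindented key-path line and blank lines are skipped."""
    values = {}
    for line in std_out.splitlines():
        m = _REG_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def check_exec(result_json):
    """Classify a wmi_exec.py result as 'ok' or 'failed'.
    Assumption: the result has no exit-code field, so a non-empty std_err
    is taken as the indication that the remote command did not succeed."""
    _out, err, _ms = exec_output(result_json)
    return "failed" if err.strip() else "ok"


if __name__ == "__main__":
    print("WMI:", wmi_values(WMI_RESULT))
    out, _, ms = exec_output(EXEC_RESULT)
    print("Remote Registry:", check_exec(EXEC_RESULT), parse_reg_query(out), f"{ms} ms")
    print("Remote Command:", check_exec(EXEC_DENIED))
```

In practice the JSON fed to these functions is whatever the docker exec command prints; the password field is already masked by the appliance scripts, so the parsed results can be logged without leaking the credential.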