Comment: Add instructions for updating wmic with newer wmic.py

...

  • Is the WMI service running?
  • Network devices and firewalls must be configured to let WMI traffic pass.
  • WMI access is generally negotiated onto dynamic ports (following an initial conversation on TCP port 135).

Newer versions of Windows that are fully patched may run into connection/access issues with the version of wmic that ships with NMIS. An error like the following indicates this problem is occurring:

Code Block
[librpc/rpc/dcerpc_util.c:1290:dcerpc_pipe_auth_recv()] Failed to bind to uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied
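
To tell this failure apart from an ordinary denial when reviewing collection logs, the signature above can be matched mechanically. This is an added example, not part of NMIS or wmic.py; the function name, the verdict strings and samples 2 and 3 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not NMIS or wmic.py code: triage stderr from the stock wmic.
# Signature strings are copied from the error shown above.
BIND_UUID='4d9f4ab8-7d1c-11cf-861e-0020af6e7c57'

# Reads wmic stderr on stdin and prints one verdict (names are hypothetical):
#   needs-replacement  bind to BIND_UUID hit NET_WRITE_FAULT and login was denied
#   access-denied      denied without the bind fault (assumption: check the
#                      account and its WMI permissions first)
#   other              no known signature; work through the checklist above
classify_wmic_error() {
    # Long messages may arrive wrapped, so flatten to one line before matching.
    flat=$(tr '\n' ' ')
    bind_fault=no denied=no
    case $flat in
        *"Failed to bind to uuid $BIND_UUID - NT_STATUS_NET_WRITE_FAULT"*) bind_fault=yes ;;
    esac
    # c0000022 is the numeric form of NT_STATUS_ACCESS_DENIED.
    case $flat in
        *NT_STATUS_ACCESS_DENIED*|*"(c0000022)"*) denied=yes ;;
    esac
    if [ "$bind_fault" = yes ] && [ "$denied" = yes ]; then
        echo needs-replacement
    elif [ "$denied" = yes ]; then
        echo access-denied
    else
        echo other
    fi
}

# Constructed sample 1: the error from this page, here with long lines wrapped.
SAMPLE_PAGE_ERROR='[librpc/rpc/dcerpc_util.c:1290:dcerpc_pipe_auth_recv()] Failed to bind to
uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 - NT_STATUS_NET_WRITE_FAULT
[librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT
status (c0000022) in dcerpc_pipe_connect_b_recv
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied'
# Constructed samples 2 and 3: a plain denial and an unrelated failure.
SAMPLE_DENIED='[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied'
SAMPLE_OTHER='NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT'

for s in "$SAMPLE_PAGE_ERROR" "$SAMPLE_DENIED" "$SAMPLE_OTHER"; do
    printf '%s\n' "$s" | classify_wmic_error
done
```

Only the first verdict points at the wmic binary itself; the other two lead back to the connectivity and credential checks.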

A replacement wmic application is available that implements the required security protocols, allowing WMI to continue working.

Code Block
# Download wmic.py from https://github.com/simply42/check_wmi_plus_wmic_dropin
# Copy wmic.py onto the box
scp wmic.py user@box:~/

# Make sure python, pip and the script's dependencies are available (apt instructions would be very similar)
sudo yum install python3
sudo pip3 install --upgrade pip
sudo pip3 install impacket

# Move the old wmic out of the way and put the new one in place
sudo mv /usr/local/nmis9/bin/wmic /usr/local/nmis9/bin/wmic-orig-2023-05-23
sudo mv ~/wmic.py /usr/local/nmis9/bin/
sudo ln -s /usr/local/nmis9/bin/wmic.py /usr/local/nmis9/bin/wmic
sudo chown nmis:nmis /usr/local/nmis9/bin/wmic.py
sudo chmod u+x /usr/local/nmis9/bin/wmic.py

# Verify that wmic runs (with no arguments it prints its usage and an error):
sudo /usr/local/nmis9/bin/wmic
#usage: wmic [-h] [-U USERNAME] [-A AUTHFILE] [-v] [-n NAMESPACE]
#            [-d DELIMITER]
#            host query
#wmic: error: the following arguments are required: host, query


Test WMI availability and credentials

...