Accessing WMI through a firewall - which ports are required?


Published on March 2nd 2016 - Listed in Nagios Icinga Monitoring Windows Linux


As I previously wrote, I'm working on an internal Icinga 2 auto-config tool. For the Windows hosts, I use the wmic command to access the remote hosts and gather information.

In the internal networks (without firewall) everything worked well. But as soon as I tried to add hosts in the DMZ (therefore passing through the firewall), the WMI connection didn't work. Prior to my tests I already asked to open tcp port 135 as this seems to be the port on which WMI listens. Kind of.

A tcpdump showed that wmic is not only talking to tcp/135. A non-successful attempt shows a connection to tcp/135 at first, but then switches to a high port (tcp/49154):

tcpdump host windowstarget
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:59:47.355251 IP icingahost.59472 > windowstarget.135: Flags [S], seq 3719360348, win 29200, options [mss 1460,sackOK,TS val 258933120 ecr 0,nop,wscale 7], length 0
13:59:47.357135 IP windowstarget.135 > icingahost.59472: Flags [S.], seq 2335876244, ack 3719360349, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406805145 ecr 258933120], length 0
13:59:47.357150 IP icingahost.59472 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 258933120 ecr 406805145], length 0
13:59:47.357210 IP icingahost.59472 > windowstarget.135: Flags [P.], seq 1:73, ack 1, win 229, options [nop,nop,TS val 258933120 ecr 406805145], length 72
13:59:47.359327 IP windowstarget.135 > icingahost.59472: Flags [P.], seq 1:61, ack 73, win 514, options [nop,nop,TS val 406805145 ecr 258933120], length 60
13:59:47.359339 IP icingahost.59472 > windowstarget.135: Flags [.], ack 61, win 229, options [nop,nop,TS val 258933121 ecr 406805145], length 0
13:59:47.359477 IP icingahost.59472 > windowstarget.135: Flags [P.], seq 73:97, ack 61, win 229, options [nop,nop,TS val 258933121 ecr 406805145], length 24
13:59:47.361180 IP windowstarget.135 > icingahost.59472: Flags [P.], seq 61:89, ack 97, win 514, options [nop,nop,TS val 406805145 ecr 258933121], length 28
13:59:47.361249 IP icingahost.59473 > windowstarget.135: Flags [S], seq 1146043338, win 29200, options [mss 1460,sackOK,TS val 258933121 ecr 0,nop,wscale 7], length 0
13:59:47.363007 IP windowstarget.135 > icingahost.59473: Flags [S.], seq 1340072778, ack 1146043339, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406805145 ecr 258933121], length 0
13:59:47.363020 IP icingahost.59473 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 258933122 ecr 406805145], length 0
13:59:47.363117 IP icingahost.59473 > windowstarget.135: Flags [P.], seq 1:174, ack 1, win 229, options [nop,nop,TS val 258933122 ecr 406805145], length 173
13:59:47.365113 IP windowstarget.135 > icingahost.59473: Flags [P.], seq 1:304, ack 174, win 514, options [nop,nop,TS val 406805145 ecr 258933122], length 303
13:59:47.365128 IP icingahost.59473 > windowstarget.135: Flags [.], ack 304, win 237, options [nop,nop,TS val 258933122 ecr 406805145], length 0
13:59:47.365340 IP icingahost.59473 > windowstarget.135: Flags [P.], seq 174:458, ack 304, win 237, options [nop,nop,TS val 258933122 ecr 406805145], length 284
13:59:47.373234 IP windowstarget.135 > icingahost.59473: Flags [P.], seq 304:377, ack 458, win 513, options [nop,nop,TS val 406805145 ecr 258933122], length 73
13:59:47.373316 IP icingahost.59473 > windowstarget.135: Flags [P.], seq 458:618, ack 377, win 237, options [nop,nop,TS val 258933124 ecr 406805145], length 160
13:59:47.375709 IP windowstarget.135 > icingahost.59473: Flags [P.], seq 377:1189, ack 618, win 512, options [nop,nop,TS val 406805145 ecr 258933124], length 812
13:59:47.375783 IP icingahost.59473 > windowstarget.135: Flags [F.], seq 618, ack 1189, win 250, options [nop,nop,TS val 258933125 ecr 406805145], length 0
13:59:47.375802 IP icingahost.59472 > windowstarget.135: Flags [F.], seq 97, ack 89, win 229, options [nop,nop,TS val 258933125 ecr 406805145], length 0
13:59:47.375851 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258933125 ecr 0,nop,wscale 7], length 0
13:59:47.377410 IP windowstarget.135 > icingahost.59473: Flags [.], ack 619, win 512, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377469 IP windowstarget.135 > icingahost.59473: Flags [F.], seq 1189, ack 619, win 512, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377480 IP icingahost.59473 > windowstarget.135: Flags [.], ack 1190, win 250, options [nop,nop,TS val 258933125 ecr 406805147], length 0
13:59:47.377489 IP windowstarget.135 > icingahost.59472: Flags [.], ack 98, win 514, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377533 IP windowstarget.135 > icingahost.59472: Flags [F.], seq 89, ack 98, win 514, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377541 IP icingahost.59472 > windowstarget.135: Flags [.], ack 90, win 229, options [nop,nop,TS val 258933125 ecr 406805147], length 0
13:59:48.374512 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258933375 ecr 0,nop,wscale 7], length 0
13:59:50.378512 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258933876 ecr 0,nop,wscale 7], length 0
13:59:54.386509 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258934878 ecr 0,nop,wscale 7], length 0
^C
30 packets captured
31 packets received by filter
0 packets dropped by kernel

After a couple of rechecks it seems that this high port always stays the same. After three retries it was always tcp/49154 on which wmic tried to launch the WQL queries.
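To make a capture like the one above easier to read, here is an added example (not code from the post or from wmic): a small Python script that parses tcpdump lines and reports, per destination port, how many SYNs the client sent and whether a SYN-ACK ever came back, which is exactly the pattern above (tcp/135 answered, tcp/49154 never answered). The sample lines are constructed from the capture above, and the host names icingahost and windowstarget are assumed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the capture in the post: the client reaches the
# endpoint mapper on tcp/135, is redirected to tcp/49154 and then retries SYNs there
# without ever receiving a SYN-ACK (the firewall silently drops them).
SAMPLE = """\
13:59:47.355251 IP icingahost.59472 > windowstarget.135: Flags [S], seq 3719360348, win 29200, length 0
13:59:47.357135 IP windowstarget.135 > icingahost.59472: Flags [S.], seq 2335876244, ack 3719360349, win 8192, length 0
13:59:47.357150 IP icingahost.59472 > windowstarget.135: Flags [.], ack 1, win 229, length 0
13:59:47.375851 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, length 0
13:59:48.374512 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, length 0
13:59:50.378512 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, length 0
"""

# Matches the default tcpdump TCP line format: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_tcpdump(text):
    """Yield (src, sport, dst, dport, flags) for every line that looks like a tcpdump TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def syn_summary(text, client):
    """Per (server, port) contacted by `client`: (number of SYNs sent, whether a SYN-ACK came back)."""
    syns = defaultdict(int)
    synacks = set()
    for src, sport, dst, dport, flags in parse_tcpdump(text):
        if src == client and flags == "S":          # plain SYN from the client
            syns[(dst, dport)] += 1
        elif dst == client and flags == "S.":       # SYN-ACK from the server side
            synacks.add((src, sport))
    return {key: (n, key in synacks) for key, n in syns.items()}

def blocked_ports(text, client):
    """Sorted list of (server, port) that received SYNs from `client` but never answered."""
    return sorted(k for k, (_, answered) in syn_summary(text, client).items() if not answered)

if __name__ == "__main__":
    for (host, port), (n, answered) in sorted(syn_summary(SAMPLE, "icingahost").items()):
        print(f"{host}:{port}  syn={n}  {'answered' if answered else 'no SYN-ACK (filtered?)'}")
```

Worth re-running against a capture taken after the Windows host reboots: the high port is handed out by the RPC endpoint mapper from the dynamic port range, so it can differ from tcp/49154 later even though it stayed stable during these tests.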

When tcp/49154 was opened in the firewall rule, the connection worked and data was transferred back to my auto-config tool:

tcpdump host windowstarget
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:26:28.360513 IP icingahost.57370 > windowstarget.135: Flags [S], seq 3242590878, win 29200, options [mss 1460,sackOK,TS val 259333371 ecr 0,nop,wscale 7], length 0
14:26:28.362566 IP windowstarget.135 > icingahost.57370: Flags [S.], seq 1978845556, ack 3242590879, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406965240 ecr 259333371], length 0
14:26:28.362584 IP icingahost.57370 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 0
14:26:28.362656 IP icingahost.57370 > windowstarget.135: Flags [P.], seq 1:73, ack 1, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 72
14:26:28.364900 IP windowstarget.135 > icingahost.57370: Flags [P.], seq 1:61, ack 73, win 514, options [nop,nop,TS val 406965240 ecr 259333372], length 60
14:26:28.364913 IP icingahost.57370 > windowstarget.135: Flags [.], ack 61, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 0
14:26:28.365057 IP icingahost.57370 > windowstarget.135: Flags [P.], seq 73:97, ack 61, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 24
14:26:28.366695 IP windowstarget.135 > icingahost.57370: Flags [P.], seq 61:89, ack 97, win 514, options [nop,nop,TS val 406965240 ecr 259333372], length 28
14:26:28.366774 IP icingahost.57371 > windowstarget.135: Flags [S], seq 1931709756, win 29200, options [mss 1460,sackOK,TS val 259333373 ecr 0,nop,wscale 7], length 0
14:26:28.368560 IP windowstarget.135 > icingahost.57371: Flags [S.], seq 952209303, ack 1931709757, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406965241 ecr 259333373], length 0
14:26:28.368574 IP icingahost.57371 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 259333373 ecr 406965241], length 0
14:26:28.368674 IP icingahost.57371 > windowstarget.135: Flags [P.], seq 1:174, ack 1, win 229, options [nop,nop,TS val 259333373 ecr 406965241], length 173
14:26:28.370565 IP windowstarget.135 > icingahost.57371: Flags [P.], seq 1:304, ack 174, win 514, options [nop,nop,TS val 406965241 ecr 259333373], length 303
14:26:28.370578 IP icingahost.57371 > windowstarget.135: Flags [.], ack 304, win 237, options [nop,nop,TS val 259333374 ecr 406965241], length 0
14:26:28.370786 IP icingahost.57371 > windowstarget.135: Flags [P.], seq 174:458, ack 304, win 237, options [nop,nop,TS val 259333374 ecr 406965241], length 284
14:26:28.379981 IP windowstarget.135 > icingahost.57371: Flags [P.], seq 304:377, ack 458, win 513, options [nop,nop,TS val 406965241 ecr 259333374], length 73
14:26:28.380048 IP icingahost.57371 > windowstarget.135: Flags [P.], seq 458:618, ack 377, win 237, options [nop,nop,TS val 259333376 ecr 406965241], length 160
14:26:28.382301 IP windowstarget.135 > icingahost.57371: Flags [P.], seq 377:1189, ack 618, win 512, options [nop,nop,TS val 406965241 ecr 259333376], length 812
14:26:28.382376 IP icingahost.57371 > windowstarget.135: Flags [F.], seq 618, ack 1189, win 250, options [nop,nop,TS val 259333376 ecr 406965241], length 0
14:26:28.382394 IP icingahost.57370 > windowstarget.135: Flags [F.], seq 97, ack 89, win 229, options [nop,nop,TS val 259333376 ecr 406965240], length 0
14:26:28.382441 IP icingahost.41653 > windowstarget.49154: Flags [S], seq 857171839, win 29200, options [mss 1460,sackOK,TS val 259333376 ecr 0,nop,wscale 7], length 0
14:26:28.384247 IP windowstarget.135 > icingahost.57371: Flags [.], ack 619, win 512, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384262 IP windowstarget.135 > icingahost.57370: Flags [.], ack 98, win 514, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384265 IP windowstarget.135 > icingahost.57371: Flags [F.], seq 1189, ack 619, win 512, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384274 IP icingahost.57371 > windowstarget.135: Flags [.], ack 1190, win 250, options [nop,nop,TS val 259333377 ecr 406965242], length 0
14:26:28.384305 IP windowstarget.49154 > icingahost.41653: Flags [S.], seq 1424418429, ack 857171840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406965242 ecr 259333376], length 0
14:26:28.384318 IP icingahost.41653 > windowstarget.49154: Flags [.], ack 1, win 229, options [nop,nop,TS val 259333377 ecr 406965242], length 0
14:26:28.384372 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 1:140, ack 1, win 229, options [nop,nop,TS val 259333377 ecr 406965242], length 139
14:26:28.384394 IP windowstarget.135 > icingahost.57370: Flags [F.], seq 89, ack 98, win 514, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384405 IP icingahost.57370 > windowstarget.135: Flags [.], ack 90, win 229, options [nop,nop,TS val 259333377 ecr 406965242], length 0
14:26:28.387091 IP windowstarget.49154 > icingahost.41653: Flags [P.], seq 1:273, ack 140, win 514, options [nop,nop,TS val 406965243 ecr 259333377], length 272
14:26:28.387105 IP icingahost.41653 > windowstarget.49154: Flags [.], ack 273, win 237, options [nop,nop,TS val 259333378 ecr 406965243], length 0
14:26:28.387310 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 140:360, ack 273, win 237, options [nop,nop,TS val 259333378 ecr 406965243], length 220
14:26:28.449580 IP windowstarget.49154 > icingahost.41653: Flags [.], ack 360, win 513, options [nop,nop,TS val 406965249 ecr 259333378], length 0
14:26:28.449594 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 360:520, ack 273, win 237, options [nop,nop,TS val 259333393 ecr 406965249], length 160
14:26:28.459709 IP windowstarget.49154 > icingahost.41653: Flags [P.], seq 273:513, ack 520, win 513, options [nop,nop,TS val 406965249 ecr 259333393], length 240
14:26:28.459815 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 520:600, ack 513, win 245, options [nop,nop,TS val 259333396 ecr 406965249], length 80
14:26:28.461539 IP windowstarget.49154 > icingahost.41653: Flags [P.], seq 513:569, ack 600, win 512, options [nop,nop,TS val 406965249 ecr 259333396], length 56
14:26:28.461638 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 600:728, ack 569, win 245, options [nop,nop,TS val 259333396 ecr 406965249], length 128
[...]
