Accessing WMI through a firewall - which ports are required?

Written by - 0 comments

Published on - Listed in Nagios Icinga Monitoring Windows Linux

As I previously wrote, I'm working on an internal Icinga 2 auto-config tool. For the Windows hosts, I use the wmic command to access the remote hosts and gather information.

In the internal networks (without firewall) everything worked well. But as soon as I tried to add hosts in the DMZ (therefore passing through the firewall), the WMI connection didn't work. Prior to my tests I already asked to open tcp port 135 as this seems to be the port on which WMI listens. Kind of.

A tcpdump, that wmic is not only talking to tcp/135. A non-successful attempt shows a connection to tcp/135 at first, but then switches to a high-port (tcp/49154):

tcpdump host windowstarget
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:59:47.355251 IP icingahost.59472 > windowstarget.135: Flags [S], seq 3719360348, win 29200, options [mss 1460,sackOK,TS val 258933120 ecr 0,nop,wscale 7], length 0
13:59:47.357135 IP windowstarget.135 > icingahost.59472: Flags [S.], seq 2335876244, ack 3719360349, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406805145 ecr 258933120], length 0
13:59:47.357150 IP icingahost.59472 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 258933120 ecr 406805145], length 0
13:59:47.357210 IP icingahost.59472 > windowstarget.135: Flags [P.], seq 1:73, ack 1, win 229, options [nop,nop,TS val 258933120 ecr 406805145], length 72
13:59:47.359327 IP windowstarget.135 > icingahost.59472: Flags [P.], seq 1:61, ack 73, win 514, options [nop,nop,TS val 406805145 ecr 258933120], length 60
13:59:47.359339 IP icingahost.59472 > windowstarget.135: Flags [.], ack 61, win 229, options [nop,nop,TS val 258933121 ecr 406805145], length 0
13:59:47.359477 IP icingahost.59472 > windowstarget.135: Flags [P.], seq 73:97, ack 61, win 229, options [nop,nop,TS val 258933121 ecr 406805145], length 24
13:59:47.361180 IP windowstarget.135 > icingahost.59472: Flags [P.], seq 61:89, ack 97, win 514, options [nop,nop,TS val 406805145 ecr 258933121], length 28
13:59:47.361249 IP icingahost.59473 > windowstarget.135: Flags [S], seq 1146043338, win 29200, options [mss 1460,sackOK,TS val 258933121 ecr 0,nop,wscale 7], length 0
13:59:47.363007 IP windowstarget.135 > icingahost.59473: Flags [S.], seq 1340072778, ack 1146043339, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406805145 ecr 258933121], length 0
13:59:47.363020 IP icingahost.59473 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 258933122 ecr 406805145], length 0
13:59:47.363117 IP icingahost.59473 > windowstarget.135: Flags [P.], seq 1:174, ack 1, win 229, options [nop,nop,TS val 258933122 ecr 406805145], length 173
13:59:47.365113 IP windowstarget.135 > icingahost.59473: Flags [P.], seq 1:304, ack 174, win 514, options [nop,nop,TS val 406805145 ecr 258933122], length 303
13:59:47.365128 IP icingahost.59473 > windowstarget.135: Flags [.], ack 304, win 237, options [nop,nop,TS val 258933122 ecr 406805145], length 0
13:59:47.365340 IP icingahost.59473 > windowstarget.135: Flags [P.], seq 174:458, ack 304, win 237, options [nop,nop,TS val 258933122 ecr 406805145], length 284
13:59:47.373234 IP windowstarget.135 > icingahost.59473: Flags [P.], seq 304:377, ack 458, win 513, options [nop,nop,TS val 406805145 ecr 258933122], length 73
13:59:47.373316 IP icingahost.59473 > windowstarget.135: Flags [P.], seq 458:618, ack 377, win 237, options [nop,nop,TS val 258933124 ecr 406805145], length 160
13:59:47.375709 IP windowstarget.135 > icingahost.59473: Flags [P.], seq 377:1189, ack 618, win 512, options [nop,nop,TS val 406805145 ecr 258933124], length 812
13:59:47.375783 IP icingahost.59473 > windowstarget.135: Flags [F.], seq 618, ack 1189, win 250, options [nop,nop,TS val 258933125 ecr 406805145], length 0
13:59:47.375802 IP icingahost.59472 > windowstarget.135: Flags [F.], seq 97, ack 89, win 229, options [nop,nop,TS val 258933125 ecr 406805145], length 0
13:59:47.375851 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258933125 ecr 0,nop,wscale 7], length 0
13:59:47.377410 IP windowstarget.135 > icingahost.59473: Flags [.], ack 619, win 512, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377469 IP windowstarget.135 > icingahost.59473: Flags [F.], seq 1189, ack 619, win 512, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377480 IP icingahost.59473 > windowstarget.135: Flags [.], ack 1190, win 250, options [nop,nop,TS val 258933125 ecr 406805147], length 0
13:59:47.377489 IP windowstarget.135 > icingahost.59472: Flags [.], ack 98, win 514, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377533 IP windowstarget.135 > icingahost.59472: Flags [F.], seq 89, ack 98, win 514, options [nop,nop,TS val 406805147 ecr 258933125], length 0
13:59:47.377541 IP icingahost.59472 > windowstarget.135: Flags [.], ack 90, win 229, options [nop,nop,TS val 258933125 ecr 406805147], length 0
13:59:48.374512 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258933375 ecr 0,nop,wscale 7], length 0
13:59:50.378512 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258933876 ecr 0,nop,wscale 7], length 0
13:59:54.386509 IP icingahost.43755 > windowstarget.49154: Flags [S], seq 3673502881, win 29200, options [mss 1460,sackOK,TS val 258934878 ecr 0,nop,wscale 7], length 0
^C
30 packets captured
31 packets received by filter
0 packets dropped by kernel

After a couple of rechecks it seems that this high-port always stays the same. After three retries it was always tcp/49154 on which wmic tried to launch the WQL queries.

When tcp/49154 was opened in the firewall rule, the connection worked and data was transferred back to my auto config tool:

tcpdump host windowstarget
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:26:28.360513 IP icingahost.57370 > windowstarget.135: Flags [S], seq 3242590878, win 29200, options [mss 1460,sackOK,TS val 259333371 ecr 0,nop,wscale 7], length 0
14:26:28.362566 IP windowstarget.135 > icingahost.57370: Flags [S.], seq 1978845556, ack 3242590879, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406965240 ecr 259333371], length 0
14:26:28.362584 IP icingahost.57370 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 0
14:26:28.362656 IP icingahost.57370 > windowstarget.135: Flags [P.], seq 1:73, ack 1, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 72
14:26:28.364900 IP windowstarget.135 > icingahost.57370: Flags [P.], seq 1:61, ack 73, win 514, options [nop,nop,TS val 406965240 ecr 259333372], length 60
14:26:28.364913 IP icingahost.57370 > windowstarget.135: Flags [.], ack 61, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 0
14:26:28.365057 IP icingahost.57370 > windowstarget.135: Flags [P.], seq 73:97, ack 61, win 229, options [nop,nop,TS val 259333372 ecr 406965240], length 24
14:26:28.366695 IP windowstarget.135 > icingahost.57370: Flags [P.], seq 61:89, ack 97, win 514, options [nop,nop,TS val 406965240 ecr 259333372], length 28
14:26:28.366774 IP icingahost.57371 > windowstarget.135: Flags [S], seq 1931709756, win 29200, options [mss 1460,sackOK,TS val 259333373 ecr 0,nop,wscale 7], length 0
14:26:28.368560 IP windowstarget.135 > icingahost.57371: Flags [S.], seq 952209303, ack 1931709757, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406965241 ecr 259333373], length 0
14:26:28.368574 IP icingahost.57371 > windowstarget.135: Flags [.], ack 1, win 229, options [nop,nop,TS val 259333373 ecr 406965241], length 0
14:26:28.368674 IP icingahost.57371 > windowstarget.135: Flags [P.], seq 1:174, ack 1, win 229, options [nop,nop,TS val 259333373 ecr 406965241], length 173
14:26:28.370565 IP windowstarget.135 > icingahost.57371: Flags [P.], seq 1:304, ack 174, win 514, options [nop,nop,TS val 406965241 ecr 259333373], length 303
14:26:28.370578 IP icingahost.57371 > windowstarget.135: Flags [.], ack 304, win 237, options [nop,nop,TS val 259333374 ecr 406965241], length 0
14:26:28.370786 IP icingahost.57371 > windowstarget.135: Flags [P.], seq 174:458, ack 304, win 237, options [nop,nop,TS val 259333374 ecr 406965241], length 284
14:26:28.379981 IP windowstarget.135 > icingahost.57371: Flags [P.], seq 304:377, ack 458, win 513, options [nop,nop,TS val 406965241 ecr 259333374], length 73
14:26:28.380048 IP icingahost.57371 > windowstarget.135: Flags [P.], seq 458:618, ack 377, win 237, options [nop,nop,TS val 259333376 ecr 406965241], length 160
14:26:28.382301 IP windowstarget.135 > icingahost.57371: Flags [P.], seq 377:1189, ack 618, win 512, options [nop,nop,TS val 406965241 ecr 259333376], length 812
14:26:28.382376 IP icingahost.57371 > windowstarget.135: Flags [F.], seq 618, ack 1189, win 250, options [nop,nop,TS val 259333376 ecr 406965241], length 0
14:26:28.382394 IP icingahost.57370 > windowstarget.135: Flags [F.], seq 97, ack 89, win 229, options [nop,nop,TS val 259333376 ecr 406965240], length 0
14:26:28.382441 IP icingahost.41653 > windowstarget.49154: Flags [S], seq 857171839, win 29200, options [mss 1460,sackOK,TS val 259333376 ecr 0,nop,wscale 7], length 0
14:26:28.384247 IP windowstarget.135 > icingahost.57371: Flags [.], ack 619, win 512, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384262 IP windowstarget.135 > icingahost.57370: Flags [.], ack 98, win 514, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384265 IP windowstarget.135 > icingahost.57371: Flags [F.], seq 1189, ack 619, win 512, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384274 IP icingahost.57371 > windowstarget.135: Flags [.], ack 1190, win 250, options [nop,nop,TS val 259333377 ecr 406965242], length 0
14:26:28.384305 IP windowstarget.49154 > icingahost.41653: Flags [S.], seq 1424418429, ack 857171840, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 406965242 ecr 259333376], length 0
14:26:28.384318 IP icingahost.41653 > windowstarget.49154: Flags [.], ack 1, win 229, options [nop,nop,TS val 259333377 ecr 406965242], length 0
14:26:28.384372 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 1:140, ack 1, win 229, options [nop,nop,TS val 259333377 ecr 406965242], length 139
14:26:28.384394 IP windowstarget.135 > icingahost.57370: Flags [F.], seq 89, ack 98, win 514, options [nop,nop,TS val 406965242 ecr 259333376], length 0
14:26:28.384405 IP icingahost.57370 > windowstarget.135: Flags [.], ack 90, win 229, options [nop,nop,TS val 259333377 ecr 406965242], length 0
14:26:28.387091 IP windowstarget.49154 > icingahost.41653: Flags [P.], seq 1:273, ack 140, win 514, options [nop,nop,TS val 406965243 ecr 259333377], length 272
14:26:28.387105 IP icingahost.41653 > windowstarget.49154: Flags [.], ack 273, win 237, options [nop,nop,TS val 259333378 ecr 406965243], length 0
14:26:28.387310 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 140:360, ack 273, win 237, options [nop,nop,TS val 259333378 ecr 406965243], length 220
14:26:28.449580 IP windowstarget.49154 > icingahost.41653: Flags [.], ack 360, win 513, options [nop,nop,TS val 406965249 ecr 259333378], length 0
14:26:28.449594 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 360:520, ack 273, win 237, options [nop,nop,TS val 259333393 ecr 406965249], length 160
14:26:28.459709 IP windowstarget.49154 > icingahost.41653: Flags [P.], seq 273:513, ack 520, win 513, options [nop,nop,TS val 406965249 ecr 259333393], length 240
14:26:28.459815 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 520:600, ack 513, win 245, options [nop,nop,TS val 259333396 ecr 406965249], length 80
14:26:28.461539 IP windowstarget.49154 > icingahost.41653: Flags [P.], seq 513:569, ack 600, win 512, options [nop,nop,TS val 406965249 ecr 259333396], length 56
14:26:28.461638 IP icingahost.41653 > windowstarget.49154: Flags [P.], seq 600:728, ack 569, win 245, options [nop,nop,TS val 259333396 ecr 406965249], length 128
[...]



Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

Blog Tags:

AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder