Remote WMI Traffic - wmi

I have a problem understanding remote WMI traffic.
Let's say I have 2 PCs in a LAN (PC-A and PC-B).
From PC-A I type in CMD:
wmic /node:"PC-B" /user:"B" /password:"whatever" computersystem get "name"
There now should be traffic inside the LAN between the two PCs, and the answer to that query should be sent back to PC-A, from PC-B.
I tried using Wireshark, but the traffic is too overwhelming for me.
As of right now, what I understand going on goes like this (I barely understand it):
LLMNR/mDNS trying to resolve the node parameter (the PC domain inside the LAN)
TCP 3-way-handshake over port 135 (of PC-B)
What happens next is completely out of my understanding, I think it should go like:
DCOM (establishing something) over port 135
DCOM, session moved to a different port
I'm completely clueless... I am having trouble finding useful information.
I'm thankful for any of you who can share knowledge with me.
Edit:
This is the PCAP file:
https://drive.google.com/file/d/1FpvNujHlAIsY2aXxZdB0uGZd6RC4islm/view?usp=sharing
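The sequence outlined in the question (a connection to TCP 135, then the session moving to a different port) can be picked out of a busy capture by correlating flows instead of reading packets. The following is an added example, not part of the original post; the flow-record layout, the 49152 lower bound for the dynamic RPC port range, the 10-second window and the sample flows are assumptions or constructed data. The port pattern is common to all DCOM/RPC clients, so a match indicates remote RPC activity rather than WMI specifically.

```python
EPMAP_PORT = 135       # RPC endpoint mapper: the first TCP connection in the question
DYNAMIC_MIN = 49152    # assumed start of the dynamic RPC port range (registry-configurable)
WINDOW_S = 10.0        # assumed maximum gap between the port-135 and dynamic-port flows

# Constructed flow records: (start_time_s, client_ip, server_ip, server_tcp_port)
FLOWS = [
    (0.00, "192.168.1.10", "192.168.1.20", 135),    # PC-A asks PC-B's endpoint mapper
    (0.21, "192.168.1.10", "192.168.1.20", 49667),  # PC-A connects to the port it was given
    (3.00, "192.168.1.10", "192.168.1.30", 445),    # unrelated SMB traffic
    (5.00, "192.168.1.11", "192.168.1.20", 135),    # mapper lookup with no follow-up
    (40.0, "192.168.1.12", "192.168.1.20", 49667),  # high port without a mapper lookup
    (50.0, "192.168.1.10", "192.168.1.20", 50001),  # too long after the mapper lookup
]

def correlate_dcom_sessions(flows, window_s=WINDOW_S, dynamic_min=DYNAMIC_MIN):
    """Attach each dynamic-port flow to the preceding port-135 flow of the same pair."""
    sessions = []
    latest = {}  # (client, server) -> most recent session opened on port 135
    for ts, client, server, dport in sorted(flows):
        key = (client, server)
        if dport == EPMAP_PORT:
            session = {"client": client, "server": server,
                       "epmap_time": ts, "dynamic_ports": []}
            latest[key] = session
            sessions.append(session)
        elif dport >= dynamic_min:
            session = latest.get(key)
            # Only count the flow if it follows the mapper lookup closely enough.
            if session and ts - session["epmap_time"] <= window_s:
                session["dynamic_ports"].append(dport)
    return sessions

def completed_sessions(flows):
    """Sessions where the client actually moved on to a dynamic port."""
    return [s for s in correlate_dcom_sessions(flows) if s["dynamic_ports"]]

if __name__ == "__main__":
    for s in completed_sessions(FLOWS):
        print(f'{s["client"]} -> {s["server"]}: 135 then {s["dynamic_ports"]}')
```

Filtering the capture to the client/server pair and the dynamic port reported here leaves only the DCOM conversation to read.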

Related

How Does WMI Work?

Recently I've been trying to figure out how to keep track of computers for inventory and then manage them remotely. I've stumbled upon WMI and Psexec. Psexec seems to be using port 135 to talk to RPC to execute remote PC services. (If I'm understanding correctly) However, I can't say that I understand exactly how WMI works, and I can't find any resources to help me with that. As far as I know, it uses ports 135, 445, and a group of IPs that are defined in registry. Port 135 doesn't surprise me because I know that WMI can do a lot of the things that Psexec can do, but what does is port 445. Normally that port is for TCP/IP SMB if I recall correctly. Why does WMI need access to that, what are the range of IPs for, and generally - how does WMI inner-workings work?
I'm going down the same path you are: using WMI to inventory or manage devices. It has been working well for the last year, but there is always more to add or do (like inventorying monitors).
So, port 445 does SMB, but it also does AD authentication.

How do I use WAMP?

I can easily connect to local host and my LAN IP both on port 80 and 8080, but my external IP is having connectivity issues. I cannot connect to it by just typing my external IP or even by typing a port number. I've read countless articles and Google didn't help me because I don't have the same problems as the people asking the questions.
When I type my external IP address with and without a port extension it gives me nothing except a "Problem loading page". I followed a lot of advice and tips, I even uninstalled it and reinstalled it, and still cannot connect to my external IP. It's irritating because I port forwarded my IP; I know my port forwarding works because I can play any game on any port. But my WAMP is being stubborn for some reason.
I clicked on put online and that should've worked. But I'm at a pause at the moment in my website development. So I know my webpage isn't corrupted because it works like a charm locally, which thank goodness that was easier than hosting it online. If anyone has an idea as to why this is happening, help is appreciated.
Thank you.

Get COM/DCOM Connections?

I'd like to figure out what IP address a DCOM client is connecting from. I have an OPC server, and from the context of the COM/DCOM code, there is no way to get the client IP that I can find. This article appears to confirm that (http://blogs.msdn.com/b/sanpil/archive/2004/03/01/82302.aspx).
I tried using a C++ library that netstat uses (iphlpapi.lib, GetExtendedTcpTable) to get open connections with no luck. It looks like COM/DCOM defaults to UDP.
The only other thing I can think of is using Wireshark pcap to try and capture inbound traffic on port 135?
Does anyone have any clever ideas?
It's said "Using DCOM through firewalls becomes problematic because it dynamically allocates one port per process (configurable through the registry) and requires UDP and TCP ports 135-139 to be open."

Socket application does not work over the internet

I've got a problem in socket programming. I'm currently writing a simple server/client application which asks connecting clients to answer a survey (I'm following the exercises in the book: TCP/IP Sockets in C: Practical guide for Programmers). It works fine in my local network (using localhost to connect), but I can't make it work over the internet.
Since I changed some of the code found in the book, I tried to compile the original source code from the book but it still doesn't work. I assume this is not a code problem but a network problem.
I did some research and so I turned off my firewall, I forwarded the port I'm using (12543) in my router but it still doesn't work... I've got a remote Windows server running Windows 7 for testing: when I run my server on it and try to connect from my computer it fails, when I try to run my server from my computer and try to connect from the remote Windows server: it fails again. Even when I run my server on my computer and try to connect with the client from the same computer using my private IPv4 address 192.168.x.x or my public one, it fails! Oh, and there is no firewall running on the Windows server.
I really don't know what to do now... I can ping my windows server from my computer, I can ping my computer from my windows server, but it's impossible to connect to my application.
The source code can be found here: http://cs.ecs.baylor.edu/~donahoo/practical/CSockets2/textcode.html (SurveyServer2.cpp, SurveyClient2.cpp, SurveyCommon.h), but I don't think it's a code problem.
Please tell me if it's not clear enough. And excuse me if I made some grammatical errors, I'm French!
Any help would be appreciated, thanks!
EDIT : Ok, I know what's going on: it's a compatibility issue between IPv4 and IPv6! It's not properly working yet, but I now know what to fix. Thanks everybody :)
SECOND EDIT : Well, I think I finally understood. I was binding my server to an IPv6 address, but the host my server is running on only has a public IPv4 address. When I tried to connect, the DNS resolution only returned an IPv4 address so I was unable to connect to my server. I told getaddrinfo to return only IPv4 addresses, so now it binds on an IPv4 address and it works fine.
There is surely a way to add an IPv6 address to my host but I don't think I will need it, it works okay right now, I hope this doesn't cause any trouble.
The code makes use of getaddrinfo and needs a hostname, not an IP address.
It does sound like you have a connectivity issue or a DNS issue.
Ensure the name resolution is working:
Enter 'ping server_NAME' on the command line of the client machine.
If it can't find an IP address for the server name that could be your issue.
Ensure connectivity:
On the server command line:
enter 'netstat -an -p TCP'. This will show a list of all programs listening and their port numbers. You should see your server listening on port 12543.
On the machine where you are running your client program:
Use telnet to see if you can get through to the server. You can set the port number telnet uses with a command line option. Usually something like 'telnet -p 12543 server-ip'. If it says 'connection refused' then there's a connectivity issue (a firewall/etc). If it opens a connection you will get no error message and you will be able to type text to be sent to the server. You really only care if telnet was able to establish a tcp connection here.
If Telnet does connect then your issue is communication between the programs and not a network issue.
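The two checks in the answer above (name resolution, then a TCP connection) combined with the address-family mismatch from the asker's second edit, as an added example that is not part of the original thread. The function name `probe` and the loopback listener in `demo` are constructed for illustration; the probe resolves the name with getaddrinfo, as the client in the question does, and reports the outcome per returned address.

```python
import socket

FAMILY_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def probe(host, port, family=socket.AF_UNSPEC, timeout=2.0):
    """Resolve host, then try a TCP connect to every address that comes back."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Same symptom as a name that has no address in the requested family.
        return [("-", host, f"resolution failed: {exc}")]
    results = []
    for fam, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(fam, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            outcome = "connected"
        except ConnectionRefusedError:
            outcome = "refused"      # host reachable, nothing listening on this address
        except socket.timeout:
            outcome = "timeout"      # typically a filter dropping the packets
        except OSError as exc:
            outcome = f"error: {exc.strerror}"
        results.append((FAMILY_NAMES.get(fam, str(fam)), sockaddr[0], outcome))
    return results

def demo():
    """Constructed check: a listener bound to IPv4 loopback only."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS choose a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        return probe("127.0.0.1", port), port
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo()[0])
```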

C/C++ detect network type

I need to write a Win32 C/C++ application which will be able to determine whether the PC it's running on is connected to one of 2 networks. The first network is the company LAN (which has no internet connection) and the second network is a standalone switch with a single PC connected to it (the PC that the program is running on).
I'm pretty new to network programming but so far I have tried testing to see if a network drive which is held on our LAN can be mapped. This works fine if the PC is connected to the LAN, the drive mapping succeeds so LAN detection is successful. However, if the PC is connected to the switch, this results in a VERY long timeout which is not suitable as it will delay the program so much as to make it unusable.
Does anyone have any alternative suggestions?
I'm using C/C++ in VS 6.0
[Update]
Whilst trying a few different ideas and looking at some of the suggestions below I thought I should update with some additional information as many (if not all) of the suggestions I don't think will work.
(1) The aforementioned LAN has no external connections at all, it is completely isolated so no resolving of external DNS or pinging websites is possible.
(2) Hostname, MAC address, IP, Default Gateway, Subnet etc etc (basically everything you see in ipconfig -all) are all manually configured (not dynamic from the router) so checking any of these settings will return the same whether connected to the LAN or the switch.
(3) Due to point (2), any attempts to communicate with the switch seem to be unsuccessful, in fact almost all networking commands (ping, arp etc) seem to fail - I think due to the machine trying to connect to the LAN when it isn't there :-(
One thing I have found which works is pinging the default gateway IP which times out when connected to the switch. This is sort of ok as I can reduce the timeout of ping so it doesn't just hang for ages but it feels like a bit of a hack and I would certainly appreciate any better solutions.
Thanks
As far as TCP/IP is concerned there is no such thing as a LAN on WAN. There are a set of non-internet routable addresses like 192.168.x.x and 10.x.x.x but these are sometimes used by ISP short of IP addresses.
Your best bet is to use Asynchronous APIs when making TCP/IP connections. WIN32 defines a whole bunch of OVERLAPPED APIs for this purpose. This will prevent your application from grinding to a halt while waiting for a remote connection.
Alternatively put the socket stuff into another thread and then only notify the UI when the operation is done.
I would first try to differentiate between the two using information available locally--that is, from your computer. Does the output of ipconfig /all differ depending on which network you're connected to? If so, exploit that difference if you can.
Is it possible to get the MAC address of the standalone switch? Of the switch that controls the company LAN? That would be a sure way to tell. Unless somebody cloned the MAC address.
If you try using the existence or non-existence of some network service to determine which network you're connected to, you can never be sure. For example, if you failed to map that network drive, all you know is that the network drive isn't available. You can't say for certain that you're not connected to the company LAN. Same is true if you use ping. Lack of response from a particular machine means only that the machine didn't respond.
Various things you can look at for differentiation:
DNS domain name (GetComputerNameEx)
MAC address of gateway (ping it, then GetIpNetTable)
Routing table (do you have a gateway and default route on the company LAN)
WNet discovered network resources (WNetOpenEnum, WNetEnumResource)
Ability to resolve external hostnames (try 5-10 names like www.google.com, www.microsoft.com and so on, if one resolves you should have internet)
You'll have to decide how many indicators are "enough" to decide you're on one or the other LAN though if tests fail. Then keep retrying until you have a definite result.
http://msdn.microsoft.com/en-us/library/aa366071%28v=VS.85%29.aspx has a lot of network related functions that you can experiment with to create further indicators.