check_wmi_plus authentication
Re: check_wmi_plus authentication
Hey tmcdonald,
The command I use to authenticate by NTLMv2 is:
./check_wmi_plus.pl -H HOST -u domain/user -p password -m checkservice --extrawmicarg --option"client ntlmv2 auth"=yes
Like I said, though, I would prefer Kerberos; at this point it's proving more difficult than I had anticipated.
Re: check_wmi_plus authentication
Unfortunately I'm not joined to a domain here to test.
What does the output (sanitized) of this command show?
klist
Re: check_wmi_plus authentication
Hey ssax,
Sorry for the late reply; here is the information given to me by klist:
Valid starting Expires Service principal
09/17/2015 17:49:16 09/18/2015 03:49:16 krbtgt/[email protected]
renew until 09/24/2015 17:49:12
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: check_wmi_plus authentication
As I mentioned I think we need to tackle the wmic command before we can imagine that check_wmi_plus will work (it will probably need to be modified).
I wouldn't expect it to work - but I would expect if anything would have worked it would have been what we've already tried. It can't hurt to try using the -P flag, which implies -k:
- -P, --machine-pass Use stored machine account password (implies -k)
Re: check_wmi_plus authentication
Hey jdalrymple,
Sorry it has taken me so long to respond. The commands I tried to run were:
wmic //FQDN "select * from Win32_Service" --debuglevel=10 --debug-stderr -P
wmic -U domain/user%password //FQDN "select * from Win32_Service" --debuglevel=10 --debug-stderr -P
wmic -U domain/user //FQDN "select * from Win32_Service" --debuglevel=10 --debug-stderr -P
All commands end up with the same error as before; however, I did notice something:
unable to load tdb from /usr/local/bsamba/modules/ldb/tdb.so: /usr/local/samba/modules/ldb/std.so:cannot open shared object file: No such file or directory
Unable to find backend '/usr/local/samba/private/secrets.ldb'
[auth/credentials/credentials_files.c:217:cli_credentials_set_secrets()] Could not open secrets.ldb
I'm assuming this has something to do with my Samba config, but what, I do not know. Could I possibly be missing something in the configuration of Samba? Again, forgive my ignorance, and any help you provide is, as usual, greatly appreciated.
jdalrymple
Re: check_wmi_plus authentication
So the implementation of kerberos utilized by wmic is the product of a Samba installation. Do you indeed have all of the Samba suite installed? It's possible that unless explicitly put in place the parts you need aren't recognized as a dependency since what you're trying to do is generally still seen as a bit out in left field (not kerberos but rather wmic+kerberos).
Re: check_wmi_plus authentication
Is having kerberos work with WMIC just seen as something that's unnecessary and that is why most use the --option="client ntlmv2 auth"=Yes or am I missing the boat entirely?
jdalrymple
Re: check_wmi_plus authentication
monstro wrote: Is having kerberos work with WMIC just seen as something that's unnecessary and that is why most use the --option="client ntlmv2 auth"=Yes or am I missing the boat entirely?
I like the thought of it working, and wish it worked easier. The poor amount of documentation I can find makes me guess it's a "path of least resistance" situation for most. Not a whole lot to be gained using kerberos in a Windows only environment, which is defined by wmi.
Re: check_wmi_plus authentication
I would like it to work as well; however, like you said, documentation is lacking and I have yet to find anything. At this point I think I'm just going to stick with using the NTLMv2 option and save the headache for someone else with more experience than, or who is more of a masochist than, I. I appreciate all who have tried to help me using Kerberos to authenticate WMIC queries. Thanks again, guys.
jdalrymple
Re: check_wmi_plus authentication
I'm going to go ahead and lock the thread, monstro (to keep it off our dashboard). If ever you want it unlocked for further investigation, please PM one of us with a green name and we'll be happy to unlock it for you.
In the meantime, if you have spare time you might want to head over to some Samba and/or wmic forums. That's the real place that the solution starts. We're the last link in the chain.