check_wmi_plus and ntlm authentication

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
BenCowan
Posts: 64
Joined: Thu Jul 28, 2011 11:34 am

check_wmi_plus and ntlm authentication

Post by BenCowan »

I received the email (see below) from our AD administrator a few weeks back regarding a security vulnerability in NTLM Authentication, and he disabled it. Immediately Nagios started alerting for all the Windows servers, so he re-enabled for all but our most critical servers, but wants me to use the kerberos authentication option in the check, which uses the Linux wmic command. My preliminary attempts to use the --kerberos=true option don't work, but there is a possibility that I don't understand all the requirements (there seems to be a serious lack of documentation).

Has anyone had any luck using wmic with kerberos auth?

Subject: PetitPotam ADCS vuln

As seen via REN-ISAC and elsewhere over the weekend, there’s yet another nasty vuln in Windows land, and this time it affects AD Certificate Services (ADCS). I just finished a hardening and configuration review on our ADCS server about a month ago, but this particular vuln wasn’t mitigated as part of that exercise.

Details from SANS here: https://isc.sans.org/forums/diary/Activ ... ity/27668/
Mitigation guidance from MS here: https://support.microsoft.com/en-us/top ... 7910cd3429

The fix is to disable NTLM authentication either domain-wide (preferred, and I’m itching to do this), or just disable it on the ADCS server (less preferred, and will be my stop-gap fix).

Action items:
- We don’t forbid NTLM authentication at SCS for “legacy reasons” (e.g. old AD-authenticating VPN servers, various systems we’ve decommissioned over the past few years, etc.); those legacy reasons may not still be valid, but there’s no quick way to tell without possibly breaking things. I’ll check with Network Services to find out when the new VPN appliances are going in, but the current ones may not even rely on NTLM.

- To catch anything else that uses NTML auth, I’ll be updating Group Policy on our domain controllers to audit NTLM auth attempts.

- I’ll open a Jira issue to request that the ISO team set up a Splunk report to let SE know when/where NTLM auth has been used over a period of a couple weeks, then based on that information determine whether we can safely disable NTLM once and for all.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: check_wmi_plus and ntlm authentication

Post by ssax »

Did he disable NTLMv1 or all NTLM? You can force NTLMv2 by passing --extrawmicarg "--option=client ntlmv2 auth=Yes" to check_wmi_plus if that works:

/usr/local/nagios/libexec/check_wmi_plus.pl -H X.X.X.X -u 'your_domain/wmiagent' -p 'wmiagentpass' -m checkcpu --extrawmicarg "--option=client ntlmv2 auth=Yes"

I'm investigating the Kerberos thing and will update shortly.
BenCowan
Posts: 64
Joined: Thu Jul 28, 2011 11:34 am

Re: check_wmi_plus and ntlm authentication

Post by BenCowan »

First I verified that the command works on a server where he has not disabled NTLM auth, to make sure it works, and it does. Then I ran it against one of the servers where he has disabled it, and it failed, so apparently he has disabled both, but I will ask him on Monday to clarify whether the vulnerability is specific to the old v1 or not. Thanks!

...still would like to see kerberos supported.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: check_wmi_plus and ntlm authentication

Post by ssax »

I think it is probably possible to do with Kerberos based on my research, but I'm still trying to get this to work. The backend wmic command that the plugin uses looks like it supports it, but I'm having trouble getting it to work in my lab. Will let you know what I find.
BenCowan
Posts: 64
Joined: Thu Jul 28, 2011 11:34 am

Re: check_wmi_plus and ntlm authentication

Post by BenCowan »

I was testing as root, and I noticed in the debug output it was looking for a credentials cache in /tmp/krb5cc_0, so I generated one using user svc-nagioswmi as the principal, but I still get an error about not being able to acquire credentials...

[lib/com/dcom/main.c:528:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:****.****.nevada.edu
[librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[lib/com/dcom/main.c:413:determine_rpc_binding_continue2()] dcerpc_ndr_request_recv returned NT_STATUS_OK
[lib/com/dcom/main.c:417:determine_rpc_binding_continue2()] IObjectExporter::ServerAlive returned NT_STATUS_OK
[auth/kerberos/krb5_init_context.c:114:smb_krb5_socket_recv()] Received smb_krb5 packet of length 202
[auth/kerberos/krb5_init_context.c:114:smb_krb5_socket_recv()] Received smb_krb5 packet of length 169
[auth/kerberos/kerberos_util.c:236:kinit_to_ccache()] kinit for svc-nagioswmi@****.NEVADA.EDU failed (Preauthentication failed)
[auth/credentials/credentials_krb5.c:300:cli_credentials_get_client_gss_creds()] Failed to get CCACHE for GSSAPI client: Preauthentication failed
[auth/gensec/gensec_gssapi.c:357:gensec_gssapi_client_start()] Aquiring initiator credentails failed
[auth/gensec/gensec.c:606:gensec_start_mech()] Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_UNSUCCESSFUL
[auth/gensec/spnego.c:634:gensec_spnego_create_negTokenInit()] Failed to setup SPNEGO negTokenInit request: NT_STATUS_UNSUCCESSFUL
[auth/gensec/gensec.c:637:gensec_start_mech_by_authtype()] Could not find GENSEC backend for auth_type=10
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: check_wmi_plus and ntlm authentication

Post by ssax »

I'm testing like this:

wmic -d5 -k1 //computer.domain.com "select * from Win32_ComputerSystem"

Which is failing for me, but I see proper Kerberos auth in the Windows logs.

Until that works, check_wmi_plus.pl won't work.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: check_wmi_plus and ntlm authentication

Post by ssax »

Here's what I'm showing for mine:

[root@xid ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

[root@xid ~]# kinit wmiagent@CONTOSO.LOCAL
Password for wmiagent@CONTOSO.LOCAL:

[root@xid ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: wmiagent@CONTOSO.LOCAL

Valid starting       Expires              Service principal
08/16/2021 12:08:18  08/16/2021 22:08:18  krbtgt/CONTOSO.LOCAL@CONTOSO.LOCAL
        renew until 08/17/2021 12:08:14

[root@xid ~]# wmic -d5 -k1 //thecomputer.contoso.local "select * from Win32_ComputerSystem"
[param/loadparm.c:587:init_globals()] Initialising global parameters
[param/loadparm.c:2462:lp_load()] lp_load: refreshing parameters from /dev/null
[param/params.c:556:pm_process()] params.c:pm_process() - Processing configuration file "/dev/null"
[param/loadparm.c:2471:lp_load()] pm_process() returned Yes
[param/loadparm.c:1343:lp_add_hidden()] adding hidden service IPC$
[param/loadparm.c:1343:lp_add_hidden()] adding hidden service ADMIN$
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend 'sasl-DIGEST-MD5' registered
[auth/auth.c:447:auth_register()] AUTH backend 'winbind_samba3' registered
[auth/auth.c:447:auth_register()] AUTH backend 'winbind' registered
[auth/auth.c:447:auth_register()] AUTH backend 'name_to_ntstatus' registered
[auth/auth.c:447:auth_register()] AUTH backend 'fixed_challenge' registered
[auth/auth.c:447:auth_register()] AUTH backend 'unix' registered
[auth/auth.c:447:auth_register()] AUTH backend 'anonymous' registered
[auth/auth.c:447:auth_register()] AUTH backend 'sam' registered
[auth/auth.c:447:auth_register()] AUTH backend 'sam_ignoredomain' registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend 'krb5' registered
[auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem fake_gssapi_krb5 is disabled
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend 'schannel' registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend 'spnego' registered
[auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem gssapi_spnego is disabled
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend 'gssapi_krb5' registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend 'gssapi_krb5_sasl' registered
[auth/gensec/gensec.c:1229:gensec_register()] GENSEC backend 'ntlmssp' registered
[lib/com/dcom/main.c:528:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:dc1.contoso.local
[librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[lib/com/dcom/main.c:413:determine_rpc_binding_continue2()] dcerpc_ndr_request_recv returned NT_STATUS_OK
[lib/com/dcom/main.c:417:determine_rpc_binding_continue2()] IObjectExporter::ServerAlive returned NT_STATUS_OK
[auth/gensec/gensec.c:599:gensec_start_mech()] Starting GENSEC mechanism spnego
[auth/gensec/gensec.c:599:gensec_start_mech()] Starting GENSEC submechanism gssapi_krb5
[lib/socket/interface.c:103:add_interface()] added interface ip=192.168.X.X nmask=255.X.X.X
[auth/kerberos/krb5_init_context.c:114:smb_krb5_socket_recv()] Received smb_krb5 packet of length 1386
[auth/kerberos/krb5_init_context.c:114:smb_krb5_socket_recv()] Received smb_krb5 packet of length 1310
[auth/gensec/gensec_gssapi.c:479:gensec_gssapi_update()] gensec_gssapi: credentials were delegated
[auth/gensec/gensec_gssapi.c:506:gensec_gssapi_update()] GSSAPI Connection will be cryptographicly sealed
[librpc/rpc/dcerpc.c:849:dcerpc_request_recv_data()] rpc fault: DCERPC fault 0x00000721
[wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_NET_WRITE_FAULT - NT_STATUS_NET_WRITE_FAULT
BenCowan
Posts: 64
Joined: Thu Jul 28, 2011 11:34 am

Re: check_wmi_plus and ntlm authentication

Post by BenCowan »

I am stuck at the same place you are. Not being an AD expert, and not having access to really dig into it, and also lacking detailed documentation on wmic (all I've found is the --help option, which is NOT helpful...), I'm not sure where to go from here. I did look up the error code:

0x00000721
RPC_S_SEC_PKG_ERROR
An error that has no RPC mapping was returned by the security package. Retrieve the security provider error using the RPC Extended Error Mechanism.

Dead end?
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: check_wmi_plus and ntlm authentication

Post by mcapra »

I haven't touched this code in ages, and it never really moved past the POC phase, but it's built on impacket which supports Kerberos:
https://github.com/mcapra/nagios-check_ ... eck_wmi.py

Could try altering the authentication handler by just passing doKerberos=True
https://github.com/mcapra/nagios-check_ ... mi.py#L392

I don't have a lab environment to test against unfortunately.
Former Nagios employee
https://www.mcapra.com/
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: check_wmi_plus and ntlm authentication

Post by ssax »

Neither of them are working for me and I've spent a bunch of time trying to get it to work, I still see successful kerberos authentication in the windows server logs but it's not working:

ERROR:root:Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
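As an added example (not from this thread, and not part of check_wmi_plus, wmic or impacket), here is a small Python triage helper for the kind of output quoted across these posts: the klist "No credentials cache found" message, the wmic -d5 -k1 debug output with its kinit_to_ccache failure and its DCERPC fault 0x00000721, and the impacket KDC_ERR_S_PRINCIPAL_UNKNOWN error above. It classifies which stage of Kerberos authentication broke so the right thing is checked first. The sample log lines, realm and principal names are constructed; the 0x721 to RPC_S_SEC_PKG_ERROR mapping is the one looked up earlier in the thread; the suggested next checks are general Kerberos troubleshooting and not fixes the thread confirmed.

```python
"""Triage helper for Kerberos-mode wmic / check_wmi_plus failures (example code)."""
import re
from dataclasses import dataclass

# DCE/RPC fault codes known to this helper. Only the one seen in the thread is
# listed; the name comes from the thread's own lookup of 0x721.
RPC_FAULTS = {0x721: "RPC_S_SEC_PKG_ERROR"}

# Patterns for the two log lines that carry useful detail.
_KINIT_FAIL = re.compile(r"kinit for (\S+) failed \((.+?)\)")
_RPC_FAULT = re.compile(r"DCERPC fault 0x([0-9a-fA-F]+)")


@dataclass
class Diagnosis:
    stage: str        # short label for the stage that failed
    detail: str       # what the log actually shows
    next_check: str   # what to verify first (general guidance, assumption)
    principal: str = ""
    fault_code: int = 0


def diagnose(log_text: str) -> Diagnosis:
    """Map klist/wmic/impacket output to the stage where Kerberos auth failed.

    Rules run from earliest stage to latest, so a missing ticket is reported
    before an RPC-layer fault if both strings happen to be present.
    """
    if "No credentials cache found" in log_text:
        return Diagnosis(
            "no_ticket",
            "no Kerberos credential cache exists for this user",
            "run kinit (or kinit -kt <keytab> <principal>) as the user the plugin runs as",
        )
    m = _KINIT_FAIL.search(log_text)
    if m:
        principal, reason = m.group(1), m.group(2)
        return Diagnosis(
            "kinit_failed",
            f"wmic attempted its own kinit for {principal}: {reason}",
            "verify the password or keytab and that the principal exists in the realm",
            principal=principal,
        )
    if "KDC_ERR_S_PRINCIPAL_UNKNOWN" in log_text:
        return Diagnosis(
            "service_principal_unknown",
            "the KDC has no service principal matching the target name",
            "check that the hostname passed to the tool matches an SPN on the target's computer account",
        )
    m = _RPC_FAULT.search(log_text)
    if m:
        code = int(m.group(1), 16)
        name = RPC_FAULTS.get(code, "unknown fault")
        # If GSSAPI reported a sealed connection, the Kerberos handshake itself
        # succeeded and the failure is in the RPC security-package layer.
        gss_ok = "GSSAPI Connection will be cryptographicly sealed" in log_text
        stage = "rpc_fault_after_gssapi" if gss_ok else "rpc_fault"
        return Diagnosis(
            stage,
            f"DCERPC fault 0x{code:x} ({name}); Kerberos handshake completed: {gss_ok}",
            "look at the RPC/security-package layer (server-side event logs), not at the ticket",
            fault_code=code,
        )
    return Diagnosis("unknown", "no known failure signature found", "capture wmic -d5 output")


# Constructed samples modelled on the output quoted in the thread; hostnames,
# realms and principals are placeholders.
SAMPLE_NO_TICKET = "klist: No credentials cache found (filename: /tmp/krb5cc_0)\n"
SAMPLE_PREAUTH = (
    "[auth/kerberos/kerberos_util.c:236:kinit_to_ccache()] kinit for "
    "svc-nagioswmi@EXAMPLE.TEST failed (Preauthentication failed)\n"
    "[auth/credentials/credentials_krb5.c:300:cli_credentials_get_client_gss_creds()] "
    "Failed to get CCACHE for GSSAPI client: Preauthentication failed\n"
)
SAMPLE_RPC_FAULT = (
    "[auth/gensec/gensec_gssapi.c:479:gensec_gssapi_update()] gensec_gssapi: credentials were delegated\n"
    "[auth/gensec/gensec_gssapi.c:506:gensec_gssapi_update()] GSSAPI Connection will be cryptographicly sealed\n"
    "[librpc/rpc/dcerpc.c:849:dcerpc_request_recv_data()] rpc fault: DCERPC fault 0x00000721\n"
    "[wmi/wmic.c:196:main()] ERROR: Login to remote object.\n"
    "NTSTATUS: NT_STATUS_NET_WRITE_FAULT - NT_STATUS_NET_WRITE_FAULT\n"
)
SAMPLE_SPN = "ERROR:root:Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)\n"

if __name__ == "__main__":
    for name, text in [("no_ticket", SAMPLE_NO_TICKET), ("preauth", SAMPLE_PREAUTH),
                       ("rpc_fault", SAMPLE_RPC_FAULT), ("spn", SAMPLE_SPN)]:
        d = diagnose(text)
        print(f"{name:10} -> {d.stage}: {d.detail} | next: {d.next_check}")
```

Feed it the saved stderr of a failing run (for example `wmic -d5 -k1 ... 2>&1 | python3 triage.py` after replacing the sample loop with `diagnose(sys.stdin.read())`); the ordering of rules matters because the wmic output in the thread contains both a successful GSSAPI negotiation and the later RPC fault, and the helper deliberately reports the fault as occurring after Kerberos succeeded.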