wmic – RPC_C_AUTHN_LEVEL_PKT_INTEGRITY problem – KB5004442

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello,

any suggestion about this case?

[Mario]

Like it

Up

2

Down

Drop it

::

Hello,

A few months ago we updated the wmic binary to include the latest security changes made by Windows.

https://firefly.artica.es/centos7/wmic-1.4-1.el7.x86_64.rpm

With this version you should be able to continue your remote wmi monitoring operation without any problems.

Kind regards

[Sancho]

Like it

Up

0

Down

Drop it

::

Thanks for reporting this.

We’re working in a wmic replacement, Windows servers will forbid this method in next release.

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello Sancho,

what you mean with “wmic replacement” ? A completly new tool will be released? And could you estimate when?

Thank you.

[Sancho]

Like it

Up

1

Down

Drop it

::

Yes, it’s planned to be finished at 761 release. Will replace the current binary and it will have a similar interface, just to replace it. Please read carefully the release notes when the release it’s finished.

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello Sancho,

do you know when 761 version will be released?

Thank you

[Sancho]

Like it

Up

0

Down

Drop it

::

In a week more or less, we have already a solution for this. You will need to replace the wmiclient for a new one. It will be detailed in the update documentation.

Thanks for reporting this, please contact us here for any question regarding to this.

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello Sancho,

i seen version 761 is avaiable, but when i update the rpm, wmic client is not updated and is not bundled with the new rpm.

Where i can find the new wmic and the documentation regarding it?

Thank you

[Mario]

Like it

Up

2

Down

Drop it

::

Hi

To fix the issue, it is neccesary to install a new binary ( pandorawmic ) . You can install it from https://firefly.artica.es/centos8/pandorawmic-1.0.0-1.x86_64.rpm .

After you have installed the new binary, it is necessary to change the wmi_client binary in your pandora_server.conf
https://pandorafms.com/manual/en/documentation/02_installation/04_configuration?s%5B%5D=pandorawmic#wmi_client

After finishing the installation and updating pandora_server.conf, you should restart the Pandora FMS server service to apply the changes.

https://pandorafms.com/manual/en/faq/start#what_are_the_differences_between_wmic_and_pandorawmic

Installation:

https://pandorafms.com/manual/en/documentation/02_installation/01_installing?s%5B%5D=pandorawmic

Kind regards

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello Mario,

thank you for the clarification.

Now i am on 757. Is mandatory to update 761 or i can stay on 757 and only use the new binary?

Thank you

[Mario]

Like it

Up

0

Down

Drop it

::

Yes, you need update server to v761 version because there is some changes in the server to adapt the output of the new tool.

Kind regards

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello Mario,

using the Update Manager Online in Web Console, while updating from 759 to 760, at the end of the process it shows the message “Signatures does not match”, as you can see from this image:

https://imgur.com/a/9UbaHQW

In the footer it shows “Pandora FMS v7.0NG.760 – OUM 760 – MR 52” .

Can i consider the update from 759 to 760 sucseeded anyway, an then can i procede to update to version 761?

Thank you

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello all,

with the old wmic i used the parameter “–option=’client ntlmv2 auth’=Yes” . Wich autentication schema is used by default from new pandorawmi tool ?

Thank you

[vic]

Like it

Up

1

Down

Drop it

::

Hi,

Can you check if you have the following token enabled, if so, disable it and try again.

secured.png 13 KB Image File - Click to view

• Copy Download Link

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hello all,

with the old wmic i used the parameter “–option=’client ntlmv2 auth’=Yes” . Wich autentication schema is used by default from new pandorawmi tool ?

Thank youHello all,

with the old wmic i used the parameter “–option=’client ntlmv2 auth’=Yes” . Wich autentication schema is used by default from new pandorawmi tool ?

Thank you

[Mario]

Like it

Up

0

Down

Drop it

::

Hi

Have you tried to get information without additional parameters?

Could you send the output of the pandorawmic command to check it?

Thanks
Kind regards

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hi,

yes i did and it works.

I just want to now if by default the pandorawmic tool is using NTLMv2 and if it’s possible to use also kerberos, if so in wich way.

Thank you

[Mario]

Like it

Up

0

Down

Drop it

::

Yes, with pandorawmic the use of NTLMv1 is restricted to SMB version 1 only if NTLMv2 authentication failed or SMB Extended Security is not supported.

We have been checking about kerberos authentication and it is true that the new library used in pandorawmic supports this authentication, but it is not included in the new binary. We are going to check it to include it in next versions.

Thanks
Kind regards

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hi,

during these days i noticed that pandorawmic use of CPU is more intensive than wmic. Don’t you think?

[Mario]

Like it

Up

0

Down

Drop it

::

Hi

We have not experienced that problem at the moment, we will monitor the CPU usage in depth.

Kind regards

[linspec9078]

Like it

Up

0

Down

Drop it

::

Hi All,

is possible that pandorawmic is creating a lot of subdirs like this one under /tmp ?

ls -l /tmp/_MEI77SShW/

totale 10788

-rwx—— 1 root root 786953 6 giu 09.49 base_library.zip

-rwx—— 1 root root 856432 6 giu 09.49 _cffi_backend.cpython-36m-x86_64-linux-gnu.so

drwx—— 8 root root 4096 6 giu 09.49 Cryptodome

drwx—— 2 root root 4096 6 giu 09.49 impacket-0.9.24.dist-info

-rwx—— 1 root root 68192 6 giu 09.49 libbz2.so.1

-rwx—— 1 root root 15856 6 giu 09.49 libcom_err.so.2

-rwx—— 1 root root 2521144 6 giu 09.49 libcrypto.so.10

drwx—— 2 root root 4096 6 giu 09.49 lib-dynload

-rwx—— 1 root root 173320 6 giu 09.49 libexpat.so.1

-rwx—— 1 root root 63088 6 giu 09.49 libffi-d58a691e.so.8.1.0

-rwx—— 1 root root 32328 6 giu 09.49 libffi.so.6

-rwx—— 1 root root 320720 6 giu 09.49 libgssapi_krb5.so.2

-rwx—— 1 root root 210784 6 giu 09.49 libk5crypto.so.3

-rwx—— 1 root root 15688 6 giu 09.49 libkeyutils.so.1

-rwx—— 1 root root 967840 6 giu 09.49 libkrb5.so.3

-rwx—— 1 root root 67104 6 giu 09.49 libkrb5support.so.0

-rwx—— 1 root root 157424 6 giu 09.49 liblzma.so.5

-rwx—— 1 root root 402384 6 giu 09.49 libpcre.so.1

-rwx—— 1 root root 3144192 6 giu 09.49 libpython3.6m.so.1.0

-rwx—— 1 root root 285136 6 giu 09.49 libreadline.so.6

-rwx—— 1 root root 155744 6 giu 09.49 libselinux.so.1

-rwx—— 1 root root 470376 6 giu 09.49 libssl.so.10

-rwx—— 1 root root 174576 6 giu 09.49 libtinfo.so.5

-rwx—— 1 root root 90176 6 giu 09.49 libz.so.1

drwx—— 2 root root 4096 6 giu 09.49 setuptools-59.6.0.dist-info

drwx—— 2 root root 4096 6 giu 09.49 wheel-0.37.1.dist-info

[Mario]

Like it

Up

1

Down

Drop it

::

Hi

It´s true that this folder is created by python, but we have not this files in /tmp folder of our testing environment. Do you have wmi checks not working at this moment in Pandora Server or failing some times with timeouts problems?

We have seen in other occasions with compiled files that can store these files when they do not finish the execution correctly.

Kind regards

[linspec9078]

Like it

Up

0

Down

Drop it

::

ok i will investigate further.

Thank you for the clarification.