
I have a problem understanding remote WMI traffic.

Let's say I have two PCs in a LAN (PC-A and PC-B).

From PC-A I type in CMD: `wmic /node:"PC-B" /user:"B" /password:"whatever" computersystem get "name"`

There now should be traffic inside the LAN between the two PCs, and the answer to that query should be sent back to PC-A, from PC-B.

I tried using Wireshark, but the traffic is too overwhelming for me.

As of right now, my understanding of what goes on is this (I barely understand it):

  1. LLMNR/mDNS trying to resolve the node parameter (the PC's name inside the LAN)
  2. TCP 3-way handshake over port 135 (of PC-B)
  3. What happens next is completely beyond my understanding; I think it should go like:
    • DCOM (establishing something) over port 135
    • DCOM, session moved to a different port

I'm completely clueless... I am having trouble finding useful information.

I'm thankful for any of you who can share knowledge with me.

Edit:

This is the PCAP file: https://drive.google.com/file/d/1FpvNujHlAIsY2aXxZdB0uGZd6RC4islm/view?usp=sharing

Kfir
  • Welcome to Stack Overflow! Stack Overflow is for programming questions. It looks like you are using windows `cmd` and are troubleshooting WMI - Why not post in a sister site like serverfault.com or superuser.com instead? – Ross Jacobs Apr 07 '20 at 20:11
  • It's a good idea! I wasn't aware of those sites..xD Thank you for pointing that out :) Imma go ahead and post my question on those two sites as well. – Kfir Apr 07 '20 at 20:17
  • Too bad I can only post once every 40 minutes.. :) Is there a way I can share this question in serverfault.com and superuser.com without posting it again in those two sites? I don't want to be turned out as a spammer :) – Kfir Apr 07 '20 at 20:25
  • No. Please create separate posts on those websites. – Ross Jacobs Apr 07 '20 at 20:26
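The sequence the question is reaching for is: the client connects to TCP 135 on the target (the RPC endpoint mapper port, where the DCOM activation request is sent), the response carries the dynamic TCP port on which the WMI service's DCOM object is listening, and the client then opens a second TCP connection to that port, which is where the actual WMI query and its answer travel. The script below is an added example (not code from the question or its author) that correlates those two connections from flow records and produces a Wireshark display filter that isolates just that session, which is the usual way to cut the capture down to the interesting packets. The `Flow` records, the IP addresses and the 49152-65535 dynamic port range are assumptions/constructed sample data; in practice the records would come from a tool such as Zeek's `conn.log` or a `tshark` export.

```python
"""Correlate an RPC endpoint-mapper (TCP 135) connection with the follow-on
dynamic-port connection that a remote WMI/DCOM session opens, then build a
Wireshark display filter for that session.

Added example; the flow records below are constructed, not taken from the
question's PCAP.
"""
from dataclasses import dataclass
from typing import List

EPM_PORT = 135                       # RPC endpoint mapper / DCOM activation
DYNAMIC_PORTS = range(49152, 65536)  # assumed default Windows dynamic range
MAX_GAP_SECONDS = 5.0                # activation and follow-on connect are close in time


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt: start time, source IP, destination IP, destination port."""
    ts: float
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DcomSession:
    client: str
    server: str
    epm_ts: float
    dcom_port: int


def correlate_dcom_sessions(flows: List[Flow]) -> List[DcomSession]:
    """Pair each client->server:135 connection with the first connection from the
    same client to a dynamic port on the same server within MAX_GAP_SECONDS."""
    ordered = sorted(flows, key=lambda f: f.ts)
    sessions: List[DcomSession] = []
    for i, epm in enumerate(ordered):
        if epm.dport != EPM_PORT:
            continue
        for follow in ordered[i + 1:]:
            if follow.ts - epm.ts > MAX_GAP_SECONDS:
                break  # later flows are even further away; stop looking
            if (follow.src == epm.src and follow.dst == epm.dst
                    and follow.dport in DYNAMIC_PORTS):
                sessions.append(DcomSession(epm.src, epm.dst, epm.ts, follow.dport))
                break
    return sessions


def wireshark_filter(session: DcomSession) -> str:
    """Display filter that keeps only the endpoint-mapper and DCOM connections
    between the two hosts of one session."""
    return (f"ip.addr == {session.client} && ip.addr == {session.server} && "
            f"(tcp.port == {EPM_PORT} || tcp.port == {session.dcom_port})")


# Constructed sample: PC-A (10.0.0.11) queries PC-B (10.0.0.22); an unrelated
# SMB connection and an endpoint-mapper lookup with no timely follow-on are noise.
SAMPLE_FLOWS = [
    Flow(0.00, "10.0.0.11", "10.0.0.22", 135),
    Flow(0.30, "10.0.0.11", "10.0.0.22", 49670),
    Flow(0.50, "10.0.0.33", "10.0.0.22", 445),
    Flow(10.0, "10.0.0.11", "10.0.0.44", 135),
    Flow(20.0, "10.0.0.11", "10.0.0.44", 49800),
]

if __name__ == "__main__":
    for s in correlate_dcom_sessions(SAMPLE_FLOWS):
        print(f"{s.client} -> {s.server}: DCOM on port {s.dcom_port}")
        print("  filter:", wireshark_filter(s))
```

Only the pairing that happens within the time window is reported, so the stray endpoint-mapper connection at t=10 with a follow-on ten seconds later is ignored; tighten or loosen `MAX_GAP_SECONDS` to match how busy the capture is. The same correlation, run over connection logs rather than a single capture, is also a simple way to spot remote WMI sessions on hosts where none are expected.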

0 Answers