Troubleshooting Help Needed | Unable to Discover one specific Windows 10 computer

08-03-2020 06:52 AM
Hello,
I am facing a challenge in discovering a Windows 10 computer. Below are the troubleshooting steps that I have performed so far:
- Ran Ping from the MID server host; it was successful
- Ran Telnet from the MID server host to verify which ports are open:
  - WMI: 135 - Open
  - SSH: 22 - failed
  - VCenter: 443 - failed
  - WinRM: 5985 - Open
  - WBEM: 5989 - Open
  - LDAP: 389 - failed
- Tracert works using the name and the IP; both give the expected results
- Verified the user account stored in ServiceNow credentials is a member of the local administrator's group on the computer
- Used "Test credentials" link within ServiceNow. The test fails. However, I CAN successfully log into Windows 10 directly on the computer via RDP. I do not believe there is an issue with the credentials stored in ServiceNow because they work on hundreds of other devices.
- Verified that WMI is allowed on the local firewall
- Unable to verify WMI connection via PowerShell command (gwmi) from mid server host. Results in "Access is denied"
- Checked with DNS admin and they stated the DNS entry is correct.
- I am able to discover another on the same network segment without any issues.
There is something different about the configuration of this one specific computer that I can't seem to figure out. I was hoping that someone with a little more experience might be able to help me out with the next steps.
Thanks in advance!
--------------------------------------------------------------------------------------------------------
Discovery Log
08-03-2020 09:20:20 AM Warning Authentication failure(s) with available Windows credentials from the instance. WMIRunner (empty) Windows Classify
08-03-2020 09:20:20 AM Warning Active, couldn't classify: No WMI connection, now finished WMIRunner (empty) Windows Classify
---------------------------------------------------------------------------------------------------------
WMIRunner Payload

08-03-2020 03:57 PM
Windows Management Instrumentation (WMI-In) is enabled. Logging was not turned on so I turned it on. I ran a Quick Discovery then checked the log file. Nothing was captured in the firewall log file.
08-03-2020 08:07 PM
You mentioned you were able to RDP to the Windows computer. Initiate an RDP connection to the Windows host from the MID server and see if any traffic is generated in the firewall log file. RDP uses port 3389 and you should see traffic on this port.

08-04-2020 04:14 PM
I rdp'd to target from the MID Server
2020-08-04 18:45:36 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 27341 3389 0 - 0 0 0 - - - RECEIVE
I ran a quick discovery
2020-08-04 19:06:57 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 55796 135 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:06:57 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 55799 5985 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:07:00 ALLOW UDP 10.14.XXX.XXX 10.49.XXX.XXX 58782 137 0 - - - - - - - RECEIVE

08-04-2020 04:21 PM
08-04-2020 04:44 PM
cyndim,
I don't see any responses back to the MID server (path = SEND) in the log file you provided. It is possible the packets may be blocked (action = DROP) as in the following example:
Can you check if you are logging dropped packets? To check, go to Logging->Customize and check if Log dropped packets is set to yes:
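The check discussed in the last two posts (which ports the MID server reached, and whether the log holds any DROP or SEND entries) can be run over the whole firewall log instead of reading it by eye. The following is an added example, not part of any post in this thread; the field order is assumed from the `#Fields:` header Windows Firewall writes to its log, and the DROP line is constructed.

```python
from collections import Counter

# Field order assumed from the "#Fields:" header of the Windows Firewall log;
# it matches the 17 columns of the entries quoted in the thread.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The four entries quoted in the thread (addresses masked by the poster).
THREAD_LINES = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-08-04 18:45:36 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 27341 3389 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:06:57 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 55796 135 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:06:57 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 55799 5985 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:07:00 ALLOW UDP 10.14.XXX.XXX 10.49.XXX.XXX 58782 137 0 - - - - - - - RECEIVE
"""
# Constructed entry (not from the thread): what a logged dropped packet looks like.
CONSTRUCTED_DROP = ("2020-08-04 19:07:01 DROP TCP 10.14.XXX.XXX 10.49.XXX.XXX "
                    "55801 49154 0 - 0 0 0 - - - RECEIVE\n")

def parse(text):
    """Return one dict per log entry, skipping blank, header and malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def summarize(entries):
    """Count entries per (destination port, protocol, action, path)."""
    return Counter((e["dst_port"], e["protocol"], e["action"], e["path"])
                   for e in entries)

def findings(entries):
    """Report what the log does not contain, as raised in the thread."""
    notes = []
    if not any(e["action"] == "DROP" for e in entries):
        notes.append("no DROP entries: check that 'Log dropped packets' is enabled")
    if not any(e["path"] == "SEND" for e in entries):
        notes.append("no SEND entries in the log")
    return notes

if __name__ == "__main__":
    log = parse(THREAD_LINES + CONSTRUCTED_DROP)
    for key, count in sorted(summarize(log).items()):
        print(count, *key)
    print(*findings(log), sep="\n")
```
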