Troubleshooting Help Needed | Unable to Discover one specific Windows 10 computer

cynlink1
Tera Expert

Hello,

I am facing a challenge in discovering a Windows 10 computer. Below are the troubleshooting steps that I have performed so far:

- Ran ping from the MID server host: successful

- Ran telnet from the MID server host to verify which ports are open:

    WMI: 135 - open
    SSH: 22 - failed
    vCenter: 443 - failed
    WinRM: 5985 - open
    WBEM: 5989 - open
    LDAP: 389 - failed

- Ran tracert using both the name and the IP; both give the expected results

- Verified that the user account stored in the ServiceNow credentials is a member of the local Administrators group on the computer

- Used the "Test credentials" link within ServiceNow. The test fails. However, I CAN successfully log into Windows 10 directly on the computer via RDP. I do not believe there is an issue with the credentials stored in ServiceNow, because they work on hundreds of other devices.

- Verified that WMI is allowed through the local firewall

- Unable to verify the WMI connection via the PowerShell command (gwmi) from the MID server host; it results in "Access is denied"

- Checked with the DNS admin, who stated the DNS entry is correct.

- I am able to discover another computer on the same network segment without any issues.

There is something different about the configuration of this one specific computer that I can't seem to figure out. I was hoping that someone with a little more experience might be able to help me out with the next steps.

Thanks in advance!

--------------------------------------------------------------------------------------------------------

Discovery Log

08-03-2020 09:20:20 AM Warning Authentication failure(s) with available Windows credentials from the instance. WMIRunner (empty) Windows Classify

08-03-2020 09:20:20 AM Warning Active, couldn't classify: No WMI connection, now finished WMIRunner (empty) Windows Classify

---------------------------------------------------------------------------------------------------------

WMIRunner Payload

<results probe_time="7016" result_code="1">
<result>
<error>Authentication failure(s) with available Windows credentials from the instance.</error>
<debug_info>{"debug_info":[{"xx.xx.xxx.xxx":{"credentials_attempted":[{"credential_type":"Windows","credential_name":"Windows OS Credential","credential_matches_affinity":true,"credential_order":"100","credential_success":false,"credential_id":"abced9b68db2ef64071f7d92b5e961xxx"},{"credential_type":"Windows","credential_name":"Windows OS Credential 2","credential_matches_affinity":false,"credential_order":"200","credential_success":false,"credential_id":"def53247db184c14615b3ebf9d96xxx"}],"connection_parameters":{"affinity_credential_id":"a0ed9b68db2ef64071f7d92b5e961900","credential_types":["Windows"],"target":"xx.xx.xxx.xxx"}}}]}</debug_info>
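To run the checks listed in the post from the MID server host in a single pass, here is an added PowerShell script; it is not part of the original post and not ServiceNow's MID server code. It probes the same ports the poster tried with telnet, then runs the gwmi query with an explicit credential and decodes the HRESULT, which separates "the packet never reached WMI" from "WMI refused the account". The target name, the credential prompt and the port list are assumptions.

```powershell
# Added example, not from the original post or from ServiceNow's MID server code.
# Requires Windows PowerShell 5.1 (Get-WmiObject was removed in PowerShell 7; there,
# New-CimSession -SessionOption (New-CimSessionOption -Protocol Dcom) is the replacement).
param(
    [string]$Target = 'win10-host.corp.example',   # assumed; use the CI's FQDN or IP
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential -Message 'Windows OS Credential')
)

# Same ports the poster probed with telnet, in the same order.
$ports = [ordered]@{
    'WMI (RPC endpoint mapper)' = 135
    'SSH'                       = 22
    'vCenter (HTTPS)'           = 443
    'WinRM (HTTP)'              = 5985
    'WBEM (CIM-XML)'            = 5989
    'LDAP'                      = 389
}
foreach ($name in $ports.Keys) {
    $open = (Test-NetConnection -ComputerName $Target -Port $ports[$name] `
             -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-26} {1,5} : {2}' -f $name, $ports[$name], $(if ($open) { 'Open' } else { 'failed' })
}

# A reachable 135 plus "Access is denied" on the query means the request reached WMI and the
# host refused the account, so the fault is on the authentication/authorization path rather
# than the network: local Administrators membership, UAC remote token filtering for a local
# (non-domain) account, DCOM launch/activation permissions, or the WMI namespace security.
# "RPC server unavailable" instead points at 135 or the dynamic DCOM port range (49152-65535
# by default) being filtered, or at the name resolving to the wrong address.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target `
          -Credential $Credential -ErrorAction Stop
    'WMI OK: {0} on {1}' -f $os.Caption, $os.CSName
} catch {
    # HResult is a negative Int32; X8 formatting prints it as the familiar 8-digit hex code.
    $code = '{0:X8}' -f $_.Exception.HResult
    switch ($code) {
        '80070005' { "WMI: Access is denied (E_ACCESSDENIED) for $($Credential.UserName) - check the account and DCOM/WMI permissions, not the firewall" }
        '800706BA' { 'WMI: RPC server unavailable (RPC_S_SERVER_UNAVAILABLE) - port 135 or the dynamic DCOM ports are filtered, or the name resolves to the wrong host' }
        default    { "WMI failed: 0x$code $($_.Exception.Message)" }
    }
}
```

Run it from an interactive session on the MID server host as the account that Discovery uses, so the credential prompt receives the same "Windows OS Credential" that the payload shows being attempted.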

Windows Management Instrumentation (WMI-In) is enabled. Logging was not turned on, so I turned it on. I ran a Quick Discovery and then checked the log file. Nothing was captured in the firewall log file.

You mentioned you were able to RDP to the Windows computer. Initiate an RDP connection to the Windows host from the MID server and see if any traffic is generated in the firewall log file. RDP uses port 3389, and you should see traffic on this port.

I RDP'd to the target from the MID Server:

2020-08-04 18:45:36 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 27341 3389 0 - 0 0 0 - - - RECEIVE

I ran a Quick Discovery:

2020-08-04 19:06:57 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 55796 135 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:06:57 ALLOW TCP 10.14.XXX.XXX 10.49.XXX.XXX 55799 5985 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:07:00 ALLOW UDP 10.14.XXX.XXX 10.49.XXX.XXX 58782 137 0 - - - - - - - RECEIVE

cyndim,

I don't see any responses back to the MID server (path = SEND) in the log file you provided. It is possible the packets may be blocked (action = DROP), as in the following example:

[screenshot: example firewall log entries with action = DROP]

Can you check if you are logging dropped packets? To check, go to Logging -> Customize and check whether "Log dropped packets" is set to Yes:

[screenshot: Windows Firewall logging settings dialog with the "Log dropped packets" option]
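The check in the reply above, done from PowerShell on the Windows 10 target instead of the firewall GUI, as an added example that is not part of the thread: it reads the per-profile logging state (LogBlocked is the "Log dropped packets" setting), optionally turns it on, and parses pfirewall.log so that traffic to and from the MID server is summarised by path (RECEIVE/SEND) and action (ALLOW/DROP). The MID server address and the sample log lines are constructed; the ALLOW lines mirror the poster's, and the DROP/SEND line is the kind of reply that only shows up once dropped-packet logging is enabled.

```powershell
# Added example, not from the thread. Assumes the MID server address below; the sample
# lines are constructed from the poster's entries with placeholder addresses.
param(
    [string]$MidServerIp = '10.14.0.10',   # assumed MID server address
    [switch]$EnableDroppedLogging          # sets "Log dropped packets" on all profiles (elevated shell)
)

# 1. Current logging state. With LogBlocked = False no DROP line is ever written, so an
#    empty log says nothing about whether replies to the MID server are being blocked.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogAllowed, LogBlocked, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

if ($EnableDroppedLogging) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
}

# 2. Parser. Column order is the one the firewall writes in its own '#Fields:' header.
function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    $fields = 'Date','Time','Action','Protocol','SrcIp','DstIp','SrcPort','DstPort','Size',
              'TcpFlags','TcpSyn','TcpAck','TcpWin','IcmpType','IcmpCode','Info','Path'
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }           # header, comments, blank lines
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt $fields.Count) { continue }      # truncated line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
        [pscustomobject]$row
    }
}

# 3. One row per (Path, Action) for packets involving the MID server, with the ports seen.
function Get-MidServerTraffic {
    param([string[]]$Lines, [string]$MidIp)
    ConvertFrom-PfirewallLog $Lines |
        Where-Object { $_.SrcIp -eq $MidIp -or $_.DstIp -eq $MidIp } |
        Group-Object Path, Action |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.Group[0].Path
                Action = $_.Group[0].Action
                Count  = $_.Count
                Ports  = ($_.Group | ForEach-Object { "$($_.Protocol)/$($_.DstPort)" } |
                          Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample: the poster's ALLOW/RECEIVE lines with placeholder addresses, plus a
# DROP/SEND reply from the target back to the MID server's source port.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-08-04 19:06:57 ALLOW TCP 10.14.0.10 10.49.0.20 55796 135 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:06:57 ALLOW TCP 10.14.0.10 10.49.0.20 55799 5985 0 - 0 0 0 - - - RECEIVE
2020-08-04 19:07:00 ALLOW UDP 10.14.0.10 10.49.0.20 58782 137 0 - - - - - - - RECEIVE
2020-08-04 19:06:58 DROP TCP 10.49.0.20 10.14.0.10 49670 55796 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

# To analyse the live log instead of the sample, read the file named by the profile:
#   $logFile = (Get-NetFirewallProfile -Name Domain).LogFileName -replace '%systemroot%', $env:SystemRoot
#   Get-MidServerTraffic -Lines (Get-Content $logFile) -MidIp $MidServerIp
Get-MidServerTraffic -Lines $sample -MidIp $MidServerIp | Format-Table -AutoSize
```

A RECEIVE/ALLOW row for 135 together with a SEND/DROP row whose destination port matches the MID server's source port is exactly the pattern the reply is looking for: the request got in, and the answer was dropped on the way out.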