Hi - look at the returned (inbound) payloads of the ECC queue for clues. After shazzam phase its likely finding a given IP is windows (WMI port 135). It then needs to classify the IP to figure out what version of windows (2012, 2016, etc.). The inbound response from the target during classification should (must) match 1 of the identifiers for the subsequent phases to kick off and explore deeper.
The inbound responses to the ecc queue might yield some clues. Classifiers are defined under CI Classification... and the criteria is unique to each one, which helps Disco figure out exactly what windows is running on a given IP.
Hope this helps?
What is typically expected to come back from the WMI classifier?
As you guessed, Shazzam seems to find that port 135 is open:
<scanner name="GenericTCP" port="135" portprobe="wmi" protocol="tcp" result="open" service="epmap"/>If I go in and look at the XML on the ECC queue input, it doesn't seem like anything is actually getting returned from the machine in question. Maybe I need to post the XML or see what an expected response should include. I would like to think WMI is working properly; I've used the WMI tester on a few other machines around the office and it seems to return all the objects.
well the WMI input response shoud have some basic info about the OS... something like Windows 2012, etc.. which the classifer uses to make decisions of what probes to launch next
my gut, based on your screen shot is that perhaps there is a permissions problem. because the input phase of WMI classify doesn't have the typical amount of nodes in paraen's ... something like:
your example has no nodes. look at that input payload... you should either A) see something about the windows box or B) see some type of message/error/hint...
Hope that helps?
