Linux: how do I identify the current transport, authentication, channel and message encryption types of a WinRM deployment?


I am having trouble figuring out which mechanisms are in use in an existing WinRM deployment.

WinRM is configured through a Group Policy Object in a Windows domain and applied to a set of Windows endpoints. It is used both from Linux, via the Python library "pywinrm", and from Windows, via PowerShell remoting.

The GPO lets the WinRM listeners be configured automatically on the Windows hosts. The documentation states that WinRM's default initial authentication mechanism is Kerberos, which is good in a domain environment, and that generating tickets is very hard.

Oddly, even though both HTTP and HTTPS listeners are configured on every Windows endpoint, running tcpdump on the Linux client (where Ansible lives) shows no traffic to tcp 5985 (the target port of the WinRM "HTTP" listener); instead, when Ansible commands are issued against the Windows host, the traffic is directed to the SSL WinRM port (tcp 5986), see below.

Ansible

# Ansible command issued from Ansible client machine (Linux)
ansible -m win_ping --vault-id vault@prompt host.domain.tld

host.tld | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

# Ansible configuration for Windows hosts group on Ansible client machine (Linux)
  ansible_connection: winrm
  ansible_winrm_scheme: https
  ansible_winrm_transport: kerberos
  ansible_winrm_server_cert_validation: ignore
  ansible_winrm_operation_timeout_sec: 60
  ansible_winrm_read_timeout_sec: 70

  ansible_user: user@DOMAIN.TLD
  ansible_password: XXXXXXXXXXXXXXXXXXX
  ansible_port: 5986

Network capture

# Traffic detected here on Ansible client machine (Linux)
tcpdump -vv -i ensXXX dst 10.10.10.10 and dst port 5986

# No traffic visible here on Ansible client machine (Linux)
tcpdump -vv -i ensXXX dst 10.10.10.10 and dst port 5985

On the WinRM side, the configuration is as follows:

WinRM service configuration

# Global service configuration (Windows endpoint)
winrm get winrm/config/Service

Service
    RootSDDL = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    MaxConcurrentOperations = 4294967295
    MaxConcurrentOperationsPerUser = 1500
    EnumerationTimeoutms = 240000
    MaxConnections = 300
    MaxPacketRetrievalTimeSeconds = 120
    AllowUnencrypted = false [Source="GPO"]
    Auth
        Basic = true [Source="GPO"]
        Kerberos = true
        Negotiate = true
        Certificate = false
        CredSSP = true [Source="GPO"]
        CbtHardeningLevel = Relaxed
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    IPv4Filter = * [Source="GPO"]
    IPv6Filter [Source="GPO"]
    EnableCompatibilityHttpListener = false [Source="GPO"]
    EnableCompatibilityHttpsListener = false
    CertificateThumbprint
    AllowRemoteAccess = true [Source="GPO"]
WinRM listeners

# winrm listener configuration (Windows endpoint)
winrm enumerate winrm/config/listener

Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 10.10.10.10

Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = HOST.TLD
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ListeningOn = 127.0.0.1, 10.10.10.10
On the other hand, I have a Django-based web application that relies on pywinrm to query Windows hosts from a Linux server, and this time the WinRM traffic appears to be directed to the non-SSL TCP port 5985 on the Windows endpoint:

Django application

# Code extract (Django application, Linux)
import json
import winrm

# self.server, self.principal, self.password and self.transport are set elsewhere in the class;
# the target is passed to pywinrm as-is, so scheme and port come from whatever self.server contains
winrm_session = winrm.Session(self.server, auth=(self.principal, self.password), transport=self.transport, server_cert_validation='ignore')
command = "gci"
run_ps = winrm_session.run_ps(command)
# std_out is bytes; re-decode it before handing the JSON document it carries to json.loads
winrm_output = run_ps.std_out.decode('unicode-escape').encode('utf8')
winrm_output_json = json.loads(winrm_output)

Network capture

# No traffic visible here on Django client machine (Linux) 
tcpdump -vv -i ensXXX dst 10.10.10.11 and dst port 5986

# Traffic visible here on Django client machine (Linux) 
tcpdump -vv -i ensXXX dst 10.10.10.11 and dst port 5985
Why is the WinRM traffic directed to TCP port 5986 (SSL) in one case and TCP port 5985 in the other, even though Kerberos is used for the initial authentication and later for message transport? How can I determine the authentication, transport, etc. used for a particular WinRM query?

I found the difference between the WinRM traffic coming from Ansible and the WinRM traffic coming from Django/pywinrm while troubleshooting a firewall rule that appears to block WinRM queries depending on whether they come from Ansible or from Django/pywinrm.
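On the Linux side, a plaintext capture on tcp 5985 answers the question directly from the HTTP headers: the Authorization scheme (and the first bytes of its token) say whether Basic, NTLM or Kerberos authenticated the request, and a multipart/encrypted Content-Type with an MS-WSMV protocol identifier says which mechanism wraps the SOAP body. On tcp 5986 only TLS records are visible, so those headers are not observable without the session keys. The script below is an added example for this question, not code from the question, from pywinrm or from Ansible. It classifies a captured request on those two headers and also mirrors how a pywinrm Session turns a target string into a URL, which is why a bare hostname ends up on http://host:5985/wsman unless a scheme, port or transport="ssl" says otherwise. Assumptions: the protocol identifier strings are the ones pywinrm emits per MS-WSMV; the URL-building rule reproduces pywinrm's Session._build_url as I read it; the sample request and tokens are constructed, not captured.

```python
"""Tell what a WinRM request on the wire used: auth scheme, message-level
encryption, and the endpoint pywinrm picks for a given target string.

Added example for this question; not code from the question, pywinrm or
Ansible.  The sample request and tokens below are constructed, and the
protocol identifiers and pywinrm URL defaults are assumptions (see lead-in).
"""
import base64
import re

# A GSS-API InitialContextToken (RFC 2743 3.1) is tagged [APPLICATION 0] = 0x60;
# an SPNEGO/Kerberos "Authorization: Negotiate" token therefore begins with 0x60,
# whereas a raw NTLM token begins with the NTLMSSP signature.
GSSAPI_TAG = 0x60
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# protocol= identifiers used in a multipart/encrypted Content-Type (MS-WSMV 2.2.9.1),
# as pywinrm emits them for each transport (assumed from its encryption module).
ENCRYPTION_PROTOCOLS = {
    "application/HTTP-Kerberos-session-encrypted": "kerberos",
    "application/HTTP-SPNEGO-session-encrypted": "ntlm",
    "application/HTTP-CredSSP-session-encrypted": "credssp",
}

# Constructed tokens: a GSS-API header carrying the Kerberos 5 OID, an NTLM
# NEGOTIATE_MESSAGE header, and a Basic credential.  None are real secrets.
KRB_TOKEN = base64.b64encode(b"\x60\x0b\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02").decode()
NTLM_TOKEN = base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
BASIC_TOKEN = base64.b64encode(b"user@DOMAIN.TLD:password").decode()

# Constructed request of the kind pywinrm (transport="kerberos") sends to the
# HTTP listener after the initial 401: SPNEGO header, Kerberos-wrapped body.
SAMPLE_PYWINRM_5985 = "\r\n".join([
    "POST /wsman HTTP/1.1",
    "Host: host.tld:5985",
    f"Authorization: Negotiate {KRB_TOKEN}",
    'Content-Type: multipart/encrypted;protocol="application/HTTP-Kerberos-session-encrypted";'
    'boundary="Encrypted Boundary"',
    "",
    "--Encrypted Boundary",
    "...",
]) + "\r\n"


def parse_headers(raw):
    """Return the request headers as a dict keyed by lowercased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_auth(authorization):
    """Map an Authorization header to basic / ntlm / kerberos / credssp."""
    scheme, _, token = authorization.partition(" ")
    scheme = scheme.strip().lower()
    if scheme in ("basic", "credssp"):
        return scheme
    if scheme in ("negotiate", "kerberos", "ntlm"):
        try:
            blob = base64.b64decode(token.strip())
        except ValueError:                 # binascii.Error is a ValueError
            return scheme
        if blob.startswith(NTLMSSP_SIGNATURE):
            return "ntlm"                  # NTLM even though the scheme says Negotiate
        if blob and blob[0] == GSSAPI_TAG:
            return "kerberos"              # GSS-API/SPNEGO initial context token
        return scheme
    return "unknown"


def classify_message_encryption(content_type):
    """Map a Content-Type to the message-level wrapping in use, or 'none'."""
    ct = content_type.lower()
    if ct.startswith("multipart/encrypted"):
        m = re.search(r'protocol="([^"]+)"', content_type)
        return ENCRYPTION_PROTOCOLS.get(m.group(1), "unknown") if m else "unknown"
    if "soap+xml" in ct:
        return "none"                      # plain SOAP body; only sane inside TLS (5986)
    return "unknown"


def classify_request(raw, dst_port):
    """Summarise one request from a plaintext capture.  On tcp 5986 only TLS
    records are visible, so call this on 5985 traffic (or decrypted TLS)."""
    headers = parse_headers(raw)
    auth = headers.get("authorization")
    return {
        "transport": "https" if dst_port == 5986 else "http",
        # the first request carries no Authorization header; the real one
        # follows the server's 401 + WWW-Authenticate
        "auth": classify_auth(auth) if auth else "none-yet",
        "message_encryption": classify_message_encryption(headers.get("content-type", "")),
    }


def pywinrm_endpoint(target, transport):
    """Endpoint a pywinrm Session would use for `target`, mirroring its
    Session._build_url as I read it (assumption): without a scheme or port,
    a bare hostname becomes http://host:5985/wsman unless transport == "ssl"."""
    m = re.match(r"(?i)^((?P<scheme>https?)://)?(?P<host>[0-9a-z\-_.]+)(:(?P<port>\d+))?", target)
    scheme = (m.group("scheme") or ("https" if transport == "ssl" else "http")).lower()
    port = m.group("port") or ("5986" if transport == "ssl" else "5985")
    return f"{scheme}://{m.group('host')}:{port}/wsman"


if __name__ == "__main__":
    print(classify_request(SAMPLE_PYWINRM_5985, 5985))
    print(pywinrm_endpoint("host.tld", "kerberos"))   # bare hostname, as in the Django code extract
```

To use it on real traffic, pull the request head out of a 5985 capture (tcpdump -A or tshark -V on the Django client) and pass it to classify_request; the Ansible traffic on 5986 shows only a TLS handshake in the same capture, which is consistent with ansible_winrm_scheme: https and ansible_port: 5986 in the inventory, while the pywinrm Session in the Django extract receives only self.server and therefore gets pywinrm's http/5985 default unless that string already carries a scheme or port.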