This article describes how to use Network Monitor 3.0 to troubleshoot an error in a remote script. It was originally published on WindowsNetworking.com.
In the previous article, "Fixing a Mysterious Error: Managing Windows Networks Using Scripts", we began troubleshooting a mysterious error that occurred when we tried to use ChangeIPAddress.vbs, a script we had developed, to remotely change the IP address of an XP host. The error looked like this:
SWbemObjectEx: The remote procedure call failed
In the previous article I mentioned that I had contacted some scripting gurus about this error, and the best answer I received was that a hotfix might have broken WMI functionality, so that the script did its work remotely but still produced an error.
But then a sharp reader contacted me with this comment:
"In my opinion this isn't an error caused by any hotfix. Remember that you're changing XP2's IP address. The remote procedure call failed because it lost its connection to XP2 at the original IP address (172.16.11.43). It then spent some time (about a minute) looking for XP2 at the new IP address (172.16.11.65) before finally giving up."
"Imagine you Telnet into a server as administrator and then change the server's IP address. Will you lose the connection to the server? It will hang for a while, which is the same thing our script experiences. But changing the server's default gateway won't break an existing (Telnet) connection (assuming you're on the same subnet). If you tried to change the default gateway from a remote location, you should experience the same delay."
Exactly right! How can we test this explanation?
Using Network Monitor 3.0
Microsoft recently released a new version of Network Monitor, the packet sniffing tool that was included as part of Microsoft Systems Management Server. Network Monitor 3.0 has several improvements over earlier versions, including:
- A new, improved user interface that can display frames as they are being captured in real time;
- Multiple concurrent capture sessions and concurrent capture on multiple network adapters;
- The ability to display network "conversations", that is, sessions of a particular protocol;
- Support for Vista, Windows XP and Windows Server 2003, on both 32-bit and 64-bit platforms;
- A new filter pane that supports manually specified filter rules.
For more information on Network Monitor 3.0, see Paul Long's blog on TechNet.
So here is my plan. I will capture a network trace using NM3 on the host that runs the ChangeIPAddress.vbs script. My test setup is as follows:
- Administrator workstation: name test124.test.com, IP address 172.16.11.124 (static)
- Target machine: name test125.test.com, IP address 172.16.11.125 (static)
- Domain controller: name dc181.test.com, IP address 172.16.11.181
But before I try running ChangeIPAddress.vbs on test124 to change test125's IP address, let's take a quick look at NM3.
When you start NM3, its interface looks like this (Figure 1):
Figure 1: Network Monitor 3.0 start page
Before going further, let's select the "Enable Conversations" check box so that we can browse the conversations of each protocol that appears in our trace.
Now click "Create A New Capture Tab". A new tab named "Capture1" opens, which we can use to create our network trace (Figure 2):
Figure 2: Opening a new capture tab
Now let me test a few simple features of NM3. We'll click the "Play" button to start a capture, then open a command prompt on host test124 and type "ping 172.16.11.125", pinging host test125 from host test124. The result looks like this (Figure 3):
Figure 3: Trace of pinging 172.16.11.125
This is what we expected: two ARP packets (an ARP request and an ARP response), followed by a series of ICMP packets (Echo Request and Echo Reply messages). If you know basic TCP/IP networking, this is easy to understand.
Let's look at the "conversations" that took place. Expanding the "My Traffic" node displays them, as shown in Figure 4:
Figure 4: Displaying conversations
Note that two conversations took place: ARP and IPv4 (ICMP). Again, if you know basic TCP/IP networking, this is easy to understand.
Now let's select the ARP request packet and examine its contents (Figure 5):
Figure 5: Examining a packet
That's a quick introduction to NM3 (it can do much more). Let's try using it to troubleshoot our mysterious error.
Capturing the trace
I'll start by rebooting both workstations to clear all caches (ARP, DNS and so on). Then I'll open a command prompt on test124 and type "ChangeIPAddress.vbs 172.16.11.144" to change test125's IP address from 172.16.11.125 to 172.16.11.144. (I have hard-coded the target computer test125 into the script.) Here is the result (Figure 6):
Figure 6: Result of running ChangeIPAddress.vbs 172.16.11.144
Here is an overview of what happened: the capture lasted a total of 90 seconds and captured 274 frames. The error message appeared at frame 241, and the command prompt returned at frame 274. (I know this because I was watching the command-line output while the trace was being captured.) That's a lot of traffic to analyze! Looking at Figure 6 above, we can at least begin to analyze it:
- Frames 3-4 show the host name TEST125 being resolved by DNS to the IP address 172.16.11.125.
- Frames 5-6 show the IP address 172.16.11.125 being resolved by ARP to a MAC address.
- Frames 7-9 show a three-way TCP handshake (SYN, SYN/ACK, ACK) between test124 and test125.
- Frames 10-11 show an RPC binding being established between the two hosts.
- Frames 12-13 show DCOM being used over RPC (WMI uses DCOM to handle remote calls).
...and so on.
Obviously we can't show all 274 frames in a figure, so I copied the Frame Summary information into a text file. (I also saved the capture as a .cap file.) You can click this link (Frame Summary) to see the result of running ChangeIPAddress.vbs.
Pretty hard to read, isn't it? How can we make sense of what this capture is telling us?
When troubleshooting, it's best to start from what you understand rather than from what you don't. And we know that the other script we developed in the previous article (ChangeGateway.vbs) works fine and doesn't produce any error message. So before we dig into ChangeIPAddress.txt, let's reboot our workstations and perform another capture, this time showing the result of running the command "ChangeGateway.vbs 172.16.11.2 1" on test124, which changes test125's default gateway from 172.16.11.1 to 172.16.11.2 (with a hop count of 1). Here is the result of the second capture (Figure 7):
Figure 7: Result of running "ChangeGateway.vbs 172.16.11.2 1"
You can see from the Frame Summary that this time there are only 217 frames to analyze.
Analyzing the ChangeGateway.vbs capture
Let's try to analyze the second capture (the one that runs without any error) by breaking the Frame Summary into chunks, as follows:
1 0.000000 NetmonFilter NetmonFilter: Updated Capture Filter: None
2 0.000000 NetworkInfo NetworkInfo: Network info for TEST124, Network Adapter Count = 1
This is just NM3 header information and can be ignored.
3 0.000000 {DNS:3, UDP:2, IPv4:1} 172.16.11.124 dc181.test.local DNS DNS: QueryId = 0x4275, QUERY (Standard query), Query for 124.11.16.172.in-addr.arpa of type SOA on class Internet
4 1.281250 {ARP:4} 172.16.11.181 172.16.11.1 ARP ARP: Request, 172.16.11.181 asks for 172.16.11.1
5 1.890625 {DNS:6, UDP:5, IPv4:1} 172.16.11.124 dc181.test.local DNS DNS: QueryId = 0xEB6E, QUERY (Standard query), Query for test125.test.local of type Host Addr on class Internet
6 1.890625 {DNS:6, UDP:5, IPv4:1} dc181.test.local 172.16.11.124 DNS DNS: QueryId = 0xEB6E, QUERY (Standard query), Response - Success
7 1.906250 {ARP:7} 172.16.11.124 172.16.11.125 ARP ARP: Request, 172.16.11.124 asks for 172.16.11.125
8 1.906250 {ARP:7} 172.16.11.125 172.16.11.124 ARP ARP: Response, 172.16.11.125 at 00-11-D8-E3-EC-84
This is name and address resolution (DNS and ARP).
9 1.906250 {TCP:9, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=.S......, SrcPort=1069, DstPort=DCE endpoint resolution(135), Len=0, Seq=1441244938, Ack=0, Win=65535 (scale factor 0) = 65535
10 1.906250 {TCP:9, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: Flags=.S..A..., SrcPort=DCE endpoint resolution(135), DstPort=1069, Len=0, Seq=871910569, Ack=1441244939, Win=65535 (scale factor 0) = 65535
11 1.906250 {TCP:9, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1069, DstPort=DCE endpoint resolution(135), Len=0, Seq=1441244939, Ack=871910570, Win=65535 (scale factor 0) = 65535
Test124 has just established a TCP connection with Test125.
12 1.906250 {MSRPC:10, TCP:9, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Bind: UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} DCOM-IObjectExporter Call=0x1 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
13 1.906250 {MSRPC:10, TCP:9, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Bind Ack: Call=0x1 Assoc Grp=0x32E9 Xmit=0x16D0 Recv=0x16D0
14 1.906250 {MSRPC:10, TCP:9, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
15 1.906250 {MSRPC:10, TCP:9, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
Test124 establishes an RPC binding with Test125 and invokes DCOM.
Tip: If you have trouble understanding the RPC portion of this trace, see KB 159258 for help.
16 1.921875 {TCP:11, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=.S......, SrcPort=1070, DstPort=DCE endpoint resolution(135), Len=0, Seq=3003512395, Ack=0, Win=65535 (scale factor 0) = 65535
17 1.921875 {TCP:11, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: Flags=.S..A..., SrcPort=DCE endpoint resolution(135), DstPort=1070, Len=0, Seq=4088700167, Ack=3003512396, Win=65535 (scale factor 0) = 65535
18 1.921875 {TCP:11, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1070, DstPort=DCE endpoint resolution(135), Len=0, Seq=3003512396, Ack=4088700168, Win=65535 (scale factor 0) = 65535
This is another TCP three-way handshake between the hosts.
19 1.921875 {UDP:12, IPv4:1} 172.16.11.124 dc181.test.local KerberosV5 KerberosV5: TGS Request Realm: TEST.LOCAL Sname: RPCSS/test125.test.local
20 1.921875 {UDP:12, IPv4:1} dc181.test.local 172.16.11.124 KerberosV5 KerberosV5: TGS Response Cname: Administrator
Kerberos authentication (both hosts are domain-joined).
21 1.921875 {MSRPC:13, TCP:11, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Bind: UUID{000001A0-0000-0000-C000-000000000046} DCOM-IRemoteSCMActivator Call=0x2 Assoc Grp=0x32E9 Xmit=0x16D0 Recv=0x16D0
22 1.921875 {ARP:14} 172.16.11.181 172.16.11.125 ARP ARP: Request, 172.16.11.181 asks for 172.16.11.125
23 1.921875 {MSRPC:13, TCP:11, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Bind Ack: Call=0x2 Assoc Grp=0x32E9 Xmit=0x16D0 Recv=0x16D0
24 1.921875 {MSRPC:13, TCP:11, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{000001A0-0000-0000-C000-000000000046} DCOM-IRemoteSCMActivator Call=0x2
25 1.921875 {MSRPC:13, TCP:11, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Alter Cont Resp: Call=0x2 Assoc Grp=0x32E9 Xmit=0x16D0 Recv=0x16D0
26 1.921875 {MSRPC:13, TCP:11, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
27 1.937500 {MSRPC:13, TCP:11, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
More RPC and DCOM. I think "Alter Cont" means an alternate context is being used, but I can't guarantee it. (It is in fact the DCE RPC alter_context request, which negotiates an additional presentation context, that is, another interface UUID, over the existing binding.) In any case, since the script worked without producing any error, everything here must be OK.
28 1.937500 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=.S......, SrcPort=1072, DstPort=1117, Len=0, Seq=3011418470, Ack=0, Win=65535 (scale factor 0) = 65535
29 1.937500 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: Flags=.S..A..., SrcPort=1117, DstPort=1072, Len=0, Seq=554832695, Ack=3011418471, Win=65535 (scale factor 0) = 65535
30 1.937500 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1072, DstPort=1117, Len=0, Seq=3011418471, Ack=554832696, Win=65535 (scale factor 0) = 65535
Here is another TCP handshake.
31 1.937500 {UDP:16, IPv4:1} 172.16.11.124 dc181.test.local KerberosV5 KerberosV5: TGS Request Realm: TEST.LOCAL Sname: TEST125$
32 1.937500 {UDP:16, IPv4:1} dc181.test.local 172.16.11.124 KerberosV5 KerberosV5: TGS Response Cname: Administrator
More Kerberos traffic.
33 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Bind: UUID{00000143-0000-0000-C000-000000000046} DCOM-IRemUnknown2 Call=0x1 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
34 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Bind Ack: Call=0x1 Assoc Grp=0x333D Xmit=0x16D0 Recv=0x16D0
35 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{00000143-0000-0000-C000-000000000046} DCOM-IRemUnknown2 Call=0x1
36 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Alter Cont Resp: Call=0x1 Assoc Grp=0x333D Xmit=0x16D0 Recv=0x16D0
37 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
38 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
39 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{D4781CD6-E5D3-44DF-AD94-930EFE48A887} WMI-IWbemLoginClientID Call=0x2
40 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Alter Cont Resp: Call=0x2 Assoc Grp=0x333D Xmit=0x16D0 Recv=0x16D0
41 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
42 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
43 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{F309AD18-D86A-11D0-A075-00C04FB68820} WMI-IWbemLevel1Login Call=0x3
44 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Alter Cont Resp: Call=0x3 Assoc Grp=0x333D Xmit=0x16D0 Recv=0x16D0
45 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
46 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
47 1.937500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
48 1.937500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
49 1.953125 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{9556DC99-828C-11CF-A37E-00AA003240C7} WMI-IWbemServices Call=0x5
50 1.953125 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Alter Cont Resp: Call=0x5 Assoc Grp=0x333D Xmit=0x16D0 Recv=0x16D0
51 1.953125 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
52 1.953125 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
53 1.953125 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
54 1.953125 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
55 1.953125 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{1C1C45EE-4395-11D2-B60B-00104B703EFD} WMI-IWbemFetchSmartEnum Call=0x7
56 1.953125 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Alter Cont Resp: Call=0x7 Assoc Grp=0x333D Xmit=0x16D0 Recv=0x16D0
57 1.953125 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
58 1.953125 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
59 1.953125 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{423EC01E-2E35-11D2-B604-00104B703EFD} WMI-IWbemWCOSmartEnum Call=0x8
60 1.953125 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Alter Cont Resp: Call=0x8 Assoc Grp=0x333D Xmit=0x16D0 Recv=0x16D0
61 1.953125 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
62 2.015625 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
Here there is a lot more RPC/DCOM traffic. Looks strange, doesn't it? If you look closely you'll see some WMI items appearing, such as WMI-IWbemLoginClientID, WMI-IWbemLevel1Login, WMI-IWbemServices, WMI-IWbemFetchSmartEnum and so on. Searching MSDN tells us more about the details. For example, the Microsoft Developer Network library tells us that "the IWbemServices interface is used by clients and providers to access WMI services", so it seems that all these I-thingies are WMI interfaces (APIs) that the workstation running our script is invoking on the remote host (using DCOM). And in fact some of these interfaces appear to be undocumented, so we won't worry too much about understanding them.
From here on things get busier. First there is more TCP traffic and some RPC "Continued Response" packets, which seem to indicate that the connection established earlier is being used for something. I'm going to skip some frames from the next portion of the trace:
63 2.015625 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: [Continuation to #62]Flags=....A..., SrcPort=1117, DstPort=1072, Len=1460, Seq=554835972 - 554837432, Ack=3011421991, Win=65061 (scale factor 0) = 65061
64 2.015625 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1072, DstPort=1117, Len=0, Seq=3011421991, Ack=554837432, Win=65535 (scale factor 0) = 65535
65 2.015625 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: [Continuation to #62]Flags=....A..., SrcPort=1117, DstPort=1072, Len=1460, Seq=554837432 - 554838892, Ack=3011421991, Win=65061 (scale factor 0) = 65061
66 2.015625 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1072, DstPort=1117, Len=0, Seq=3011421991, Ack=554838892, Win=65535 (scale factor 0) = 65535
67 2.015625 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: [Continuation to #62]Flags=...PA..., SrcPort=1117, DstPort=1072, Len=1449, Seq=554838892 - 554840341, Ack=3011421991, Win=65061 (scale factor 0) = 65061
68 2.015625 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Continued Response: WMI-IWbemWCOSmartEnum Call=0x8 Context=0x5 Hint=0x198C Cancels=0x0
. . .
155 2.031250 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 MSRPC MSRPC: c/o Continued Response: WMI-IWbemServices Call=0x9 Context=0x3 Hint=0x904 Cancels=0x0
156 2.031250 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: [Continuation to #155]Flags=...PA..., SrcPort=1117, DstPort=1072, Len=929, Seq=554924260 - 554925189, Ack=3011422236, Win=64816 (scale factor 0) = 64816
157 2.031250 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1072, DstPort=1117, Len=0, Seq=3011422236, Ack=554925189, Win=65535 (scale factor 0) = 65535
158 2.031250 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
159 2.031250 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: [Continuation to #158]Flags=...PA..., SrcPort=1072, DstPort=1117, Len=1, Seq=3011423696 - 3011423697, Ack=554925189, Win=65535 (scale factor 0) = 65535
160 2.031250 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: Flags=....A..., SrcPort=1117, DstPort=1072, Len=0, Seq=554925189, Ack=3011423697, Win=65535 (scale factor 0) = 65535
Only two seconds have passed so far. Now there is a group of DCOM traffic followed by a FIN/ACK tearing down the TCP connection, so I guess the script has probably finished its work and is now cleaning up:
161 2.062500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
162 2.062500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
163 2.062500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
164 2.062500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
165 2.062500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
166 2.062500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
167 2.062500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
168 2.062500 {MSRPC:17, TCP:15, IPv4:8} 172.16.11.124 test125.test.local DCOM DCOM
169 2.062500 {MSRPC:17, TCP:15, IPv4:8} test125.test.local 172.16.11.124 DCOM DCOM
170 2.078125 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=F...A..., SrcPort=1072, DstPort=1117, Len=0, Seq=3011424421, Ack=554926046, Win=64678 (scale factor 0) = 64678
171 2.078125 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: Flags=....A..., SrcPort=1117, DstPort=1072, Len=0, Seq=554926046, Ack=3011424422, Win=64811 (scale factor 0) = 64811
172 2.078125 {TCP:15, IPv4:8} test125.test.local 172.16.11.124 TCP TCP: Flags=F...A..., SrcPort=1117, DstPort=1072, Len=0, Seq=554926046, Ack=3011424422, Win=64811 (scale factor 0) = 64811
173 2.078125 {TCP:15, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1072, DstPort=1117, Len=0, Seq=3011424422, Ack=554926047, Win=64678 (scale factor 0) = 64678
174 2.093750 {TCP:9, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1069, DstPort=DCE endpoint resolution(135), Len=0, Seq=1441245035, Ack=871910766, Win=65339 (scale factor 0) = 65339
175 2.093750 {TCP:11, IPv4:8} 172.16.11.124 test125.test.local TCP TCP: Flags=....A..., SrcPort=1070, DstPort=DCE endpoint resolution(135), Len=0, Seq=3003514721, Ack=4088701653, Win=65535 (scale factor 0) = 65535
176 2.546875 {TCP:18, IPv4:1} 172.16.11.124 dc181.test.local TCP TCP: Flags=.S......, SrcPort=1074, DstPort=DCE endpoint resolution(135), Len=0, Seq=4283854964, Ack=0, Win=65535 (scale factor 0) = 65535
177 2.546875 {TCP:18, IPv4:1} dc181.test.local 172.16.11.124 TCP TCP: Flags=.S..A..., SrcPort=DCE endpoint resolution(135), DstPort=1074, Len=0, Seq=2447011944, Ack=4283854965, Win=16384 (scale factor 0) = 16384
178 2.546875 {TCP:18, IPv4:1} 172.16.11.124 dc181.test.local TCP TCP: Flags=....A..., SrcPort=1074, DstPort=DCE endpoint resolution(135), Len=0, Seq=4283854965, Ack=2447011945, Win=65535 (scale factor 0) = 65535
Now some DNS and LDAP traffic appears between Test124 and the domain controller. I'm not sure why it is there, but since there is a lot of it I'll skip some of these frames:
179 2.546875 {MSRPC:19, TCP:18, IPv4:1} 172.16.11.124 dc181.test.local MSRPC MSRPC: c/o Bind: UUID{E1AF8308-5D1F-11C9-91A4-08002B14A0FA} Endpoint Mapper Call=0x1 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
180 2.546875 {MSRPC:19, TCP:18, IPv4:1} dc181.test.local 172.16.11.124 MSRPC MSRPC: c/o Bind Ack: Call=0x1 Assoc Grp=0x7DAD Xmit=0x16D0 Recv=0x16D0
181 2.546875 {MSRPC:19, TCP:18, IPv4:1} 172.16.11.124 dc181.test.local EPM EPM: Request: ept_map: NDR, Tracking Server Service v1.0, RPC v5, 0.0.0.0:135 (0x87) [DCE endpoint resolution(135)]
182 2.546875 {MSRPC:19, TCP:18, IPv4:1} dc181.test.local 172.16.11.124 EPM EPM: Response: ept_map: 0x16C9A0D6 - EP_S_NOT_REGISTERED
183 2.546875 {DNS:21, UDP:20, IPv4:1} 172.16.11.124 dc181.test.local DNS DNS: QueryId = 0x896A, QUERY (Standard query), Query for _ldap._tcp.Default-First-Site._sites.dc._msdcs.test.local of type SRV on class Internet
184 2.546875 {DNS:21, UDP:20, IPv4:1} dc181.test.local 172.16.11.124 DNS DNS: QueryId = 0x896A, QUERY (Standard query), Response - Success
185 2.546875 {LDAP:23, UDP:22, IPv4:1} 172.16.11.124 dc181.test.local LDAP LDAP: Search Request, MessageID:4, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
186 2.546875 {LDAP:23, UDP:22, IPv4:1} dc181.test.local 172.16.11.124 LDAP LDAP: Search Result Entry, MessageID:4, Status: Success
. . .
212 6.546875 {DNS:32, UDP:5, IPv4:1} 172.16.11.124 dc181.test.local DNS DNS: QueryId = 0x266D, QUERY (Standard query), Query for download.windowsupdate.com of type Host Addr on class Internet
213 6.546875 {ARP:4} 172.16.11.181 172.16.11.1 ARP ARP: Request, 172.16.11.181 asks for 172.16.11.1
214 7.546875 {DNS:32, UDP:5, IPv4:1} 172.16.11.124 dc181.test.local DNS DNS: QueryId = 0x266D, QUERY (Standard query), Query for download.windowsupdate.com of type Host Addr on class Internet
215 8.546875 {DNS:32, UDP:5, IPv4:1} 172.16.11.124 dc181.test.local DNS DNS: QueryId = 0x266D, QUERY (Standard query), Query for download.windowsupdate.com of type Host Addr on class Internet
216 9.281250 {ARP:4} 172.16.11.181 172.16.11.1 ARP ARP: Request, 172.16.11.181 asks for 172.16.11.1
At this point the script had finished, so I stopped the trace.
Analyzing the ChangeIPAddress.vbs capture
We now know roughly what a capture of a successful remote script looks like:
- Some DNS and ARP traffic
- A TCP session established with a three-way handshake
- RPC binding and DCOM
- More TCP handshakes
- Kerberos traffic (the hosts are in the same domain)
- More RPC/DCOM traffic
- More TCP handshakes, Kerberos, RPC/DCOM and TCP traffic
- More DCOM, followed by TCP session teardown
All of this happens in just two seconds.
Now let's look at our capture of ChangeIPAddress.vbs (the script that produces an RPC error when run remotely) and see how it differs from the previous one.
1 0.000000 NetmonFilter NetmonFilter: Updated Capture Filter: None
2 0.000000 NetworkInfo NetworkInfo: Network info for TEST124, Network Adapter Count = 1
This is just Netmon information.
3 0.000000 {DNS:3, UDP:2, IPv4:1} test124.test.local dc181.test.local DNS DNS: QueryId = 0x7869, QUERY (Standard query), Query for test125.test.local of type Host Addr on class Internet
4 0.000000 {DNS:3, UDP:2, IPv4:1} dc181.test.local test124.test.local DNS DNS: QueryId = 0x7869, QUERY (Standard query), Response - Success
5 0.015625 {ARP:4} 172.16.11.124 172.16.11.125 ARP ARP: Request, 172.16.11.124 asks for 172.16.11.125
6 0.015625 {ARP:4} 172.16.11.125 172.16.11.124 ARP ARP: Response, 172.16.11.125 at 00-11-D8-E3-EC-84
7 0.015625 {TCP:6, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=.S......, SrcPort=1063, DstPort=DCE endpoint resolution(135), Len=0, Seq=539163285, Ack=0, Win=65535 (scale factor 0) = 65535
8 0.015625 {TCP:6, IPv4:5} test125.test.local test124.test.local TCP TCP: Flags=.S..A..., SrcPort=DCE endpoint resolution(135), DstPort=1063, Len=0, Seq=981335265, Ack=539163286, Win=65535 (scale factor 0) = 65535
9 0.015625 {TCP:6, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1063, DstPort=DCE endpoint resolution(135), Len=0, Seq=539163286, Ack=981335266, Win=65535 (scale factor 0) = 65535
An ARP, a DNS lookup, then a TCP handshake, the same as before.
10 0.015625 {MSRPC:7, TCP:6, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Bind: UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} DCOM-IObjectExporter Call=0x1 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
11 0.015625 {MSRPC:7, TCP:6, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Bind Ack: Call=0x1 Assoc Grp=0x32EA Xmit=0x16D0 Recv=0x16D0
12 0.031250 {MSRPC:7, TCP:6, IPv4:5} test124.test.local test125.test.local DCOM DCOM
13 0.031250 {MSRPC:7, TCP:6, IPv4:5} test125.test.local test124.test.local DCOM DCOM
14 0.078125 {TCP:8, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=.S......, SrcPort=1064, DstPort=DCE endpoint resolution(135), Len=0, Seq=1367843928, Ack=0, Win=65535 (scale factor 0) = 65535
15 0.078125 {TCP:8, IPv4:5} test125.test.local test124.test.local TCP TCP: Flags=.S..A..., SrcPort=DCE endpoint resolution(135), DstPort=1064, Len=0, Seq=3625279350, Ack=1367843929, Win=65535 (scale factor 0) = 65535
16 0.078125 {TCP:8, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1064, DstPort=DCE endpoint resolution(135), Len=0, Seq=1367843929, Ack=3625279351, Win=65535 (scale factor 0) = 65535
17 0.078125 {UDP:9, IPv4:1} test124.test.local dc181.test.local KerberosV5 KerberosV5: TGS Request Realm: TEST.LOCAL Sname: RPCSS/test125.test.local
18 0.078125 {UDP:9, IPv4:1} dc181.test.local test124.test.local KerberosV5 KerberosV5: TGS Response Cname: Administrator
RPC, DCOM, another TCP handshake, then some Kerberos traffic. It looks the same as before.
19 0.078125 {MSRPC:10, TCP:8, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Bind: UUID{000001A0-0000-0000-C000-000000000046} DCOM-IRemoteSCMActivator Call=0x2 Assoc Grp=0x32EA Xmit=0x16D0 Recv=0x16D0
20 0.093750 {ARP:11} 172.16.11.125 172.16.11.181 ARP ARP: Request, 172.16.11.125 asks for 172.16.11.181
21 0.093750 {MSRPC:10, TCP:8, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Bind Ack: Call=0x2 Assoc Grp=0x32EA Xmit=0x16D0 Recv=0x16D0
22 0.093750 {MSRPC:10, TCP:8, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{000001A0-0000-0000-C000-000000000046} DCOM-IRemoteSCMActivator Call=0x2
23 0.093750 {MSRPC:10, TCP:8, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Alter Cont Resp: Call=0x2 Assoc Grp=0x32EA Xmit=0x16D0 Recv=0x16D0
24 0.093750 {MSRPC:10, TCP:8, IPv4:5} test124.test.local test125.test.local DCOM DCOM
25 0.093750 {MSRPC:10, TCP:8, IPv4:5} test125.test.local test124.test.local DCOM DCOM
26 0.093750 {TCP:12, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=.S......, SrcPort=1066, DstPort=1117, Len=0, Seq=1180773456, Ack=0, Win=65535 (scale factor 0) = 65535
27 0.093750 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: Flags=.S..A..., SrcPort=1117, DstPort=1066, Len=0, Seq=539972629, Ack=1180773457, Win=65535 (scale factor 0) = 65535
28 0.093750 {TCP:12, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1066, DstPort=1117, Len=0, Seq=1180773457, Ack=539972630, Win=65535 (scale factor 0) = 65535
29 0.093750 {UDP:13, IPv4:1} test124.test.local dc181.test.local KerberosV5 KerberosV5: TGS Request Realm: TEST.LOCAL Sname: TEST125$
30 0.109375 {UDP:13, IPv4:1} dc181.test.local test124.test.local KerberosV5 KerberosV5: TGS Response Cname: Administrator
We see the same pattern.
31 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Bind: UUID{00000143-0000-0000-C000-000000000046} DCOM-IRemUnknown2 Call=0x1 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
32 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Bind Ack: Call=0x1 Assoc Grp=0x333E Xmit=0x16D0 Recv=0x16D0
33 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{00000143-0000-0000-C000-000000000046} DCOM-IRemUnknown2 Call=0x1
34 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Alter Cont Resp: Call=0x1 Assoc Grp=0x333E Xmit=0x16D0 Recv=0x16D0
35 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
36 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
37 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{D4781CD6-E5D3-44DF-AD94-930EFE48A887} WMI-IWbemLoginClientID Call=0x2
38 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Alter Cont Resp: Call=0x2 Assoc Grp=0x333E Xmit=0x16D0 Recv=0x16D0
39 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
40 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
41 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{F309AD18-D86A-11D0-A075-00C04FB68820} WMI-IWbemLevel1Login Call=0x3
42 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Alter Cont Resp: Call=0x3 Assoc Grp=0x333E Xmit=0x16D0 Recv=0x16D0
43 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
44 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
45 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM COM
46 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
47 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{9556DC99-828C-11CF-A37E-00AA003240C7} WMI-IWbemServices Call=0x5
48 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Alter Cont Resp: Call=0x5 Assoc Grp=0x333E Xmit=0x16D0 Recv=0x16D0
49 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
50 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
51 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
52 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
53 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{1C1C45EE-4395-11D2-B60B-00104B703EFD} WMI-IWbemFetchSmartEnum Call=0x7
54 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Alter Cont Resp: Call=0x7 Assoc Grp=0x333E Xmit=0x16D0 Recv=0x16D0
55 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
56 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
57 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Alter Cont: UUID{423EC01E-2E35-11D2-B604-00104B703EFD} WMI-IWbemWCOSmartEnum Call=0x8
58 0.109375 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Alter Cont Resp: Call=0x8 Assoc Grp=0x333E Xmit=0x16D0 Recv=0x16D0
59 0.109375 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
Then a whole string of RPC/DCOM traffic, the same as in the other trace.
60 0.187500 {TCP:6, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1063, DstPort=DCE endpoint resolution(135), Len=0, Seq=539163382, Ack=981335462, Win=65339 (scale factor 0) = 65339
61 0.187500 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local DCOM DCOM
62 0.187500 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: [Continuation to #61]Flags=....A..., SrcPort=1117, DstPort=1066, Len=1460, Seq=539975906 - 539977366, Ack=1180776977, Win=65061 (scale factor 0) = 65061
63 0.187500 {TCP:12, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1066, DstPort=1117, Len=0, Seq=1180776977, Ack=539977366, Win=65535 (scale factor 0) = 65535
64 0.187500 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: [Continuation to #61]Flags=....A..., SrcPort=1117, DstPort=1066, Len=1460, Seq=539977366 - 539978826, Ack=1180776977, Win=65061 (scale factor 0) = 65061
65 0.187500 {TCP:12, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1066, DstPort=1117, Len=0, Seq=1180776977, Ack=539978826, Win=65535 (scale factor 0) = 65535
66 0.187500 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: [Continuation to #61]Flags=...PA..., SrcPort=1117, DstPort=1066, Len=1449, Seq=539978826 - 539980275, Ack=1180776977, Win=65061 (scale factor 0) = 65061
67 0.187500 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Continued Response: WMI-IWbemWCOSmartEnum Call=0x8 Context=0x5 Hint=0x198C Cancels=0x0
. . .
148 0.187500 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Continued Response: WMI-IWbemServices Call=0x9 Context=0x3 Hint=0x1F84 Cancels=0x0
149 0.187500 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: [Continuation to #148]Flags=....A..., SrcPort=1117, DstPort=1066, Len=1460, Seq=540058365 - 540059825, Ack=1180777222, Win=64816 (scale factor 0) = 64816
150 0.187500 {TCP:12, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1066, DstPort=1117, Len=0, Seq=1180777222, Ack=540059825, Win=65535 (scale factor 0) = 65535
151 0.187500 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: [Continuation to #148]Flags=....A..., SrcPort=1117, DstPort=1066, Len=1460, Seq=540059825 - 540061285, Ack=1180777222, Win=64816 (scale factor 0) = 64816
152 0.187500 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: [Continuation to #148]Flags=...PA..., SrcPort=1117, DstPort=1066, Len=1449, Seq=540061285 - 540062734, Ack=1180777222, Win=64816 (scale factor 0) = 64816
153 0.187500 {TCP:12, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1066, DstPort=1117, Len=0, Seq=1180777222, Ack=540062734, Win=65535 (scale factor 0) = 65535
154 0.187500 {MSRPC:14, TCP:12, IPv4:5} test125.test.local test124.test.local MSRPC MSRPC: c/o Continued Response: WMI-IWbemServices Call=0x9 Context=0x3 Hint=0x904 Cancels=0x0
155 0.187500 {TCP:12, IPv4:5} test125.test.local test124.test.local TCP TCP: [Continuation to #154]Flags=...PA..., SrcPort=1117, DstPort=1066, Len=929, Seq=540064194 - 540065123, Ack=1180777222, Win=64816 (scale factor 0) = 64816
156 0.187500 {TCP:12, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1066, DstPort=1117, Len=0, Seq=1180777222, Ack=540065123, Win=65535 (scale factor 0) = 65535
157 0.187500 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
Here is RPC and TCP. You can see the WMI interfaces being called.
158 0.218750 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
What's this? The script has successfully changed the target host's (Test125's) IP address from 172.16.11.125 to 172.16.11.144, so why is the target using ARP to try to resolve its own IP address to a MAC address? This is a gratuitous ARP, which occurs when a node sends an ARP request for its own IP address. It does this to confirm that its new IP address, 172.16.11.144, is not already in use by another node on the network. If no ARP response arrives after it has sent several ARP requests, it concludes that its new address is unique on the network and keeps it. But if another node receives the ARP request and sends an ARP response, the first node concludes that there is an IP address conflict on the network and invalidates its IP address (sets it to 0.0.0.0).
Tip: If you want to learn more about ARP, read Chapter 3, "Address Resolution Protocol (ARP)", of Microsoft® Windows® 2000 TCP/IP Protocols and Services Technical Reference by Thomas Lee and Joseph Davies.
Here things seem to go wrong: you can see the intervals between packets growing noticeably. And what follows looks like the source node (Test124) repeatedly trying to send TCP acknowledgement packets to the target, which never get through.
159 0.296875 {TCP:8, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1064, DstPort=DCE endpoint resolution(135), Len=0, Seq=1367846254, Ack=3625280836, Win=65535 (scale factor 0) = 65535
160 0.437500 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
161 0.515625 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
162 1.062500 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
163 1.437500 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
164 2.265625 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
165 2.453125 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
166 3.437500 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
167 4.437500 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
168 4.671875 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
Let's take a closer look at frame 159 using NM3 (Figure 8).
Figure 8: TCP connection problem
From the figure we notice that the source host (Test124) still believes the target host has IP address 172.16.11.125, so it keeps trying to send ACKs to Test125 to maintain the previously established connection.
Now let's look at frame 161 (Figure 9):
Figure 9: RPC/DCOM problem
We notice that the RPC binding established earlier by the source host (Test124) with the target host Test125 is trying to use DCOM to invoke the EnableStatic method of the Win32_NetworkAdapterConfiguration class. (Look at the Hex Details pane on the right; you can see the hex payload of the RPC packet displayed as UNICODE text.) But in trying to use DCOM, the source host believes the target host's IP address is still 172.16.11.125 (see the Frame Details pane in the figure).
So it looks like the reader was right!
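As an added example that is not part of the original article, here is a small Python checker that applies the reasoning above to an NM3 Frame Summary text file: it reduces the capture to the protocol sequence we listed for the successful script, finds the gratuitous ARP probe from the new address, and then flags the frames the administrator workstation keeps sending to the target's old identity after that probe, along with their growing retransmission gaps. The sample rows are excerpted from the ChangeIPAddress.vbs capture shown above; the function and field names are my own, not NM3's.

```python
"""Added example: detect the 'IP changed under an open DCOM session' signature in an
NM3 Frame Summary. Function names and the checker logic are this example's own."""
import re
from dataclasses import dataclass

# Sample input, excerpted from the ChangeIPAddress.vbs capture discussed in the article.
SAMPLE = """\
3 0.000000 {DNS:3, UDP:2, IPv4:1} test124.test.local dc181.test.local DNS DNS: QueryId = 0x7869, QUERY (Standard query), Query for test125.test.local of type Host Addr on class Internet
5 0.015625 {ARP:4} 172.16.11.124 172.16.11.125 ARP ARP: Request, 172.16.11.124 asks for 172.16.11.125
6 0.015625 {ARP:4} 172.16.11.125 172.16.11.124 ARP ARP: Response, 172.16.11.125 at 00-11-D8-E3-EC-84
7 0.015625 {TCP:6, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=.S......, SrcPort=1063, DstPort=DCE endpoint resolution(135), Len=0, Seq=539163285, Ack=0, Win=65535 (scale factor 0) = 65535
9 0.015625 {TCP:6, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1063, DstPort=DCE endpoint resolution(135), Len=0, Seq=539163286, Ack=981335266, Win=65535 (scale factor 0) = 65535
10 0.015625 {MSRPC:7, TCP:6, IPv4:5} test124.test.local test125.test.local MSRPC MSRPC: c/o Bind: UUID{99FCFEC4-5260-101B-BBCB-00AA0021347A} DCOM-IObjectExporter Call=0x1 Assoc Grp=0x0 Xmit=0x16D0 Recv=0x16D0
12 0.031250 {MSRPC:7, TCP:6, IPv4:5} test124.test.local test125.test.local DCOM DCOM
17 0.078125 {UDP:9, IPv4:1} test124.test.local dc181.test.local KerberosV5 KerberosV5: TGS Request Realm: TEST.LOCAL Sname: RPCSS/test125.test.local
157 0.187500 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
158 0.218750 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
159 0.296875 {TCP:8, IPv4:5} test124.test.local test125.test.local TCP TCP: Flags=....A..., SrcPort=1064, DstPort=DCE endpoint resolution(135), Len=0, Seq=1367846254, Ack=3625280836, Win=65535 (scale factor 0) = 65535
160 0.437500 {ARP:15} 172.16.11.144 172.16.11.144 ARP ARP: Request, 172.16.11.144 asks for 172.16.11.144
161 0.515625 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
162 1.062500 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
164 2.265625 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
168 4.671875 {MSRPC:14, TCP:12, IPv4:5} test124.test.local test125.test.local DCOM DCOM
"""

# One Frame Summary row: number, time, {conversation}, source, destination, protocol, description.
FRAME_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+\{([^}]*)\}\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ARP_REQ_RE = re.compile(r"ARP: Request, (\S+) asks for (\S+)")


@dataclass
class Frame:
    number: int
    time: float
    conversation: str
    src: str
    dst: str
    proto: str
    desc: str


def parse_summary(text):
    """Parse Frame Summary rows; NM3 header rows (no {conversation}) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            num, t, conv, src, dst, proto, desc = m.groups()
            frames.append(Frame(int(num), float(t), conv, src, dst, proto, desc))
    return frames


def protocol_phases(frames):
    """Collapse runs of one protocol into the phase list the article reads off by hand."""
    phases = []
    for f in frames:
        if not phases or phases[-1] != f.proto:
            phases.append(f.proto)
    return phases


def gratuitous_arps(frames):
    """ARP requests in which a node asks for its own address: a duplicate-address probe."""
    hits = []
    for f in frames:
        m = ARP_REQ_RE.search(f.desc)
        if f.proto == "ARP" and m and m.group(1) == m.group(2):
            hits.append((f.number, m.group(1)))
    return hits


def stale_frames(frames, admin, old_target, after_frame):
    """Frames the admin host still sends to the target's old name or address after the probe."""
    return [f for f in frames
            if f.number > after_frame and f.src == admin and f.dst in old_target]


def diagnose(text, admin, old_target):
    """Summarise the capture and explain the RPC failure if the signature is present."""
    frames = parse_summary(text)
    probes = gratuitous_arps(frames)
    result = {"phases": protocol_phases(frames), "gratuitous_arp": probes,
              "stale": [], "gaps": [], "verdict": "no address change observed"}
    if not probes:
        return result
    first_probe, new_ip = probes[0]
    stale = stale_frames(frames, admin, old_target, first_probe)
    times = [f.time for f in stale]
    gaps = [round(b - a, 6) for a, b in zip(times, times[1:])]  # seconds between retries
    result["stale"] = [f.number for f in stale]
    result["gaps"] = gaps
    if len(gaps) >= 2 and all(b > a for a, b in zip(gaps, gaps[1:])):
        result["verdict"] = (
            f"{new_ip} probed for itself in frame {first_probe}; {admin} kept sending to the "
            "old address with growing retransmission gaps, so the pending call will time out")
    elif stale:
        result["verdict"] = f"traffic to the old address continues after frame {first_probe}"
    return result


if __name__ == "__main__":
    report = diagnose(SAMPLE, "test124.test.local", {"test125.test.local", "172.16.11.125"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point it at the full Frame Summary text file instead of SAMPLE and it reports the same verdict; on the ChangeGateway.vbs capture no gratuitous ARP is found, so the verdict stays "no address change observed".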
It would be interesting to try analyzing the rest of the ChangeIPAddress.vbs capture, but it seems we can already determine why our remote script doesn't run properly. As we mentioned in the previous article, if we use the On Error Resume Next workaround, it works fine.
Author
Mitch Tulloch is a writer, trainer and consultant specializing in Windows server operating systems, IIS administration, network troubleshooting and security. He has written 15 books, including Microsoft Encyclopedia of Networking (Microsoft Press), Microsoft Encyclopedia of Security (Microsoft Press), Windows Server Hacks (O'Reilly), Windows Server 2003 in a Nutshell (O'Reilly), Windows 2000 Administration in a Nutshell (O'Reilly), and IIS 6 Administration (Osborne/McGraw-Hill). Mitch lives in Winnipeg, Canada, and you can find more information about his books on his website, www.mtit.com.
Translator
Contributing technical editor for TechTarget China, a computer science instructor and network laboratory lead at a university, formerly employed by an international networking vendor, with interests in data centers, DevOps, databases and software development. Has translated several books on Cisco data center and virtualization technology, including "Cisco Green Data Center Design and Management" and "Energy Management over IP".