
Overview


When discovering an application using patterns via either Discovery or Service Mapping, the following error is returned and discovery fails:

Failed to download binary using httpgetbin_adodb.vbs

Root Cause


The MID server has a ServiceNow WMI Collector service that listens on port 8585 by default. You can change this port by updating wmi_collector.ini.

Patterns can run commands on a target server to collect data. Depending on the method used to collect the data, a new connection is created from the target back to the MID Server to return the information. Some firewalls might be configured to allow traffic back to the MID Server only on established connections. Because this is a new connection, those firewall rules will not allow it.

MID Server To Target Connection

The following example shows sample output in the .\agent\bin\sw_wmi\log\logfile.txt file.

DEBUG NeebulaWMI.NeebulaWMIProcess - Connection ID: #### Context: 14315 Host:  Action Type: executeQuery Process ended: -r:http://target_server_ip:5985 -u:username -p:******* -d:c:\temp cscript httpgetbin_adodb.vbs httputil.exe http://mid_server_ip:8585/download/64/httputil.exe
DEBUG NeebulaWMI.NeebulaWMIProcess - Connection ID: #### Context: 14315 Host: target_server_ip Action Type: executeQuery WinRS result: Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

c:\temp\httpgetbin_adodb.vbs(10, 1) msxml3.dll: The operation timed out

This command is asking the target server to download httputil.exe from the MID server to the target. Other tools are downloaded next. This step will fail if the connection back to the MID Server is not successfully created. These tools are downloaded to the target's C:\Temp directory.

Note – Simply moving the files to the target's C:\Temp directory will not resolve the issue because these tools will also run commands later and return the output back to the WMI Collector service on the default port.

In some scenarios, the MID Server might have multiple network cards and some of the network cards might not be reachable from the target's network. Therefore, the MID Server might ask the target to download the files from an interface it cannot reach. When the MID Server builds the command it will use one of the IPs returned by Dns.GetHostName.

Therefore, this error can happen due to the following issues:

  1. New connections cannot be created from the target back to the MID server on port 8585
  2. The command is using an IP address for the MID server that is not reachable by the target
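
To tell the two causes apart, the following added example (not ServiceNow code) scans logfile.txt for httpgetbin_adodb.vbs downloads and reports which MID Server address and port each target was told to call back to, and whether the call timed out. The sample log is constructed from the excerpt above with placeholder IPs, and pairing command and result lines by their Context value is an assumption based on that excerpt.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the logfile.txt excerpt; IPs are placeholders.
SAMPLE_LOG = r"""DEBUG NeebulaWMI.NeebulaWMIProcess - Connection ID: 17 Context: 14315 Host:  Action Type: executeQuery Process ended: -r:http://192.0.2.20:5985 -u:username -p:******* -d:c:\temp cscript httpgetbin_adodb.vbs httputil.exe http://198.51.100.10:8585/download/64/httputil.exe
DEBUG NeebulaWMI.NeebulaWMIProcess - Connection ID: 17 Context: 14315 Host: 192.0.2.20 Action Type: executeQuery WinRS result: Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

c:\temp\httpgetbin_adodb.vbs(10, 1) msxml3.dll: The operation timed out
DEBUG NeebulaWMI.NeebulaWMIProcess - Connection ID: 18 Context: 14316 Host:  Action Type: executeQuery Process ended: -r:http://192.0.2.21:5985 -u:username -p:******* -d:c:\temp cscript httpgetbin_adodb.vbs httputil.exe http://198.51.100.10:8585/download/64/httputil.exe
DEBUG NeebulaWMI.NeebulaWMIProcess - Connection ID: 18 Context: 14316 Host: 192.0.2.21 Action Type: executeQuery WinRS result: Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
"""

# A record starts on a line carrying "Context: <n> Host:"; other lines continue it.
HEADER = re.compile(r"Context: (\d+) Host:")
# WinRS target (-r:) and the URL the target is told to fetch from the MID Server.
COMMAND = re.compile(r"-r:http://([^:/\s]+):\d+ .*httpgetbin_adodb\.vbs \S+ (http://\S+)")


def find_callback_downloads(log_text):
    """Return one dict per httpgetbin_adodb.vbs download, flagged if it timed out."""
    records = []  # [context, text] with multi-line WinRS output folded in
    for line in log_text.splitlines():
        match = HEADER.search(line)
        if match:
            records.append([match.group(1), line])
        elif records:
            records[-1][1] += "\n" + line

    downloads = {}  # keyed by Context (assumed to pair a command with its result)
    for context, text in records:
        cmd = COMMAND.search(text)
        if cmd:
            url = urlsplit(cmd.group(2))
            downloads[context] = {"target": cmd.group(1), "mid_ip": url.hostname,
                                  "mid_port": url.port, "timed_out": False}
        elif "WinRS result:" in text and context in downloads:
            downloads[context]["timed_out"] = "The operation timed out" in text
    return list(downloads.values())


if __name__ == "__main__":
    for d in find_callback_downloads(SAMPLE_LOG):
        state = "TIMED OUT" if d["timed_out"] else "ok"
        print(f'{d["target"]} -> {d["mid_ip"]}:{d["mid_port"]} {state}')
```

If every target times out against the same mid_ip, check whether that address belongs to an interface the targets can route to before looking at firewall rules for the port.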

Solution


  1. Create a firewall rule allowing new connections from the target server back to the MID Server on port 8585.

  2. Update .\agent\bin\sw_wmi\conf\wmi_collector.ini with an IP address that the target server can reach by adding the parameter "localAddress". Restart the MID Server.

    localAddress=<MidServerReachableIP>

Note – You can also change the default port on which WMI Collector listens by updating wmi_collector.ini.

Article Information

Last Updated: 2018-05-22 05:20:39
Published: 2018-05-22