sábado, 27 de junho de 2009

○ SMI2SMIR Information / Purpose

I will assume that if you got here you already understand "computer systems terminology" so i won't get into detailed explanations, but will just write here what i know about this. To make things brief, SMI2SMIR is a WMI partial dependency. There is a script from microsoft, the WMDiag.vbs, that allows you to check if WMI is properly installed on a given computer. If you run WMDiag.vbs on a computer with SMI2SMIR missing you will be given the following lines on the resulting log:

WARNING: WMI System file 'C:\WINDOWS\SYSTEM32\WBEM\SMI2SMIR.EXE' is MISSING or is access DENIED but it is an OPTIONAL component.

So, altought it's part of WMI, as it is not a must, you could still query a remote machine for info.

For more information:
http://technet.microsoft.com/en-us/library/cc180795.aspx



Thank you for reading

Taken from http://netprobe.blogspot.com/2009/06/smi2smir-information-purpose.html


#139 NetBios Network Scan


One of my favorite apps to scan networks for shared resources is this Netbrute application. Free, quick and dirty. There are others but i use this for so long and it's so practical ( with just half a KB) that i have never forget about it. The portscan tab does not allow you to add ports to the port list for full port scans, and the Webbrute tab is usefull to check http server responses but besides that i don't use it for anything else. It's still a very nice application tough.

๑ Simple ideas to help identify devices on a network

I will begin this post by recommending the Solarwinds free tool IP Address Tracker that helps you to scan, track, and consolidate your IP address network information in one easy place.

On a medium sized network, some devices may not present you much information, and when in doubt about a particular ip address you can see if port #139 (netbios-ssn) is opened using a very neat app called NetBrute.

If it is, probably it is a computer and is sharing it's local resources, folders and printers over the network. For further inspection, you can try this address on your windows explorer address bar:

\\ipadress\c$

If you have domain administrator rights and that ip address is on your domain you can check what users are using that computer via C:\documents and settings\ folder.

If that doesn't work probably port 139 is closed, and it may be a printer device. Usually tough, printers configuration page is set trough http service so port #80 should be opened and http:\\idadress should lead you to that configuration page where you can see the printers name.

.Usually large printers however have another way to communicate their info trough the SNMP protocol. There are SNMP explorer apps out there that basically scan your network using a community string to fetch information about the various SNMP devices present on your network. Solarwinds for instance provides such tools.

.SNMP is not present in printers only, Cisco Switches, routers, hubs and bridges also use SNMP protocol to show and manage network information. SNMP is A MUST to obtain immediate states from your devices, for instance, if you want to see if the printer is printing anything in that right instance SNMP is the protocol to communicate to. I'm planning on writing a simple article about SNMP soon, demystifying it, as in general info. about SNMP is somehow mystified, i think.

Another protocol of interest, or maybe i should say service in this case, is the windows management instrumentation (WMI) that computer systems with windows operating systems from Windows NT 4.0 SP4 forward have, is a great tool to send information about computers using WMI Classes.

Thanks for reading

๑ What is the purpose of the port # 5002 ?

Ports are like bridges between the physical network and applications/services on the computer. It's a way for the computer to know what type of data is destined to what service. TCP/IP packets contain information for what port that information is sent. There are several of well known ports out there. The Well Known Ports are those from 0 through 1023. For a list of well known and not well known ports and it's associations check here

As you can see this 5002 port is not even in that wikipedia page so it is definitely a not well known port.

Information about this port and it's purpose is almost unvailable, so i tought i would write something about it as best as i can. The port 5002 is associated with the RFE service, so this is where this discussion will lean.

What's the purpose of the RFE service or what's the RFE for?

RFE stands for Radio Free Ethernet and it was projected on early 90's. It's based on a UDP port meaning that the it isn't connection oriented ( errors have to be managed on the application side ) Here's a quick def:

"Radio Free Ethernet (RFE) is a network audio broadcasting system. It consists of programs and tools that allow packets of audio data to be transmitted around a network. The system is best understood by using the analogy of traditional radio broadcasting"


NETWORK IMPLEMENTATION

Radio Free Ethernet can be configured to broadcast data either in UDP Broadcast packets or using IP Multicasting. These techniques differ in subtle but important ways.

UDP Broadcast packets are broadcast only within the local subnetwork. Network gateway routers do not forward these packets to other networks. When a UDP Broadcast packet is issued, every machine on the subnet receives the packet and discards it, unless a program is specifically registered to listen for that particular packet type. Though the overhead of processing such packets is small, it is normally considered unfriendly to issue many UDP Broadcast packets on a network (RFE normally broadcasts approximately eight packets per second, each containing around 1000 bytes). UDP Broadcast is available for the time being only because older versions of the operating system do not support IP Multicast.

IP Multicasting is an improvement over broadcast techniques. By sending network packets to a particular well-known multicast address, only machines that have registered interest in that address will receive the data (packet filtering is usually performed in the network interface hardware). Some experimental IP routers exist that will forward multicast packets to other networks. Such forwarding is only performed when there is a listener on the destination network, and when the packet itself is identified as forwardable.

In order for Radio Free Ethernet to function properly, the following entry should be present in the NIS hosts map:


RadioFreeEthernet 224.0.3.255 # IP Multicast address


For more information check this hard to find link:

http://docs.sun.com/app/docs/doc/805-3178/6j31hi8kq?a=view