Is there any way to get the IP address of the CRL server during the TLS handshake in an air-gapped environment?
Example:
- Do a simple curl request over HTTPS against app.contoso.com, which is listening on 20.20.10.1 and is whitelisted:
curl -v https://app.contoso.com
But to allow the communication by default we also need to whitelist the CRL (for example GoDaddy).
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 20.20.10.1...
* TCP_NODELAY set
* Connected to app.contoso.com (20.20.10.1) port 443 (#0)
* schannel: SSL/TLS connection with app.contoso.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 180 bytes...
* schannel: sent initial handshake data: sent 180 bytes
* schannel: SSL/TLS connection with app.contoso.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with app.contoso.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4026
* schannel: encrypted data buffer: offset 4026 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with app.contoso.com port 443 (step 2/3)
* schannel: encrypted data got 934
* schannel: encrypted data buffer: offset 4960 length 5050
* schannel: sending next handshake data: sending 126 bytes...
0 0 0 0 0 0 0 0 --:--:-- 0:01:45 --:--:-- 0* schannel: SSL/TLS connection with app.contoso.com port 443 (step 2/3)
* schannel: failed to receive handshake, SSL/TLS connection failed
0 0 0 0 0 0 0 0 --:--:-- 0:01:45 --:--:-- 0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with app.contoso.com port 443
* schannel: clear security context handle
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
Process exited with code 35
From the request I can see 20.20.10.1, but I can't see the IP address of the CRL server to which a connection is being opened here:
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 180 bytes...
Any tips on how to get the IP address of the CRL server during the request? Is it possible via curl or a different tool? I would like to avoid any low-level tools like Wireshark if possible. Thanks.
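The CRL and OCSP endpoints the client contacts are not chosen at handshake time; they are written into the server's certificate chain as the CRL Distribution Points and Authority Information Access extensions, so they can be read off the certificates without packet capture. The following script is an added example and is not part of the original question: it prints every revocation URL found in a PEM certificate, extracts the hostname, and resolves it. It assumes openssl 1.1.1 or newer and getent on PATH. The certificate it generates is a constructed self-signed one carrying made-up crl.example.invalid and ocsp.example.invalid URLs; for the real case, pass it each certificate of app.contoso.com's chain (the leaf and every intermediate can carry its own CRL URL), obtained for instance with openssl s_client -showcerts from a host that can reach the server.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes: openssl >= 1.1.1 (-addext / -ext) and getent are available.
set -e

# Print every http(s) URI found in the CRL Distribution Points and
# Authority Information Access (OCSP / CA issuers) extensions, one per line.
cert_revocation_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints,authorityInfoAccess 2>/dev/null \
        | sed -n 's/.*URI:\(http[s]*:\/\/[^ ]*\).*/\1/p' \
        | sort -u
}

# Reduce a URL to its hostname: drop the scheme, then the port and path.
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Resolve a hostname to its current addresses; prints nothing if it cannot be resolved.
resolve_host() {
    getent hosts "$1" 2>/dev/null | awk '{print $1}' | sort -u || true
}

# One line per revocation endpoint: URL, hostname, resolved addresses.
report_revocation_endpoints() {
    cert_revocation_urls "$1" | while IFS= read -r url; do
        host=$(url_host "$url")
        ips=$(resolve_host "$host" | tr '\n' ' ')
        printf '%s\thost=%s\tip=%s\n' "$url" "$host" "${ips:-unresolved}"
    done
}

# Constructed demo certificate with made-up CRL and OCSP URLs (hypothetical hosts).
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=app.contoso.com" \
        -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid" \
        >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}

# Stand-alone use: ./crl_endpoints.sh chain-cert.pem (defaults to the demo certificate).
cert_file="${1:-$(make_demo_cert)}"
report_revocation_endpoints "$cert_file"
```

Whitelist the hostnames rather than the addresses the script prints: CRL and OCSP responders of public CAs usually sit behind CDNs, so their IPs change, and a one-time lookup from an air-gapped host will not match what the client sees later. Note also that the firewall rule has to cover every certificate in the chain, since the revocation check that stalls the handshake above may be for the intermediate, not the leaf.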