Authenticated scan openvas smbclient

authentication
authenticated_scans

#1

Hello,
When I try running an OpenVas scan, the SMB authenticated NVTS are not performed and the Scan Report shows:


Log
NVT: 1.3.6.1.4.1.25623.1.0.90011
Vulnerability Detection Result
The tool “smbclient” is not available for OpenVAS.
Therefore none of the tests using smbclient are executed.


How can I get smbclient available for OpenVAS in order to run SMB-authenticated scans?

Thanks a lot


3rd Party Software Version Check
#2

smbclient is an optional component just providing some minor additional information about the remote SMB server. It doesn’t add any additional value to vulnerability scanning (the provided info isn’t used by other VTs) and is also not required for authenticated scans.

If your authenticated scans are failing its more likely that the target doesn’t provide all requirements for such authenticated scans. To debug your issue and to verify the requirements of the remote target have a look at the following thread and the linked documentation within it.


#3

Thanks CFI. I see your point when you say that atuhenticated scan does not add VTs and so on, but I’d like to have that part available for some tests.
Now, I verified and it seems the target requirements for authenticated scans are met. The target is a Windows 10. Sorry, I don’t understand: how can the SMB authenticated scan work without an smbclient? I don’t see any log of failed authentication. The only relevant log says that none of the tests using SMB client have been performed. And I don’t see any Log in the report showing patch level of the target system or things like that. So it seems to me that no authenticated scan has been performed.
Any thought on that?
Thanks


#4

On the GCE the smbclient is probably not available at all. If you want to make that part available it might be required that you need to go for a source installation of GVM instead.

There is no single test using the information so not sure if it makes much sense to try to get it to work.

The authentication and scanning is done via various NASL scripts (using smb_nt.inc and similar .inc files shipped within the feed) with the support of https://github.com/greenbone/openvas-smb (pre-installed on the GCE)

All currently known thoughts on the authenticated scans and how to debug not working ones are collected at the linked thread. Have you tried to look at the mentioned information there (e.g. the mentioned VTs are printing out if the login was successful or failed)?


#5

Thank you very much. After further reading of Logs I finally found the failed authentication:


Access to the registry possible (SMB/registry_access)
FALSE


So, it looks like a registry access issue, but Remote Registry service is running and File and Printer sharing is activated. I’m using a Domain Administrator account for scanning credentials. So, I should have met all the requirements specified in the thread you mentioned.
Do you maybe have any other idea?
Thank you so much for you help,
Andrea


#6

That is not very secure practice, you should create a limited account only for scanning.


#7

Thanks Luka, I know that. I’m just testing a GCE installation and the scanned device is my own PC. If I can’t manage to perform an authenticated scan with Domain Admins credentials, I won’t be able to do it with other accounts. Reading at my previous posts, do you have any idea why Registry cannot be accessed (I think I met usual requirements). Thanks, Andrea


#8

I can just point you to our documentation.

https://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#requirements-on-target-systems-with-windows


#9

I followed every requirements but I still see Logs like:


Access to the registry possible (SMB/registry_access): FALSE
Access via WMI possible (WMI/access_successful): FALSE
Architecture of the OS (SMB/Windows/Arch): Empty/None
Build number of the OS (SMB/WindowsBuild): Empty/None
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec): FALSE
Domain used for authenciated scans (kb_smb_domain()): GF-GROUP
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps): FALSE
Enable NTLMSSP (SMB/NTLMSSP): TRUE
Extended SMB support available via openvas-smb module (Tools/Present/smb): TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi): TRUE
Login via SMB failed: TRUE
Login via SMB successful: FALSE
Missing access permissions to the registry (SMB/registry_access_missing_permissions): FALSE
Name of the most recent service pack installed (SMB/CSDVersion): Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext): TRUE



#10

Why don´t you just test a local machine administrator, if this works you need to look over your Group Policy.


#11

Even the login to the remote SMB service failed so its not only a permission issue to the registry but a generall access problem (wrong/missing credentials etc.):


#12

Yes, but credentials are absolutely correct. I tried with both local and domain accounts.
Do you maybe have a clue about why SMB login is failing?
Thanks


#13

Your best bet is probably to:

  1. try a different user account / local admin as pointed out above
  2. revisit the previously linked documentation about authenticated scans
  3. try different less complex passwords
  4. verify that the user you’re using for the scan has indeed access permissions to the SMB service
  5. review the Event Log of your target system to see if you can find any hints on the login failures