Compliance scans not working (Windows targets)


#1

Hi all,

Struggling to get any of the compliance scans to return results (errors or any other output):

  • PCI/DSS - nothing
  • GDPR - nothing
  • IT-Grundschutz - all tests fail with either:

Ergebnis: Fehler
Details: Beim Testen des Systems trat ein Fehler auf:
No SSH Port or Connection!

or

Ergebnis: Fehler
Details: Beim Testen des Systems trat ein Fehler auf: No access to SMB host.
Firewall is activated or there is not a Windows system.

I include Windows SMB login scripts, and they all work normally. A standard Vulnerability scan can access SMB and WMI normally.

Is there anything specific to the compliance scans that I need to include to get them to return results? How can I see the verbose output of the script running?

Versions:
redis - 4.0
openvassd - 6.0
gvmd - 8.0
gsad - 8.0

Output from SMB Auth scan info consolidation:
Description (Knowledge base entry) : Value/Content

Access to the registry possible (SMB/registry_access) : TRUE
Access via WMI possible (WMI/access_successful) : TRUE
Architecture of the OS (SMB/Windows/Arch) : x64
Build number of the OS (SMB/WindowsBuild) : 7601
Disable file search via WMI on Windows (win/lsc/disable_wmi_search) : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec) : FALSE
Domain used for authenciated scans (kb_smb_domain()) : Empty/None
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps) : FALSE
Enable NTLMSSP (SMB/NTLMSSP) : TRUE
Extended SMB support available via openvas-smb module (Tools/Present/smb) : TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi) : TRUE
Login via SMB failed (login/SMB/failed) : FALSE
Login via SMB successful (login/SMB/success) : TRUE
Missing access permissions to the registry (SMB/registry_access_missing_permissions) : FALSE
Name of the most recent service pack installed (SMB/CSDVersion) : Service Pack 1
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext) : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1) : FALSE
Path to the OS SystemRoot (smb_get_systemroot()) : C:\Windows
Path to the OS SystemRoot for 32bit (smb_get_system32root()) : C:\Windows\system32
Port configured for authenciated scans (kb_smb_transport()) : 445/tcp
Port used for the successful login via SMB : 445/tcp
Product name of the OS (SMB/WindowsName) : Windows 7 Professional
SMB name used for authenciated scans (kb_smb_name()) : 192.168.1.150
User used for authenciated scans (kb_smb_login()) : remote
Version number of the OS (SMB/WindowsVersion) : 6.1
Workgroup of the SMB server (SMB/workgroup) : WORKGROUP


IT-Grundschutz Scans not authenticating via SMB
#2

Hi,

Did you try to use this IT-Grundschutz_scan_config.xml (541.8 KB) scan configuration to scan for IT-Grundschutz? You can upload the scan config in GSA “Configuration -> Scan Configs -> Import Scan Config”.

GDPR and PCI-DSS are available for Greenbone customers only (Greenbone Security Feed only content). If I see correctly, you use the Greenbone Community Feed, so here you can’t get results for these Policies.


#3

Cheers!

Does this mean I need to buy an appliance? That’s way overkill for what I need; I have a running instance, I just need the feed.

Also - shouldn’t these commercial-only scans be removed from the open source version? Along with the Nmap NSE scans not working, it’s getting harder to actually get the open source one to do what I need it to do.


#4

Please take a look at this topic

and especially my answer


#5

Ok, I’ll look at that.

If I go for the virtual appliance, I assume all the IT-Grundschutz and Nmap NSE stuff will work? These are the key scans for me.


#6

Hi Emoss,

Looks like this one is working! Many thanks!


#7

Some additional info for nmap NSE can be found at the following topic


#8

As pointed out in “Nmap smb enum users not returning any results”, the Nmap NSE NASL wrappers are a deprecated concept. As the appliances are using a newer nmap version, these won’t work there either.

The Nmap NSE NASL wrappers are kept in the feed for the following reasons:

  1. To allow GSE users to install an older nmap version and use the wrappers
  2. For archiving purposes: if VTs are removed from the feed, older reports (which might still exist) referencing these VTs are missing the metadata about these VTs.

As you seem to have found out, the IT-Grundschutz scans should work on the GSE/GCE as well. The related documentation and the previously attached IT-Grundschutz scan config can be found here:

https://docs.greenbone.net/GSM-Manual/gos-4/en/compliance.html#it-grundschutz


#9

Ok.

I guess my hypothetical question is - since I can run a successful nmap scan from the CLI, I guess there’s nothing stopping me writing my own .nasl to run this CLI command?

Edit: I see your OSP comment. I’ll look there first.