Hint: Verify target configuration / access for authenticated (LSC) scans

Description

Note: If you have any questions on this topic please start a new thread for each question and link back to this topic so that it can be updated accordingly.

When doing Authenticated Scans, specific requirements on target systems with Linux/UNIX or Windows need to be fulfilled.

If the requirements are not fulfilled, the detection of installed software and of possibly existing vulnerabilities might fail. To help in such situations (if the Credentials are configured), a Log level entry of one of the following two VTs (depending on the target) provides various information within a report:

SSH

Linux/UNIX SSH/LSC Authenticated Scan Info Consolidation (OID: 1.3.6.1.4.1.25623.1.0.108162)

The most important parts of the output are the following:

Login via SSH successful (login/SSH/success)

This needs to be set to TRUE for basic access via SSH to the target. If not, please verify the credentials you configured and the configuration of the target according to Requirements on Target Systems with Linux/UNIX.

If the SSH credentials are correct, the login might have failed for the following reasons.

This entry might show up once a login has failed. Please review the full output for additional information.

locate: Command available (ssh/locate/available)

If this is set to FALSE, locate might not be available on the target system:

NOTE: The locate command seems to be unavailable for this user/account/system. This command is highly recommended for authenticated scans to improve the search performance on the target system. Please see the output above for a possible hint / reason why this command is not available.

SMB/Windows

Windows SMB/LSC Authenticated Scan Info Consolidation (OID: 1.3.6.1.4.1.25623.1.0.108442)

The most important parts of the output are the following:

Extended SMB support available via openvas-smb module (Tools/Present/smb) and Extended WMI support available via openvas-smb module (Tools/Present/wmi)

Only valid for: Greenbone Community Edition installations built from source / installed via 3rd-party integration.

Not valid for: Greenbone OS based installations like Greenbone Enterprise Appliances. On such installations the related module is already pre-installed.

Note: Both need to be set to TRUE before continuing with this article.

If the above is not the case, your 3rd-party integration might be missing the installation of openvas-smb (GitHub: greenbone/openvas-smb, the SMB module for OpenVAS Scanner), which is required for authenticated scans. If your installation was built from source, please install the related openvas-smb library. If the installation is provided via packages / repositories, please contact the maintainer of this 3rd-party integration to make the module available.

Login via SMB successful (login/SMB/success)

This needs to be set to TRUE for basic access via SMB to the target. If not, please verify the credentials you configured and the configuration of the target according to Requirements on Target Systems with Windows.

Access to the registry possible (SMB/registry_access)

In addition to the previously described login via SMB, the target system needs to provide access to the Remote Registry as well. If this key is set to FALSE, no access was possible. The reason for this could be e.g.:

  1. an insufficient configuration of the target
  2. a Remote Registry service that is not running or is disabled

For both points please review the configuration of the target according to Requirements on Target Systems with Windows as well as a possible output of the following within this VT:

It was not possible to connect to the PIPE\winreg on the remote host. If you intend to use the Scanner to perform registry-based checks, the registry checks will not work because the 'Remote Registry' service is not running or has been disabled on the remote host.

Please either:

- configure the 'Startup Type' of the 'Remote Registry' service on the target host to 'Automatic'.
- configure the NVT 'Windows Services Start' (OID: 1.3.6.1.4.1.25623.1.0.804786) to start this service automatically.

Missing access permissions to the registry (SMB/registry_access_missing_permissions)

Even if access to the Remote Registry was possible, the user for the authenticated scan might lack additional permissions to access the registry. Please review the Requirements on Target Systems with Windows documentation, especially the part about the LocalAccountTokenFilterPolicy registry key.

Access via WMI possible (WMI/access_successful)

Policy / Compliance VTs in particular, but also various Detection-VTs for software, rely on being able to access the target system via the Windows Management Instrumentation (WMI). If this is set to FALSE, please verify the credentials you configured to access the target as well as e.g. firewall restrictions and similar topics.

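A small triage helper for the entries described above, added here as an example and not part of the VTs or of Greenbone's own code. It assumes each entry appears in the report text as `Description (kb/key) : TRUE` or `FALSE`, and that a TRUE value for SMB/registry_access_missing_permissions signals the problem; the sample report is constructed.

```python
import re

# Knowledge-base keys named on this page, in the order they depend on each other.
# Each tuple: (key, expected value, blocks later checks?, what to review)
SSH_CHECKS = [
    ("login/SSH/success", "TRUE", True, "verify the configured SSH credentials and the target configuration"),
    ("ssh/locate/available", "TRUE", False, "locate is unavailable for this user/account/system; see the VT output for a hint"),
]
SMB_CHECKS = [
    ("Tools/Present/smb", "TRUE", True, "install openvas-smb or contact the maintainer of the integration"),
    ("Tools/Present/wmi", "TRUE", True, "install openvas-smb or contact the maintainer of the integration"),
    ("login/SMB/success", "TRUE", True, "verify the configured SMB credentials and the target configuration"),
    ("SMB/registry_access", "TRUE", False, "check the target configuration and the Remote Registry service"),
    ("SMB/registry_access_missing_permissions", "FALSE", False, "review LocalAccountTokenFilterPolicy on the target"),
    ("WMI/access_successful", "TRUE", False, "verify the credentials and firewall restrictions for WMI"),
]

# Assumed line layout (not taken from the page): "<description> (<kb key>) : TRUE|FALSE"
ENTRY = re.compile(r"\(([\w/]+)\)[ \t]*:[ \t]*(TRUE|FALSE)\b", re.IGNORECASE)

# Constructed sample of the Windows VT's Log entry.
SAMPLE = """\
Extended SMB support available via openvas-smb module (Tools/Present/smb) : TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi) : TRUE
Login via SMB successful (login/SMB/success) : TRUE
Access to the registry possible (SMB/registry_access) : FALSE
Access via WMI possible (WMI/access_successful) : TRUE
"""

def parse_entries(report_text):
    """Map each knowledge-base key found in the text to 'TRUE' or 'FALSE'."""
    return {key: value.upper() for key, value in ENTRY.findall(report_text)}

def triage(report_text, checks):
    """Return (key, observed value, advice) for every unmet prerequisite, in order."""
    seen = parse_entries(report_text)
    findings = []
    for key, expected, blocking, advice in checks:
        value = seen.get(key)
        # An absent entry only matters for keys that must be TRUE.
        if value == expected or (value is None and expected == "FALSE"):
            continue
        findings.append((key, value or "NOT REPORTED", advice))
        if blocking:
            break  # later entries depend on this one, so fix it first
    return findings
```

Call `triage(text, SSH_CHECKS)` or `triage(text, SMB_CHECKS)` with the Log entry text copied from the report; an empty list means every prerequisite on this page is met.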