No results after running scan

Hi all,
I know this question might have been in other topics, however I couldn’t find a solution. I’m running latest version of GCE VM on VirtualBox with network Bridge Adapter. I followed your guide.

The scan starts but it finishes pretty quick without providing any results or feedback:

It states No hosts available.
Using the command line, I can see gvm processes running:
Screenshot from 2019-12-13 09-00-21
From the above picture, Reloading NVTs and OSP: Updating NVT cache looks intriguing, however it is something that appears to run every x seconds.

I can confirm the feed update has successfully completed and I can see NVTs, CVEs, CPEs, etc from the SecInfo tab.

My About information:

Screenshot from 2019-12-13 09-14-29

One thing that I’m missing is checking the logs. Can someone provide the location of the logs viaa command line?

I tried 2 different networks (work network which contains firewalls and home network).

I also created a new target with the configuration Alive Test: Consider alive.

What else do you guys suggest me to do?

Thank you for your time.

First thing I’d do is change the filter in your first picture to
levels=hmlgf min_qod=0
this should show you the two hosts in the host tab, that are currently filtered out.

Secondly check the live logs in the command line via
journalctl -f
Try scanning localhost just to make sure the GSM is ready to scan. Then try nmap the target from the shell to make sure it can be reached.

2 Likes

Hi Tino. Thank you.
Will try that and provide feedback asap.

@Tino I got some logs from scanning localhost. It finished successfully.

Initial part of scan:

Dec 13 10:10:09 gsm gvmd[26619]: Target Target for immediate scan of IP localhost - 2019-12-13 10:10:09 (b0bbe82d-ffee-4f8a-a15b-e7d713c920cf) has been created by digivante
Dec 13 10:10:09 gsm gvmd[26619]: Status of task (13e7aa99-109d-4028-99b1-71bd172e1e89) has changed to New
Dec 13 10:10:09 gsm gvmd[26619]: Task Immediate scan of IP localhost (13e7aa99-109d-4028-99b1-71bd172e1e89) has been created by digivante
Dec 13 10:10:09 gsm gvmd[26619]: Status of task Immediate scan of IP localhost (13e7aa99-109d-4028-99b1-71bd172e1e89) has changed to Requested
Dec 13 10:10:09 gsm gvmd[26619]: Task Immediate scan of IP localhost (13e7aa99-109d-4028-99b1-71bd172e1e89) has been requested to start by digivante
Dec 13 10:10:09 gsm gvmd[26619]: Wizard quick_first_scan has been run by digivante
Dec 13 10:10:22 gsm ospd-openvas[26696]: OSPD - openvas: INFO: (ospd.ospd) 29a78007-6b3b-4cae-a1c7-95aa476e73ab: Scan started.
Dec 13 10:10:22 gsm gvmd[26630]: Status of task Immediate scan of IP localhost (13e7aa99-109d-4028-99b1-71bd172e1e89) has changed to Running
Dec 13 10:10:22 gsm sudo[26703]: ospd : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/openvas --scan-start b4bc1668-1196-444e-af1b-ac044a1fc2e4
Dec 13 10:10:22 gsm sudo[26703]: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 13 10:10:22 gsm openvas[26704]: openvas 7.0.0 started

Then I got a lot of these:

Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsGeneral/MSSecurityGuide/win_sg_wdigest_authentication.nasl, a dependency of SYS.2.2.3.A11. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsGeneral/System/win_vbs_credential_guard.nasl, a dependency of SYS.2.2.3.A11. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsGeneral/UserAccountControl/win_uac_behavior_elevation_prompt_users.nasl, a dependency of SYS.2.2.2.A7. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsGeneral/UserAccountControl/win_uac_behaviour_elevation_prompt_admin.nasl, a dependency of SYS.2.2.2.A7. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsGeneral/UserAccountControl/win_uac_admin_approval_mode.nasl, a dependency of SYS.2.2.2.A7. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsGeneral/UserAccountControl/win_uac_all_admins_approval_mode.nasl, a dependency of SYS.2.2.2.A7. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsGeneral/UserAccountControl/win_uac_sec_desktop_when_prompt.nasl, a dependency of SYS.2.2.2.A7. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsDefenderAV/defav_turn_off_defender.nasl, a dependency of SYS.2.2.2.A5. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.
Dec 13 10:10:24 gsm openvas[26704]: There was a problem trying to load gsf/Policy/WindowsDefenderAV/defav_turn_off_defender.nasl, a dependency of SYS.2.2.2.A6. This may be due to a parse error, or it failed to find the dependency. Please check the path to the file.

Then the scan started:

Dec 13 10:10:26 gsm openvas[26704]: Starts a new scan. Target(s) : localhost, with max_hosts = 30 and max_checks = 10
Dec 13 10:10:26 gsm openvas[26715]: Testing 127.0.0.1 (Vhosts: localhost) [26715]
Dec 13 10:10:31 gsm sshd[26788]: Bad protocol version identification ‘\026\003\001’ from 127.0.0.1 port 44047
Dec 13 10:10:31 gsm sshd[26790]: Bad protocol version identification ‘GET / HTTP/1.0’ from 127.0.0.1 port 40755
Dec 13 10:11:52 gsm sshd[27281]: Did not receive identification string from 127.0.0.1 port 40339
Dec 13 10:11:52 gsm sshd[27282]: Invalid user GBN-VT from 127.0.0.1 port 57857
Dec 13 10:11:52 gsm sshd[27282]: input_userauth_request: invalid user GBN-VT [preauth]
Dec 13 10:11:52 gsm sshd[27282]: pam_unix(sshd:auth): check pass; user unknown
Dec 13 10:11:52 gsm sshd[27282]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
Dec 13 10:11:55 gsm sshd[27282]: Failed password for invalid user GBN-VT from 127.0.0.1 port 57857 ssh2
Dec 13 10:11:55 gsm sshd[27282]: Received disconnect from 127.0.0.1 port 57857:11: Bye Bye [preauth]
Dec 13 10:11:55 gsm sshd[27282]: Disconnected from 127.0.0.1 port 57857 [preauth]
Dec 13 10:12:11 gsm sshd[27425]: Bad protocol version identification ‘\026\003\001\003\241\001’ from 127.0.0.1 port 49973
Dec 13 10:12:11 gsm sshd[27426]: Bad protocol version identification ‘\026\003\002\003\241\001’ from 127.0.0.1 port 46075
Dec 13 10:12:11 gsm sshd[27427]: Bad protocol version identification ‘\026\003\003\003\307\001’ from 127.0.0.1 port 59395
Dec 13 10:12:13 gsm sshd[27428]: Did not receive identification string from 127.0.0.1 port 52169
Dec 13 10:12:13 gsm sshd[27467]: Bad protocol version identification ‘\026\003’ from 127.0.0.1 port 41571
Dec 13 10:12:33 gsm sshd[31348]: Connection closed by 127.0.0.1 port 47921 [preauth]
Dec 13 10:12:33 gsm sshd[31359]: Protocol major versions differ for 127.0.0.1 port 59677: SSH-2.0-Greenbone_7.4p2gb Greenbone OS 6.0 vs. SSH-0.12-GBN-VTSSH_1.0
Dec 13 10:12:33 gsm sshd[31362]: Protocol major versions differ for 127.0.0.1 port 54311: SSH-2.0-Greenbone_7.4p2gb Greenbone OS 6.0 vs. SSH-1.33-GBN-VTSSH_1.0
Dec 13 10:12:33 gsm sshd[31366]: Protocol major versions differ for 127.0.0.1 port 37049: SSH-2.0-Greenbone_7.4p2gb Greenbone OS 6.0 vs. SSH-1.5-GBN-VTSSH_1.0
Dec 13 10:12:33 gsm sshd[31369]: Connection closed by 127.0.0.1 port 40741 [preauth]
Dec 13 10:12:33 gsm sshd[31373]: Connection closed by 127.0.0.1 port 48429 [preauth]
Dec 13 10:12:33 gsm sshd[31378]: User root from 127.0.0.1 not allowed because none of user’s groups are listed in AllowGroups
Dec 13 10:12:33 gsm sshd[31378]: input_userauth_request: invalid user root [preauth]
Dec 13 10:12:33 gsm sshd[31378]: Received disconnect from 127.0.0.1 port 47325:11: Bye Bye [preauth]
Dec 13 10:12:33 gsm sshd[31378]: Disconnected from 127.0.0.1 port 47325 [preauth]

Then I got this kind of pattern:

pam_unix(sshd:auth): check pass; user unknown
Dec 13 10:13:16 gsm sshd[8127]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1
Dec 13 10:13:16 gsm sshd[7800]: Failed password for invalid user htinit from 127.0.0.1 port 60371 ssh2
Dec 13 10:13:16 gsm sshd[7800]: Received disconnect from 127.0.0.1 port 60371:11: Bye Bye [preauth]
Dec 13 10:13:16 gsm sshd[7800]: Disconnected from 127.0.0.1 port 60371 [preauth]
Dec 13 10:13:16 gsm sshd[7801]: Failed password for invalid user db2fenc1 from 127.0.0.1 port 57171 ssh2
Dec 13 10:13:16 gsm sshd[7801]: Received disconnect from 127.0.0.1 port 57171:11: Bye Bye [preauth]
Dec 13 10:13:16 gsm sshd[7801]: Disconnected from 127.0.0.1 port 57171 [preauth]
Dec 13 10:13:16 gsm sshd[8245]: Invalid user db2fenc1 from 127.0.0.1 port 59021
Dec 13 10:13:16 gsm sshd[8245]: input_userauth_request: invalid user db2fenc1 [preauth]

The scanner finished successfully and found vulnerabilities.

@Tino
Here’s the output from nmap the respective target I want to scan:

Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-13 10:18 UTC
Nmap scan report for my host (my host ip)
Host is up (0.029s latency).
rDNS record for [my host ip]: ec2-[my host ip].eu-west-2.compute.amazonaws.com
Not shown: 969 filtered ports, 28 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 4.18 seconds

Tried scanning the target I want:

(same errors I described above for the missing nasls)

Dec 13 10:35:27 gsm openvas[15813]: Starts a new scan. Target(s) : (my host), with max_hosts = 30 and max_checks = 10
Dec 13 10:35:28 gsm openvas[15825]: Testing (my host) (Vhosts: ec2-(my host).eu-west-2.compute.amazonaws.com, (my host)) [15825]
Dec 13 10:35:30 gsm openvas[15825]: The remote host (my host) is dead
Dec 13 10:35:30 gsm openvas[15825]: Finished testing (my host). Time : 2.19 secs
Dec 13 10:35:30 gsm openvas[15813]: Test complete
Dec 13 10:35:30 gsm openvas[15813]: Total time to scan all hosts : 5 seconds

It finished quite fast and it is saying host is dead.

The “Further debugging / logging” part of the following thread around this topic should allow to enable some logging to see why your host is seen as dead:

1 Like

Thank you. Will try and provide feedback asap

@cfi
It is only showing results from ping_host.nasl:

Summary

Detection Result

The remote host (my host) was considered as dead. Used/configured checks: Host is down (failed ARP/ICMP ping), Method: nmap nmap command: nmap --reason -sP -T3 --send-ip -PE (my host) Starting Nmap 7.40 ( https://nmap.org ) at 2019-12-13 14:30 utc Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 2.07 seconds

Detection Method

Details: Ping Host OID: 1.3.6.1.4.1.25623.1.0.100315

Solution

Solution Type:

Name Default Value
Timeout default
nmap additional ports for -PA 137,587,3128,8081
nmap: try also with only -sP no
Log nmap output no
Log failed nmap calls no
nmap timing policy Normal
Do a TCP ping no
TCP ping tries also TCP-SYN ping no
Do an ICMP ping yes
Use ARP no
Mark unrechable Hosts as dead (not scanning) yes
Report about unrechable Hosts no
TCP ping tries only TCP-SYN ping no
Use nmap yes
Report about reachable Hosts no

Is it even possible to disable host discovery and perform a port scan only?

So this is already providing you the info why the host is considered as dead:

The previously linked thread contains some additional information at “The targets are not answering to an ICMP Echo Request” on how to change the alive test method.

3 Likes