SMB 3.1.1 Encryption disallows remote registry


When scanning a Windows Server 2016 test host, which has ports 135, 139 and 445 enabled, we get positive authentication via WMI, meaning the credentials are good. However, we get failures for authentication via SMB and remote registry.

Specifically, we have found that toggling SMB 3.1.1 Encryption from On to Off (https://blogs.msdn.microsoft.com/openspecification/2015/09/09/smb-3-1-1-encryption-in-windows-10/) allows us to authenticate as we should. But disabling it means we get unauthenticated scans, based on the following output of the Windows SMB/LSC Authenticated Scan Info Consolidation NASL:

Description (Knowledge base entry)                                                                 Value/Content
----------------------------------                                                                 -------------
Access to the registry possible (SMB/registry_access)                                            : FALSE
Access via WMI possible (WMI/access_successful)                                                  : TRUE
Architecture of the OS (SMB/Windows/Arch)                                                        : Empty/None
Build number of the OS (SMB/WindowsBuild)                                                        : Empty/None
Disable file search via WMI on Windows (win/lsc/disable_wmi_search)                              : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec)  : FALSE
Domain used for authenciated scans (kb_smb_domain())                                             : Empty/None
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps)                      : FALSE
Enable NTLMSSP (SMB/NTLMSSP)                                                                     : TRUE
Extended SMB support available via openvas-smb module (Tools/Present/smb)                        : TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi)                        : TRUE
Login via SMB failed (login/SMB/failed)                                                          : TRUE
Login via SMB successful (login/SMB/success)                                                     : FALSE
Missing access permissions to the registry (SMB/registry_access_missing_permissions)             : FALSE
Name of the most recent service pack installed (SMB/CSDVersion)                                  : Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext)                            : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1)                                                           : FALSE
Path to the OS SystemRoot (smb_get_systemroot())                                                 : Empty/None
Path to the OS SystemRoot for 32bit (smb_get_system32root())                                     : Empty/None
Port configured for authenciated scans (kb_smb_transport())                                      : 445/tcp
Port used for the failed login via SMB                                                           : 445/tcp
Product name of the OS (SMB/WindowsName)                                                         : Empty/None
SMB name used for authenciated scans (kb_smb_name())                                             : [[ REDACTED ]]
User used for authenciated scans (kb_smb_login())                                                : [[ REDACTED ]]
Version number of the OS (SMB/WindowsVersion)                                                    : Empty/None
Workgroup of the SMB server (SMB/workgroup)                                                      : [[ REDACTED ]]

Is there a setting or configuration that should be enabled within the scan configuration that will allow registry access via SMB 3.1.1 Encryption?
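
Added example, not part of the original post or of the OpenVAS code: a Python triage of the consolidation output shown above that separates a plain SMB login failure from the case reported here, where WMI proves the credentials are valid but the SMB login still fails. The function names, result labels and the trimmed sample rows are constructed for illustration.

```python
import re

# Constructed sample: a few rows in the shape of the report quoted in this thread.
SAMPLE = """\
Description (Knowledge base entry)                               Value/Content
----------------------------------                               -------------
Access to the registry possible (SMB/registry_access)           : FALSE
Access via WMI possible (WMI/access_successful)                 : TRUE
Login via SMB failed (login/SMB/failed)                         : TRUE
Login via SMB successful (login/SMB/success)                    : FALSE
Port configured for authenciated scans (kb_smb_transport())     : 445/tcp
Port used for the failed login via SMB                          : 445/tcp
"""

# KB key in trailing parentheses, e.g. (SMB/registry_access) or (kb_smb_transport())
KEY_RE = re.compile(r"\(([^\s()]+(?:\(\))?)\)\s*$")

def parse_kb_report(text):
    """Return {kb_key_or_description: value} for each 'Description (key) : value' row."""
    kb = {}
    for line in text.splitlines():
        desc, sep, value = line.rpartition(" : ")
        if not sep:
            continue  # header, separator or blank line
        desc = desc.strip()
        m = KEY_RE.search(desc)
        # Rows without a KB key are stored under their description text.
        kb[m.group(1) if m else desc] = value.strip()
    return kb

def triage(kb):
    """Classify the authentication state (labels are hypothetical, for this example)."""
    def is_true(key):
        return kb.get(key) == "TRUE"
    if is_true("login/SMB/success"):
        if is_true("SMB/registry_access"):
            return "authenticated"
        if is_true("SMB/registry_access_missing_permissions"):
            return "smb-ok-registry-permissions"
        return "smb-ok-registry-no-access"
    if is_true("login/SMB/failed") and is_true("WMI/access_successful"):
        # Credentials work over WMI, so the failure is in the SMB session
        # itself: the pattern this thread reports with SMB encryption.
        return "smb-session-failure-credentials-valid"
    if is_true("login/SMB/failed"):
        return "smb-login-failed"
    return "no-smb-login-recorded"

if __name__ == "__main__":
    print(triage(parse_kb_report(SAMPLE)))
```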

Hey, I ran into exactly the same problem: with the SMB configuration “EncryptData” On, I can’t log in using SMB; when I turn it Off, it works. So I would also like to know if there is a possibility to change some configuration in OpenVAS to be able to do an auth scan with EncryptData On? @cfi, any thoughts?