When scanning a Windows Server 2016 test host, which has ports 135, 139 and 445 enabled, we get positive authentication via WMI, meaning the credentials are good. However, we get failures for authentication via SMB and remote registry.
Specifically, we have found that toggling SMB 3.1.1 Encryption from On to Off (https://blogs.msdn.microsoft.com/openspecification/2015/09/09/smb-3-1-1-encryption-in-windows-10/) allows us to authenticate as we should. But disabling it means we get unauthenticated scans, based on the following output of the Windows SMB/LSC Authenticated Scan Info Consolidation NASL:
```
Description (Knowledge base entry) : Value/Content
----------------------------------   -------------
Access to the registry possible (SMB/registry_access) : FALSE
Access via WMI possible (WMI/access_successful) : TRUE
Architecture of the OS (SMB/Windows/Arch) : Empty/None
Build number of the OS (SMB/WindowsBuild) : Empty/None
Disable file search via WMI on Windows (win/lsc/disable_wmi_search) : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec) : FALSE
Domain used for authenciated scans (kb_smb_domain()) : Empty/None
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps) : FALSE
Enable NTLMSSP (SMB/NTLMSSP) : TRUE
Extended SMB support available via openvas-smb module (Tools/Present/smb) : TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi) : TRUE
Login via SMB failed (login/SMB/failed) : TRUE
Login via SMB successful (login/SMB/success) : FALSE
Missing access permissions to the registry (SMB/registry_access_missing_permissions) : FALSE
Name of the most recent service pack installed (SMB/CSDVersion) : Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext) : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1) : FALSE
Path to the OS SystemRoot (smb_get_systemroot()) : Empty/None
Path to the OS SystemRoot for 32bit (smb_get_system32root()) : Empty/None
Port configured for authenciated scans (kb_smb_transport()) : 445/tcp
Port used for the failed login via SMB : 445/tcp
Product name of the OS (SMB/WindowsName) : Empty/None
SMB name used for authenciated scans (kb_smb_name()) : [[ REDACTED ]]
User used for authenciated scans (kb_smb_login()) : [[ REDACTED ]]
Version number of the OS (SMB/WindowsVersion) : Empty/None
Workgroup of the SMB server (SMB/workgroup) : [[ REDACTED ]]
```
Is there a setting or configuration that should be enabled within the scan configuration that will allow registry access via SMB 3.1.1 Encryption?
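
An added triage example, not part of the original post and not the scanner's own code: it parses consolidation output in the format quoted above and flags the pattern the post describes, where WMI accepts the credentials but the SMB login fails. The sample lines are a subset of the post's output; the function names and the wording of the findings are assumptions.

```python
import re

# Constructed sample: a subset of the consolidation output quoted in the post.
SAMPLE_REPORT = """\
Access to the registry possible (SMB/registry_access) : FALSE
Access via WMI possible (WMI/access_successful) : TRUE
Login via SMB failed (login/SMB/failed) : TRUE
Login via SMB successful (login/SMB/success) : FALSE
Missing access permissions to the registry (SMB/registry_access_missing_permissions) : FALSE
Port configured for authenciated scans (kb_smb_transport()) : 445/tcp
Port used for the failed login via SMB : 445/tcp
"""

# "<description> (<kb key>) : <value>"; the "(<kb key>)" part is optional.
LINE_RE = re.compile(
    r"^(?P<desc>.+?)(?:\s+\((?P<key>[^\s()]+(?:\(\))?)\))?\s+:\s+(?P<value>.*)$"
)

def parse_kb_report(text):
    """Map each KB key (or the description when no key is shown) to its value."""
    kb = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header and separator lines carry no " : " and are skipped
            kb[m.group("key") or m.group("desc")] = m.group("value").strip()
    return kb

def triage(kb):
    """Return findings for the 'WMI works, SMB fails' pattern (wording is hypothetical)."""
    def flag(key):
        return kb.get(key) == "TRUE"
    findings = []
    if flag("WMI/access_successful") and flag("login/SMB/failed"):
        port = kb.get("Port used for the failed login via SMB", "unknown")
        findings.append(
            f"credentials accepted over WMI but SMB login failed on {port}: "
            "check SMB protocol settings (such as encryption) before changing credentials"
        )
    if not flag("SMB/registry_access"):
        if flag("SMB/registry_access_missing_permissions"):
            findings.append("registry reachable but the account lacks permissions")
        elif not flag("login/SMB/success"):
            # Remote registry is reached over an SMB session, so no session means no access.
            findings.append("registry not accessed because no SMB session was established")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_kb_report(SAMPLE_REPORT)):
        print("-", finding)
```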