SMB authenticated scan with domain account not working (Login via SMB failed: TRUE)

GVM versions

gsa: 8.0.1
gvm: 8.0.1
openvas-scanner: 6.0.1
gvm-libs: 10.0.1

Environment

Operating system: Linux
Kernel: Linux RicohSecurity 5.2.14-arch2-1-ARCH #1 SMP PREEMPT Thu Sep 12 10:42:38 UTC 2019 x86_64 GNU/Linux
Installation method / source: pacman

====================================================================

Dear all,

I’m trying to perform authenticated scans with SMB credentials targeting Windows hosts. I’m able to perform the scan and get a “SMB Successful Login” when targeting non-associated domain accounts. But I always get “SMB Failed Login” once the target is associated to a domain.

Please find below my SMB authenticated outputs in these 2 cases:

a) Targeting a host NOT assigned to a domain account:

Access to the registry possible (SMB/registry_access)                                            : TRUE
Access via WMI possible (WMI/access_successful)                                                  : FALSE
Architecture of the OS (SMB/Windows/Arch)                                                        : Empty/None
Build number of the OS (SMB/WindowsBuild)                                                        : 17134
Disable file search via WMI on Windows (win/lsc/disable_wmi_search)                              : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec)  : FALSE
Domain used for authenciated scans (kb_smb_domain())                                             : Empty/None
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps)                      : FALSE
Enable NTLMSSP (SMB/NTLMSSP)                                                                     : TRUE
Extended SMB support available via openvas-smb module (Tools/Present/smb)                        : FALSE
Extended WMI support available via openvas-smb module (Tools/Present/wmi)                        : FALSE
Login via SMB failed (login/SMB/failed)                                                          : FALSE
Login via SMB successful (login/SMB/success)                                                     : TRUE
Missing access permissions to the registry (SMB/registry_access_missing_permissions)             : TRUE
Name of the most recent service pack installed (SMB/CSDVersion)                                  : Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext)                            : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1)                                                           : FALSE
Path to the OS SystemRoot (smb_get_systemroot())                                                 : Empty/None
Path to the OS SystemRoot for 32bit (smb_get_system32root())                                     : Empty/None
Port configured for authenciated scans (kb_smb_transport())                                      : 445/tcp
Port used for the successful login via SMB                                                       : 445/tcp
Product name of the OS (SMB/WindowsName)                                                         : Windows 10 Enterprise
SMB name used for authenciated scans (kb_smb_name())                                             : 192.168.71.30
User used for authenciated scans (kb_smb_login())                                                : MyUser
Version number of the OS (SMB/WindowsVersion)                                                    : 6.3
Workgroup of the SMB server (SMB/workgroup)                                                      : Empty/None

b) Targeting a host assigned to a domain account:

Credentials Username: MYWORKGROUP\MyUser

SMB Test
Error getting SMB-Data -> SESSION SETUP FAILED: NT_STATUS_ACCESS_DENIED

Windows LSC Authenticated Scan Info Consolidation
Description (Knowledge base entry)                                                                 Value/Content
----------------------------------                                                                 -------------
Access to the registry possible (SMB/registry_access)                                            : FALSE
Access via WMI possible (WMI/access_successful)                                                  : FALSE
Architecture of the OS (SMB/Windows/Arch)                                                        : Empty/None
Build number of the OS (SMB/WindowsBuild)                                                        : Empty/None
Disable file search via WMI on Windows (win/lsc/disable_wmi_search)                              : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec)  : FALSE
Domain used for authenciated scans (kb_smb_domain())                                             : Empty/None
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps)                      : FALSE
Enable NTLMSSP (SMB/NTLMSSP)                                                                     : TRUE
Extended SMB support available via openvas-smb module (Tools/Present/smb)                        : FALSE
Extended WMI support available via openvas-smb module (Tools/Present/wmi)                        : FALSE
Login via SMB failed (login/SMB/failed)                                                          : TRUE
Login via SMB successful (login/SMB/success)                                                     : FALSE
Missing access permissions to the registry (SMB/registry_access_missing_permissions)             : FALSE
Name of the most recent service pack installed (SMB/CSDVersion)                                  : Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext)                            : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1)                                                           : FALSE
Path to the OS SystemRoot (smb_get_systemroot())                                                 : Empty/None
Path to the OS SystemRoot for 32bit (smb_get_system32root())                                     : Empty/None
Port configured for authenciated scans (kb_smb_transport())                                      : 445/tcp
Port used for the failed login via SMB                                                           : 445/tcp
Product name of the OS (SMB/WindowsName)                                                         : Empty/None
SMB name used for authenciated scans (kb_smb_name())                                             : 192.168.1.7
User used for authenciated scans (kb_smb_login())                                                : MYWORKGROUPMyUser
Version number of the OS (SMB/WindowsVersion)                                                    : Empty/None
Workgroup of the SMB server (SMB/workgroup)                                                      : MYWORKGROUP

I have been following the official documentation and I would need to know the following:

  1. Is openvas-smb required (mandatory) for SMB authenticated login on Windows hosts associated with a domain account?
  2. When creating the SMB credential I am passing the user as “MYWORKGROUP\MYUSERNAME”. Is this the proper way of doing it? Is the workgroup required?
  3. Is there anything else special I should take into consideration for the domain associated accounts?

Kind regards,

It is a general requirement for SMB authenticated scans, not only for hosts associated with a domain account.

The following topics could give some more additional info around this topic:

2 Likes

@cfi,

I would like to point out (in case someone is experiencing the same results) that when scanning a Windows host associated with a domain account and providing a user for the SMB credential using the following syntax:

USERNAME@WORKGROUP

the scan returns:

Login via SMB successful: TRUE

Which I think might get people confused.

Thank you for your clarifications.

2 Likes

Note that while the SMB login might be successful without openvas-smb this component might be still required for authenticated scans.

1 Like

Hello @cfi,

You said:

this component might be still required for authenticated scans

So I wonder:

Is it possible to determine in what situations (OS configuration, versions, etc) openvas-smb is required and when it is not when running authenticated scans?

Regards,

openvas-smb is providing the following “WMI Client” and “SMB Client” functionality from the first posted link:

Tool: WMI Client (Scanner not build with extended WMI support via the openvas-smb module)
Effect: Any NVTs that do rely on the built-in WMI functionality will not be executed. Most likely reduced are Authenticated Scans due missing Local Security Checks (LSC), compliance tests and OVAL NVTs.
Note: If you did not provide SMB credentials or do not scan host with Windows operating systems, the absence will not reduce the number of executed NVTs.

Tool: SMB Client (Scanner not build with extended WMI support via the openvas-smb module)
Effect: Any NVTs that do rely on the built-in SMB functionality will not be executed. Most likely reduced are Authenticated Scans due missing Local Security Checks (LSC), compliance tests and OVAL NVTs.
Note: If you did not provide SMB credentials or do not scan host with Windows operating systems, the absence will not reduce the number of executed NVTs.

The README of greenbone/openvas-smb (SMB module for OpenVAS Scanner) on GitHub has the following information:

This is the smb module for the OpenVAS Scanner. It includes libraries ( openvas-wmiclient / openvas-wincmd ) to interface with Microsoft Windows Systems through the Windows Management Instrumentation API and a winexe binary to execute processes remotely on that system.

and the INSTALL.md of greenbone/openvas-scanner (main branch) on GitHub has this one:

Recommended to have WMI support:

openvas-smb >= 1.0.1

Generally you always want to install and have openvas-smb available when scanning Windows systems.

1 Like
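
As an added example (not part of the thread and not Greenbone code), the following script parses a "Windows LSC Authenticated Scan Info Consolidation" block and reports the conditions discussed above: a failed SMB login, missing openvas-smb support, and a login that succeeds while coverage is still reduced. The function names, the finding labels and the domain check are assumptions made for this example; the sample input is an excerpt of the case (b) output quoted in the first post.

```python
import re

# Excerpt of the case (b) consolidation output quoted in the thread above.
SAMPLE_B = """\
Access via WMI possible (WMI/access_successful)                           : FALSE
Domain used for authenciated scans (kb_smb_domain())                      : Empty/None
Extended SMB support available via openvas-smb module (Tools/Present/smb) : FALSE
Extended WMI support available via openvas-smb module (Tools/Present/wmi) : FALSE
Login via SMB failed (login/SMB/failed)                                   : TRUE
Login via SMB successful (login/SMB/success)                              : FALSE
Port used for the failed login via SMB                                    : 445/tcp
User used for authenciated scans (kb_smb_login())                         : MYWORKGROUPMyUser
Workgroup of the SMB server (SMB/workgroup)                               : MYWORKGROUP
"""

def parse_kb(report):
    """Map each knowledge-base key (or the description, if no key is shown) to its value."""
    kb = {}
    for line in report.splitlines():
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # header, separator or blank line
        desc, value = parts
        m = re.search(r"\((\S+)\)$", desc)  # trailing "(key)", e.g. (kb_smb_domain())
        kb[m.group(1) if m else desc] = None if value == "Empty/None" else value
    return kb

def diagnose(kb):
    """Return findings for an authenticated Windows scan (labels are hypothetical)."""
    findings = []
    if kb.get("login/SMB/failed") == "TRUE":
        findings.append("login-failed")
    missing = [t for t in ("smb", "wmi") if kb.get(f"Tools/Present/{t}") == "FALSE"]
    if missing:
        # Per the thread: NVTs relying on built-in SMB/WMI functionality are not executed.
        findings.append("openvas-smb-missing:" + ",".join(missing))
        if kb.get("login/SMB/success") == "TRUE":
            findings.append("login-ok-but-reduced-coverage")
    # Heuristic added for this example, not stated in the thread: the server
    # reports a workgroup but the scanner's domain entry is empty.
    if kb.get("SMB/workgroup") and not kb.get("kb_smb_domain()"):
        findings.append("domain-not-set:" + kb["SMB/workgroup"])
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_kb(SAMPLE_B)):
        print(finding)
```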