Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Nessus: users

Credentialed scans against Windows 2008

 

 

Nessus users RSS feed   Index | Next | Previous | View Threaded


rvandolson at esri

Nov 6, 2008, 5:16 PM

Post #1 of 7 (5571 views)
Permalink
Credentialed scans against Windows 2008

Hi all, I'm trying to run a credentialed scan against a Windows Server
2008 machine from a box running Nessus 3.2.1. I initially was doing
this from NessusClient, but am testing with nasl as follows:

./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
/opt/nessus/lib/nessus/plugins/compliance_check.nbin

Then providing a valid SMB account as prompted.

The problem is that none of the credentialed checks appear to be
succeeding. I have verified that the account supplied is in the local
Administrators group, and I can remote desktop into the machine as that
user just fine.

Output from the nasl command is as follows:

There was an error during compliance check initialization. Nessus returned
the following error message :
Some errors occurred when attempting to perform the compliance checks :
can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket

I did a tcpdump while running the above command and noticed that
Windows responds with a 'reset' packet in response to Nessus' initial
packet to port 445 -- almost like a firewall. However, the firewall is
disabled on this machine.

Also, I am unable to connect to the default shares on the machine using
smbclient (C$, ADMIN$). I get the following error there:

$ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
Password:
Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
tree connect failed: NT_STATUS_ACCESS_DENIED

Perhaps this is related.

Anyone have any suggestions? I figure this must be some security
setting in 2008...

Thanks,
Ray
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


pdavis at tenablesecurity

Nov 7, 2008, 6:29 AM

Post #2 of 7 (5431 views)
Permalink
Re: Credentialed scans against Windows 2008 [In reply to]

Ray,

How is the following configuration set on your Windows 2008 system:

Control Panel (Classic View) => System => Remote settings (upper left hand corner). It should be set to: "Allow connections from computers
running any version of Remote Desktop".

Let me know if this helps.

Paul



Ray Van Dolson wrote:
> Hi all, I'm trying to run a credentialed scan against a Windows Server
> 2008 machine from a box running Nessus 3.2.1. I initially was doing
> this from NessusClient, but am testing with nasl as follows:
>
> ./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
> /opt/nessus/lib/nessus/plugins/compliance_check.nbin
>
> Then providing a valid SMB account as prompted.
>
> The problem is that none of the credentialed checks appear to be
> succeeding. I have verified that the account supplied is in the local
> Administrators group, and I can remote desktop into the machine as that
> user just fine.
>
> Output from the nasl command is as follows:
>
> There was an error during compliance check initialization. Nessus returned
> the following error message :
> Some errors occurred when attempting to perform the compliance checks :
> can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket
>
> I did a tcpdump while running the above command and noticed that
> Windows responds with a 'reset' packet in response to Nessus' initial
> packet to port 445 -- almost like a firewall. However, the firewall is
> disabled on this machine.
>
> Also, I am unable to connect to the default shares on the machine using
> smbclient (C$, ADMIN$). I get the following error there:
>
> $ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
> Password:
> Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> Perhaps this is related.
>
> Anyone have any suggestions? I figure this must be some security
> setting in 2008...
>
> Thanks,
> Ray
> _______________________________________________
> Nessus mailing list
> Nessus [at] list
> http://mail.nessus.org/mailman/listinfo/nessus
>

--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


rvandolson at esri

Nov 7, 2008, 7:17 AM

Post #3 of 7 (5437 views)
Permalink
Re: Credentialed scans against Windows 2008 [In reply to]

On Fri, Nov 07, 2008 at 06:29:45AM -0800, Paul Davis wrote:
> Ray,
>
> How is the following configuration set on your Windows 2008 system:
>
> Control Panel (Classic View) => System => Remote settings (upper left
> hand corner). It should be set to: "Allow connections from computers
> running any version of Remote Desktop".
>
> Let me know if this helps.
>
> Paul
>

Thanks Paul. This is how it was already set. I have no problems
connecting via Remote Desktop as the 'nessus' user account that was set
up in this case either.

It seems the SMB connection is what isn't working.

Also have opened a support request with you guys.

Thanks for the response!

Ray

>
> Ray Van Dolson wrote:
> > Hi all, I'm trying to run a credentialed scan against a Windows Server
> > 2008 machine from a box running Nessus 3.2.1. I initially was doing
> > this from NessusClient, but am testing with nasl as follows:
> >
> > ./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
> > /opt/nessus/lib/nessus/plugins/compliance_check.nbin
> >
> > Then providing a valid SMB account as prompted.
> >
> > The problem is that none of the credentialed checks appear to be
> > succeeding. I have verified that the account supplied is in the local
> > Administrators group, and I can remote desktop into the machine as that
> > user just fine.
> >
> > Output from the nasl command is as follows:
> >
> > There was an error during compliance check initialization. Nessus returned
> > the following error message :
> > Some errors occurred when attempting to perform the compliance checks :
> > can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket
> >
> > I did a tcpdump while running the above command and noticed that
> > Windows responds with a 'reset' packet in response to Nessus' initial
> > packet to port 445 -- almost like a firewall. However, the firewall is
> > disabled on this machine.
> >
> > Also, I am unable to connect to the default shares on the machine using
> > smbclient (C$, ADMIN$). I get the following error there:
> >
> > $ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
> > Password:
> > Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
> > tree connect failed: NT_STATUS_ACCESS_DENIED
> >
> > Perhaps this is related.
> >
> > Anyone have any suggestions? I figure this must be some security
> > setting in 2008...
> >
> > Thanks,
> > Ray
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


pdavis at tenablesecurity

Nov 7, 2008, 8:44 AM

Post #4 of 7 (5430 views)
Permalink
Re: Credentialed scans against Windows 2008 [In reply to]

Ray,

What steps other than disabling the firewall and enabling remote desktop were taken on this system? There's a blog entry for scanning Windows
Vista systems for FDCC Compliance which details steps to enable policy compliance scanning on systems with Security Center such as Vista (or 2008).

I am currently successfully scanning a Windows 2008 system for audit compliance, and IIRC, I configured it using the steps in this blog entry:

http://blog.tenablesecurity.com/2008/02/testing-windows.html

Paul

Ray Van Dolson wrote:
> On Fri, Nov 07, 2008 at 06:29:45AM -0800, Paul Davis wrote:
>> Ray,
>>
>> How is the following configuration set on your Windows 2008 system:
>>
>> Control Panel (Classic View) => System => Remote settings (upper left
>> hand corner). It should be set to: "Allow connections from computers
>> running any version of Remote Desktop".
>>
>> Let me know if this helps.
>>
>> Paul
>>
>
> Thanks Paul. This is how it was already set. I have no problems
> connecting via Remote Desktop as the 'nessus' user account that was set
> up in this case either.
>
> It seems the SMB connection is what isn't working.
>
> Also have opened a support request with you guys.
>
> Thanks for the response!
>
> Ray
>
>> Ray Van Dolson wrote:
>>> Hi all, I'm trying to run a credentialed scan against a Windows Server
>>> 2008 machine from a box running Nessus 3.2.1. I initially was doing
>>> this from NessusClient, but am testing with nasl as follows:
>>>
>>> ./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
>>> /opt/nessus/lib/nessus/plugins/compliance_check.nbin
>>>
>>> Then providing a valid SMB account as prompted.
>>>
>>> The problem is that none of the credentialed checks appear to be
>>> succeeding. I have verified that the account supplied is in the local
>>> Administrators group, and I can remote desktop into the machine as that
>>> user just fine.
>>>
>>> Output from the nasl command is as follows:
>>>
>>> There was an error during compliance check initialization. Nessus returned
>>> the following error message :
>>> Some errors occurred when attempting to perform the compliance checks :
>>> can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket
>>>
>>> I did a tcpdump while running the above command and noticed that
>>> Windows responds with a 'reset' packet in response to Nessus' initial
>>> packet to port 445 -- almost like a firewall. However, the firewall is
>>> disabled on this machine.
>>>
>>> Also, I am unable to connect to the default shares on the machine using
>>> smbclient (C$, ADMIN$). I get the following error there:
>>>
>>> $ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
>>> Password:
>>> Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
>>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>>
>>> Perhaps this is related.
>>>
>>> Anyone have any suggestions? I figure this must be some security
>>> setting in 2008...
>>>
>>> Thanks,
>>> Ray
>

--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


rvandolson at esri

Nov 7, 2008, 8:59 AM

Post #5 of 7 (5418 views)
Permalink
Re: Credentialed scans against Windows 2008 [In reply to]

On Fri, Nov 07, 2008 at 08:44:18AM -0800, Paul Davis wrote:
> Ray,
>
> What steps other than disabling the firewall and enabling remote
> desktop were taken on this system? There's a blog entry for scanning
> Windows Vista systems for FDCC Compliance which details steps to
> enable policy compliance scanning on systems with Security Center
> such as Vista (or 2008).
>
> I am currently successfully scanning a Windows 2008 system for audit
> compliance, and IIRC, I configured it using the steps in this blog
> entry:
>
> http://blog.tenablesecurity.com/2008/02/testing-windows.html
>
> Paul

Paul, I believe I found the issue. My initial hypothesis that I had
something misconfigured on the Windows 2008 side was incorrect... I
took a peek at the Nessus scanner logs and saw the following:

Couldn't load /opt/nessus//lib/nessus/plugins/nessus_tcp_scanner.nes
- libssl.so.4: cannot open shared object file: No such file or
directory

This is using the Fedora 8 RPM of Nessus. However, Fedora 8 only has a
libssl.so.6 file. :) Probably some libraries within Nessus need to be
relinkned against the proper .so...

However, easy workaround was to create a symlink from libssl.so.4 (and,
as it turns out, libcrypto.so.4) to the corresponding .so.6 files.

Re-ran the scan and everything seems to be working now.

Sorry for the wild goose chase!

Thanks!
Ray
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


rvandolson at esri

Nov 7, 2008, 9:44 AM

Post #6 of 7 (5425 views)
Permalink
Re: Credentialed scans against Windows 2008 [In reply to]

On Fri, Nov 07, 2008 at 08:59:25AM -0800, Ray Van Dolson wrote:
> On Fri, Nov 07, 2008 at 08:44:18AM -0800, Paul Davis wrote:
> > Ray,
> >
> > What steps other than disabling the firewall and enabling remote
> > desktop were taken on this system? There's a blog entry for scanning
> > Windows Vista systems for FDCC Compliance which details steps to
> > enable policy compliance scanning on systems with Security Center
> > such as Vista (or 2008).
> >
> > I am currently successfully scanning a Windows 2008 system for audit
> > compliance, and IIRC, I configured it using the steps in this blog
> > entry:
> >
> > http://blog.tenablesecurity.com/2008/02/testing-windows.html
> >
> > Paul
>
> Paul, I believe I found the issue. My initial hypothesis that I had
> something misconfigured on the Windows 2008 side was incorrect... I
> took a peek at the Nessus scanner logs and saw the following:
>
> Couldn't load /opt/nessus//lib/nessus/plugins/nessus_tcp_scanner.nes
> - libssl.so.4: cannot open shared object file: No such file or
> directory
>
> This is using the Fedora 8 RPM of Nessus. However, Fedora 8 only has a
> libssl.so.6 file. :) Probably some libraries within Nessus need to be
> relinkned against the proper .so...
>
> However, easy workaround was to create a symlink from libssl.so.4 (and,
> as it turns out, libcrypto.so.4) to the corresponding .so.6 files.
>
> Re-ran the scan and everything seems to be working now.
>
> Sorry for the wild goose chase!
>

Actually, one additional step was required on my part to get the
Windows 2008 scan to work completely correctly. I had to disable UAC
for local accounts (done via the registry).

Support pointed me to this blog link which contained the relevant
instructions:

http://blog.tenablesecurity.com/2008/02/testing-windows.html

Everything is working as-expected now.

Thanks!
Ray
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


pdavis at tenablesecurity

Nov 7, 2008, 11:39 AM

Post #7 of 7 (5425 views)
Permalink
Re: Credentialed scans against Windows 2008 [In reply to]

Excellent! Glad things are working now..

Paul

Ray Van Dolson wrote:
> On Fri, Nov 07, 2008 at 08:59:25AM -0800, Ray Van Dolson wrote:
>> On Fri, Nov 07, 2008 at 08:44:18AM -0800, Paul Davis wrote:
>>> Ray,
>>>
>>> What steps other than disabling the firewall and enabling remote
>>> desktop were taken on this system? There's a blog entry for scanning
>>> Windows Vista systems for FDCC Compliance which details steps to
>>> enable policy compliance scanning on systems with Security Center
>>> such as Vista (or 2008).
>>>
>>> I am currently successfully scanning a Windows 2008 system for audit
>>> compliance, and IIRC, I configured it using the steps in this blog
>>> entry:
>>>
>>> http://blog.tenablesecurity.com/2008/02/testing-windows.html
>>>
>>> Paul
>> Paul, I believe I found the issue. My initial hypothesis that I had
>> something misconfigured on the Windows 2008 side was incorrect... I
>> took a peek at the Nessus scanner logs and saw the following:
>>
>> Couldn't load /opt/nessus//lib/nessus/plugins/nessus_tcp_scanner.nes
>> - libssl.so.4: cannot open shared object file: No such file or
>> directory
>>
>> This is using the Fedora 8 RPM of Nessus. However, Fedora 8 only has a
>> libssl.so.6 file. :) Probably some libraries within Nessus need to be
>> relinkned against the proper .so...
>>
>> However, easy workaround was to create a symlink from libssl.so.4 (and,
>> as it turns out, libcrypto.so.4) to the corresponding .so.6 files.
>>
>> Re-ran the scan and everything seems to be working now.
>>
>> Sorry for the wild goose chase!
>>
>
> Actually, one additional step was required on my part to get the
> Windows 2008 scan to work completely correctly. I had to disable UAC
> for local accounts (done via the registry).
>
> Support pointed me to this blog link which contained the relevant
> instructions:
>
> http://blog.tenablesecurity.com/2008/02/testing-windows.html
>
> Everything is working as-expected now.
>
> Thanks!
> Ray
> _______________________________________________
> Nessus mailing list
> Nessus [at] list
> http://mail.nessus.org/mailman/listinfo/nessus
>

--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus

Nessus users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.