Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Nessus>
  3. users
Credentialed scans against Windows 2008
rvandolson at esri
Nov 6, 2008, 5:16 PM
Post #1 of 7 (12007 views)
Permalink
Hi all, I'm trying to run a credentialed scan against a Windows Server
2008 machine from a box running Nessus 3.2.1. I initially was doing
this from NessusClient, but am testing with nasl as follows:

./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
/opt/nessus/lib/nessus/plugins/compliance_check.nbin

Then providing a valid SMB account as prompted.

The problem is that none of the credentialed checks appear to be
succeeding. I have verified that the account supplied is in the local
Administrators group, and I can remote desktop into the machine as that
user just fine.

Output from the nasl command is as follows:

There was an error during compliance check initialization. Nessus returned
the following error message :
Some errors occurred when attempting to perform the compliance checks :
can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket

I did a tcpdump while running the above command and noticed that
Windows responds with a 'reset' packet in response to Nessus' initial
packet to port 445 -- almost like a firewall. However, the firewall is
disabled on this machine.

Also, I am unable to connect to the default shares on the machine using
smbclient (C$, ADMIN$). I get the following error there:

$ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
Password:
Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
tree connect failed: NT_STATUS_ACCESS_DENIED

Perhaps this is related.

Anyone have any suggestions? I figure this must be some security
setting in 2008...

Thanks,
Ray
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Credentialed scans against Windows 2008 [ In reply to ]
pdavis at tenablesecurity
Nov 7, 2008, 6:29 AM
Post #2 of 7 (11818 views)
Permalink
Ray,

How is the following configuration set on your Windows 2008 system:

Control Panel (Classic View) => System => Remote settings (upper left hand corner). It should be set to: "Allow connections from computers
running any version of Remote Desktop".

Let me know if this helps.

Paul



Ray Van Dolson wrote:
> Hi all, I'm trying to run a credentialed scan against a Windows Server
> 2008 machine from a box running Nessus 3.2.1. I initially was doing
> this from NessusClient, but am testing with nasl as follows:
>
> ./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
> /opt/nessus/lib/nessus/plugins/compliance_check.nbin
>
> Then providing a valid SMB account as prompted.
>
> The problem is that none of the credentialed checks appear to be
> succeeding. I have verified that the account supplied is in the local
> Administrators group, and I can remote desktop into the machine as that
> user just fine.
>
> Output from the nasl command is as follows:
>
> There was an error during compliance check initialization. Nessus returned
> the following error message :
> Some errors occurred when attempting to perform the compliance checks :
> can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket
>
> I did a tcpdump while running the above command and noticed that
> Windows responds with a 'reset' packet in response to Nessus' initial
> packet to port 445 -- almost like a firewall. However, the firewall is
> disabled on this machine.
>
> Also, I am unable to connect to the default shares on the machine using
> smbclient (C$, ADMIN$). I get the following error there:
>
> $ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
> Password:
> Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> Perhaps this is related.
>
> Anyone have any suggestions? I figure this must be some security
> setting in 2008...
>
> Thanks,
> Ray
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>

--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Credentialed scans against Windows 2008 [ In reply to ]
rvandolson at esri
Nov 7, 2008, 7:17 AM
Post #3 of 7 (11828 views)
Permalink
On Fri, Nov 07, 2008 at 06:29:45AM -0800, Paul Davis wrote:
> Ray,
>
> How is the following configuration set on your Windows 2008 system:
>
> Control Panel (Classic View) => System => Remote settings (upper left
> hand corner). It should be set to: "Allow connections from computers
> running any version of Remote Desktop".
>
> Let me know if this helps.
>
> Paul
>

Thanks Paul. This is how it was already set. I have no problems
connecting via Remote Desktop as the 'nessus' user account that was set
up in this case either.

It seems the SMB connection is what isn't working.

Also have opened a support request with you guys.

Thanks for the response!

Ray

>
> Ray Van Dolson wrote:
> > Hi all, I'm trying to run a credentialed scan against a Windows Server
> > 2008 machine from a box running Nessus 3.2.1. I initially was doing
> > this from NessusClient, but am testing with nasl as follows:
> >
> > ./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
> > /opt/nessus/lib/nessus/plugins/compliance_check.nbin
> >
> > Then providing a valid SMB account as prompted.
> >
> > The problem is that none of the credentialed checks appear to be
> > succeeding. I have verified that the account supplied is in the local
> > Administrators group, and I can remote desktop into the machine as that
> > user just fine.
> >
> > Output from the nasl command is as follows:
> >
> > There was an error during compliance check initialization. Nessus returned
> > the following error message :
> > Some errors occurred when attempting to perform the compliance checks :
> > can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket
> >
> > I did a tcpdump while running the above command and noticed that
> > Windows responds with a 'reset' packet in response to Nessus' initial
> > packet to port 445 -- almost like a firewall. However, the firewall is
> > disabled on this machine.
> >
> > Also, I am unable to connect to the default shares on the machine using
> > smbclient (C$, ADMIN$). I get the following error there:
> >
> > $ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
> > Password:
> > Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
> > tree connect failed: NT_STATUS_ACCESS_DENIED
> >
> > Perhaps this is related.
> >
> > Anyone have any suggestions? I figure this must be some security
> > setting in 2008...
> >
> > Thanks,
> > Ray
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Credentialed scans against Windows 2008 [ In reply to ]
pdavis at tenablesecurity
Nov 7, 2008, 8:44 AM
Post #4 of 7 (11841 views)
Permalink
Ray,

What steps other than disabling the firewall and enabling remote desktop were taken on this system? There's a blog entry for scanning Windows
Vista systems for FDCC Compliance which details steps to enable policy compliance scanning on systems with Security Center such as Vista (or 2008).

I am currently successfully scanning a Windows 2008 system for audit compliance, and IIRC, I configured it using the steps in this blog entry:

http://blog.tenablesecurity.com/2008/02/testing-windows.html

Paul

Ray Van Dolson wrote:
> On Fri, Nov 07, 2008 at 06:29:45AM -0800, Paul Davis wrote:
>> Ray,
>>
>> How is the following configuration set on your Windows 2008 system:
>>
>> Control Panel (Classic View) => System => Remote settings (upper left
>> hand corner). It should be set to: "Allow connections from computers
>> running any version of Remote Desktop".
>>
>> Let me know if this helps.
>>
>> Paul
>>
>
> Thanks Paul. This is how it was already set. I have no problems
> connecting via Remote Desktop as the 'nessus' user account that was set
> up in this case either.
>
> It seems the SMB connection is what isn't working.
>
> Also have opened a support request with you guys.
>
> Thanks for the response!
>
> Ray
>
>> Ray Van Dolson wrote:
>>> Hi all, I'm trying to run a credentialed scan against a Windows Server
>>> 2008 machine from a box running Nessus 3.2.1. I initially was doing
>>> this from NessusClient, but am testing with nasl as follows:
>>>
>>> ./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
>>> /opt/nessus/lib/nessus/plugins/compliance_check.nbin
>>>
>>> Then providing a valid SMB account as prompted.
>>>
>>> The problem is that none of the credentialed checks appear to be
>>> succeeding. I have verified that the account supplied is in the local
>>> Administrators group, and I can remote desktop into the machine as that
>>> user just fine.
>>>
>>> Output from the nasl command is as follows:
>>>
>>> There was an error during compliance check initialization. Nessus returned
>>> the following error message :
>>> Some errors occurred when attempting to perform the compliance checks :
>>> can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket
>>>
>>> I did a tcpdump while running the above command and noticed that
>>> Windows responds with a 'reset' packet in response to Nessus' initial
>>> packet to port 445 -- almost like a firewall. However, the firewall is
>>> disabled on this machine.
>>>
>>> Also, I am unable to connect to the default shares on the machine using
>>> smbclient (C$, ADMIN$). I get the following error there:
>>>
>>> $ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
>>> Password:
>>> Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
>>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>>
>>> Perhaps this is related.
>>>
>>> Anyone have any suggestions? I figure this must be some security
>>> setting in 2008...
>>>
>>> Thanks,
>>> Ray
>

--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Credentialed scans against Windows 2008 [ In reply to ]
rvandolson at esri
Nov 7, 2008, 8:59 AM
Post #5 of 7 (11801 views)
Permalink
On Fri, Nov 07, 2008 at 08:44:18AM -0800, Paul Davis wrote:
> Ray,
>
> What steps other than disabling the firewall and enabling remote
> desktop were taken on this system? There's a blog entry for scanning
> Windows Vista systems for FDCC Compliance which details steps to
> enable policy compliance scanning on systems with Security Center
> such as Vista (or 2008).
>
> I am currently successfully scanning a Windows 2008 system for audit
> compliance, and IIRC, I configured it using the steps in this blog
> entry:
>
> http://blog.tenablesecurity.com/2008/02/testing-windows.html
>
> Paul

Paul, I believe I found the issue. My initial hypothesis that I had
something misconfigured on the Windows 2008 side was incorrect... I
took a peek at the Nessus scanner logs and saw the following:

Couldn't load /opt/nessus//lib/nessus/plugins/nessus_tcp_scanner.nes
- libssl.so.4: cannot open shared object file: No such file or
directory

This is using the Fedora 8 RPM of Nessus. However, Fedora 8 only has a
libssl.so.6 file. :) Probably some libraries within Nessus need to be
relinkned against the proper .so...

However, easy workaround was to create a symlink from libssl.so.4 (and,
as it turns out, libcrypto.so.4) to the corresponding .so.6 files.

Re-ran the scan and everything seems to be working now.

Sorry for the wild goose chase!

Thanks!
Ray
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Credentialed scans against Windows 2008 [ In reply to ]
rvandolson at esri
Nov 7, 2008, 9:44 AM
Post #6 of 7 (11815 views)
Permalink
On Fri, Nov 07, 2008 at 08:59:25AM -0800, Ray Van Dolson wrote:
> On Fri, Nov 07, 2008 at 08:44:18AM -0800, Paul Davis wrote:
> > Ray,
> >
> > What steps other than disabling the firewall and enabling remote
> > desktop were taken on this system? There's a blog entry for scanning
> > Windows Vista systems for FDCC Compliance which details steps to
> > enable policy compliance scanning on systems with Security Center
> > such as Vista (or 2008).
> >
> > I am currently successfully scanning a Windows 2008 system for audit
> > compliance, and IIRC, I configured it using the steps in this blog
> > entry:
> >
> > http://blog.tenablesecurity.com/2008/02/testing-windows.html
> >
> > Paul
>
> Paul, I believe I found the issue. My initial hypothesis that I had
> something misconfigured on the Windows 2008 side was incorrect... I
> took a peek at the Nessus scanner logs and saw the following:
>
> Couldn't load /opt/nessus//lib/nessus/plugins/nessus_tcp_scanner.nes
> - libssl.so.4: cannot open shared object file: No such file or
> directory
>
> This is using the Fedora 8 RPM of Nessus. However, Fedora 8 only has a
> libssl.so.6 file. :) Probably some libraries within Nessus need to be
> relinkned against the proper .so...
>
> However, easy workaround was to create a symlink from libssl.so.4 (and,
> as it turns out, libcrypto.so.4) to the corresponding .so.6 files.
>
> Re-ran the scan and everything seems to be working now.
>
> Sorry for the wild goose chase!
>

Actually, one additional step was required on my part to get the
Windows 2008 scan to work completely correctly. I had to disable UAC
for local accounts (done via the registry).

Support pointed me to this blog link which contained the relevant
instructions:

http://blog.tenablesecurity.com/2008/02/testing-windows.html

Everything is working as-expected now.

Thanks!
Ray
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Credentialed scans against Windows 2008 [ In reply to ]
pdavis at tenablesecurity
Nov 7, 2008, 11:39 AM
Post #7 of 7 (11809 views)
Permalink
Excellent! Glad things are working now..

Paul

Ray Van Dolson wrote:
> On Fri, Nov 07, 2008 at 08:59:25AM -0800, Ray Van Dolson wrote:
>> On Fri, Nov 07, 2008 at 08:44:18AM -0800, Paul Davis wrote:
>>> Ray,
>>>
>>> What steps other than disabling the firewall and enabling remote
>>> desktop were taken on this system? There's a blog entry for scanning
>>> Windows Vista systems for FDCC Compliance which details steps to
>>> enable policy compliance scanning on systems with Security Center
>>> such as Vista (or 2008).
>>>
>>> I am currently successfully scanning a Windows 2008 system for audit
>>> compliance, and IIRC, I configured it using the steps in this blog
>>> entry:
>>>
>>> http://blog.tenablesecurity.com/2008/02/testing-windows.html
>>>
>>> Paul
>> Paul, I believe I found the issue. My initial hypothesis that I had
>> something misconfigured on the Windows 2008 side was incorrect... I
>> took a peek at the Nessus scanner logs and saw the following:
>>
>> Couldn't load /opt/nessus//lib/nessus/plugins/nessus_tcp_scanner.nes
>> - libssl.so.4: cannot open shared object file: No such file or
>> directory
>>
>> This is using the Fedora 8 RPM of Nessus. However, Fedora 8 only has a
>> libssl.so.6 file. :) Probably some libraries within Nessus need to be
>> relinkned against the proper .so...
>>
>> However, easy workaround was to create a symlink from libssl.so.4 (and,
>> as it turns out, libcrypto.so.4) to the corresponding .so.6 files.
>>
>> Re-ran the scan and everything seems to be working now.
>>
>> Sorry for the wild goose chase!
>>
>
> Actually, one additional step was required on my part to get the
> Windows 2008 scan to work completely correctly. I had to disable UAC
> for local accounts (done via the registry).
>
> Support pointed me to this blog link which contained the relevant
> instructions:
>
> http://blog.tenablesecurity.com/2008/02/testing-windows.html
>
> Everything is working as-expected now.
>
> Thanks!
> Ray
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>

--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555 x245
www.tenablesecurity.com

Is your network TENABLE?
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal