WMI Scans are not working on Open-Audit 4.0.1 on Windows

 
1
0
-1

I recently decided to give open audit a go to solve my network inventory issues, and so far I've been really impressed with the functionality. Kudos to the dev team!

That being said, WMI scans on the Windows version of the application do not seem to work. I've tested this on both community and enterprise on two different machines. Whenever I try to run a discovery on a Windows device, it successfully validates the credentials and copies over the audit script, but fails afterwards after attempting an empty "net use" command. The following are the final few log outputs:

2021-04-21 14:54:54620192.168.0.108successRunning audit script on 192.168.0.108
Command: C:\xampp\open-audit\other\paexec.exe \\192.168.0.108 -s -noname -u Administrator -p "*******" cmd /c "cscript C:\WINDOWS\audit_windows.vbs submit_online=n create_file=w debugging=0 self_delete=y last_seen_by=audit_wmi system_id=2 discovery_id=1"
Output: ["Microsoft (R) Windows Script Host Version 5.812","Copyright (C) Microsoft Corporation. All rights reserved.","","File C:\\WINDOWS\\laptop-jkk6tvll-20210421145143.xml"]
2021-04-21 14:54:54621192.168.0.108failNet Use
Output: null
2021-04-21 14:54:55622192.168.0.108successCopy from laptop-jkk6tvll-20210421145143.xml
Command: copy "\\192.168.0.108\admin$\laptop-jkk6tvll-20210421145143.xml" "C:\xampp\open-audit\other\scripts\laptop-jkk6tvll-20210421145143.xml"
Output: [" 1 file(s) copied."]
2021-04-21 14:54:55623192.168.0.108failNet Use Delete
Command: net use "\\192.168.0.108\admin$" /D
Output: []

After this, it gets stuck forever.

I've successfully scanned the same device through a linux installation of open-audit without a hitch.

Would appreciate some help with this. Thanks!

    CommentAdd your comment...

    1 answer

    1.  
      1
      0
      -1

      HI Hamza,

      The audit script looks to be copied and run successfully, then copied to the Open-AudIT server for processing. That all looks fine. The "net use" commend at the end is removing the mapped network drive. It all looks OK. Can you email me a copy of an audit result file? Copy the audit script to laptop-jkk6tvll , then log on to it and run "cscript audit_windows.vbs" (in the directory you copied the script to). This should produce an XML file. Email that to me and I can see if there's something invalid inside, preventing processing.

      marku@opmantek.com

      Can you also try a discovery that has only that laptops single IP address (you can use an IP, a range or a subnet in the discovery - just use the IP). Run it again and email me the discovery support output from Enterprise as per Open-AudIT Support Information

      This is a Community oriented site. If you require support with a guaranteed response time please do consider purchasing a license (smile)

      I'm happy to help where I can, when I can - but I cannot guarantee a response time for Community level support.

      https://opmantek.com/support-information/subscription-support-information/

      Mark.


        CommentAdd your comment...