Why Can't Windows Open-AudIT Discover Itself?

(and what can I do about it?)


When we run Open-AudIT Server on Windows and try to discover the IP that the server itself is using, we do not get a meaningful result. Why is this?

When discovery runs it has no idea that the IP it is attempting to talk to is actually the local machine. It is treated just like any other IP. This means we will attempt to connect to it, over the "network", using credentials.

WMI simply does not support doing this. No credentials we supply will work, because WMI on the local machine rejects explicit credentials for a connection to itself.

You can try this for yourself by running the below command on your Open-AudIT Server. Obviously substitute the IP, username, domain and password.

    wmic /Node:"YOUR-IP" /user:"YOUR_DOMAIN\YOUR_USERNAME" /password:"YOUR_PASSWORD" csproduct get uuid

The result will be as below:

    Node - 192.168.88.73
    ERROR:
    Description = User credentials cannot be used for local connections

And you can see this in the discovery log when we attempt to connect using WMI (ID 375 below). We don't actually retrieve a result, even with valid credentials.


So how can we audit the Open-AudIT Server?

The best option right now is to set up a scheduled task to run the audit script, or to run it manually when you need to.

If you have a Collector that is able to reach the server using the required network ports, you could have that collector discover the server.

We have this as an outstanding item to be addressed in a future release.

This issue has been outstanding for a very long time, but with the work-around in place, it is not crucial to the function of Open-AudIT.


When running a discovery that includes the IP of the local server, you will receive very limited data from the discovery, but you will receive the FQDN and the MAC address. Between these two items and the default match settings, no extraneous devices will be created.
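As an added example (not Open-AudIT's own code), the PowerShell below applies the distinction described above: if the target IP belongs to this machine, WMI is queried locally with no credentials at all, and credentials are only presented for a genuinely remote target. It assumes Windows PowerShell 5.1 or later with the NetTCPIP and CimCmdlets modules; Test-IsLocalAddress, Get-CsProductUuid and the sample values are hypothetical.

```powershell
# Added example, not Open-AudIT code. Assumes Windows PowerShell 5.1 or later
# with the NetTCPIP and CimCmdlets modules. Function names and sample values
# are hypothetical.

function Test-IsLocalAddress {
    param([Parameter(Mandatory)][string]$IPAddress)
    # Loopback is always local; otherwise the address must be bound to one of
    # this machine's own interfaces (the 192.168.88.73 case from the log).
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $true }
    $bound = Get-NetIPAddress -AddressFamily IPv4 |
        ForEach-Object { [System.Net.IPAddress]::Parse($_.IPAddress) }
    return @($bound | Where-Object { $_.Equals($ip) }).Count -gt 0
}

function Get-CsProductUuid {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [System.Management.Automation.PSCredential]$Credential
    )
    if (Test-IsLocalAddress -IPAddress $IPAddress) {
        # Local target: WMI rejects explicit credentials for local connections
        # ("User credentials cannot be used for local connections"), so query
        # the local namespace as the account already running the script.
        return (Get-CimInstance -ClassName Win32_ComputerSystemProduct).UUID
    }
    # Remote target: connect over DCOM (TCP 135, as wmic does) with credentials.
    $opts = New-CimSessionOption -Protocol Dcom
    $params = @{ ComputerName = $IPAddress; SessionOption = $opts }
    if ($Credential) { $params.Credential = $Credential }
    $session = New-CimSession @params
    try {
        return (Get-CimInstance -CimSession $session `
                    -ClassName Win32_ComputerSystemProduct).UUID
    } finally {
        Remove-CimSession -CimSession $session
    }
}

# Usage with placeholder values; the same call works for local and remote IPs.
# $uuid = Get-CsProductUuid -IPAddress '192.168.88.73' -Credential (Get-Credential)
```

Running the local branch from a scheduled task follows the same principle as the audit-script work-around above: the query runs as a local account and never presents credentials to WMI.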



Discovery log for discovery 3 (target 192.168.88.73):

Timestamp       ID   IP             Level    Message
06/08/19 09:05  343  127.0.0.1      start    Discovery for 192.168.88.73 submitted for discovery 3 starting
06/08/19 09:05  344  127.0.0.1      notice   Starting discovery for 192.168.88.73
06/08/19 09:05  345  127.0.0.1      notice   Discovery for 192.168.88.73 using Nmap version 7.60 at C:\Program Files (x86)\Nmap\nmap.exe
06/08/19 09:05  346  127.0.0.1      notice   IPs in subnet: 1
                                             Command: C:\Program Files (x86)\Nmap\nmap.exe -n -sL 192.168.88.73
06/08/19 09:05  347  127.0.0.1      notice   IPs after exclusions in subnet: 1
                                             Command: C:\Program Files (x86)\Nmap\nmap.exe -n -sL 192.168.88.73
06/08/19 09:05  348  127.0.0.1      notice   IPs responding to Nmap ping in subnet (to be scanned): 1
                                             Command: C:\Program Files (x86)\Nmap\nmap.exe -n -oG - -sP 192.168.88.73
06/08/19 09:05  349  192.168.88.73  notice   Scanning Host: 192.168.88.73
06/08/19 09:05  350  192.168.88.73  notice   Nmap Command
                                             Command: C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sS -p T:22,135,62078 192.168.88.73 :: Custom TCP Ports
06/08/19 09:05  351  192.168.88.73  notice   Host 192.168.88.73 is up, received ssh (TCP port 22 open) response
                                             Command: C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sS -p T:22,135,62078 192.168.88.73 :: Custom TCP Ports
                                             Output: 22/tcp open ssh
06/08/19 09:05  352  192.168.88.73  notice   Host 192.168.88.73 is up, received wmi (TCP port 135 open) response
                                             Command: C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sS -p T:22,135,62078 192.168.88.73 :: Custom TCP Ports
06/08/19 09:05  353  192.168.88.73  notice   Command: C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sU -p U:161 192.168.88.73 :: Custom UDP Ports
06/08/19 09:05  354  192.168.88.73  notice   Scanning localhost, so setting WMI status to true
                                             Command: C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sU -p U:161 192.168.88.73 :: Custom UDP Ports
06/08/19 09:05  355  192.168.88.73           (1 of 1) IP 192.168.88.73 responding, ping reply, adding to device list. SSH Status: true, WMI Status: true, SNMP Status: false.
                                             Command: http://127.0.0.1/open-audit/index.php/input/discoveries
06/08/19 09:05  356  192.168.88.73  success  The discovery_id was used to successfully retrieve information for the discovery entry named local
06/08/19 09:05  357  192.168.88.73  success  Received data for 192.168.88.73, now starting to process
06/08/19 09:05  358  192.168.88.73  success  IP 192.168.88.73 resolved to DNS hostname hel
06/08/19 09:05  359  192.168.88.73  notice   Running devices::match function.
06/08/19 09:05  360  192.168.88.73  notice   Not running match_hostname_uuid, uuid not set.
06/08/19 09:05  361  192.168.88.73  notice   Not running match_hostname_dbus, dbus_identifier not set.
06/08/19 09:05  362  192.168.88.73  notice   Not running match_hostname_serial, serial not set.
06/08/19 09:05  363  192.168.88.73  notice   Not running match_dbus, matching rule set to: n.
06/08/19 09:05  364  192.168.88.73  success  HIT on fqdn.
                                             Output: FQDN: hel.opmantek.com
06/08/19 09:05  365  192.168.88.73  success  Device with ID 2 found on initial Nmap result.
06/08/19 09:05  366  192.168.88.73  success  Delete the previous log entries for this device
                                             Command: /* input::discoveries */ DELETE FROM discovery_log WHERE system_id = 2 and discovery_id != 3
06/08/19 09:05  367  192.168.88.73  success  Update the current log entries with our new device
                                             Command: /* input::discoveries */ UPDATE discovery_log SET system_id = 2 WHERE discovery_id = 3 and ip = '192.168.88.73'
06/08/19 09:05  368  192.168.88.73  notice   WMI Status is true on 192.168.88.73
06/08/19 09:05  369  192.168.88.73  notice   SSH Status is true on 192.168.88.73
06/08/19 09:05  370  192.168.88.73  notice   SNMP Status is false on 192.168.88.73
06/08/19 09:05  371  192.168.88.73  notice   SSH audit starting
06/08/19 09:05  372  192.168.88.73  warning  SSH detected but no valid SSH credentials for 192.168.88.73.
06/08/19 09:05  373  192.168.88.73  notice   Testing Windows credentials for 192.168.88.73
06/08/19 09:05  374  192.168.88.73  notice   Windows credentials starting
06/08/19 09:05  375  192.168.88.73  notice   Attempting to execute command
                                             Command: %comspec% /c start /b wmic /Node:"192.168.88.73" /user:"hel\administrator" /password:"*******" csproduct get uuid
                                             Output: ["",""]
06/08/19 09:05  376  192.168.88.73  notice   Credential set for Windows named local admin not working on 192.168.88.73
06/08/19 09:05  377  192.168.88.73  warning  WMI detected but no valid Windows credentials for 192.168.88.73.
06/08/19 09:05  378  192.168.88.73  notice   MAC (input) matched to manufacturer
06/08/19 09:05  379  192.168.88.73  notice   Start of NMAP update for 192.168.88.73
06/08/19 09:05  380  192.168.88.73  notice   Formatting system details
06/08/19 09:05  381  192.168.88.73  notice   End of NMAP update for 192.168.88.73
06/08/19 09:05  382  192.168.88.73  notice   Processing found ip addresses (non-snmp) for 192.168.88.73
06/08/19 09:05  383  192.168.88.73  notice   Updating ip with ID 7
06/08/19 09:05  384  192.168.88.73  notice   Processing Nmap ports for 192.168.88.73
06/08/19 09:05  385  192.168.88.73  notice   At IP 192.168.88.73, discovery found an unknown device.
06/08/19 09:05  386  192.168.88.73  fail     No valid credentials for 192.168.88.73
06/08/19 09:05  387  192.168.88.73  notice   Audit result incoming from target.
06/08/19 09:05  388  192.168.88.73  notice   Discovery has completed processing 192.168.88.73 .
06/08/19 09:05  389  192.168.88.73  success  IP 192.168.88.73 has successfully been sent to the server. Discovery script continuing to next IP.
                                             Command: Status: 200 URL: http://127.0.0.1/open-audit/index.php/input/discoveries
                                             Output: Response:
06/08/19 09:05  390  127.0.0.1      success  The discovery_id was used to successfully retrieve information for the discovery entry named local
06/08/19 09:05  391  127.0.0.1      success  Set discovery entry status to complete
06/08/19 09:05  392  127.0.0.1      finish   Completed discovery, scanned 1 IP addresses