Why Can't Windows Open-AudIT Discover Itself?

(and what can I do about it?)

When we run Open-AudIT Server on Windows and try to discover the IP that the server is using, we will not get a meaningful result - why is this?

When discovery runs it has no idea that the IP it is attempting to talk to is actually the local machine. It is treated just like any other IP. This means we will attempt to connect to it, over the "network", using credentials.

WMI simply does not support doing this. No credentials we supply will work, because they will be rejected by WMI on the local machine.

You can try this for yourself by running the below command on your Open-AudIT Server. Obviously substitute the IP, username, domain and password.

wmic /Node:"YOUR-IP" /user:"YOUR_DOMAIN\YOUR_USERNAME" /password:"YOUR_PASSWORD" csproduct get uuid

The result you get will be as below.

Node -
Description = User credentials cannot be used for local connections

And you can see this in the discovery log when we attempt to connect using WMI (ID 375 below). We don't actually retrieve a result, even with valid credentials.
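As an added illustration (example code, not part of the Open-AudIT code base), the following PowerShell shows the check that the current discovery lacks: test whether the target IP is bound to a local interface and, if it is, query WMI without explicit credentials instead of failing with the error above. The function names are invented for this example; `Get-NetIPAddress`, `Get-CimInstance`, `New-CimSession` and the `Win32_ComputerSystemProduct` class are standard Windows cmdlets and classes.

```powershell
# Added example (not Open-AudIT code): decide whether a discovery target is the
# local machine and, if so, query WMI without explicit credentials, because
# WMI rejects supplied credentials on local connections.

function Test-IsLocalAddress {
    param([Parameter(Mandatory)][string]$TargetIp)

    # Loopback always counts as local.
    if ($TargetIp -eq '127.0.0.1' -or $TargetIp -eq '::1') { return $true }

    # Compare against every address bound to a local interface.
    $localIps = Get-NetIPAddress | Select-Object -ExpandProperty IPAddress
    return ($localIps -contains $TargetIp)
}

function Get-SystemUuid {
    param(
        [Parameter(Mandatory)][string]$TargetIp,
        [pscredential]$Credential   # only used for remote targets
    )

    if (Test-IsLocalAddress -TargetIp $TargetIp) {
        # Local target: run as the current user, with no -Credential and no
        # -ComputerName. Passing credentials here is what produces
        # "User credentials cannot be used for local connections".
        $product = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    }
    else {
        # Remote target: DCOM session over TCP 135, where credentials are accepted
        # (the same transport the wmic /Node call uses).
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $TargetIp -Credential $Credential -SessionOption $opt
        try {
            $product = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystemProduct
        }
        finally {
            Remove-CimSession -CimSession $session
        }
    }
    return $product.UUID
}

# Usage with placeholder values (substitute your own):
# $cred = Get-Credential 'YOUR_DOMAIN\YOUR_USERNAME'
# Get-SystemUuid -TargetIp '192.168.88.73' -Credential $cred
```

Run against an address from the server's own interfaces, the function returns the UUID directly; run against any other address it opens a credentialed DCOM session, which is exactly the branch the discovery takes today for every IP, including its own.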

So how can we audit the Open-AudIT Server?

The best option right now is to set up a scheduled task to run the audit script, or to run it manually when you need to.
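One way to implement the scheduled-task work-around, as an added example and not the project's own documentation: register a daily task that runs the Windows audit script locally under the SYSTEM account, so the server audits itself without any WMI connection to its own IP. The script path, task name and schedule are placeholders; the audit script is assumed here to be the audit_windows.vbs that ships with Open-AudIT, so substitute the path your installation uses.

```powershell
# Added example (not Open-AudIT code): schedule the Windows audit script to run
# on the Open-AudIT server itself. Paths, task name and time are placeholders.

$scriptPath = 'C:\PLACEHOLDER\audit_windows.vbs'   # placeholder: path to your audit script
$taskName   = 'Open-AudIT Self Audit'              # placeholder task name

# Run the script with cscript: //B suppresses prompts, //Nologo suppresses the banner.
$action = New-ScheduledTaskAction -Execute 'cscript.exe' `
    -Argument "//B //Nologo `"$scriptPath`""

# Daily at 02:00 local time (adjust to taste).
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Run as SYSTEM: it has the local WMI rights the audit needs and no password
# has to be stored with the task.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Run if a scheduled start was missed and cap runtime so a hung audit cannot linger.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Start it once now and check the result code (0 means the last run succeeded).
Start-ScheduledTask -TaskName $taskName
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

After the first run, the server should appear in Open-AudIT with full audit data rather than the Nmap-only record that discovery produces for it.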

If you have a Collector that is able to reach the server using the required network ports, you could have that collector discover the server.

We have this as an outstanding item to be addressed in a future release.

This issue has been outstanding for a very long time, but with the work-around in place, it is not crucial to the function of Open-AudIT.

When running a discovery that includes the IP of the local server, you will receive very limited data from the discovery, but you will receive the FQDN and the MAC address. Between these two items and the default match settings, no extraneous devices will be created.

| Time | ID | IP | Severity | Message | Command | Output |
|---|---|---|---|---|---|---|
| 06/08/19 09:05 | 343 | 127.0.0.1 | start | Discovery for submitted for discovery 3 starting | | |
| 06/08/19 09:05 | 344 | 127.0.0.1 | notice | Starting discovery for | | |
| 06/08/19 09:05 | 345 | 127.0.0.1 | notice | Discovery for using Nmap version 7.60 at C:\Program Files (x86)\Nmap\nmap.exe | | |
| 06/08/19 09:05 | 346 | 127.0.0.1 | notice | IPs in subnet: 1 | C:\Program Files (x86)\Nmap\nmap.exe -n -sL | |
| 06/08/19 09:05 | 347 | 127.0.0.1 | notice | IPs after exclusions in subnet: 1 | C:\Program Files (x86)\Nmap\nmap.exe -n -sL | |
| 06/08/19 09:05 | 348 | 127.0.0.1 | notice | IPs responding to Nmap ping in subnet (to be scanned): 1 | C:\Program Files (x86)\Nmap\nmap.exe -n -oG - -sP | |
| 06/08/19 09:05 | 349 | 192.168.88.73 | notice | Scanning Host: | | |
| 06/08/19 09:05 | 350 | 192.168.88.73 | notice | Nmap Command | C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sS -p T:22,135,62078 :: Custom TCP Ports | |
| 06/08/19 09:05 | 351 | 192.168.88.73 | notice | Host is up, received ssh (TCP port 22 open) response | C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sS -p T:22,135,62078 :: Custom TCP Ports | 22/tcp open ssh |
| 06/08/19 09:05 | 352 | 192.168.88.73 | notice | Host is up, received wmi (TCP port 135 open) response | C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sS -p T:22,135,62078 :: Custom TCP Ports | |
| 06/08/19 09:05 | 353 | 192.168.88.73 | notice | | C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sU -p U:161 :: Custom UDP Ports | |
| 06/08/19 09:05 | 354 | 192.168.88.73 | notice | Scanning localhost, so setting WMI status to true | C:\Program Files (x86)\Nmap\nmap.exe -n -T4 -sU -p U:161 :: Custom UDP Ports | |
| 06/08/19 09:05 | 355 | 192.168.88.73 | | (1 of 1) IP responding, ping reply, adding to device list. SSH Status: true, WMI Status: true, SNMP Status: false. | | |
| 06/08/19 09:05 | 356 | 192.168.88.73 | success | The discovery_id was used to successfully retrieve information for the discovery entry named local | | |
| 06/08/19 09:05 | 357 | 192.168.88.73 | success | Received data for, now starting to process | | |
| 06/08/19 09:05 | 358 | 192.168.88.73 | success | IP resolved to DNS hostname hel | | |
| 06/08/19 09:05 | 359 | 192.168.88.73 | notice | Running devices::match function. | | |
| 06/08/19 09:05 | 360 | 192.168.88.73 | notice | Not running match_hostname_uuid, uuid not set. | | |
| 06/08/19 09:05 | 361 | 192.168.88.73 | notice | Not running match_hostname_dbus, dbus_identifier not set. | | |
| 06/08/19 09:05 | 362 | 192.168.88.73 | notice | Not running match_hostname_serial, serial not set. | | |
| 06/08/19 09:05 | 363 | 192.168.88.73 | notice | Not running match_dbus, matching rule set to: n. | | |
| 06/08/19 09:05 | 364 | 192.168.88.73 | success | HIT on fqdn. | | FQDN: |
| 06/08/19 09:05 | 365 | 192.168.88.73 | success | Device with ID 2 found on initial Nmap result. | | |
| 06/08/19 09:05 | 366 | 192.168.88.73 | success | Delete the previous log entries for this device | /* input::discoveries */ DELETE FROM discovery_log WHERE system_id = 2 and discovery_id != 3 | |
| 06/08/19 09:05 | 367 | 192.168.88.73 | success | Update the current log entries with our new device | /* input::discoveries */ UPDATE discovery_log SET system_id = 2 WHERE discovery_id = 3 and ip = '' | |
| 06/08/19 09:05 | 368 | 192.168.88.73 | notice | WMI Status is true on | | |
| 06/08/19 09:05 | 369 | 192.168.88.73 | notice | SSH Status is true on | | |
| 06/08/19 09:05 | 370 | 192.168.88.73 | notice | SNMP Status is false on | | |
| 06/08/19 09:05 | 371 | 192.168.88.73 | notice | SSH audit starting | | |
| 06/08/19 09:05 | 372 | 192.168.88.73 | warning | SSH detected but no valid SSH credentials for | | |
| 06/08/19 09:05 | 373 | 192.168.88.73 | notice | Testing Windows credentials for | | |
| 06/08/19 09:05 | 374 | 192.168.88.73 | notice | Windows credentials starting | | |
| 06/08/19 09:05 | 375 | 192.168.88.73 | notice | Attempting to execute command | %comspec% /c start /b wmic /Node:"" /user:"hel\administrator" /password:"*******" csproduct get uuid | ["",""] |
| 06/08/19 09:05 | 376 | 192.168.88.73 | notice | Credential set for Windows named local admin not working on | | |
| 06/08/19 09:05 | 377 | 192.168.88.73 | warning | WMI detected but no valid Windows credentials for | | |
| 06/08/19 09:05 | 378 | 192.168.88.73 | notice | MAC (input) matched to manufacturer | | |
| 06/08/19 09:05 | 379 | 192.168.88.73 | notice | Start of NMAP update for | | |
| 06/08/19 09:05 | 380 | 192.168.88.73 | notice | Formatting system details | | |
| 06/08/19 09:05 | 381 | 192.168.88.73 | notice | End of NMAP update for | | |
| 06/08/19 09:05 | 382 | 192.168.88.73 | notice | Processing found ip addresses (non-snmp) for | | |
| 06/08/19 09:05 | 383 | 192.168.88.73 | notice | Updating ip with ID 7 | | |
| 06/08/19 09:05 | 384 | 192.168.88.73 | notice | Processing Nmap ports for | | |
| 06/08/19 09:05 | 385 | 192.168.88.73 | notice | At IP, discovery found an unknown device. | | |
| 06/08/19 09:05 | 386 | 192.168.88.73 | fail | No valid credentials for | | |
| 06/08/19 09:05 | 387 | 192.168.88.73 | notice | Audit result incoming from target. | | |
| 06/08/19 09:05 | 388 | 192.168.88.73 | notice | Discovery has completed processing . | | |
| 06/08/19 09:05 | 389 | 192.168.88.73 | success | IP has successfully been sent to the server. Discovery script continuing to next IP. | Status: 200 URL: | Response: |
| 06/08/19 09:05 | 390 | 127.0.0.1 | success | The discovery_id was used to successfully retrieve information for the discovery entry named local | | |
| 06/08/19 09:05 | 391 | 127.0.0.1 | success | Set discovery entry status to complete | | |
| 06/08/19 09:05 | 392 | 127.0.0.1 | finish | Completed discovery, scanned 1 IP addresses | | |