0 hosts alive

OpenVAS is returning 0 hosts alive, even though it is up and running. Nmap clearly shows open ports.

Openvas logs:




gvmd_1                 | event target:MESSAGE:2024-08-13 09h25.30 utc:294: Target could not be created by admin
gvmd_1                 | event task:MESSAGE:2024-08-13 09h25.30 utc:306: Status of task  (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has changed to New
gvmd_1                 | event task:MESSAGE:2024-08-13 09h25.30 utc:306: Task AccelQ@publicIpScan-3 (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has been created by admin
gvmd_1                 | event task:MESSAGE:2024-08-13 09h25.30 utc:310: Status of task AccelQ@publicIpScan-3 (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has changed to Requested
gvmd_1                 | event task:MESSAGE:2024-08-13 09h25.30 utc:310: Task AccelQ@publicIpScan-3 (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has been requested to start by admin
ospd-openvas_1         | OSPD[8] 2024-08-13 09:25:35,100: INFO: (ospd.command.command) Scan 6f76b244-584d-46bf-8f68-c77a840bed9a added to the queue in position 2.
gvmd_1                 | event task:MESSAGE:2024-08-13 09h25.35 utc:312: Status of task AccelQ@publicIpScan-3 (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has changed to Queued
ospd-openvas_1         | OSPD[8] 2024-08-13 09:25:35,953: INFO: (ospd.ospd) Currently 1 queued scans.
ospd-openvas_1         | OSPD[8] 2024-08-13 09:25:36,043: INFO: (ospd.ospd) Starting scan 6f76b244-584d-46bf-8f68-c77a840bed9a.
gvmd_1                 | event task:MESSAGE:2024-08-13 09h25.40 utc:312: Status of task AccelQ@publicIpScan-3 (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has changed to Running
openvas_1              | sd   main:MESSAGE:2024-08-13 09h26.01 utc:470: openvas 23.0.1 started
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.01 utc:470: fetch_max_db_index: maximum DB number: 1025
openvas_1              | sd   main:MESSAGE:2024-08-13 09h26.01 utc:470: attack_network_init: LSC via openvasd
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.01 utc:470: Start loading scan preferences.
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.01 utc:470: fetch_max_db_index: maximum DB number: 1025
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.01 utc:470: End loading scan preferences.
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.01 utc:470: fetch_max_db_index: maximum DB number: 1025
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.01 utc:470: get_redis_ctx: connected to redis:///run/redis/redis.sock/4
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.01 utc:470: redis_delete_all: deleting all elements from KB #4
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.01 utc:470: redis_delete_all: deleting all elements from KB #4
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.01 utc:470: get_redis_ctx: connected to redis:///run/redis/redis.sock/2
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.05 utc:470: Client tried to raise the maximum hosts number - 32. Using 30. Change 'max_hosts' in openvas.conf if you believe this is incorrect
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.05 utc:470: Client tried to raise the maximum checks number - 32. Using 10. Change 'max_checks' in openvas.conf if you believe this is incorrect
openvas_1              | libgvm util:  DEBUG:2024-08-13 09h26.05 utc:470: get_redis_ctx: connected to redis:///run/redis/redis.sock/3
openvas_1              | sd   main:MESSAGE:2024-08-13 09h26.05 utc:470: Vulnerability scan 6f76b244-584d-46bf-8f68-c77a840bed9a started: Target has 1 hosts: 34.208.169.106, with max_hosts = 30 and max_checks = 10
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.05 utc:470: attack_network: started alive detection.
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.05 utc:470: alive_detection_init: Initialise alive scanner. 
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.05 utc:470: alive_detection_init: Initialisation of alive scanner finished.
openvas_1              | libgvm boreas:MESSAGE:2024-08-13 09h26.05 utc:470: Alive scan 6f76b244-584d-46bf-8f68-c77a840bed9a started: Target has 1 hosts
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.05 utc:470: scan: ICMP Ping
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.06 utc:470: scan: TCP-ACK Service Ping
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.06 utc:470: scan: ARP Ping
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.07 utc:470: send_arp_v4: Ping 34.208.169.106   Interface: eth0   Src IP: 172.18.0.6   Src MAC: 02:42:ac:12:00:06
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.07 utc:470: scan: all ping packets have been sent, wait a bit for rest of replies.
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.10 utc:470: stop_sniffer_thread: Try to stop thread which is sniffing for alive hosts. 
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.10 utc:470: sniffer_thread: Loop was successfully broken after call to pcap_breakloop
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.10 utc:470: stop_sniffer_thread: Stopped thread which was sniffing for alive hosts.
openvas_1              | libgvm boreas:MESSAGE:2024-08-13 09h26.10 utc:470: Alive scan 6f76b244-584d-46bf-8f68-c77a840bed9a finished in 5 seconds: 0 alive hosts of 1.
openvas_1              | libgvm boreas:  DEBUG:2024-08-13 09h26.11 utc:470: get_host_from_queue: Boreas already finished scanning and we reached the end of the Queue of alive hosts.
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.11 utc:470: Test complete
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.11 utc:470: attack_network: free alive detection data 
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.11 utc:470: attack_network: waiting for alive detection thread to be finished...
openvas_1              | sd   main:  DEBUG:2024-08-13 09h26.11 utc:470: attack_network: Finished waiting for alive detection thread.
openvas_1              | sd   main:MESSAGE:2024-08-13 09h26.11 utc:470: Vulnerability scan 6f76b244-584d-46bf-8f68-c77a840bed9a finished in 10 seconds: 0 alive hosts of 1
ospd-openvas_1         | OSPD[8] 2024-08-13 09:26:12,657: INFO: (ospd.ospd) 6f76b244-584d-46bf-8f68-c77a840bed9a: Host scan finished.
ospd-openvas_1         | OSPD[8] 2024-08-13 09:26:12,659: INFO: (ospd.ospd) 6f76b244-584d-46bf-8f68-c77a840bed9a: Scan finished.
gvmd_1                 | event task:MESSAGE:2024-08-13 09h26.15 utc:312: Status of task AccelQ@publicIpScan-3 (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has changed to Processing
gvmd_1                 | event task:MESSAGE:2024-08-13 09h26.15 utc:312: Status of task AccelQ@publicIpScan-3 (a67b990c-d0bd-4d4d-a6ce-0fcee4e30c08) has changed to Done
gvmd_1                 | event target:MESSAGE:2024-08-13 09h28.55 utc:335: Target could not be created by admin



I tried all the alive scan settings: "ICMP, TCP Service & ARP Ping|TCP Service & ARP Ping|ICMP & ARP Ping|ICMP & TCP Service Ping|ARP Ping|TCP Service Ping|ICMP Ping|Scan Config Default"

But in all cases it said 0 hosts alive.

This is likely an issue with your infrastructure. Can you successfully scan any other IPs that you control? For a remote host ICMP & TCP Service Ping or TCP Service Ping should be appropriate. Otherwise, you will have to provide additional information such as your install method.

Hi,

The server blocks ICMP packets, so I know that ICMP ping does not work.

Now nmap performed the SYN scan and found many open ports. Then why did OpenVAS return 0 hosts alive?

When I tried only TCP Service Ping (via XML with gvm-cli), I got response 400, invalid option. I am 100% sure my XML is correct, because when I tried ICMP, TCP Service & ARP Ping and created the target using gvm-cli and XML, it worked.

I just updated my XML from ICMP, TCP Service & ARP Ping to TCP Service Ping and it returned 400 invalid option.

I think the issue is with the Boreas scanner or whatever OpenVAS is using.

My questions are:

  • Why did it return 400?
  • I believe TCP Service Ping did not actually work, and why did it not work?
  • How to use nmap as the default scanner instead of Boreas or whatever?
  • Is there an option to set the host as alive and perform the scan right away, because I know the host is alive?

Other thoughts

  • Is it because it does not have sudo privileges to perform a TCP SYN scan, and hence TCP Service Ping is not working?
  • Is there a timeout option for the scan? Maybe due to a short timeout it concludes that the host is down.

For your answer,

  • Yes, I scanned another public IP and it worked, because that IP does not block ICMP.

The IP which I tried blocks ICMP. Here is the ping and arping output as well as nmap.

ubuntu@ubuntu-openvas:~/openvas$ ping 34.xxx.yyy.1xz
PING 34.xxx.yyy.1xz (34.xxx.yyy.1xz) 56(84) bytes of data.
^C
--- 34.xxx.yyy.1xz ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8179ms
ubuntu@ubuntu-openvas:~/openvas$
ubuntu@ubuntu-openvas:~/openvas$ arping 34.xxx.yyy.1xz
arping: libnet_init(LIBNET_LINK, <null>): libnet_open_link(): UID/EUID 0 or capability CAP_NET_RAW required
arping: you may need to run as root
ubuntu@ubuntu-openvas:~/openvas$ sudo arping 34.xxx.yyy.1xz
arping: lookup dev: No matching interface found using getifaddrs().
arping: Unable to automatically find interface to use. Is it on the local LAN?
arping: Use -i to manually specify interface. Guessing interface eth0.
ARPING 34.xxx.yyy.1xz
Timeout
Timeout
Timeout
^C
--- 34.xxx.yyy.1xz statistics ---
4 packets transmitted, 0 packets received, 100% unanswered (0 extra)
ubuntu@ubuntu-openvas:~/openvas$ sudo nmap -T4 -sS -p 443 34.xxx.yyy.1xz
Starting Nmap 7.80 ( https://nmap.org ) at 2024-08-15 05:58 UTC
Nmap scan report for ec2-34-xxx-xxx-xxx.us-west-2.compute.amazonaws.com (34.xxx.yyy.1xz)
Host is up (0.086s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
ubuntu@ubuntu-openvas:~/openvas$

Clearly nmap showed port 443 open. But OpenVAS said 0 hosts alive. ICMP and arping did not work.
It means the TCP Service Ping by Boreas is actually not working, that's what I could say.


The gvm-cli command I used for TCP Service Ping, as stated in the documentation:

gvm-cli --timeout 600 --gmp-username admin --gmp-password admin socket --socketpath /home/ubuntu/.openvas/run/gvmd/gvmd.sock --xml '<create_target><name>AccelQ2@target@e0dc4a31fc84f17a4f18e5591b003f500210e7be9f4472d7c36564b4e86e5d9d</name><hosts>34.xxx.1x.1xx</hosts><port_list id="33d0cd82-57c6-11e1-8ed1-406186ea4fc5"/><alive_tests>TCP Service Ping</alive_tests></create_target>'

and this resulted in the error:

<create_target_response status="400" status_text="Error in alive test"/>

So clearly all I could see is ICMP, ARP ping worked but since the host blocks ICMP, ARP, the Boreas scanner did not use TCP SERVICE PING AND HENCE CONCLUDED HOST IS NOT ALIVE.

Also, I kindly request not to hear answers like "your infrastructure might be blocking this or that". I could clearly see it's OpenVAS's fault. So if you could help from the OpenVAS point of view, it would be great. I have enclosed all the evidence, which proves there's an issue with OpenVAS, not the IP or my infrastructure.


alive_test = xsd:token { pattern = "ICMP, TCP Service & ARP Ping|TCP Service & ARP Ping|ICMP & ARP Ping|ICMP & TCP Service Ping|ARP Ping|TCP Service Ping|ICMP Ping|Scan Config Default" }

mentioned TCP Service Ping. But from the logs, I could see TCP-ACK Service Ping, and I updated my XML to TCP-ACK Service Ping and now it did not throw an error.

However, it still says the host is down.

Probably the documentation needs to be updated to TCP-ACK Service Ping from TCP Service Ping.

From the wording TCP-ACK Service Ping, I thought it performs a TCP ACK scan, so I ran the equivalent nmap ACK scan and it resulted in filtered ports instead of open ports.

ubuntu@ubuntu-openvas:~/openvas$ sudo nmap -T4 -sA -p 22,443  34.xxx.yyy.1xz
Starting Nmap 7.80 ( https://nmap.org ) at 2024-08-15 06:19 UTC
Nmap scan report for ec2-34-xx-xx-xx.us-west-2.compute.amazonaws.com (34.xxx.yyy.1xz)
Host is up (0.081s latency).

PORT    STATE    SERVICE
22/tcp  filtered ssh
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds
ubuntu@ubuntu-openvas:~/openvas$ 

I guess that is the root cause. It's performing an ACK scan, and a firewall or something else might be blocking or sending an RST packet, resulting in the filtered state.

I feel the only solution here is either to set a "host is alive" option, or to let OpenVAS use nmap's TCP SYN scan. Any ideas how to do it?

Never mind, I found the solution. From the source code of gvm at: python-gvm/gvm/protocols/gmp/requests/v224/_targets.py at 51aa7b0958068e6baae39f7a245d5200e87c4093 · greenbone/python-gvm · GitHub

it supports TCP-SYN Service Ping as well as Consider Alive options. In the documentation they were not mentioned.

Now I could scan correctly and see the results.

Maybe the docs you are referencing are out of date. Those options do not match the actual alive tests available from the current GOS 22.04 docs - Create A Target Section as seen here.

Alive Test
    This option specifies the method to check if a target is reachable. Options are:
        Scan Config Default (the alive test method ICMP Ping is used by default)
        ICMP Ping
        TCP-ACK Service Ping
        TCP-SYN Service Ping
        ICMP & TCP-ACK Service Ping
        ICMP & ARP Ping
        TCP-ACK Service & ARP Ping
        ICMP, TCP-ACK Service & ARP Ping
        Consider Alive

Seems you may have identified incorrect docs in the GMP 22.5 XML RNC - Alive Test settings.

Also, here in the current GOS 22.04 docs, you can see there is a consider alive option.

I suggest creating an issue for this on the gvmd GitHub Issues tracker.
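
The fix found in this thread, as an added example (not code from Greenbone, python-gvm or any poster): it checks an alive test name against the list quoted above before building the `<create_target>` request, so an outdated name is caught locally instead of coming back as `Error in alive test`. The function names, the `BLOCKED_PROBES` list, the "TCP Service" to "TCP-ACK Service" rename hint and the host `192.0.2.10` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Alive test names exactly as listed in the GOS 22.04 excerpt quoted in this thread.
VALID_ALIVE_TESTS = (
    "Scan Config Default", "ICMP Ping", "TCP-ACK Service Ping",
    "TCP-SYN Service Ping", "ICMP & TCP-ACK Service Ping", "ICMP & ARP Ping",
    "TCP-ACK Service & ARP Ping", "ICMP, TCP-ACK Service & ARP Ping",
    "Consider Alive",
)
# Probes the thread shows failing for this target: ICMP is dropped, ARP cannot
# reach a host outside the local segment, and nmap -sA reported "filtered".
BLOCKED_PROBES = ("ICMP", "ARP", "TCP-ACK")

def suggest_alive_test(name):
    """Map an outdated name to a current one, or return None."""
    # Assumption drawn from the thread: the outdated pattern says "TCP Service"
    # where the scanner log and the current docs say "TCP-ACK Service".
    renamed = name.replace("TCP Service", "TCP-ACK Service")
    return renamed if renamed in VALID_ALIVE_TESTS else None

def check_alive_test(name):
    """Return the name if it is in the quoted list, else raise ValueError."""
    if name in VALID_ALIVE_TESTS:
        return name
    hint = suggest_alive_test(name)
    raise ValueError(f"unknown alive test {name!r}" + (f", try {hint!r}" if hint else ""))

def can_see_filtered_host(name, blocked=BLOCKED_PROBES):
    """True if at least one probe of this alive test is not in `blocked`."""
    if name == "Consider Alive":
        return True  # no probing, the host is treated as alive
    if name == "Scan Config Default":
        name = "ICMP Ping"  # default method per the quoted docs
    probes = [p for p in ("ICMP", "ARP", "TCP-ACK", "TCP-SYN") if p in name]
    return any(p not in blocked for p in probes)

def create_target_xml(name, hosts, port_list_id, alive_test):
    """Build the GMP <create_target> request; ElementTree escapes '&' for us."""
    root = ET.Element("create_target")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "hosts").text = ",".join(hosts)
    ET.SubElement(root, "port_list", id=port_list_id)
    ET.SubElement(root, "alive_tests").text = check_alive_test(alive_test)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not the thread's host.
    print(create_target_xml("demo-target", ["192.0.2.10"],
                            "33d0cd82-57c6-11e1-8ed1-406186ea4fc5", "TCP-SYN Service Ping"))
```

The resulting string can be passed to `gvm-cli ... --xml`, as in the command earlier in the thread.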

Seems the docs got updated now in / via:
