Access via WMI not possible

bellum · August 11, 2023, 2:31pm

Hello,

I’m using Greenbone Community Container Edition with Docker on Ubuntu 22.04 LTS.

Currently I’m doing an authenticated scan of a Windows 10 machine.

This seems to basically work and some vunerabilies have been detected.

But while reviewing the results I discovered in the report entry ‘Authenticated Scan / LSC Info Consolidation (Windows SMB Login)’ an entry:

Description (Knowledge base entry)              : Value/Content
-----------------------------------------------------------------
Access via WMI possible (WMI/access_successful) : FALSE

and the openvas.log of the ospd-openvas container also shows an entry:

lib nasl:MESSAGE:2023-08-11 13h19.59 utc:8012: nasl_wmi_connect: WMI Connect failed or missing WMI support for the scanner

What is needed to successfully use WMI with the Greenbone Community Edition Docker Container?

Thanks for any help.

bellum · August 16, 2023, 7:50am

Has anybody came across this issue, too?

Any help greatly appreciated because need to have this working in my environment.

Thank you very much.

rippledj · August 17, 2023, 4:57pm

You can check this post:

bellum · August 17, 2023, 6:54pm

Does this mean I have to install python-impacket into the container?

rippledj · August 17, 2023, 7:09pm

Yes, I guess that would solve the problem.

bellum · August 28, 2023, 8:51am

But the containers are provided by Greenbone and I’m pulling them from the official repo according to the documentation.

How should I install python-impacket into the official conainer?

bricks · August 28, 2023, 3:47pm

python-impacket is already installed in the current ospd-openvas container

github.com

greenbone/ospd-openvas/blob/main/.docker/prod.Dockerfile#L72-L76


      
          # install impacket via pip and not apt-get to get the latest version
          RUN python3 -m pip install --break-system-packages impacket 
          # openvas is expecting impacket-wmiexec to be in the path although it got renamed
          # until openvas is fixed we create a symlink
          RUN ln -s /usr/local/bin/wmiexec.py /usr/local/bin/impacket-wmiexec

bellum · August 28, 2023, 3:51pm

Thanks, but if its already installed in the current ospd-openvas container, why do I get the following:

But while reviewing the results I discovered in the report entry ‘Authenticated Scan / LSC Info Consolidation (Windows SMB Login)’ an entry:
Description (Knowledge base entry)              : Value/Content
-----------------------------------------------------------------
Access via WMI possible (WMI/access_successful) : FALSE
and the openvas.log of the ospd-openvas container also shows an entry:

lib nasl:MESSAGE:2023-08-11 13h19.59 utc:8012: nasl_wmi_connect: WMI Connect failed or missing WMI support for the scanner

What is needed to successfully use WMI with the Greenbone Community Edition Docker Container?

bellum · August 30, 2023, 8:34am

That’s correct - when I checked this, I found out that my containers weren’t up to date …
So I updated them and tried again but with the same result.

The report still shows in ‘Authenticated Scan / LSC Info Consolidation (Windows SMB Login)’ an entry:

Description (Knowledge base entry)              : Value/Content
-----------------------------------------------------------------
Access via WMI possible (WMI/access_successful) : FALSE

and the openvas.log of the ospd-openvas container also still shows:

lib nasl:MESSAGE:2023-08-29 14h45.19 utc:348: nasl_wmi_connect: WMI Connect failed or missing WMI support for the scanner

So I opened up a shell in the ospd-openvas container and found the following files related to WMI

root@ospd-openvas:/usr/local/bin# ls -la *wmi*
lrwxrwxrwx 1 root root      25 Aug  3 07:39 impacket-wmiexec -> /usr/local/bin/wmiexec.py
-rwxr-xr-x 1 root root 4627944 Jun 15 11:31 wmic
-rwxr-xr-x 1 root root   19578 Aug  3 07:39 wmiexec.py
-rwxr-xr-x 1 root root   12193 Aug  3 07:39 wmipersist.py
-rwxr-xr-x 1 root root    9070 Aug  3 07:39 wmiquery.py

I know wmic from my Windows machines and played around with it but never were successful – I always get:

root@ospd-openvas:~# /usr/local/bin/wmic -U DOMAIN/myScanUser%myPassword //10.10.10.10 "SELECT * FROM Win32_OperatingSystem"
[/source/samba/librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[/source/samba/librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
[/source/wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT

When I try the same target form a Windows Host (logged on as DOMAIN/myScanUser) it is successful:

C:\Users\ myScanUser>wmic /node:10.10.10.10 path win32_operatingsystem get caption
Caption
Microsoft Windows 10 Pro

The scanned Windows 10 target machine has the (Windows) Firewall completetly disabled.

What’s going wrong here and how can this be fixed?

Thanks for any help.

jjnicola · August 31, 2023, 2:50pm

Hello!
I was checking the scanner code and the error comes from nasl_wmi.c, which uses openvas-smb library for establishing the connection. Python impacket should not be involved here.
I checked in the container and the openvas is linked against the necessary library

root@ospd-openvas:/ospd-openvas# ldd /usr/local/sbin/openvas |grep wm
	libopenvas_wmiclient.so.22 => /usr/local/lib/libopenvas_wmiclient.so.22 (0x00007f64709fa000)

Then, the scanner has indeed WMI support.

Since it works for you from your windows wmi client, I would think it is either a bug in the libopenvas_wmiclient.so or a misusage (missing argument like namespace, unsupported char in the user/pass, etc) and therefore you get a connection error.

From the code, I can see that for establishing the connection, the namespace defaults to root\\cimv2 and the options defaults to [sign].

Regards,
Juan

bellum · August 31, 2023, 7:33pm

I had a look at the code, too and found the following:

openvas-scanner/nasl/nasl_wmi.c at main · greenbone/openvas-scanner · GitHub

but I’m not sure if this is the correct place and if this is really used because I’m not a programmer.

That’s why I also can’t fix this …

jjnicola · September 1, 2023, 6:35am

Indeed, that is what I a mentioned in my last comment, and yes, it is used for the connection if it is not override for provided values. Those are just the used defaults.
So, should it work with that defaults ? Do you need to change anything in your target to get it working with those defaults?

bellum · September 4, 2023, 10:33am

I don’t know exactly what you mean - the test-target is an out of the box installation of Windows 10 21H2 with completely disabled firewall and I’m not aware of anything special …

I did another wmic test with debug output and got:

root@ospd-openvas:/ospd-openvas# /usr/local/bin/wmic -d 7 -U DOMAIN/myScanUser%myPassword //10.10.10.10 --namespace root/cimv2 "SELECT * FROM Win32_OperatingSystem"
[/source/samba/param/loadparm.c:587:init_globals()] Initialising global parameters
[/source/samba/param/loadparm.c:2464:lp_load()] lp_load: refreshing parameters from /usr/local/etc/openvas/openvas-smb.conf
[/source/samba/param/params.c:517:OpenConfFile()] params.c:OpenConfFile() - Unable to open configuration file "/usr/local/etc/openvas/openvas-smb.conf":
        No such file or directory
[/source/samba/param/loadparm.c:2473:lp_load()] pm_process() returned No
[/source/samba/param/loadparm.c:1344:lp_add_hidden()] adding hidden service IPC$
[/source/samba/param/loadparm.c:1344:lp_add_hidden()] adding hidden service ADMIN$
[/source/samba/auth/credentials/credentials_krb5.c:170:cli_credentials_set_ccache()] failed to get principal from default ccache: No such file or directory: get-principal lstat(/tmp/krb5cc_0)
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'spnego' registered
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'schannel' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'sam' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'sam_ignoredomain' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'name_to_ntstatus' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'fixed_challenge' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'winbind_samba3' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'winbind' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'anonymous' registered
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'krb5' registered
[/source/samba/auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem fake_gssapi_krb5 is disabled
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'ntlmssp' registered
[/source/samba/auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem gssapi_spnego is disabled
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'gssapi_krb5' registered
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'gssapi_krb5_sasl' registered
[/source/samba/lib/com/dcom/main.c:527:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:xed_challenge
[/source/samba/librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[/source/samba/lib/util/util.c:334:interpret_addr()] sys_gethostbyname: Unknown host. xed_challenge
[/source/samba/lib/socket/interface.c:103:add_interface()] added interface ip=172.19.0.7 nmask=255.255.0.0
[/source/samba/librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[/source/samba/librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
[/source/wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT

Perhaps this is helpful …

Has anybody working WMI with a current Greenbone Docker Container environment?

bellum · September 11, 2023, 3:37pm

In the meantime, I installed GVM on a separate VM from source (also using Ubuntu 22.04 LTS) and there WMI access to the same Windows 10 machine works.

I launched on both VMs:
/usr/local/bin/wmic -d 7 -U DOMAIN/myScanUser%myPassword //10.10.10.10 "SELECT * FROM Win32_OperatingSystem"

Output of native install:

greenbone@vmgreenbone:~$ /usr/local/bin/wmic -d 7 -U DOMAIN/myScanUser%myPassword //10.10.10.10 "SELECT * FROM Win32_OperatingSystem"
[/home/greenbone/source/openvas-smb-22.5.3/samba/param/loadparm.c:587:init_globals()] Initialising global parameters
[/home/greenbone/source/openvas-smb-22.5.3/samba/param/loadparm.c:2464:lp_load()] lp_load: refreshing parameters from /usr/local/etc/openvas/openvas-smb.conf
[/home/greenbone/source/openvas-smb-22.5.3/samba/param/params.c:517:OpenConfFile()] params.c:OpenConfFile() - Unable to open configuration file "/usr/local/etc/openvas/openvas-smb.conf":
        No such file or directory
[/home/greenbone/source/openvas-smb-22.5.3/samba/param/loadparm.c:2473:lp_load()] pm_process() returned No
[/home/greenbone/source/openvas-smb-22.5.3/samba/param/loadparm.c:1344:lp_add_hidden()] adding hidden service IPC$
[/home/greenbone/source/openvas-smb-22.5.3/samba/param/loadparm.c:1344:lp_add_hidden()] adding hidden service ADMIN$
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/credentials/credentials_krb5.c:170:cli_credentials_set_ccache()] failed to get principal from default ccache: No such file or directory: get-principal lstat(/tmp/krb5cc_1000)
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'spnego' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'schannel' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/auth.c:446:auth_register()] AUTH backend 'sam' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/auth.c:446:auth_register()] AUTH backend 'sam_ignoredomain' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/auth.c:446:auth_register()] AUTH backend 'name_to_ntstatus' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/auth.c:446:auth_register()] AUTH backend 'fixed_challenge' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/auth.c:446:auth_register()] AUTH backend 'winbind_samba3' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/auth.c:446:auth_register()] AUTH backend 'winbind' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/auth.c:446:auth_register()] AUTH backend 'anonymous' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'krb5' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem fake_gssapi_krb5 is disabled
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'ntlmssp' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem gssapi_spnego is disabled
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'gssapi_krb5' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'gssapi_krb5_sasl' registered
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:527:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:10.10.10.10
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:413:determine_rpc_binding_continue2()] dcerpc_ndr_request_recv returned NT_STATUS_OK
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:417:determine_rpc_binding_continue2()] IObjectExporter::ServerAlive returned NT_STATUS_OK
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:597:gensec_start_mech()] Starting GENSEC mechanism spnego
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:597:gensec_start_mech()] Starting GENSEC submechanism gssapi_krb5
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec_gssapi.c:305:gensec_gssapi_client_start()] Cannot do GSSAPI to an IP address
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:605:gensec_start_mech()] Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:597:gensec_start_mech()] Starting GENSEC submechanism ntlmssp
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp_client.c:128:ntlmssp_client_challenge()] Got challenge flags:
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x62898205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp_client.c:242:ntlmssp_client_challenge()] NTLMSSP: Set final flags:
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088205
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/ndr/ndr_string.c:214:ndr_pull_string()] long string ''
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:567:complete_activation()] Negotiated COM version: 5.7 using binding ncacn_ip_tcp:10.10.10.10[135]
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:1171:bind_new_pipe()] /home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:1171: dcom_get_pipe: host=10.10.10.10, similar=10.10.10.10[49788]
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/gensec/gensec.c:597:gensec_start_mech()] Starting GENSEC mechanism ntlmssp
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp_client.c:128:ntlmssp_client_challenge()] Got challenge flags:
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x62898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp_client.c:242:ntlmssp_client_challenge()] NTLMSSP: Set final flags:
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp_sign.c:318:ntlmssp_sign_init()] NTLMSSP Sign/Seal - Initialising with flags:
[/home/greenbone/source/openvas-smb-22.5.3/samba/auth/ntlmssp/ntlmssp.c:72:debug_ntlmssp_flags()] Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/ndr/ndr_string.c:214:ndr_pull_string()] long string ''
[/home/greenbone/source/openvas-smb-22.5.3/wmi/wmic.c:196:main()] OK   : Login to remote object.
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/ndr/ndr_string.c:214:ndr_pull_string()] long string ''
[/home/greenbone/source/openvas-smb-22.5.3/wmi/wmic.c:200:main()] OK   : WMI query execute.
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/ndr/ndr_string.c:214:ndr_pull_string()] long string ''
[/home/greenbone/source/openvas-smb-22.5.3/wmi/wmic.c:203:main()] OK   : Reset result of WMI query.
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/ndr/ndr_string.c:214:ndr_pull_string()] long string ''
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/ndr/ndr_string.c:214:ndr_pull_string()] long string ''
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/ndr/ndr_string.c:214:ndr_pull_string()] long string ''
[/home/greenbone/source/openvas-smb-22.5.3/wmi/wmic.c:212:main()] OK   : Retrieve result data.
CLASS: Win32_OperatingSystem
BootDevice|BuildNumber|BuildType|Caption|CodeSet|CountryCode|CreationClassName|CSCreationClassName|CSDVersion|CSName|CurrentTimeZone|DataExecutionPrevention_32BitApplications|DataExecutionPrevention_Available|DataExecutionPrevention_Drivers|DataExecutionPrevention_SupportPolicy|Debug|Description|Distributed|EncryptionLevel|ForegroundApplicationBoost|FreePhysicalMemory|FreeSpaceInPagingFiles|FreeVirtualMemory|InstallDate|LargeSystemCache|LastBootUpTime|LocalDateTime|Locale|Manufacturer|MaxNumberOfProcesses|MaxProcessMemorySize|MUILanguages|Name|NumberOfLicensedUsers|NumberOfProcesses|NumberOfUsers|OperatingSystemSKU|Organization|OSArchitecture|OSLanguage|OSProductSuite|OSType|OtherTypeDescription|PAEEnabled|PlusProductID|PlusVersionNumber|PortableOperatingSystem|Primary|ProductType|RegisteredUser|SerialNumber|ServicePackMajorVersion|ServicePackMinorVersion|SizeStoredInPagingFiles|Status|SuiteMask|SystemDevice|SystemDirectory|SystemDrive|TotalSwapSpaceSize|TotalVirtualMemorySize|TotalVisibleMemorySize|Version|WindowsDirectory
\Device\HarddiskVolume1|19044|Multiprocessor Free|Microsoft Windows 10 Pro|1252|49|Win32_OperatingSystem|Win32_ComputerSystem|(null)|JKW10HORE|120|True|True|True|2|False||False|256|2|2479160|715548|3104276|20220210150208.000000+060|0|20230907122453.500000+120|20230911170946.482000+120|0407|Microsoft Corporation|4294967295|137438953344|(de-DE)|Microsoft Windows 10 Pro|C:\Windows|\Device\Harddisk0\Partition3|0|98|5|48||64-Bit|1031|256|18|(null)|False|(null)|(null)|False|True|1|Microsoft|00330-80000-00000-AA107|0|0|720896|OK|272|\Device\HarddiskVolume3|C:\Windows\system32|C:|0|4914168|4193272|10.0.19044|C:\Windows
greenbone@vmgreenbone:~$

Output of docker install:

root@ospd-openvas:/ospd-openvas# /usr/local/bin/wmic -d 7 -U DOMAIN/myScanUser%myPassword //10.10.10.10 "SELECT * FROM Win32_OperatingSystem"
[/source/samba/param/loadparm.c:587:init_globals()] Initialising global parameters
[/source/samba/param/loadparm.c:2464:lp_load()] lp_load: refreshing parameters from /usr/local/etc/openvas/openvas-smb.conf
[/source/samba/param/params.c:517:OpenConfFile()] params.c:OpenConfFile() - Unable to open configuration file "/usr/local/etc/openvas/openvas-smb.conf":
        No such file or directory
[/source/samba/param/loadparm.c:2473:lp_load()] pm_process() returned No
[/source/samba/param/loadparm.c:1344:lp_add_hidden()] adding hidden service IPC$
[/source/samba/param/loadparm.c:1344:lp_add_hidden()] adding hidden service ADMIN$
[/source/samba/auth/credentials/credentials_krb5.c:170:cli_credentials_set_ccache()] failed to get principal from default ccache: No such file or directory: get-principal lstat(/tmp/krb5cc_0)
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'spnego' registered
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'schannel' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'sam' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'sam_ignoredomain' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'name_to_ntstatus' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'fixed_challenge' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'winbind_samba3' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'winbind' registered
[/source/samba/auth/auth.c:446:auth_register()] AUTH backend 'anonymous' registered
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'krb5' registered
[/source/samba/auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem fake_gssapi_krb5 is disabled
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'ntlmssp' registered
[/source/samba/auth/gensec/gensec.c:1205:gensec_register()] gensec subsystem gssapi_spnego is disabled
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'gssapi_krb5' registered
[/source/samba/auth/gensec/gensec.c:1228:gensec_register()] GENSEC backend 'gssapi_krb5_sasl' registered
[/source/samba/lib/com/dcom/main.c:527:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:m
[/source/samba/librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[/source/samba/lib/util/util.c:334:interpret_addr()] sys_gethostbyname: Unknown host. m
[/source/samba/lib/socket/interface.c:103:add_interface()] added interface ip=172.19.0.7 nmask=255.255.0.0
[/source/samba/librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[/source/samba/librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv
[/source/wmi/wmic.c:196:main()] ERROR: Login to remote object.
NTSTATUS: NT_STATUS_IO_TIMEOUT - NT_STATUS_IO_TIMEOUT
root@ospd-openvas:/ospd-openvas#

The difference is:

Native:
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:527:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:10.10.10.10
[/home/greenbone/source/openvas-smb-22.5.3/samba/librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:413:determine_rpc_binding_continue2()] dcerpc_ndr_request_recv returned NT_STATUS_OK
[/home/greenbone/source/openvas-smb-22.5.3/samba/lib/com/dcom/main.c:417:determine_rpc_binding_continue2()] IObjectExporter::ServerAlive returned NT_STATUS_OK

vs.

Docker:
[/source/samba/lib/com/dcom/main.c:527:dcom_determine_rpc_binding()] Using binding ncacn_ip_tcp:m
[/source/samba/librpc/rpc/dcerpc_connect.c:513:continue_map_binding()] Mapped to DCERPC endpoint 135
[/source/samba/lib/util/util.c:334:interpret_addr()] sys_gethostbyname: Unknown host. m
[/source/samba/lib/socket/interface.c:103:add_interface()] added interface ip=172.19.0.7 nmask=255.255.0.0
[/source/samba/librpc/rpc/dcerpc_connect.c:329:dcerpc_pipe_connect_ncacn_ip_tcp_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_ncacn_ip_tcp_recv
[/source/samba/librpc/rpc/dcerpc_connect.c:790:dcerpc_pipe_connect_b_recv()] failed NT status (c00000b5) in dcerpc_pipe_connect_b_recv

To me it seems that wmic can’t connect to outside of the container but I don’t know the root cause.
Can someone help, perhaps Greenbone?

Thanks in advance.

jjnicola · September 21, 2023, 8:46am

I was able to reproduce the issue. Please follow this into the Github bug tracker

jjnicola · October 12, 2023, 1:02pm

I have created a PR which fixes this issue.

github.com/greenbone/openvas-smb

Fix: issue related to a fix in popt v1.19

greenbone:main ← greenbone:fix-cmd-args

opened 12:57PM - 12 Oct 23 UTC

jjnicola

+133 -63

## What With the new popt release, a memory leak was fixed. Wmic relais into …the leak to get the command line options (hostname, namespace, etc). Once the leak is fixed, the command line options are not available anymore. This patch makes a deep copy of the options and now are available again. Also, adds a new file with structure definition and functions to init and free the structure with the program arguments, necessary not only for wmic, but also for other libs related to wmi (wmireg, wmirsop). Close #77 Close https://github.com/greenbone/openvas-scanner/issues/1491 Jira: SC-923  ## Why wmi didn't work. This patch solve it. ## References ## Checklist - [ ] Tests

bellum · October 18, 2023, 3:31pm

@jjnicola I saw that the bug report on Github has been closed and a fix has been merged.

Is the fix also available in the current (I updated today) containers?
As far as I’ve tested, this isn’t the case.

jjnicola · October 19, 2023, 1:21pm

Hi! thanks for reporting it. I will check if the build processes were triggered.

jjnicola · October 20, 2023, 12:14pm

When you update the containers, you get the ospd-openvas which includes other modules (gvm-libs, openvas-smb and openvas). Also, I suppose you are using the latest stable ospd-openvas images.
Ospd-openvas images are created with latest/stable tag only with a new release. Last release is 2 month old, but next week a new ospd-openvas release (and docker image including all patches) should be available.

If you don’t want to wait, you can pull the ospd-openvas:edge (instead of stable) which should already include the last openvas-smb with the fix.

Regards

bellum · October 20, 2023, 2:08pm

Thanks for the information and explanation.

According to greenbone/ospd-openvas Tags | Docker Hub the edge Ospd-openvas images has been created 9 days ago but according to Fix: issue related to a fix in popt v1.19 by jjnicola · Pull Request #80 · greenbone/openvas-smb (github.com) the fix has been merged 3 days ago.

So it seems that the fix isn’t included in the edge Ospd-openvas image what my current tests confirms.
But that’s not really a problem, I’ll monitor for the new release next week and retest again …

Best Regards