Brute force is executed even though it's disabled

Dear all,

I followed this solution to disable brute force: How to disable NVT family from a scan configuration via python-gvm - #2 by victor.sanchez.
Brute force vulnerabilities are not reported by OpenVAS, but it seems that the tests are still executed.
On my target I can see that OpenVAS is trying to brute force:
Failed password for invalid user superadmin from …

Is there another way to disable the Brute Force family?

Many thanks

Hi Elias, welcome to the Greenbone community forum. My immediate thought is that what you are seeing is not a brute force VT, but rather more likely to be a VT that is testing for default credentials.

Even if a VT or a VT family is disabled, the VTs may get pulled in and executed via dependencies.

To disable brute force checks fully, please edit the scan config, go to the VT family “Settings”, make sure the VT “Options for Brute Force NVTs” is included, edit it, set the option “Disable brute force checks” to “Yes” and save.

Depending on your requirements, you may also want to set the option “Disable default account checks” to “Yes”.

Hi all,
Thank you for your replies.
I tried activating the option “Disable brute force checks” programmatically, but the base64 value of the “yes” string is not passed to the VT script.
I’ll try activating “Disable default account checks” and watch the log on my target machine.

While it is not directly an answer to the initial question, it is questionable to disable such checks in general. See the following postings for more background:

@cfi I agree, but I have a use case where I need to disable this.
I tried to set the preferences “Disable brute force checks” and “Disable default account checks” to “yes”, but the value is not passed to the NVT. I’ll try to disable the “Default accounts” family.

I don’t understand why in the logs my preferences are set to “No”.
Here are my commands:

b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><nvt_selection><family>Default accounts</family></nvt_selection></modify_config>'
b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><nvt_selection><family>Brute force attacks</family></nvt_selection></modify_config>'
b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><preference><nvt oid=""/><name> brute force checks</name><value>eWVz</value></preference></modify_config>'
b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><preference><nvt oid=""/><name> default account checks</name><value>eWVz</value></preference></modify_config>'
b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><preference><nvt oid=""/><name> only credentials listed in uploaded file:</name><value>eWVz</value></preference></modify_config>'

This should be enough to disable any VT related to brute force.
Any idea why?

This doesn’t look like a valid preference value to me

It is the base64 value of “yes”.
In the GMP API doc this value is used.
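An added example, not part of the original posts and not Greenbone's code: it parses the five logged `modify_config` requests offline and shows which config, family, VT OID, preference name and decoded value each one actually carries. The function name `describe` and the wording of its notes are this example's own; it only reports what is in the XML and assumes nothing about how gvmd treats an empty OID or a padded name.

```python
import base64
import xml.etree.ElementTree as ET

# The five requests from the post, copied as logged (the empty oid and the
# shortened preference names are reproduced exactly as they appear there).
LOGGED = [
    b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><nvt_selection><family>Default accounts</family></nvt_selection></modify_config>',
    b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><nvt_selection><family>Brute force attacks</family></nvt_selection></modify_config>',
    b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><preference><nvt oid=""/><name> brute force checks</name><value>eWVz</value></preference></modify_config>',
    b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><preference><nvt oid=""/><name> default account checks</name><value>eWVz</value></preference></modify_config>',
    b'<modify_config config_id="ae7bc58d-6678-43bb-a0a1-d856c8cfa65c"><preference><nvt oid=""/><name> only credentials listed in uploaded file:</name><value>eWVz</value></preference></modify_config>',
]


def describe(raw: bytes) -> dict:
    """Summarise one <modify_config> request without contacting gvmd."""
    root = ET.fromstring(raw)
    if root.tag != "modify_config":
        raise ValueError(f"not a modify_config request: {root.tag}")
    out = {"config_id": root.get("config_id"), "notes": []}
    sel, pref = root.find("nvt_selection"), root.find("preference")
    if sel is not None:
        out["kind"] = "nvt_selection"
        out["family"] = sel.findtext("family")
        out["nvt_oids"] = [n.get("oid") for n in sel.findall("nvt")]
        if not out["nvt_oids"]:
            out["notes"].append("family selection lists no <nvt> elements")
    elif pref is not None:
        out["kind"] = "preference"
        nvt = pref.find("nvt")
        out["nvt_oid"] = None if nvt is None else nvt.get("oid")
        out["name"] = pref.findtext("name") or ""
        # GMP carries preference values base64-encoded; decode strictly.
        encoded = pref.findtext("value") or ""
        out["value"] = base64.b64decode(encoded, validate=True).decode("utf-8")
        if out["nvt_oid"] == "":
            out["notes"].append("nvt oid attribute is empty")
        if out["name"] != out["name"].strip():
            out["notes"].append("name has leading/trailing whitespace")
    else:
        raise ValueError("request has neither <nvt_selection> nor <preference>")
    return out


if __name__ == "__main__":
    for request in LOGGED:
        print(describe(request))
```
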

Ah, good to know and thanks for clarification.

It would have made sense to mention that GMP is used as not everyone in this forum is familiar with that protocol and the specific requirements of it.

To make sure that this is not a problem of the usage of GMP to set the preferences (maybe the settings are not applied on the expected / used scan config, the changed scan config is not assigned to the correct task, …) I would first try to do the change manually / without using the API.

Thank you, sorry I didn’t mention that I use GMP.
I didn’t install the GUI in my container.
Is there any way to get the full config using the config_id?