Excluded_hosts causing Interrupted scans

Hi folks,

Possibly related to [20.8.0] Unexpected interrupted return code · Issue #335 · greenbone/ospd-openvas · GitHub. I don’t know if it’s a bug, so I am following the GitHub suggestion to post here first!

I’ve built from source:

OSPd OpenVAS version 22.5.3
Greenbone Security Assistant 22.05.1
Greenbone Vulnerability Manager 22.6.0
Manager DB revision 255
OpenVAS 22.7.3
gvm-libs 22.6.3

I am attempting to scan a single specific domain on a single specific IP.

To do this I’m setting the target included hosts to the domain, and the target exclude_hosts to all the domain’s IPs except the one I want to scan. (This seems convoluted, but I couldn’t figure out a better way.) expand_vhosts=0

The excluded IPs aren’t recognized as belonging to the target, and this causes the progress calculation to be incorrect.

ospd-openvas, scan.py, simplify_exclude_host_count() treats them as invalid_exc_hosts rather than counting them, and logs the following to ospd-openvas.log:

Please check the excluded host list. It contains hosts which do not belong to the target. This warning can be ignored if this was done on purpose (e.g. to exclude specific hostname).

I imagine this check is assuming the included host is an IP range and the excluded hosts are individual IPs within it, i.e. it’s confused that I’ve “included” a domain name and “excluded” IPs. I haven’t dug deeper to understand the counting code.

(There might be a work-around to put the IPs in both included and excluded? Or you might have different suggestions for how to achieve my goal…)

I believe the scans are completing fully without error, but because the calculated progress < 100% they are considered Interrupted rather than Done.

For example, with 1 included domain and 2 excluded IPs, ospd-openvas.log:

Host scan finished.
Host scan got interrupted. Progress: 33, Status: RUNNING
Scan interrupted.
Scan process is dead and its progress is 33

I.e. the “invalid” excluded gives a counted total of 3 hosts and means 100% is treated as 33%.

With 1 included domain and 1 excluded IP the result is an Interrupted at 50%.

Since this is all automated, our gvmd client code doesn’t recognize the scans as successfully complete.

My questions:

  1. Does my understanding seem correct: that the host count being off is causing the problem?
  2. Can you suggest a work-around/alternative: a way to scan a specific domain and IP pair that avoids this problem?
  3. Can you suggest a safe way to modify the host count code, e.g. not to consider my excluded hosts as invalid?

Thanks in advance!
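The setup described in the post above, as an added Python example that is not part of the original post and is not ospd-openvas or gvmd code: it resolves the FQDN, builds the exclude list of every resolved IP except the wanted one, and models the progress figures the post reports (33 and 50). The function names, the returned dict layout, the third address 192.168.15.7 and the stand-in resolver are assumptions made for illustration; the progress formula is only arithmetic that reproduces the two reported values.

```python
import ipaddress
import socket


def build_target(fqdn, wanted_ip, resolver=socket.getaddrinfo):
    """Return hosts/exclude_hosts so that only wanted_ip is scanned for fqdn."""
    wanted = ipaddress.ip_address(wanted_ip)
    infos = resolver(fqdn, None, proto=socket.IPPROTO_TCP)
    resolved = {ipaddress.ip_address(info[4][0]) for info in infos}
    if wanted not in resolved:
        # Refuse to build a target whose exclusions would not leave the wanted IP.
        raise ValueError(f"{fqdn} does not resolve to {wanted_ip}")
    excluded = sorted(resolved - {wanted}, key=lambda a: (a.version, int(a)))
    # Hypothetical dict layout, not a gvmd API structure.
    return {"hosts": fqdn, "exclude_hosts": ",".join(str(a) for a in excluded)}


def miscounted_progress(n_included, n_unrecognized_excluded):
    """Progress a finished scan would show if every excluded IP that is not
    recognized as part of the target were added to the host total
    (a model of the numbers reported in the post, not the scanner's code)."""
    return 100 * n_included // (n_included + n_unrecognized_excluded)


def fake_resolver(host, port, proto=0):
    """Constructed stand-in for socket.getaddrinfo so the example runs offline."""
    addrs = ["192.168.15.6", "192.168.15.5", "192.168.15.7"]
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (a, 0)) for a in addrs]


if __name__ == "__main__":
    target = build_target("mail.example.com", "192.168.15.5", fake_resolver)
    print(target)
    n_excluded = len(target["exclude_hosts"].split(","))
    print("progress of a finished scan under the miscount:",
          miscounted_progress(1, n_excluded))
```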

The target does not accept a domain name. It accepts a host name (see docs) which could be a fully qualified domain name (FQDN). A Fully Qualified Domain Name (FQDN) is a complete and unambiguous domain name for a specific host or resource on the internet.

This means that it should resolve to only a single IP address rather than potentially resolving to multiple IPs (such as with multiple sub-domains on separate IP addresses) as you state in your case.

This should solve your problem. Greenbone’s scan task will not identify all the configured subdomains of a base domain and expand that into a set of IP addresses. Instead, consider that it will resolve the provided hostname (FQDN) to a single IP host (such as nslookup would resolve it).

From the manual:

When entering manually the following options are available:

  • Single IP address, e.g., 192.168.15.5
  • Host name, e.g., mail.example.com
  • IPv4 address range in long format, e.g., 192.168.15.5-192.168.15.27
  • IPv4 address range in short format, e.g., 192.168.55.5-27
  • IPv4 address range in CIDR notation, e.g., 192.168.15.0/24

If you only want to scan a particular web application by its HTTP address you should use a web-application scanner such as OWASP ZAP. Someone with more knowledge about this can confirm, but: If you specify a hostname to Greenbone that resolves to the same IP address as many other hostnames, perhaps you can set expand_vhosts=0 to avoid running tests directly against the applications of the other vhosts on the same IP.

2 Likes

The following PR looks relevant for the “interrupted” scan topic and is AFAICT included in release 22.7.6 of the scanner while the initial description mentions 22.7.3 as being used.

Further details probably could be discussed with the responsible development team over at GitHub.

3 Likes

Thanks for your quick response!

The target does not accept a domain name. It accepts a host name (see docs) which could be a fully qualified domain name (FQDN).

I apologize, but I should have been more precise with my terminology. When I wrote “domain” I actually did mean “fully qualified domain name”. :slight_smile: I am setting the target to a single FQDN host.

However, unless I’m very confused this can (and does!) resolve to multiple IPs, e.g. mail.example.com could resolve to say 192.168.15.5, 192.168.15.6 and more.

I am not expecting or wanting Greenbone to discover subdomains or expand to other hostnames. I am setting expand_vhosts=0.

What I want is to scan a single host, e.g. mail.example.com, on a single specific IP, e.g. 192.168.15.5. I want it to exclude/ignore all the other IPs the FQDN resolves to, e.g. 192.168.15.6.

My strategy of creating the target with the FQDN and then excluding the unwanted IPs seems to work… except for the Interrupted problem I describe.

Thanks. This PR does indeed look relevant!

I’ll have a closer look and see if it solves – or gives hints on how to solve – my problem.

1 Like

Yes, sorry. My understanding was wrong. I should have remembered that DNS allows multiple A and AAAA records for redundancy! :blush:

1 Like

I updated to the latest code that contains this #1509 fix, and unfortunately the problem remains.

Since it looks like a bug, I entered an issue in the ospd-openvas repository and will continue any discussion there: Incorrect progress calculation due to excluded_hosts results in Interrupted scan · Issue #951 · greenbone/ospd-openvas · GitHub

Thanks again!

2 Likes