I’m experiencing a false positive for Microsoft SQL (MSSQL) Server Brute Force Logins With Default Credentials (Remote) with OID 1.3.6.1.4.1.25623.1.0.10862 on multiple hosts in multiple networks.
Result:
Testing of the following account(s) has been stopped due to reaching the configured threshold of "2":
sa
admin
However, these accounts are disabled or do not exist. It seems like the scanner “thinks” it could log in, while it could not.
Is anyone seeing this? How can I provide more information to troubleshoot?
It seems there is a misunderstanding about this result. This is just a “log level” / 0.0 score based informative result (via a used log_message()) that the VT in question has stopped testing these accounts because of reaching the defined threshold for testing these (defined via the preferences of the VT in question).
No false positive is involved here, as the message doesn’t say / tell that a login was possible via these accounts and there is no severity assigned to this result.