No detection of missing Windows Security Patches

Hello,

I’m using Greenbone Community Container Edition with Docker on Ubuntu 22.04 LTS.

Currently I’m doing an authenticated scan of a test Windows 10 21H2 machine (with firewall completely disabled) where the last Windows updates of February 2022 and vulnerable versions of e.g. Adobe Reader, Microsoft Edge and Firefox are installed.

This seems to basically work and the vulnerabilities of the installed applications have been detected - but the missing Windows Updates weren’t detected.
E.g. I’m missing KB5026361, for which I can see an NVT in the SecInfo → NVT section, but it’s not detected on the test Windows 10 21H2 machine.

How can I troubleshoot this, or doesn’t the Greenbone Community Edition detect missing Windows 10 Security Patches?

Thanks for any help.

In the meantime I scanned a Windows 8.1 host with the same Greenbone settings and got detections of missing Windows Security Patches.

Why does GVM detect missing Windows Security Patches on Windows 8.1 but not on Windows 10 hosts?
Both hosts are part of the same Windows Domain and have Windows firewall completely disabled.

How can I troubleshoot this - I’m currently running out of ideas …
Has anybody got this working?

Thanks for any help in advance.

In the meantime, I installed GVM on a separate VM from source (also using Ubuntu 22.04 LTS) to better adjust log levels and grabbing logs but there the detection of missing Windows Security Patches for the same Windows 10 machine also doesn’t work.

I assume that there is a difference between Windows 8.1 and Windows 10 but I can’t figure out which and all the logs I’ve reviewed didn’t point me to the right direction to solve this.

But without detecting missing Windows 10 Security Patches GVM doesn’t really help for my requirements.
Has anybody got this working for Windows 10 hosts?

Can someone help, perhaps Greenbone?

Thanks in advance.

Did you follow the documentation? I think it's the same for the commercial product as well as the community edition. It shows what Group Policy or config for stand-alone Windows systems are needed.

https://docs.greenbone.net/GSM-Manual/gos-22.04/en/scanning.html#requirements-on-target-systems-with-microsoft-windows

Yes I followed the documentation exactly and the log entry ‘Authenticated Scan / LSC Info Consolidation (Windows SMB Login)’ in the report says:

Detection Result
Description (Knowledge base entry) : Value/Content

Access to the registry possible (SMB/registry_access) : TRUE
Access via WMI possible (WMI/access_successful) : TRUE
Architecture of the OS (SMB/Windows/Arch) : x64
Build number of the OS (SMB/WindowsBuild) : 19044
Disable file search via WMI on Windows (win/lsc/disable_wmi_search) : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec) : FALSE
Domain used for authenticated scans (kb_smb_domain()) : myDomain
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps) : FALSE
Extended SMB support available via openvas-smb module (Tools/Present/smb) : TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi) : TRUE
Login via SMB failed (login/SMB/failed) : FALSE
Login via SMB successful (login/SMB/success) : TRUE
Missing access permissions to the registry (SMB/registry_access_missing_permissions) : FALSE
Name of the most recent service pack installed (SMB/CSDVersion) : Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext) : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1) : FALSE
Path to the OS SystemRoot (smb_get_systemroot()) : C:\Windows
Path to the OS SystemRoot for 32bit (smb_get_system32root()) : C:\Windows\system32
Port configured for authenticated scans (kb_smb_transport()) : 445/tcp
Port used for the successful login via SMB : 445/tcp
Product name of the OS (SMB/WindowsName) : Windows 10 Pro
SMB name used for authenticated scans (kb_smb_name()) : 10.10.10.10
User used for authenticated scans (kb_smb_login()) : myScanUser
Version number of the OS (SMB/WindowsVersion) : 6.3
Version string of the OS (SMB/WindowsVersionString) : 21H2
Workgroup of the SMB server (SMB/workgroup) : Empty/None

That does not look right … do you use a domain account or a local administrator account for scanning?

Indeed, and that's the only difference when scanning a Windows 8.1 machine, which shows:

Description (Knowledge base entry) : Value/Content

Access to the registry possible (SMB/registry_access) : TRUE
Access via WMI possible (WMI/access_successful) : TRUE
Architecture of the OS (SMB/Windows/Arch) : x64
Build number of the OS (SMB/WindowsBuild) : 9600
Disable file search via WMI on Windows (win/lsc/disable_wmi_search) : FALSE
Disable the usage of win_cmd_exec for remote commands on Windows (win/lsc/disable_win_cmd_exec) : FALSE
Domain used for authenticated scans (kb_smb_domain()) : myDomain
Enable Detection of Portable Apps on Windows (win/lsc/search_portable_apps) : FALSE
Extended SMB support available via openvas-smb module (Tools/Present/smb) : TRUE
Extended WMI support available via openvas-smb module (Tools/Present/wmi) : TRUE
Login via SMB failed (login/SMB/failed) : FALSE
Login via SMB successful (login/SMB/success) : TRUE
Missing access permissions to the registry (SMB/registry_access_missing_permissions) : FALSE
Name of the most recent service pack installed (SMB/CSDVersion) : Empty/None
Never send SMB credentials in clear text (SMB/dont_send_in_cleartext) : TRUE
Only use NTLMv2 (SMB/dont_send_ntlmv1) : FALSE
Path to the OS SystemRoot (smb_get_systemroot()) : C:\Windows
Path to the OS SystemRoot for 32bit (smb_get_system32root()) : C:\Windows\system32
Port configured for authenticated scans (kb_smb_transport()) : 445/tcp
Port used for the successful login via SMB : 445/tcp
Product name of the OS (SMB/WindowsName) : Windows 8.1 Pro
SMB name used for authenticated scans (kb_smb_name()) : 10.10.10.11
User used for authenticated scans (kb_smb_login()) : myScanUser
Version number of the OS (SMB/WindowsVersion) : 6.3
Version string of the OS (SMB/WindowsVersionString) : FALSE
Workgroup of the SMB server (SMB/workgroup) : myDomain

For scanning I’m using a domain user. In the credential element the username is entered as ‘myDomain\myScanUser’ but I also tried ‘myDomain/myScanUser’ and ‘myScanUser@myDomain’ without success …

And that user has Domain Administrator rights? If not you won't see the patches on Windows 10.
What is the event log saying about the login?

No, he didn't - but now I did a new authenticated scan with the Domain Administrator credentials and got the same results as before.

In the security event log I can see the following:

Einer neuen Anmeldung wurden besondere Rechte zugewiesen.

Antragsteller:
Sicherheits-ID: myDomain\Administrator
Kontoname: Administrator
Kontodomäne: myDomain
Anmelde-ID: 0x1CE29E

Berechtigungen: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege

Ein Konto wurde erfolgreich angemeldet.

Antragsteller:
Sicherheits-ID: NULL SID
Kontoname: -
Kontodomäne: -
Anmelde-ID: 0x0

Anmeldeinformationen:
Anmeldetyp: 3
Eingeschränkter Administratormodus: -
Virtuelles Konto: Nein
Token mit erhöhten Rechten: Ja

Identitätswechselebene: Identitätswechsel

Neue Anmeldung:
Sicherheits-ID: myDomain\Administrator
Kontoname: Administrator
Kontodomäne: myDomain
Anmelde-ID: 0x1CE29E
Verknüpfte Anmelde-ID: 0x0
Netzwerk-Kontoname: -
Netzwerk-Kontodomäne: -
Anmelde-GUID: {00000000-0000-0000-0000-000000000000}

Prozessinformationen:
Prozess-ID: 0x0
Prozessname: -

Netzwerkinformationen:
Arbeitsstationsname: -
Quellnetzwerkadresse: 10.10.10.153
Quellport: 45629

Detaillierte Authentifizierungsinformationen:
Anmeldeprozess: NtLmSsp
Authentifizierungspaket: NTLM
Übertragene Dienste: -
Paketname (nur NTLM): NTLM V2
Schlüssellänge: 128

To me it looks quite good …

I also tried to run the specific NASL script from the command line using:

openvas-nasl -t 10.10.10.10 -i /var/lib/openvas/plugins/ -T ./KB5026361.log -d -X --kb="SMB/domain=myDomain" --kb="SMB/name=myScanUser" --kb="SMB/password=secret" /var/lib/openvas/plugins/2023/microsoft/gb_ms_kb5026361.nasl

but I don’t even see a connect on the target machine.
I assume I’m using the wrong parameters for the login.

What would be the correct command for checking this from the command line?

That will not work, you can test single NASL scripts but never run a scan or a complex task with dependencies to different previous scripts.

I would suggest you can debug this in layers.

Create a Domain Administrator and try to log in with those credentials first before reducing the rights. It looks like a test environment you are running, so no security implication there.

If you can login with net or other Microsoft Tools, you can try GVM as well.

O.K., thanks - I’ve now created a user myDomain\Greenbone which is a member of the groups Domain-Admins and Domain-Users.

Using this user I can successfully connect to the target host using net and regedit from another Windows machine.

Then with these credentials I ran a scan of this target, but no missing Windows Patches were detected.

In the security event log I can see the following:

Einer neuen Anmeldung wurden besondere Rechte zugewiesen.

Antragsteller:
Sicherheits-ID: myDomain\Greenbone
Kontoname: Greenbone
Kontodomäne: myDomain
Anmelde-ID: 0xC4081

Berechtigungen: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege

Ein Konto wurde erfolgreich angemeldet.

Antragsteller:
Sicherheits-ID: NULL SID
Kontoname: -
Kontodomäne: -
Anmelde-ID: 0x0

Anmeldeinformationen:
Anmeldetyp: 3
Eingeschränkter Administratormodus: -
Virtuelles Konto: Nein
Token mit erhöhten Rechten: Ja

Identitätswechselebene: Identitätswechsel

Neue Anmeldung:
Sicherheits-ID: myDomain\Greenbone
Kontoname: Greenbone
Kontodomäne: myDomain
Anmelde-ID: 0xC4081
Verknüpfte Anmelde-ID: 0x0
Netzwerk-Kontoname: -
Netzwerk-Kontodomäne: -
Anmelde-GUID: {00000000-0000-0000-0000-000000000000}

Prozessinformationen:
Prozess-ID: 0x0
Prozessname: -

Netzwerkinformationen:
Arbeitsstationsname: -
Quellnetzwerkadresse: 10.10.10.153
Quellport: 50477

Detaillierte Authentifizierungsinformationen:
Anmeldeprozess: NtLmSsp
Authentifizierungspaket: NTLM
Übertragene Dienste: -
Paketname (nur NTLM): NTLM V2
Schlüssellänge: 128

What does the Log-NVT tell you if you can successfully login to run authenticated NVTs ?

I’m sorry, but what is Log-NVT - where can I find/activate it?

Thanks for your patience.

As a follow up to No detection of missing Windows Security Patches on Windows 10 PCs · Issue #1500 · greenbone/openvas-scanner · GitHub (as this was also placed on the scanner issue tracker but is very very unlikely a scanner issue):

The VT in question can be started from command line with something like e.g. the following:

cd /path/to/openvas/plugins
# Non-domain user
openvas-nasl -X -B -i /path/to/openvas/plugins -t <targetip> logins.nasl smb_login.nasl smb_registry_access.nasl smb_reg_service_pack.nasl 2023/microsoft/gb_ms_kb5026361.nasl --kb="SMB/login_filled/0=<username>" --kb="SMB/password_filled/0=<password>"
# Domain user
openvas-nasl -X -B -i /path/to/openvas/plugins -t <targetip> logins.nasl smb_login.nasl smb_registry_access.nasl smb_reg_service_pack.nasl 2023/microsoft/gb_ms_kb5026361.nasl --kb="SMB/login_filled/0=<username>" --kb="SMB/password_filled/0=<password>" --kb="SMB/domain_filled/0=<domain>"

When applying the following patch to it:

diff --git a/2023/microsoft/gb_ms_kb5026361.nasl b/2023/microsoft/gb_ms_kb5026361.nasl
index 02a9fff697a..73dc8a5edf8 100644
--- a/2023/microsoft/gb_ms_kb5026361.nasl
+++ b/2023/microsoft/gb_ms_kb5026361.nasl
@@ -84,6 +84,8 @@ if(!build){
   exit(0);
 }
 
+display("Build: ", build);
+
 if(!("19042" >< build || "19044" >< build || "19045" >< build)){
   exit(0);
 }
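Review bot: the `display("Build: ", build);` added here is troubleshooting output and should not be merged as-is; keep it for the local openvas-nasl run described above and revert it before the VT is committed. If a trace is wanted at this point, the `if(!build){ exit(0); }` branch just above also deserves one, so that a run which exits there can be told apart from one that reaches the build check.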
@@ -92,11 +94,15 @@ if(!dllPath ){
   exit(0);
 }
 
+display("Path: ", dllPath);
+
 fileVer = fetch_file_version(sysPath:dllPath, file_name:"ntoskrnl.exe");
 if(!fileVer){
   exit(0);
 }
 
+display("File version: ", fileVer);
+
 if(version_is_less(version:fileVer, test_version:"10.0.19041.2965"))
 {
   report = report_fixed_ver(file_checked:dllPath + "\ntoskrnl.exe",
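Review bot: `display("File version: ", fileVer);` is placed after `if(!fileVer){ exit(0); }`, so when fetch_file_version() returns nothing the script exits before printing anything, which is precisely the silent case being chased in this thread. For debugging, put a display inside that branch (before the `exit(0)`) stating that the ntoskrnl.exe version lookup under dllPath failed, so the log distinguishes "not vulnerable" from "could not determine". As in the first hunk, these display() calls are temporary and belong in a local debugging copy, not in the merged VT.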

I was able to see / observe the following:

It was possible to log into the remote host using the SMB protocol.
Windows 10 Enterprise 6.3 (22H2) is installed with build number 19045
lib  nasl-Message: 14:17:37.717: Build: 19045
lib  nasl-Message: 14:17:39.434: Path: C:\Windows\system32

which means that the VT works and reaches the fetch_file_version() function, which doesn’t return the file version at all for unknown reasons. In this case no vulnerability is reported because the file version is missing.

I’m lacking the knowledge on Windows to further debug this / determine where this problem might be originating from (e.g. if there is an actual issue in the NASL code, if there is some configuration problem on the target which prevents reading out the file version, …) but maybe this already helps a little.

I will also create an internal task for the team working on this topic to see / check this case but can’t give any guarantee if / when someone is looking into this.
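As an added illustration (not code from this thread or from Greenbone's VT), the following Python re-implements the decision path of gb_ms_kb5026361.nasl that the debug patch above exercises, making the silent exit on a missing ntoskrnl.exe version an explicit "undetermined" verdict, and checks the "LSC Info Consolidation" preconditions the file-version lookup depends on. It assumes NASL's version_is_less() compares numeric segments; the sample report lines are constructed.

```python
import re
from enum import Enum

# Build numbers and fixed ntoskrnl.exe version exactly as in the VT excerpt above.
AFFECTED_BUILDS = ("19042", "19044", "19045")
FIXED_NTOSKRNL = "10.0.19041.2965"

class Verdict(Enum):
    NOT_APPLICABLE = "build not covered by KB5026361"
    UNDETERMINED = "ntoskrnl.exe version could not be read"
    VULNERABLE = "KB5026361 missing"
    PATCHED = "KB5026361 or newer installed"

def version_is_less(version, test_version):
    """Numeric, segment-wise comparison (assumed to match NASL's version_is_less())."""
    a = [int(x) for x in re.findall(r"\d+", version)]
    b = [int(x) for x in re.findall(r"\d+", test_version)]
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))

def evaluate_kb5026361(build, ntoskrnl_version):
    """Same decision order as the VT; the VT's exit(0) on an empty file
    version is returned as UNDETERMINED instead of silently reporting nothing."""
    if not any(b in build for b in AFFECTED_BUILDS):  # NASL: "19042" >< build
        return Verdict.NOT_APPLICABLE
    if not ntoskrnl_version:
        return Verdict.UNDETERMINED
    if version_is_less(ntoskrnl_version, FIXED_NTOSKRNL):
        return Verdict.VULNERABLE
    return Verdict.PATCHED

# Knowledge-base keys from the consolidation report that the registry/file
# lookups rely on, with the value each must have (key names as shown above).
REQUIRED = {"login/SMB/success": "TRUE", "SMB/registry_access": "TRUE",
            "WMI/access_successful": "TRUE",
            "SMB/registry_access_missing_permissions": "FALSE",
            "win/lsc/disable_win_cmd_exec": "FALSE"}

def failed_preconditions(report_text):
    """Parse 'Description (key) : value' lines; return keys that are wrong or absent."""
    found = {m.group(1): m.group(2)
             for m in re.finditer(r"\(([^()]+)\) : (\S+)", report_text)}
    return sorted(k for k, v in REQUIRED.items() if found.get(k) != v)

if __name__ == "__main__":
    # Constructed sample: WMI access missing, two keys not present at all.
    sample = ("Access to the registry possible (SMB/registry_access) : TRUE\n"
              "Login via SMB successful (login/SMB/success) : TRUE\n"
              "Access via WMI possible (WMI/access_successful) : FALSE\n")
    print(failed_preconditions(sample))
    print(evaluate_kb5026361("19045", ""))  # the case observed in the thread
```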

Thank you very much for your response.

When I run your suggested command for a domain user I get:

root@vmgreenbone:/var/lib/openvas/plugins# openvas-nasl -X -b -t 10.10.10.10 logins.nasl smb_login.nasl smb_registry_access.nasl smb_reg_service_pack.nasl 2023/microsoft/gb_ms_kb5026361.nasl --kb="SMB/login_filled/0=myScanUser" --kb="SMB/password_filled/0=myPassword" --kb="SMB/domain_filled/0=myDomain"
Unknown option -b

When I omit the option -b I get:

root@vmgreenbone:/var/lib/openvas/plugins# openvas-nasl -X -t 10.10.10.10 logins.nasl smb_login.nasl smb_registry_access.nasl smb_reg_service_pack.nasl 2023/microsoft/gb_ms_kb5026361.nasl --kb="SMB/login_filled/0=myScanUser" --kb="SMB/password_filled/0=myPassword" --kb="SMB/domain_filled/0=myDomain"
lib  nasl-Message: 15:21:42.952: 2023/microsoft/gb_ms_kb5026361.nasl: Not able to open nor to locate it in include paths

What is the option -b doing?
Do we use different versions?
Mine is:

root@vmgreenbone:/var/lib/openvas/plugins# openvas-nasl -V
openvas-nasl 22.7.4

Copyright (C) 2002 - 2004 Tenable Network Security
Copyright (C) 2022 Greenbone Networks GmbH

Sorry, this was a typo and the -b should be -B instead (see e.g. openvas-nasl --help or man openvas-nasl for more background info)

Ah, O.K. thanks but now I get

root@vmgreenbone:/var/lib/openvas/plugins# openvas-nasl -t 10.10.10.10 -X -B --kb="SMB/login_filled/0=myScanUser" --kb="SMB/password_filled/0=myPassword" --kb="SMB/domain_filled/0=myDomain" logins.nasl smb_login.nasl smb_registry_access.nasl smb_reg_service_pack.nasl /var/lib/openvas/plugins/2023/microsoft/gb_ms_kb5026361.nasl
lib  nasl-Message: 16:26:50.833: secpod_reg.inc: Not able to open nor to locate it in include paths
lib  nasl-Message: 16:26:50.833: /var/lib/openvas/plugins/2023/microsoft/gb_ms_kb5026361.nasl. There were 0 parse errors.
/var/lib/openvas/plugins/2023/microsoft/gb_ms_kb5026361.nasl could not be loaded

Ah, an include path was missing as well (-i /path/to/openvas/plugins) and the examples got updated now (I’m usually using a Bash alias and missed copying over the full command).