One of my devices show log messages indicating that SMB login was successful, despite not running an authenticated scan. I’m a bit confused as to why. I thought smb checks would not run if the scan is not authenticated. The nasl files indicates so at least.
Is this something that should be ignored or is it a sign of something worse?
The first test “SMB log in” performs the actual login attempt while the second test “SMB Login Successful for Authenticated Checks” simply reports on the status of the kb (knowledge base / database) field login/SMB/success/port that indicates a successful login status from the first test.
If the script finds that the login/SMB/success key exists (which typically indicates a successful SMB login), it logs the port used for the login and exits with a status of 0.
First, you should double check to ensure you have not provided a login credential to the scan task. If certainly no credential has been provided, it appears to me that the SMB log in test (VT OID 1.3.6.1.4.1.25623.1.0.10394) uses empty credentials, via the scan task configuration (see screenshot below).
Therefore, my guess is that this potentially indicates that empty credentials could successfully login to the system remotely via SMB.
1 Like