Still issues with OS recognition

Hello everybody,

This is a follow-up thread to this one (container immauss/openvas and issues with the OS recognition on targets):

Sadly, after recreating the container, this issue still persists on some hosts.
Using log_whole_attack = yes in openvas.conf, we found some more insight into this issue:

sd main:MESSAGE:2023-03-02 16h59.39 utc:8434: Not launching gb_unknown_os_service_reporting.nasl (1.3.6.1.4.1.25623.1.0.108441) against IP because a mandatory key is missing (this is not an error)
sd main:MESSAGE:2023-03-02 16h59.27 utc:8434: Not launching unknown_services.nasl (1.3.6.1.4.1.25623.1.0.11154) against IP none of the required tcp ports are open (this is not an error)
sd main:MESSAGE:2023-03-02 16h59.27 utc:8434: Not launching find_service_nmap.nasl (1.3.6.1.4.1.25623.1.0.66286) against IP none of the required tcp ports are open (this is not an error)
sd main:MESSAGE:2023-03-02 16h59.39 utc:8434: Not launching find_service_nmap_wrapped.nasl (1.3.6.1.4.1.25623.1.0.108525) against IP none of the required tcp ports are open (this is not an error)

So the problem seems to be the port scan. Also, the issue is not really reproducible, sometimes there are no issues recognizing the OS, and sometimes it is not recognized, even on the same host.
We are using the "All IANA TCP and UDP ports" port list on all targets.
Also, connecting to the target via SMB from the container was working.

Does someone have an idea how to debug this issue?
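The log entries quoted in this post are the quickest way to confirm that the port scan, not the OS detection VTs, is what fails on the affected hosts: every service-detection VT is skipped with "none of the required tcp ports are open", so nothing downstream ever sees a banner. The following script is an added example, not code from the original post or from Greenbone; it groups the "Not launching" messages that openvas writes with log_whole_attack = yes by host and reason, and flags hosts whose port scan delivered no open TCP port at all. The sample log lines are constructed (RFC 5737 addresses instead of the redacted IP, a made-up unrelated line at the end); the message wording and OIDs are those quoted above.

```python
import re
from collections import defaultdict

# Matches the "Not launching <vt> (<oid>) against <host> <reason> (this is not
# an error)" messages quoted in the post; the log prefix before it is ignored.
NOT_LAUNCHING = re.compile(
    r"Not launching (?P<vt>\S+) \((?P<oid>[\d.]+)\) against (?P<host>\S+) "
    r"(?P<reason>.+?) \(this is not an error\)$"
)

NO_OPEN_PORTS = "none of the required tcp ports are open"

# Service-detection VTs from the post. All of them need at least one open TCP
# port from the port scanner; if they are skipped for NO_OPEN_PORTS, the port
# scan found nothing on that host and every later OS-detection VT is starved.
PORT_SCAN_DEPENDENT = {
    "1.3.6.1.4.1.25623.1.0.11154",   # unknown_services.nasl
    "1.3.6.1.4.1.25623.1.0.66286",   # find_service_nmap.nasl
    "1.3.6.1.4.1.25623.1.0.108525",  # find_service_nmap_wrapped.nasl
}

# Constructed sample log (not a real scan): host .10 got no open ports,
# host .20 only misses the unknown-OS reporting VT, last line is unrelated.
SAMPLE_LOG = """\
sd main:MESSAGE:2023-03-02 16h59.27 utc:8434: Not launching unknown_services.nasl (1.3.6.1.4.1.25623.1.0.11154) against 192.0.2.10 none of the required tcp ports are open (this is not an error)
sd main:MESSAGE:2023-03-02 16h59.27 utc:8434: Not launching find_service_nmap.nasl (1.3.6.1.4.1.25623.1.0.66286) against 192.0.2.10 none of the required tcp ports are open (this is not an error)
sd main:MESSAGE:2023-03-02 16h59.39 utc:8434: Not launching find_service_nmap_wrapped.nasl (1.3.6.1.4.1.25623.1.0.108525) against 192.0.2.10 none of the required tcp ports are open (this is not an error)
sd main:MESSAGE:2023-03-02 16h59.39 utc:8434: Not launching gb_unknown_os_service_reporting.nasl (1.3.6.1.4.1.25623.1.0.108441) against 192.0.2.10 because a mandatory key is missing (this is not an error)
sd main:MESSAGE:2023-03-02 17h01.02 utc:8434: Not launching gb_unknown_os_service_reporting.nasl (1.3.6.1.4.1.25623.1.0.108441) against 192.0.2.20 because a mandatory key is missing (this is not an error)
sd main:MESSAGE:2023-03-02 17h01.05 utc:8434: (constructed unrelated log line)
"""


def parse_not_launching(log_text):
    """Yield (host, vt, oid, reason) for every 'Not launching' entry."""
    for line in log_text.splitlines():
        m = NOT_LAUNCHING.search(line)
        if m:
            yield m.group("host"), m.group("vt"), m.group("oid"), m.group("reason")


def skipped_by_host(log_text):
    """Map host -> reason -> sorted VT file names that were skipped for it."""
    out = defaultdict(lambda: defaultdict(list))
    for host, vt, _oid, reason in parse_not_launching(log_text):
        out[host][reason].append(vt)
    return {h: {r: sorted(v) for r, v in reasons.items()} for h, reasons in out.items()}


def hosts_with_empty_port_scan(log_text):
    """Hosts where a port-scan-dependent service-detection VT was skipped
    because no required TCP port was open: the port scan is what to debug."""
    hosts = set()
    for host, _vt, oid, reason in parse_not_launching(log_text):
        if oid in PORT_SCAN_DEPENDENT and reason == NO_OPEN_PORTS:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for host, reasons in skipped_by_host(SAMPLE_LOG).items():
        for reason, vts in reasons.items():
            print(f"{host}: {len(vts)} VT(s) skipped: {reason}")
    print("hosts with empty port scan:", hosts_with_empty_port_scan(SAMPLE_LOG))
```

Run it against the real log with `skipped_by_host(open("/var/log/gvm/openvas.log").read())` (path is an assumption; use wherever the container writes the openvas log). A host that shows up in `hosts_with_empty_port_scan` on one scan and not on the next is exactly the intermittent behaviour described above, and the next thing to compare is the port scanner's own output for that host between the two runs.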

The OS detection is currently done by hundreds of VTs (see the os_get_cpe_src_list() function in the os_func.inc file). To check which one is doing the OS detection for the target in question, you could have a look at the output of the following result in the reports:

  • Name: OS Detection Consolidation and Reporting
  • OID: 1.3.6.1.4.1.25623.1.0.105937

and then start to debug from there why the OS is not detected from time to time. Known rationales for a missing OS could be e.g.:

  1. Missing open port(s) during the port scanning phase
  2. Unstable (network) connection to the target
  3. Overloaded target / network causing a missing response from the service
  4. Network devices, IDS/IPS or WAF interfering with the scan
  5. Environmental issues on the scanning host (e.g. scanner host itself is overloaded, …)
  6. Problems in the software stack itself (e.g. Docker, the linked community container, …)
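Because the detection flips between scans of the same host, the useful comparison is per host across two reports: which hosts carry the "OS Detection Consolidation and Reporting" result (OID 1.3.6.1.4.1.25623.1.0.105937) in one run and not in the other, and which VT the consolidation result credits with the detection when it is present. The script below is an added example, not code from the answer above or from Greenbone. It walks exported report XML, keeps the `<result>` elements with `<host>`, `<nvt oid="...">` and `<description>` children as GMP reports carry them (a real `get_reports` export nests them deeper, which `iter()` handles), and pulls the "Found by NVT:" OIDs out of the consolidation result's description. The two report fragments are constructed; the description text follows the "Found by NVT:" wording of the real VT but is not copied from a real scan, and the assumption that this phrase is present is what the regex relies on.

```python
import re
import xml.etree.ElementTree as ET

OS_CONSOLIDATION_OID = "1.3.6.1.4.1.25623.1.0.105937"

# Assumption: the consolidation result lists each detecting VT as
# "Found by NVT: <oid> (<name>)" in its description text.
FOUND_BY = re.compile(r"Found by NVT: (?P<oid>[\d.]+)")

# Constructed report fragments (RFC 5737 hosts). Run A detects the OS on both
# hosts; in run B the consolidation result for 192.0.2.10 is missing, the
# situation described in the thread.
OS_RESULT = (
    '<result id="{rid}"><host>{host}<asset asset_id="a-{rid}"/></host>'
    '<nvt oid="' + OS_CONSOLIDATION_OID + '">'
    "<name>OS Detection Consolidation and Reporting</name></nvt>"
    "<description>Best matching OS:\n\nOS: Debian GNU/Linux 11\n"
    "CPE: cpe:/o:debian:debian_linux:11\n"
    "Found by NVT: 1.3.6.1.4.1.25623.1.0.10267 (SSH Server type and version)\n"
    "</description></result>"
)
SSH_RESULT = (
    '<result id="{rid}"><host>{host}<asset asset_id="a-{rid}"/></host>'
    '<nvt oid="1.3.6.1.4.1.25623.1.0.10267"><name>SSH Server type and version</name></nvt>'
    "<description>Remote SSH server banner: SSH-2.0-OpenSSH_8.4p1</description></result>"
)
RUN_A = "<report><results>" + "".join([
    SSH_RESULT.format(rid="a1", host="192.0.2.10"),
    OS_RESULT.format(rid="a2", host="192.0.2.10"),
    SSH_RESULT.format(rid="a3", host="192.0.2.20"),
    OS_RESULT.format(rid="a4", host="192.0.2.20"),
]) + "</results></report>"
RUN_B = "<report><results>" + "".join([
    SSH_RESULT.format(rid="b1", host="192.0.2.10"),
    SSH_RESULT.format(rid="b2", host="192.0.2.20"),
    OS_RESULT.format(rid="b3", host="192.0.2.20"),
]) + "</results></report>"


def os_detection_by_host(report_xml):
    """Map every host seen in the report to the sorted OIDs of the VTs that the
    consolidation result credits with the OS detection; [] means the host has
    no consolidation result (or one that credits no VT)."""
    status = {}
    for result in ET.fromstring(report_xml).iter("result"):
        host_el = result.find("host")
        nvt_el = result.find("nvt")
        if host_el is None or nvt_el is None:
            continue
        host = (host_el.text or "").strip()   # .text is the IP before <asset>
        found = status.setdefault(host, set())
        if nvt_el.get("oid") == OS_CONSOLIDATION_OID:
            found.update(FOUND_BY.findall(result.findtext("description") or ""))
    return {h: sorted(oids) for h, oids in status.items()}


def flapping_hosts(run_a_xml, run_b_xml):
    """Hosts detected in exactly one of the two runs: the ones to debug."""
    a = os_detection_by_host(run_a_xml)
    b = os_detection_by_host(run_b_xml)
    return sorted(h for h in a.keys() | b.keys() if bool(a.get(h)) != bool(b.get(h)))


if __name__ == "__main__":
    for run_name, run in (("run A", RUN_A), ("run B", RUN_B)):
        for host, oids in sorted(os_detection_by_host(run).items()):
            print(f"{run_name} {host}: detected by {oids or 'nothing'}")
    print("flapping:", flapping_hosts(RUN_A, RUN_B))
```

Feed it two exports of the same task (for example the XML that `gvm-cli` returns for `<get_reports report_id="..." details="1"/>`) and start from the `flapping_hosts` output: for a host that flips, the VT listed under "Found by NVT" in the good run tells you which service banner the detection depends on, which is the port and service to check in the bad run's port scan results.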