Hi Matt,

On 26.07.2017 17:48, Matt Koivisto wrote:
> Thanks Christian, you are correct, I was looking at two separate reports by
> mistake. I have noticed that this issue seems to "flap" sometimes - one scan
> will report the issue, then on a subsequent scan it won't. When looking into the
> differences in the Detection Consolidation and Reporting (OID:
> 1.3.6.1.4.1.25623.1.0.105937) between the two runs, I notice that when it
> incorrectly identifies the host as Windows 8 this is the result:
>
>> Best matching OS:
>>
>> OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft
>> Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1
>> Update 1
>> CPE: cpe:/o:microsoft:windows_8
>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL
>> wrapper))
>> Concluded from Nmap TCP/IP fingerprinting:
>> OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview,
>> Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or
>> Windows 8.1 Update 1
>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows
>> cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1
>> cpe:/o:microsoft:windows_8
>> Setting key "Host/runs_windows" based on this information
>>
>> Other OS detections (in order of reliability):
>>
>> OS: Microsoft Windows
>> CPE: cpe:/o:microsoft:windows
>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>> Concluded from ICMP based OS fingerprint:
>> (95% confidence)
>>
>> Microsoft Windows
>
> I.e., it appears to not have used the NVT 1.3.6.1.4.1.25623.1.0.102011 (SMB
> NativeLanMan) to determine the OS. When SMB is used, it correctly identifies
> the host as Windows 7.
>
> Looking into the SMB NVT in the same runs, I see that in the false positive case
> the NVT 1.3.6.1.4.1.25623.1.0.90011 (SMB Test with 'smbclient') is getting
> errors:
>
>> OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>> Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>> SMB Serverversion = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>
> But in the proper identification case:
>
>> OS Version = WINDOWS 7 PROFESSIONAL 7601 SERVICE PACK 1
>> Domain = <expected domain>
>> SMB Serverversion = WINDOWS 7 PROFESSIONAL 6.1
Thanks for this additional info. I thought that the issue might be related to
the nmap OS detection and this info confirms that. That nmap based OS detection
is more or less the "last" fallback, as the ICMP based OS Fingerprinting isn't
that reliable either, especially against virtual machines.

I will update the nmap based OS detection in the next few days to only set a
detailed CPE (e.g. cpe:/o:microsoft:windows_8) if one single CPE was returned.
If more than one CPE is returned (like in your posted example) we need to go
for a generic cpe:/o:microsoft:windows CPE to avoid such false positives.

> So it looks like the root cause is SMB being intermittent on Windows 7 when
> OpenVAS is accessing it.

It looks like this is related to the memory management on the Windows 7
machine:

https://superuser.com/questions/857324/connecting-with-smbclient-to-windows-7-produces-error-protocol-negotiation-fai

I have scanned tons of Windows 7 machines in the past and never had such
ERRDOS:ERRnomem messages. Currently I'm quite unsure why this is showing up in
your setup, but it might be worth trying the suggestion in the superuser.com
thread linked above.

Regards,

-- 
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

> -----Original Message-----
> From: Christian Fischer [mailto:[email protected]]
> Sent: Wednesday, July 19, 2017 11:07 AM
> To: Matt Koivisto <[email protected]>
> Cc: openvas-discuss <[email protected]>
> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>
> Hey,
>
> On 18.07.2017 22:18, Matt Koivisto wrote:
>> Thanks Christian,
>>
>> Here's the output of that NVT. It seems to report the expected value for
>> best matching OS:
>
> thanks for passing this info.
> Unfortunately it's technically not possible that:
>
> OS End of Life Detection (http://plugins.openvas.org/nasl.php?oid=103674)
>
> is reporting Windows 8 as EOL with the output of Detection Consolidation and
> Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937) you have passed to me below.
>
> All detected and registered OS types which are evaluated by the "OS End of
> Life Detection" are showing up there.
>
> Could you make sure that this is the output of a report / host where you have
> seen this issue?
>
> Regards,
> Christian
>
>>> Best matching OS:
>>>
>>> OS: Windows 7 Enterprise 7601 Service Pack 1
>>> CPE: cpe:/o:microsoft:windows_7:-:sp1
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
>>> Concluded from SMB/Samba banner on port 445/tcp:
>>> OS String: Windows 7 Enterprise 7601 Service Pack 1; SMB String: Windows 7 Enterprise 6.1
>>> Setting key Host/runs_windows based on this information
>>>
>>> Other OS detections (in order of reliability):
>>>
>>> OS: Microsoft Windows Server 2008 SP2
>>> CPE: cpe:/o:microsoft:windows_server_2008::sp2
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
>>> Concluded from Nmap TCP/IP fingerprinting:
>>> OS details: Microsoft Windows Server 2008 SP2
>>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2
>>>
>>> OS: Microsoft Windows
>>> CPE: cpe:/o:microsoft:windows
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>>> Concluded from ICMP based OS fingerprint:
>>> (95% confidence)
>>>
>>> Microsoft Windows
>
> Regards,
>
>>
>> -----Original Message-----
>> From: Openvas-discuss
>> [mailto:[email protected]] On Behalf Of
>> Christian Fischer
>> Sent: Tuesday, July 18, 2017 4:04 PM
>> To: [email protected]
>> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>>
>> Hi,
>>
>> On 18.07.2017 21:16, Matt Koivisto wrote:
>>> Hi,
>>>
>>> I am running openvas-9 on CentOS 7, all the feeds up to date.
>>> I have seen some Windows 7 hosts with SP1 installed and fully patched that
>>> are being detected as Windows 8 machines and thus get flagged as "OS
>>> End of Life Detection" (http://plugins.openvas.org/nasl.php?oid=103674).
>>>
>>> Specifically, for verified Windows 7 machines I get the false positive:
>>>
>>>> The "Windows 8" Operating System on the remote host has reached the
>>>> end of life.
>>>>
>>>> CPE: cpe:/o:microsoft:windows_8
>>>>
>>>> Installed version:
>>>>
>>>> EOL date: 2016-01-12
>>>>
>>>> EOL info:
>>>> https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Windows%208&Filter=FilterNO
>>>
>>> Is anyone else seeing this on their network as well? Any suggestions?
>>>
>>> I tried to trace through a bit to verify what's coming back from the
>>> remote registry using openvas-nasl directly, but without any success.
>>
>> thanks for your report. Could you post the output of the following NVT:
>>
>> OS Detection Consolidation and Reporting (OID:
>> 1.3.6.1.4.1.25623.1.0.105937)
>>
>> This might give more info on where the Windows 8 detection is coming from.
>>
>> Regards,
>>
>> -- 
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>> Greenbone Networks GmbH | http://greenbone.net
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>> Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
>>
>> _______________________________________________
>> Openvas-discuss mailing list
>> [email protected]
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
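The rule Christian proposes for the nmap-based detection, sketched in Python as an added example (not Greenbone's NASL code): parse the `OS CPE:` line the Nmap OS Identification NVT prints, keep the detailed CPE only when nmap returned exactly one candidate, and otherwise register the generic `cpe:/o:microsoft:windows`. The sample lines are copied from the thread; the function names and the "register nothing for mixed vendors" branch are my assumptions.

```python
import re
from typing import List, Optional

# "OS CPE:" lines as printed by the Nmap OS Identification NVT: the ambiguous
# line that led to the Windows 8 EOL false positive, and a single-candidate one.
SAMPLE_MULTI = (
    "OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows "
    "cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 "
    "cpe:/o:microsoft:windows_8"
)
SAMPLE_SINGLE = "OS CPE: cpe:/o:microsoft:windows_server_2008::sp2"

# Generic fallback CPE proposed in the thread for ambiguous nmap results.
GENERIC_WINDOWS = "cpe:/o:microsoft:windows"
CPE_RE = re.compile(r"cpe:/o:\S+")


def parse_os_cpes(line: str) -> List[str]:
    """Return the distinct OS CPEs on an nmap 'OS CPE:' line, in order."""
    cpes: List[str] = []
    for cpe in CPE_RE.findall(line):
        if cpe not in cpes:
            cpes.append(cpe)
    return cpes


def cpe_vendor(cpe: str) -> str:
    """'cpe:/o:microsoft:windows_7::sp1' -> 'microsoft'."""
    return cpe.split(":")[2]


def choose_os_cpe(line: str) -> Optional[str]:
    """Pick the CPE to register for the host (hypothetical helper).

    One CPE: nmap is confident, keep it. Several Microsoft CPEs: nmap only
    knows it is Windows, so register the generic CPE instead of an arbitrary
    detailed one. Anything else: register nothing from nmap (my assumption).
    """
    cpes = parse_os_cpes(line)
    if not cpes:
        return None
    if len(cpes) == 1:
        return cpes[0]
    if {cpe_vendor(c) for c in cpes} == {"microsoft"}:
        return GENERIC_WINDOWS
    return None
```

With the multi-candidate line from the thread this yields the generic CPE, which the "OS End of Life Detection" NVT has no Windows 8 EOL entry to match.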
