Thanks Christian
________________________________
From: Openvas-discuss <[email protected]> on behalf of Christian Fischer <[email protected]>
Sent: August 1, 2017 9:13 AM
To: [email protected]
Subject: Re: [Openvas-discuss] Windows 8 EOL false positive

Hi Matt,

On 30.07.2017 13:00, Christian Fischer wrote:
> Hi Matt,
>
> On 26.07.2017 17:48, Matt Koivisto wrote:
>> Thanks Christian, you are correct, I was looking at two separate reports by
>> mistake. I have noticed that this issue seems to "flap" sometimes - one scan
>> will report the issue, then a subsequent scan it won't. When looking into
>> the differences in the Detection Consolidation and Reporting (OID:
>> 1.3.6.1.4.1.25623.1.0.105937) between the two runs, I notice that when it
>> incorrectly identifies the host as windows 8 this is the result:
>>
>>> Best matching OS:
>>>
>>> OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft
>>> Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1
>>> Update 1
>>> CPE: cpe:/o:microsoft:windows_8
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL
>>> wrapper))
>>> Concluded from Nmap TCP/IP fingerprinting:
>>> OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview,
>>> Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or
>>> Windows 8.1 Update 1
>>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows
>>> cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1
>>> cpe:/o:microsoft:windows_8
>>> Setting key "Host/runs_windows" based on this information
>>>
>>> Other OS detections (in order of reliability):
>>>
>>> OS: Microsoft Windows
>>> CPE: cpe:/o:microsoft:windows
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>>> Concluded from ICMP based OS fingerprint:
>>> (95% confidence)
>>>
>>> Microsoft Windows
>>
>> IE, it appears to not have used the NVT 1.3.6.1.4.1.25623.1.0.102011 (SMB
>> NativeLanMan) to determine the OS. When SMB is used, it correctly identifies
>> the host as windows 7.
>>
>> Looking into SMB NVT in the same runs, I see that in the false positive case
>> the NVT 1.3.6.1.4.1.25623.1.0.90011 (SMB Test with 'smbclient') is getting
>> errors:
>>
>>> OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>> Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>> SMB Serverversion = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>
>> But in the proper identification case:
>>
>>> OS Version = WINDOWS 7 PROFESSIONAL 7601 SERVICE PACK 1
>>> Domain = <expected domain>
>>> SMB Serverversion = WINDOWS 7 PROFESSIONAL 6.1
>
> Thanks for this additional info. I thought that the issue might be related
> to the nmap OS detection and this info confirms that.
>
> That nmap based OS detection is more or less the "last" fallback as the
> ICMP based OS Fingerprinting isn't also that reliable, especially
> against virtual machines.
>
> I will update the nmap based OS detection in the next few days to only
> set a detailed CPE (e.g. cpe:/o:microsoft:windows_8) if one single CPE
> was returned. If more than one CPE is returned (like in your posted
> example) we need to go for a generic cpe:/o:microsoft:windows CPE to
> avoid such false positives.

for this specific scenario a generic Windows should be detected now once
the following NVT is reaching the feed in revision r6289:

os_detection.nasl
OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937

>> So it looks like the root cause is SMB being intermittent on windows 7 when
>> OpenVAS is accessing it.
>
> It looks like this is related to the memory management on the Windows 7
> machine:
>
> https://superuser.com/questions/857324/connecting-with-smbclient-to-windows-7-produces-error-protocol-negotiation-fai
>
> I had scanned tons of Windows 7 machines in the past and never had such
> ERRDOS:ERRnomem messages. Currently quite unsure why this is showing up
> at your setup but it might be worth trying the suggestion in the
> superuser.com thread linked above.
>
> Regards,
>
> --
>
> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
> Greenbone Networks GmbH | http://greenbone.net
> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>
>> -----Original Message-----
>> From: Christian Fischer [mailto:[email protected]]
>> Sent: Wednesday, July 19, 2017 11:07 AM
>> To: Matt Koivisto <[email protected]>
>> Cc: openvas-discuss <[email protected]>
>> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>>
>> Hey,
>>
>> On 18.07.2017 22:18, Matt Koivisto wrote:
>>> Thanks Christian,
>>>
>>> Here's the output of that nvt. It seems to report the expected value for
>>> best matching OS:
>>
>> thanks for passing this info. Unfortunately it's technically not possible
>> that:
>>
>> OS End of Life Detection (http://plugins.openvas.org/nasl.php?oid=103674)
>>
>> is reporting Windows 8 as EOL with an output of Detection Consolidation and
>> Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937) you have passed to me below.
>>
>> All detected and registered OS types which are evaluated by the "OS End of
>> Life Detection" are showing up there.
>>
>> Could you make sure that this is an output of a report / host you have seen
>> this issue?
>>
>> Regards,
>> Christian
>>
>>>> Best matching OS:
>>>>
>>>> OS: Windows 7 Enterprise 7601 Service Pack 1
>>>> CPE: cpe:/o:microsoft:windows_7:-:sp1
>>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
>>>> Concluded from SMB/Samba banner on port 445/tcp: OS String: Windows 7 Enterprise
>>>> 7601 Service Pack 1; SMB String: Windows 7 Enterprise 6.1
>>>> Setting key Host/runs_windows based on this information
>>>>
>>>> Other OS detections (in order of reliability):
>>>>
>>>> OS: Microsoft Windows Server 2008 SP2
>>>> CPE: cpe:/o:microsoft:windows_server_2008::sp2
>>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification
>>>> (NASL wrapper))
>>>> Concluded from Nmap TCP/IP fingerprinting:
>>>> OS details: Microsoft Windows Server 2008 SP2
>>>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2
>>>>
>>>> OS: Microsoft Windows
>>>> CPE: cpe:/o:microsoft:windows
>>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS
>>>> Fingerprinting)
>>>> Concluded from ICMP based OS fingerprint:
>>>> (95% confidence)
>>>>
>>>> Microsoft Windows
>>
>> Regards,
>>
>>>
>>> -----Original Message-----
>>> From: Openvas-discuss
>>> [mailto:[email protected]] On Behalf Of
>>> Christian Fischer
>>> Sent: Tuesday, July 18, 2017 4:04 PM
>>> To: [email protected]
>>> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>>>
>>> Hi,
>>>
>>> On 18.07.2017 21:16, Matt Koivisto wrote:
>>>> Hi,
>>>>
>>>> I am running openvas-9 on centos 7, all the feeds up to date. I have
>>>> seen some windows 7 hosts with SP1 installed and fully patched that
>>>> are being detected as windows 8 machines and thus get flagged as "OS
>>>> End of Life Detection" (http://plugins.openvas.org/nasl.php?oid=103674).
>>>>
>>>> Specifically, for verified windows 7 machines I get the false positive:
>>>>
>>>>> The "Windows 8" Operating System on the remote host has reached the
>>>>> end of life.
>>>>>
>>>>> CPE: cpe:/o:microsoft:windows_8
>>>>>
>>>>> Installed version:
>>>>>
>>>>> EOL date: 2016-01-12
>>>>>
>>>>> EOL info:
>>>>> https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Windows%208&Filter=FilterNO
>>>>
>>>> Is anyone else seeing this on their network as well? Any suggestions?
>>>>
>>>> I tried to trace through a bit to verify what's coming back from the
>>>> remote registry using openvas-nasl directly, but without any success.
>>>
>>> thanks for your report. Could you post the output of the following NVT:
>>>
>>> OS Detection Consolidation and Reporting (OID:
>>> 1.3.6.1.4.1.25623.1.0.105937)
>>>
>>> This might give more info where the Windows 8 detection is coming from.
>>>
>>> Regards,

Regards,

--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
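The consolidation rule Christian describes in the thread (register a detailed CPE from the nmap wrapper only when nmap returned exactly one CPE, otherwise fall back to the generic cpe:/o:microsoft:windows), together with the way a failed SMB negotiation silently removes the most reliable source and leaves the nmap fallback in charge, as an added Python example. This is not code from the thread or from the OpenVAS feed's own os_detection.nasl. The CPE strings and smbclient output are the ones quoted above; the source reliability ranking, the regular expressions, the single-entry EOL table and the product-family generalisation (any set of CPEs sharing one vendor and product family collapses to the family CPE) are assumptions made for the example.

```python
import re
from datetime import date

# Constructed sample inputs: the "OS CPE:" lines and smbclient output quoted in
# the thread, copied from the reports rather than taken from a live scan.
NMAP_MULTI = ("cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows "
              "cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 "
              "cpe:/o:microsoft:windows_8")
NMAP_SINGLE = "cpe:/o:microsoft:windows_server_2008::sp2"
SMB_FAILED = ("OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM\n"
              "Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM\n"
              "SMB Serverversion = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM")
SMB_OK = ("OS Version = WINDOWS 7 PROFESSIONAL 7601 SERVICE PACK 1\n"
          "Domain = EXAMPLE\n"
          "SMB Serverversion = WINDOWS 7 PROFESSIONAL 6.1")

# Assumed reliability ranking of the three sources (the feed's os_detection.nasl
# decides the real order); the highest value wins during consolidation.
RELIABILITY = {"smb": 100, "nmap": 50, "icmp": 10}

# Assumed EOL table holding the one date the thread reports. The generic
# cpe:/o:microsoft:windows has no entry on purpose: it can never raise an EOL hit.
EOL_DATES = {"cpe:/o:microsoft:windows_8": date(2016, 1, 12)}


def parse_cpes(os_cpe_line):
    """Split an nmap 'OS CPE:' line into its individual cpe:/o: entries."""
    return [tok for tok in os_cpe_line.split() if tok.startswith("cpe:/o:")]


def nmap_os_cpe(os_cpe_line):
    """CPE to register from an nmap fingerprint.

    Exactly one CPE: trust it. Several CPEs that share one vendor and product
    family (windows_7, windows_8, windows_server_2008, ...): fall back to the
    generic family CPE, e.g. cpe:/o:microsoft:windows. Mixed or empty: None.
    """
    cpes = parse_cpes(os_cpe_line)
    if not cpes:
        return None
    if len(cpes) == 1:
        return cpes[0]
    families = set()
    for cpe in cpes:
        parts = cpe.split(":")  # ['cpe', '/o', vendor, product, version, update, ...]
        if len(parts) < 4:
            return None
        families.add((parts[2], parts[3].split("_")[0]))
    if len(families) != 1:
        return None  # nmap could not even agree on a product family
    vendor, family = families.pop()
    return f"cpe:/o:{vendor}:{family}"


def smb_os_cpe(smb_output):
    """Derive a CPE from smbclient's 'OS Version = ...' line.

    A failed protocol negotiation (the ERRDOS:ERRNOMEM case in the thread)
    yields None, i.e. SMB contributes no OS detection at all in that run.
    """
    m = re.search(r"^OS Version\s*=\s*(.+)$", smb_output, re.M)
    if not m or "PROTOCOL NEGOTIATION FAILED" in m.group(1):
        return None
    m2 = re.match(r"WINDOWS (\d+)\b.*?(?:SERVICE PACK (\d+))?\s*$",
                  m.group(1).strip(), re.I)
    if not m2:
        return None
    sp = f"sp{m2.group(2)}" if m2.group(2) else "-"
    return f"cpe:/o:microsoft:windows_{m2.group(1)}:-:{sp}"


def consolidate(detections):
    """Pick the best matching OS from (source, cpe) pairs by source reliability."""
    ranked = [(RELIABILITY[src], cpe) for src, cpe in detections if cpe]
    return max(ranked)[1] if ranked else None


def eol_finding(cpe, today=date(2017, 8, 1)):
    """Return the EOL date if the registered CPE is known to be end-of-life."""
    eol = EOL_DATES.get(cpe)
    return eol if eol and eol <= today else None


def scan_run(smb_output, nmap_cpe_line):
    """One consolidation pass: returns (best matching CPE, EOL date or None)."""
    detections = [
        ("smb", smb_os_cpe(smb_output)),
        ("nmap", nmap_os_cpe(nmap_cpe_line)),
        ("icmp", "cpe:/o:microsoft:windows"),  # ICMP fingerprinting only says "Windows"
    ]
    best = consolidate(detections)
    return best, eol_finding(best)


if __name__ == "__main__":
    print(scan_run(SMB_FAILED, NMAP_MULTI))  # generic Windows, no EOL finding
    print(scan_run(SMB_OK, NMAP_SINGLE))     # Windows 7 SP1 from SMB, no EOL finding
```

The first run reproduces the flapping case: SMB negotiation fails, so the nmap wrapper becomes the best available source, and because it returned five CPEs the consolidation registers only the generic family CPE, which the EOL check cannot match. Had the multi-CPE list been collapsed to cpe:/o:microsoft:windows_8 instead, the same EOL table would have produced the finding shown in the original report.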
