Subject: Re: [Openvas-discuss] Windows 8 EOL false positive

Thanks Christian

From: Openvas-discuss <[email protected]> on behalf of Christian Fischer <[email protected]>
Sent: August 1, 2017 9:13 AM
To: [email protected]
Subject: Re: [Openvas-discuss] Windows 8 EOL false positive

Hi Matt,

On 30.07.2017 13:00, Christian Fischer wrote:
> Hi Matt,
>
> On 26.07.2017 17:48, Matt Koivisto wrote:
>> Thanks Christian, you are correct, I was looking at two separate reports by mistake. I have noticed that this issue seems to "flap" sometimes - one scan will report the issue, then a subsequent scan it won't. When looking into the differences in the Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937) between the two runs, I notice that when it incorrectly identifies the host as windows 8 this is the result:
>>
>>> Best matching OS:
>>>
>>> OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
>>> CPE: cpe:/o:microsoft:windows_8
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
>>> Concluded from Nmap TCP/IP fingerprinting:
>>> OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
>>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8
>>> Setting key "Host/runs_windows" based on this information
>>>
>>> Other OS detections (in order of reliability):
>>>
>>> OS: Microsoft Windows
>>> CPE: cpe:/o:microsoft:windows
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>>> Concluded from ICMP based OS fingerprint:
>>> (95% confidence)
>>>
>>> Microsoft Windows
>>
>> I.e., it appears to not have used the NVT 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan) to determine the OS. When SMB is used, it correctly identifies the host as Windows 7.
>>
>> Looking into SMB NVT in the same runs, I see that in the false positive case the NVT 1.3.6.1.4.1.25623.1.0.90011 (SMB Test with 'smbclient') is getting errors:
>>
>>> OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>> Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>> SMB Serverversion = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>
>> But in the proper identification case:
>>
>>> OS Version = WINDOWS 7 PROFESSIONAL 7601 SERVICE PACK 1
>>> Domain = <expected domain>
>>> SMB Serverversion = WINDOWS 7 PROFESSIONAL 6.1
>
> Thanks for this additional info. I thought that the issue might be related
> to the nmap OS detection and this info confirms that.
>
> That nmap based OS detection is more or less the "last" fallback as the
> ICMP based OS Fingerprinting isn't also that reliable, especially
> against virtual machines.
>
> I will update the nmap based OS detection in the next few days to only
> set a detailed CPE (e.g. cpe:/o:microsoft:windows_8) if one single CPE
> was returned. If more than one CPE is returned (like in your posted
> example) we need to go for a generic cpe:/o:microsoft:windows CPE to
> avoid such false positives.

For this specific scenario a generic Windows should be detected now once
the following NVT reaches the feed in revision r6289:

os_detection.nasl
OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937

>> So it looks like the root cause is SMB being intermittent on windows 7 when OpenVAS is accessing it.
>
> It looks like this is related to the memory management on the Windows 7
> machine:
>
> https://superuser.com/questions/857324/connecting-with-smbclient-to-windows-7-produces-error-protocol-negotiation-fai
>
> I had scanned tons of Windows 7 machines in the past and never had such
> ERRDOS:ERRnomem messages. Currently quite unsure why this is showing up
> at your setup, but it might be worth trying the suggestion in the
> superuser.com thread linked above.
>
> Regards,
>
> --
>
> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
> Greenbone Networks GmbH | http://greenbone.net
> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>
>> -----Original Message-----
>> From: Christian Fischer [mailto:[email protected]]
>> Sent: Wednesday, July 19, 2017 11:07 AM
>> To: Matt Koivisto <[email protected]>
>> Cc: openvas-discuss <[email protected]>
>> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>>
>> Hey,
>>
>> On 18.07.2017 22:18, Matt Koivisto wrote:
>>> Thanks Christian,
>>>
>>> Here's the output of that nvt. It seems to report the expected value for best matching OS:
>>
>> thanks for passing this info. Unfortunately it's technically not possible
>> that:
>>
>> OS End of Life Detection (http://plugins.openvas.org/nasl.php?oid=103674)
>>
>> is reporting Windows 8 as EOL with the output of Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937) you have passed to me below.
>>
>> All detected and registered OS types which are evaluated by the "OS End of Life Detection" are showing up there.
>>
>> Could you make sure that this is the output of a report / host where you have seen this issue?
>>
>> Regards,
>> Christian
>>
>>>> Best matching OS:
>>>>
>>>> OS: Windows 7 Enterprise 7601 Service Pack 1
>>>> CPE: cpe:/o:microsoft:windows_7:-:sp1
>>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
>>>> Concluded from SMB/Samba banner on port 445/tcp:
>>>> OS String: Windows 7 Enterprise 7601 Service Pack 1; SMB String: Windows 7 Enterprise 6.1
>>>> Setting key Host/runs_windows based on this information
>>>>
>>>> Other OS detections (in order of reliability):
>>>>
>>>> OS: Microsoft Windows Server 2008 SP2
>>>> CPE: cpe:/o:microsoft:windows_server_2008::sp2
>>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
>>>> Concluded from Nmap TCP/IP fingerprinting:
>>>> OS details: Microsoft Windows Server 2008 SP2
>>>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2
>>>>
>>>> OS: Microsoft Windows
>>>> CPE: cpe:/o:microsoft:windows
>>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>>>> Concluded from ICMP based OS fingerprint:
>>>> (95% confidence)
>>>>
>>>> Microsoft Windows
>>
>> Regards,
>>
>>>
>>> -----Original Message-----
>>> From: Openvas-discuss
>>> [mailto:[email protected]] On Behalf Of
>>> Christian Fischer
>>> Sent: Tuesday, July 18, 2017 4:04 PM
>>> To: [email protected]
>>> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>>>
>>> Hi,
>>>
>>> On 18.07.2017 21:16, Matt Koivisto wrote:
>>>> Hi,
>>>>
>>>> I am running openvas-9 on centos 7, all the feeds up to date. I have
>>>> seen some windows 7 hosts with SP1 installed and fully patched that
>>>> are being detected as windows 8 machines and thus get flagged as "OS
>>>> End of Life Detection" (http://plugins.openvas.org/nasl.php?oid=103674).
>>>>
>>>> Specifically, for verified windows 7 machines I get the false positive:
>>>>
>>>>> The "Windows 8" Operating System on the remote host has reached the
>>>>> end of life.
>>>>
>>>>> CPE: cpe:/o:microsoft:windows_8
>>>>
>>>>> Installed version:
>>>>
>>>>> EOL date: 2016-01-12
>>>>
>>>>> EOL info:
>>>>> https://support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Windows%208&Filter=FilterNO
>>>>
>>>> Is anyone else seeing this on their network as well? Any suggestions?
>>>>
>>>> I tried to trace through a bit to verify what's coming back from the
>>>> remote registry using openvas-nasl directly, but without any success.
>>>
>>> thanks for your report. Could you post the output of the following NVT:
>>>
>>> OS Detection Consolidation and Reporting (OID:
>>> 1.3.6.1.4.1.25623.1.0.105937)
>>>
>>> This might give more info where the Windows 8 detection is coming from.
>>>
>>> Regards,

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
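The consolidation rule Christian describes (keep nmap's detailed CPE only when a single CPE comes back, otherwise report the generic cpe:/o:microsoft:windows), together with a check that flags reports where an EOL finding rests on such an ambiguous nmap fallback instead of the SMB banner, as an added Python example. This is not code from the thread and not the feed's os_detection.nasl; the two sample report texts are constructed from the output quoted above, and the handling of empty or mixed-vendor candidate lists (returning None so other detection sources are used) is my assumption about what the consolidation should do.

```python
import re

# OID of "Nmap OS Identification (NASL wrapper)", taken from the thread.
NMAP_OS_NVT_OID = "1.3.6.1.4.1.25623.1.0.108021"
GENERIC_WINDOWS_CPE = "cpe:/o:microsoft:windows"

CPE_RE = re.compile(r"cpe:/\S+")


def parse_cpes(text):
    """Return every CPE string in a line such as 'OS CPE: cpe:/o:... cpe:/o:...'."""
    return CPE_RE.findall(text)


def consolidate_nmap_cpe(cpes):
    """Rule from the thread: keep nmap's CPE only when it returned exactly one.

    Several candidates mean the TCP/IP fingerprint is ambiguous, so only the
    generic Windows CPE is reported when every candidate is a Microsoft Windows
    product. For an empty or mixed-vendor list return None (assumption) so the
    caller falls back to other detection sources.
    """
    if len(cpes) == 1:
        return cpes[0]
    if cpes and all(c.startswith(GENERIC_WINDOWS_CPE) for c in cpes):
        return GENERIC_WINDOWS_CPE
    return None


def best_match(report):
    """Extract (cpe, source OID, nmap CPE candidates) from the 'Best matching OS:' block."""
    block = report.split("Other OS detections", 1)[0]
    cpe = re.search(r"^\s*CPE:\s*(cpe:/\S+)", block, re.M)
    oid = re.search(r"Found by NVT:\s*(\d[\d.]+)", block)
    os_cpe = re.search(r"OS CPE:(.*)", block)
    return (
        cpe.group(1) if cpe else None,
        oid.group(1) if oid else None,
        parse_cpes(os_cpe.group(1)) if os_cpe else [],
    )


def eol_finding_is_suspect(report):
    """True when a detailed Windows CPE came from the nmap fallback with >1 candidate CPE."""
    cpe, oid, candidates = best_match(report)
    return (
        cpe is not None
        and cpe != GENERIC_WINDOWS_CPE
        and oid == NMAP_OS_NVT_OID
        and len(candidates) > 1
    )


# Constructed sample: the "flapping" report where SMB failed and nmap won.
FLAPPING_REPORT = """Best matching OS:

OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
CPE: cpe:/o:microsoft:windows_8
Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
Concluded from Nmap TCP/IP fingerprinting:
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_8

Other OS detections (in order of reliability):

OS: Microsoft Windows
CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
"""

# Constructed sample: the correct report where the SMB banner was available.
GOOD_REPORT = """Best matching OS:

OS: Windows 7 Enterprise 7601 Service Pack 1
CPE: cpe:/o:microsoft:windows_7:-:sp1
Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
Concluded from SMB/Samba banner on port 445/tcp:

Other OS detections (in order of reliability):

OS: Microsoft Windows Server 2008 SP2
CPE: cpe:/o:microsoft:windows_server_2008::sp2
Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper))
OS CPE: cpe:/o:microsoft:windows_server_2008::sp2
"""

if __name__ == "__main__":
    for name, report in (("flapping", FLAPPING_REPORT), ("good", GOOD_REPORT)):
        cpe, oid, candidates = best_match(report)
        print(f"{name}: best CPE {cpe} from {oid}, nmap candidates {len(candidates)}, "
              f"consolidated nmap CPE {consolidate_nmap_cpe(candidates)}, "
              f"suspect={eol_finding_is_suspect(report)}")
```

Running the block on the two constructed reports prints the nmap candidates the consolidation would collapse to the generic CPE in the flapping case, and flags only that report as a suspect EOL finding; the same check can be run over the "OS Detection Consolidation and Reporting" text of any host that flaps between scans.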