0
()

It is recommended that you verify the functionality of the new account from a remote host before using the account for Windows authenticated scanning.

Note: Run the commands described in steps 1 – 5 directly on the target machine. This verifies that Windows Remote Management (WinRM) is configured properly on that machine and has sufficient permissions so that Windows is ready for the authenticated scan.

    1. Make sure that PowerShell 5 or newer is installed:

Get-Host | Select-Object Version

    1. Check the WinRM permissions for user groups or the individual user account:

(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

    1. Make sure that the WinRM service is running:

Get-Service -Name “WinRM”

    1. Make sure that the WinRM HTTPS listener is configured:

winrm enumerate winrm/config/listener

    1. Check the detailed WinRM configuration:

winrm get winrm/config/service

    1. Run the corresponding PowerShell script for your configuration from a remote host (for example, from the Radar Scan Node if possible):

      Note: If possible, run this command on a machine with Scan Node Agent installed. This shows you if it is possible to set the remote session and run the command from a Scan Node to a target Windows IP ($ip) using the credentials for the authenticated scan account.

        • Windows scan node with explicit credentials and WinRM HTTPS listener in use:

      $ip = “{ip}”
      $user = “{username}”
      $pass = “{password}” | ConvertTo-SecureString -AsPlainText -Force
      $cred = New-Object System.Management.Automation.PSCredential ($user, $pass)

      $pso = New-PSSessionOption -SkipCACheck -SkipCNCheck
      Invoke-Command -ComputerName $ip -Credential $cred -Authentication Negotiate -Port 5986 -UseSSL -SessionOption $pso {
      if ((Get-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’).Property.Contains(‘ProductName’))
      {
      (Get-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’ -Name ‘ProductName’).ProductName
      }
      }

        • Linux scan node with explicit credentials and WinRM HTTPS listener in use:

      $ip = “{ip}”
      $user = “{username}”
      $pass = “{password}” | ConvertTo-SecureString -AsPlainText -Force
      $cred = New-Object System.Management.Automation.PSCredential ($user, $pass)

      $pso = New-PSSessionOption -SkipCACheck -SkipCNCheck
      Invoke-Command -ComputerName $ip -Credential $cred -Authentication Basic -Port 5986 -UseSSL -SessionOption $pso {
      if ((Get-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’).Property.Contains(‘ProductName’))
      {
      (Get-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’ -Name ‘ProductName’).ProductName
      }
      }

        • Windows scan node with explicit credentials and WinRM HTTP listener in use:

      $ip = “{ip}”
      $user = “{username}”
      $pass = “{password}” | ConvertTo-SecureString -AsPlainText -Force
      $cred = New-Object System.Management.Automation.PSCredential ($user, $pass)

      $pso = New-PSSessionOption -SkipCACheck -SkipCNCheck
      Invoke-Command -ComputerName $ip -Credential $cred -Authentication Negotiate -Port 5985 -SessionOption $pso {
      if ((Get-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’).Property.Contains(‘ProductName’))
      {
      (Get-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’ -Name ‘ProductName’).ProductName
      }
      }

        • Windows scan node with scan node service account credentials and WinRM HTTPS listener in use:

      $ip = “{ip}”

      $pso = New-PSSessionOption -SkipCACheck -SkipCNCheck
      Invoke-Command -ComputerName $ip -Authentication NegotiateWithImplicitCredential -Port 5986 -UseSSL -SessionOption $pso {
      if ((Get-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’).Property.Contains(‘ProductName’))
      {
      (Get-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’ -Name ‘ProductName’).ProductName
      }
      }

        • Windows scan node with scan node service account credentials and WinRM HTTP listener in use:

      $ip = “{ip}”

      $pso = New-PSSessionOption -SkipCACheck -SkipCNCheck
      Invoke-Command -ComputerName $ip -Authentication NegotiateWithImplicitCredential -Port 5985 -SessionOption $pso {
      if ((Get-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’).Property.Contains(‘ProductName’))
      {
      (Get-ItemProperty -Path ‘HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion’ -Name ‘ProductName’).ProductName
      }
      }

Each of these scripts outputs the OS version of the target host.

Known issues:

  • Scanning for Windows updates fails on Windows 10 (versions 1703, 1709 and 1803) – Due to a bug related to accessing WMI remotely in these versions of Windows 10, scanning for Windows updates may fail. It results in the Microsoft Windows updates scanning failed (1023713) finding in the System Scan report and Access is denied (0x80070005) errors in the System Scan log file. To solve the issue, install the recent cumulative update on the target machine. The issue is not present in the earlier and later versions of Windows 10.

Source : Official F-Secure Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count:

No votes so far! Be the first to rate this post.

(Visited 2 times, 1 visits today)
Discover More help  Troubleshooting Windows authenticated scanning (RPC) (F-Secure)