Product Name
CIS-CAT Pro Assessor v4
Product Version
All
Date
Problem
I’ve followed the WinRM troubleshooting Knowledge Base article available here: https://cisecurity.atlassian.net/l/c/HHh9qVJn but I am still unable to successfully run an Assessor scan.
Solution
Create Logs:
After producing Assessor logs, open them in a text editor or viewer (such as, but not limited to, Notepad++, Visual Studio Code, Brackets, BBEdit, or TextWrangler) and look for the following snippets in your Assessor-CLI.log file. Using your text editor's search feature will speed up this process.
Searching for WSDL or WinRM:
We can see that WinRM is struggling to connect, and we are seeing an issue with the WSDL (Web Services Description Language):

```
[timestamp] INFO org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean - Creating Service {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService from WSDL: jar:file:/C:/Path/to/your/Assessor-vx.x.x/Assessor-CLI/lib/winrm4j-client-0.8.0.jar!/wsdl/WinRmService.wsdl
[timestamp] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
```
Searching for WinRM:
After we see WinRM struggling to connect, further down the logs we see WinRM throwing an exception of a similar form:

```
[timestamp] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
```
Searching for your WinRM port (here: 5986):
By default WinRM HTTP uses port 80. On Windows 7 and higher, the default port is 5985.
By default WinRM HTTPS uses port 443. On Windows 7 and higher, the default port is 5986.
Here is where we see the connection to WinRM over HTTPS using port 5986, but Assessor-CLI is still not connecting as anticipated:

```
Caused by: java.net.ConnectException: ConnectException invoking https://your.remote.ip.address:5986/wsman: Connection timed out: no further information
```
Searching for: Exception Unzipping
When the WinRM credentials are OK and the SMB connection works, CIS-CAT Pro Assessor (CCPA) is able to unzip its files and transfer them via the WinRM connection to the remote ephemeral directory. This snippet shows that unzipping to the \temp directory on the remote host was unsuccessful.

```
[timestamp] ERROR org.cisecurity.wrapper.SessionUtilities - Exception Unzipping C:\Temp\ccpa-temp-longstringofnumbers\scripts.zip
java.lang.RuntimeException: failed task "create" after 2 attempt(s)
```
When we see that very last section, after the WinRM and WSDL entries mentioned before it, the exception is often thrown when trying to execute the first command using WinRM (that command runs unzip.exe to extract the scripts.zip file).
This is what is failing, and it points to something malfunctioning in the WinRM service configuration on the endpoint you're trying to scan.
Please:
1. Verify, on the endpoint being scanned, that the LocalAccountTokenFilterPolicy registry setting is configured.
2. Go through the flowchart within the Microsoft Windows Remote-Setup section of the CCPA Configuration Guide. The very last sub-section of those setup instructions is "Disable UAC remote restrictions"; that is the registry setting mentioned in step 1 above.
3. Verify that the username you’re using to remotely connect to the machine has admin access to run the assessment.
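
The log searches described above can be scripted. The following is an added example, not CIS code: the function name `triage`, the signature labels, and the advice wording are assumptions, and the sample log is constructed from the excerpts on this page.

```python
import re
import sys

# Signatures taken from the Assessor-CLI.log excerpts on this page.
SIGNATURES = {
    "wsdl_service_created": re.compile(r"Creating Service \{[^}]+\}WinRmService from WSDL"),
    "send_fault": re.compile(r"org\.apache\.cxf\.interceptor\.Fault: Could not send Message"),
    "connect_timeout": re.compile(
        r"ConnectException invoking (https?)://([^/:\s]+):(\d+)/wsman: Connection timed out"),
    "unzip_failed": re.compile(r"Exception Unzipping \S*scripts\.zip"),
}

# Constructed sample assembled from the page's excerpts (placeholders kept as-is).
SAMPLE_LOG = r"""
[timestamp] INFO org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean - Creating Service {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService from WSDL: jar:file:/C:/Path/to/your/Assessor-vx.x.x/Assessor-CLI/lib/winrm4j-client-0.8.0.jar!/wsdl/WinRmService.wsdl
[timestamp] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
Caused by: java.net.ConnectException: ConnectException invoking https://your.remote.ip.address:5986/wsman: Connection timed out: no further information
[timestamp] ERROR org.cisecurity.wrapper.SessionUtilities - Exception Unzipping C:\Temp\ccpa-temp-longstringofnumbers\scripts.zip
java.lang.RuntimeException: failed task "create" after 2 attempt(s)
""".strip()


def triage(log_text):
    """Return (hits, endpoints, advice) for the WinRM failure signatures."""
    hits = {name: [] for name in SIGNATURES}
    endpoints = set()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for name, rx in SIGNATURES.items():
            m = rx.search(line)
            if not m:
                continue
            hits[name].append(lineno)
            if name == "connect_timeout":
                endpoints.add((m.group(1), m.group(2), int(m.group(3))))
    advice = []
    # Assumption: a TCP timeout means the listener/port is unreachable from the Assessor host.
    for scheme, host, port in sorted(endpoints):
        advice.append(f"{scheme}://{host}:{port} timed out: check the WinRM listener and port are reachable")
    if hits["unzip_failed"]:
        advice.append("unzip.exe over WinRM failed: verify LocalAccountTokenFilterPolicy and admin access")
    if hits["send_fault"] and not advice:
        advice.append("WinRM Create request could not be sent: review the WinRM setup on the endpoint")
    return hits, endpoints, advice


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for item in triage(text)[2]:
        print(item)
```

Run it with the path to your Assessor-CLI.log as the only argument; with no argument it analyses the constructed sample.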