Product Name

CIS-CAT Pro Assessor v4

Product Version

All

Date



Problem

When running an Assessor scan against a Windows target, the scan stops unexpectedly while gathering networking parameters.

When Assessor is run with INFO-level logging, the /logs/assessor-cli.log file contains the following entry indicating the scan halts at the collect_ipconfig step:

Code Block
INFO org.cisecurity.session.impl.BaseSession - Starting Execution for Command --> 
""C:\Windows\Temp\ccpa-temp-20220927T155943132\ciscat.exe" "collect_ipconfig""
ERROR org.cisecurity.wrapper.SessionUtilities - Exception Creating Session!
org.xml.sax.SAXParseException: Content is not allowed in prolog.

Solution

This particular issue can be caused by network interfaces (virtual or physical) that return insufficient data for the assessment to proceed.

To verify, open an administrative PowerShell terminal on the target Windows system and run the following Get-WmiObject command:

Code Block
Get-WmiObject -Namespace "root\cimv2" -Query "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IpEnabled='True'" | Select-Object Description, Index, IPAddress, MACAddress | ConvertTo-Csv -NoTypeInformation

The resulting output will indicate which adapters are affected, if any.

In the example below, the "Appgate Tunnel" interface does not return a corresponding MAC address value:

Code Block
"Description","Index","IPAddress","MACAddress"
"Intel(R) Wi-Fi 6 AX201 160MHz","1","System.String[]","88:D8:2E:07:FC:C9"
"VirtualBox Host-Only Ethernet Adapter","5","System.String[]","0A:00:27:00:00:03"
"Appgate Tunnel","16","System.String[]",

To allow the scan to complete, temporarily disable the affected interface in the system settings. The query used by Assessor only collects this data from adapters with enabled TCP/IP bindings.

Once the scan completes, the interface can be re-enabled.
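
The verification step above can be scripted so that affected adapters are flagged automatically before a scan. This is an added example, not part of Assessor or of the original article; it reuses the article's WQL query and assumes a missing MACAddress is the only condition to check, since that is the field absent in the example output.

```powershell
# Added example: list IP-enabled adapters and flag those that return no MAC address.
# Run in an administrative PowerShell session on the target Windows system.
$query = "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IpEnabled='True'"

# Get-WmiObject is not available in PowerShell 6 and later; fall back to Get-CimInstance.
if (Get-Command Get-WmiObject -ErrorAction SilentlyContinue) {
    $adapters = Get-WmiObject -Namespace 'root\cimv2' -Query $query
} else {
    $adapters = Get-CimInstance -Namespace 'root\cimv2' -Query $query
}

$report = foreach ($a in $adapters) {
    [pscustomobject]@{
        Description    = $a.Description
        Index          = $a.Index
        InterfaceIndex = $a.InterfaceIndex
        # Join the string array so the addresses are shown instead of "System.String[]".
        IPAddress      = ($a.IPAddress -join ';')
        MACAddress     = $a.MACAddress
        # Assumption: only MACAddress is tested, as in the article's example output.
        MissingMac     = [string]::IsNullOrWhiteSpace($a.MACAddress)
    }
}

# Full inventory first, then the adapters that need attention.
$report | Format-Table -AutoSize

$affected = @($report | Where-Object { $_.MissingMac })
if ($affected.Count -gt 0) {
    Write-Warning ("{0} IP-enabled adapter(s) return no MAC address:" -f $affected.Count)
    $affected | ForEach-Object {
        Write-Warning ("  [Index {0}] {1}" -f $_.Index, $_.Description)
    }
} else {
    Write-Output 'All IP-enabled adapters return a MAC address.'
}
```

Adapters listed in the warning are the ones to disable temporarily before re-running the scan.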

Keywords: collect_ipconfig, Windows


Copyright © 2022

Center for Internet Security®


Linked ticket

SUPPORT-22328

Created by

Allan Cornwell
