Product Name
CIS-CAT Pro Assessor
Product Version
v4.*
Date
Problem
When running an Assessor scan against a Windows target, the scan stops unexpectedly while gathering networking parameters. The INFO-level assessor-cli.log file contains the following entry:
INFO org.cisecurity.session.impl.BaseSession - Starting Execution for Command --> ""C:\Windows\Temp\ccpa-temp-20220927T155943132\ciscat.exe" "collect_ipconfig"" ERROR org.cisecurity.wrapper.SessionUtilities - Exception Creating Session! org.xml.sax.SAXParseException: Content is not allowed in prolog.
A generic Unable to obtain connection to session: Null@null; Skipping error may be displayed as well (though this error is not exclusive to this case).
Solution
This particular issue can be caused by network interfaces that return insufficient data for the assessment to proceed. To verify this, open an administrative PowerShell terminal on the target Windows system and run the following Get-WmiObject command:
Get-WmiObject -Namespace "root\cimv2" -Query "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IpEnabled='True'" | Select-Object Description, Index, IPAddress, MACAddress | ConvertTo-Csv -NoTypeInformation
The result will indicate which adapter is affected.
In the below example, the “Appgate Tunnel“ interface does not return a MAC address value:
"Description","Index","IPAddress","MACAddress" "Intel(R) Wi-Fi 6 AX201 160MHz","1","System.String[]","88:D8:2E:07:FC:C9" "VirtualBox Host-Only Ethernet Adapter","5","System.String[]","0A:00:27:00:00:03"" "Appgate Tunnel","16","System.String[]",
To allow the scan to complete, temporarily disable the affected interface. This query used by Assessor only collects data from adapters with enabled TCP/IP bindings. Once the scan completes, the interface can be re-enabled.
Add Comment