Unable to perform a remote scan on a Windows machine

Product Name

CIS-CAT Pro Assessor v4

Product Version

All

Date

Mar 11, 2021


Problem

I’ve followed the WinRM troubleshooting Knowledge Base article available here: https://cisecurity.atlassian.net/l/c/HHh9qVJn but I am still unable to successfully run an Assessor scan.

 

Solution

  1. Create logs by following this Knowledge Base article:

    1. https://cisecurity.atlassian.net/l/c/hfS8F33e

  2. After producing the Assessor logs, open them in a text editor or viewer (such as, but not limited to, Notepad++, Visual Studio Code, Brackets, BBEdit, or TextWrangler) and look for the following snippets inside your Assessor-CLI.log file. Using the search feature of your text editor will speed this up.

 

Searching for WSDL or WinRM:

Here we can see WinRM struggling to connect, together with an issue involving the WSDL (Web Services Description Language) that the WinRM client loads:

[timestamp] INFO org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean - Creating Service {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService from WSDL: jar:file:/C:/Path/to/your/Assessor-vx.x.x/Assessor-CLI/lib/winrm4j-client-0.8.0.jar!/wsdl/WinRmService.wsdl
[timestamp] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message.


Searching for WinRM:

After WinRM struggles to connect, further down the log we see WinRM throwing an exception of a similar form:

[timestamp] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message.

 

Searching for your WinRM port (here: 5986):

  • By default WinRM HTTP uses port 80. On Windows 7 and higher, the default port is 5985.

  • By default WinRM HTTPS uses port 443. On Windows 7 and higher, the default port is 5986.

Here is where we see the connection to WinRM over HTTPS using port 5986, but Assessor-CLI is still not connecting as anticipated:

Caused by: java.net.ConnectException: ConnectException invoking https://your.remote.ip.address:5986/wsman: Connection timed out: no further information


Searching for: Exception Unzipping

When the WinRM credentials are OK and the SMB connection works, CIS-CAT Pro Assessor (CCPA) is able to unzip its files and transfer them over the WinRM connection to the remote ephemeral directory. This snippet shows that unzipping to the \temp directory on the remote host was unsuccessful.


When we see that last section, after the WinRM and WSDL messages described above, the exception is often thrown while executing the first command over WinRM (running unzip.exe to extract the scripts.zip file).
This is what is failing, and it points to a problem with the WinRM service configuration on the endpoint you are trying to scan.

Please:

  1. Verify, on the endpoint being scanned, that the LocalAccountTokenFilterPolicy registry setting is configured.

  2. Go through the flowchart within the Microsoft Windows Remote-Setup section of the CCPA Configuration Guide.

  3. The very last sub-section of those setup instructions is "Disable UAC remote restrictions"; that is the registry setting mentioned in step 1 above.

  4. Verify that the username you’re using to remotely connect to the machine has admin access to run the assessment.
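As an added example (not part of this article or of CIS-CAT Pro Assessor), the following Python script automates the log search described above: it looks for the WSDL, WinRM fault, connection-timeout and "Exception Unzipping" signatures in an Assessor-CLI.log, extracts the WinRM endpoint and port when present, and maps the most fundamental signature found to the troubleshooting step it points to. The sample log text is constructed from the snippets quoted in this article, and 192.0.2.10 is a placeholder address.

```python
import re
from urllib.parse import urlsplit
# Signatures taken from the Assessor-CLI.log snippets quoted in this article.
SIGNATURES = {
    "wsdl_loaded": re.compile(r"Creating Service .*WinRmService from WSDL"),
    "winrm_fault": re.compile(r"WinRmService#.*Create has thrown exception"),
    "connect_timeout": re.compile(
        r"ConnectException invoking (https?://[^/\s]+)/wsman: Connection timed out"),
    "unzip_failed": re.compile(r"Exception Unzipping", re.IGNORECASE),
}

# Most fundamental cause first: a timeout explains everything after it; an unzip failure
# means the WinRM session opened but the first remote command was refused.
PRIORITY = ["connect_timeout", "unzip_failed", "winrm_fault", "wsdl_loaded"]
DIAGNOSIS = {
    "connect_timeout": "WinRM endpoint unreachable: verify the listener port (5985 HTTP / 5986 HTTPS), firewall and WinRM service.",
    "unzip_failed": "WinRM connected but unzip.exe failed: check LocalAccountTokenFilterPolicy (UAC remote restrictions) and that the account is an administrator.",
    "winrm_fault": "WinRM request failed before any command ran: re-check WinRM configuration per the Remote-Setup flowchart.",
    "wsdl_loaded": "WinRM client initialised; no failure signature found.",
}

def triage(log_text: str) -> dict:
    """Return the signatures seen, the remote endpoint/port if logged, and the likely cause."""
    seen, endpoint = [], None
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m and name not in seen:
                seen.append(name)
                if name == "connect_timeout":
                    endpoint = m.group(1)
    stage = next((s for s in PRIORITY if s in seen), None)
    port = urlsplit(endpoint).port if endpoint else None
    return {"seen": seen, "endpoint": endpoint, "port": port, "stage": stage,
            "diagnosis": DIAGNOSIS.get(stage, "No WinRM-related signatures found.")}

# Constructed sample logs (not real Assessor output): a network-level timeout, then a scan
# that connected over WinRM but failed on the first command.
TIMEOUT_LOG = """\
[timestamp] INFO org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean - Creating Service {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService from WSDL: jar:file:/C:/Path/to/your/Assessor-vx.x.x/Assessor-CLI/lib/winrm4j-client-0.8.0.jar!/wsdl/WinRmService.wsdl
[timestamp] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService#{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}Create has thrown exception, unwinding now org.apache.cxf.interceptor.Fault: Could not send Message.
Caused by: java.net.ConnectException: ConnectException invoking https://192.0.2.10:5986/wsman: Connection timed out: no further information
"""
UNZIP_LOG = """\
[timestamp] INFO org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean - Creating Service {http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmService from WSDL: jar:file:/C:/Path/to/your/Assessor-vx.x.x/Assessor-CLI/lib/winrm4j-client-0.8.0.jar!/wsdl/WinRmService.wsdl
[timestamp] ERROR Exception Unzipping scripts.zip into the remote \\temp directory
"""
if __name__ == "__main__":
    for log in (TIMEOUT_LOG, UNZIP_LOG):
        print(triage(log)["diagnosis"])
```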

 


Copyright © 2020

Center for Internet Security®