
Authenticated Scanning Using WinRM



Purpose

This document provides a complete technical procedure for authenticated scanning using WinRM on OUTSCAN and HIAB.

Introduction

Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management protocol, which is a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows interoperation between hardware and operating systems from different vendors.

Requirements

This document assumes that the reader has access to the OUTSCAN/HIAB account and Portal Interface.

If an account other than Domain Administrator is used, it must be either a Domain User Account or a local user that is part of the Administrators group for authentication to succeed. If a Domain User Account is used, it needs to be a member of the Administrators group; this user will run with full administrator access enabled, so User Account Control (UAC) does not need to be disabled. If a Local User is used, ensure that the local account is included in the Administrators group.

For an authenticated scan on Windows to succeed, the Windows Update service (wuauserv) needs to be enabled and running (it is by default). Without this service, the target cannot be queried for complete patch information, which will cause reports to be incorrect.

Run-Time Requirements

WinRM is part of the operating system. However, to obtain data from remote computers, you must configure a WinRM listener. For more information, see Installation and configuration for Windows Remote Management. If a Baseboard Management Controller (BMC) is detected at system startup, then the Intelligent Platform Management Interface (IPMI) provider loads; but even if not, the WinRM scripting objects and the WinRM command-line tool are still available.

Installation

For WinRM scripts to run, and for the Winrm command-line tool to perform data operations, WinRM has to be both installed and configured.

However, WinRM is automatically installed with all currently-supported versions of the Windows operating system.

These elements also depend on WinRM configuration.

For more information about WinRM installation and configuration, see Installation and configuration for Windows remote management [2].

Configuration

By default WinRM uses Kerberos for authentication so Windows never sends the password to the system requesting validation. To get a list of your authentication settings, type the following command:

winrm get winrm/config

The purpose of configuring WinRM for HTTPS is to encrypt the data being sent.

WinRM HTTPS requires a local computer Server Authentication certificate with a CN matching the hostname to be installed. The certificate must not be expired, revoked, or self-signed.

For more information about WinRM configuration, see How to configure WINRM for HTTPS [3].

Certification

Installing a trusted root certificate is necessary only if you are notified that the certificate authority is not trusted on any machine. This can occur when you use a private or custom certificate server instead of acquiring certificates from an established public certificate authority.

For more information on how to export the Root Certification Authority Certificate, see How to export Root Certification Authority Certificate [4].
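
A pre-flight check for the requirements stated above (wuauserv running, scan account in the local Administrators group, an HTTPS listener bound to a Server Authentication certificate whose CN matches the hostname and that is neither expired nor self-signed), to be run on the target before scheduling a scan. This is an added example and not Outpost24 tooling; the function name Test-WinRMScanReadiness and the account name are assumptions, and certificate revocation is not checked.

```powershell
# Added example: run in an elevated PowerShell session on the scan target.
# Test-WinRMScanReadiness and the -ScanAccount value are hypothetical names.
function Test-WinRMScanReadiness {
    param([Parameter(Mandatory)][string]$ScanAccount)  # 'DOMAIN\user' or 'HOST\user'

    $r = [ordered]@{}

    # The Windows Update service must be running for complete patch data.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $r['wuauserv running'] = ($null -ne $wu -and $wu.Status -eq 'Running')

    # Direct membership of the local Administrators group (well-known SID).
    # Membership through a nested domain group is not resolved here.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $r['account in Administrators'] = [bool]($admins | Where-Object { $_.Name -ieq $ScanAccount })

    # Locate the HTTPS listener and the thumbprint of its bound certificate.
    $listener = Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } | Select-Object -First 1
    $r['HTTPS listener present'] = [bool]$listener
    $thumb = if ($listener) {
        (Get-ChildItem "WSMan:\localhost\Listener\$($listener.Name)" |
            Where-Object { $_.Name -eq 'CertificateThumbprint' }).Value -replace '\s', ''
    }

    $cert = if ($thumb) { Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue }
    $r['listener certificate found'] = [bool]$cert
    if ($cert) {
        $now   = Get-Date
        $cn    = $cert.GetNameInfo('SimpleName', $false)
        $names = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
        $r['CN matches hostname']       = $names -contains $cn
        $r['within validity dates']     = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        $r['not self-signed']           = ($cert.Subject -ne $cert.Issuer)
        $r['Server Authentication EKU'] = [bool]($cert.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
    }
    [pscustomobject]$r
}

# Constructed account name; replace with the account configured in the scan policy.
Test-WinRMScanReadiness -ScanAccount "$env:COMPUTERNAME\scanuser" | Format-List
```

Any value reported as False corresponds to a requirement from the sections above that the target does not yet meet.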

HIAB/OUTSCAN Setup

To set up OUTSCAN/HIAB to use WinRM follow the steps outlined in this section.

Create Target Group

To create a target group:

  1. Go to Main Menu > Netsec > Manage Targets.

  2. Click on + New in the Target Groups field and name the group.

Create Target

To create a target:

  1. Open the Manage Targets module in Main Menu > Netsec > Manage Targets.
  2. Click on + New in the Targets field to display the Add New Targets window.



    Format                                   Description
    fc00::23                                 IPv6
    192.168.200.23|virtualhost,virtualhost   IPv4
    192.168.200.1/24                         CIDR
    192.168.200.3-192.168.200.15             IP range
    host.domain.com                          FQDN
    \\netbios_host                           NetBIOS hostname
  3. Fill in the required information in the form fields and click Save.

Targets can also be imported from a Comma Separated Values (csv) file, LDAP/AD, or ServiceNow by clicking on the respective Import/Upload button.

Option and description:

  • New Target List: Add one or multiple targets using the presented help text. Note: Private IP addresses cannot be added when using OUTSCAN.
  • DNS Lookup: Select if a DNS look-up should be performed when adding the IP addresses to the system to get the host name in the system.
  • NetBIOS Lookup (HIAB only): Select if a NetBIOS look-up should be performed when adding the IP addresses to the system to get the host name in the system.
  • Scanner (HIAB only): Set which scanner should scan the defined targets. The default is local, which refers to the machine that you are logged on to. If you have a distributed network with multiple scanners that are accepted by the scheduler, you can choose which scanner to use in the drop-down menu. If you have a HIAB External license, the OUTSCAN scanner is also available in the drop-down and should be used if public IPs are to be scanned from the OUTSCAN SaaS solution.
  • Attributes: This option is used to add additional information about the target. This is displayed as a column with the given field name in the Managed Targets grid.
  • Upload From File: Import a previously exported target group file or custom Comma Separated Values (csv) file.
  • Import from LDAP/AD: Import targets from LDAP/AD.
  • Import From ServiceNow: Import targets from ServiceNow.


Important

Certain tasks, such as adding a large network or multiple networks, can take a long time. When a task takes more than 90 seconds, its progress can be viewed in the Task Viewer tab located at the bottom right of the task bar. Task Viewer appears for a user only if there is at least one task in the list. The three possible states for a task appearing in Task Viewer are:

  • In Progress
  • Done
  • Error

Import from LDAP/AD

The Import from LDAP/AD button displays a window where you can select which targets to import into the HIAB.



Option and description:

  • Search Filter: Standard LDAP search filter. See Search Filter Syntax on Windows Dev Center for more information.

Import From ServiceNow

The Import from ServiceNow button displays a window where you can select which targets to import into the HIAB from ServiceNow.




Option and description:

  • Table: Table name containing the targets in ServiceNow.
  • Tag: Tags are text labels in ServiceNow associated with items such as records and pages.
  • Asset Tag: The Asset tag refers to assets in ServiceNow Asset Management system.
  • Query: Search query to retrieve the ServiceNow targets.

Upload From File

To add targets from a CSV file:

  1. Click the + New button in the Targets view.




  2. Click the Upload From File button.



  3. Import the exported target group file or custom Comma Separated Values (csv) file by clicking the + button to select a file.

    Add New Targets Upload


    Option and description:

    • Upload From File: Select a file to import.
    • Separator: Define what separator is used in the file: Tab, Comma ( , ), Semicolon ( ; ), or Colon ( : ).
    • Text Delimiter: Define what text delimiter is used in the file: Single Quote ( ' ) or Double Quote ( " ).
    • Skip First Line: Select this to skip the first line, e.g. for a header line.
  4. Click Next to continue.
  5. Once uploaded, continue with mapping the file's information to the target by selecting the appropriate subject in the drop-down menus.



  6. Finish by clicking the Save button.

Create New WinRM Scan Policy

  1. Go to Main Menu > NetSec > Scan Scheduling.



  2. Select the Scan Policy tab.
  3. Click + New to create a new policy.



  4. Configure the SMB/WinRM credentials and the Port Scan settings.
  5. Click Save.
  6. Go to Main Menu > NetSec > Scan Scheduling.
  7. Create a new scan schedule by clicking on + New.



  8. Trigger the scan schedule, choosing the correct scan policy in Scan Settings.
  9. Check the scan process/status in the Scan Status tab.



After the scan has been completed, go to Main Menu > Reporting Tools and check whether there are vulnerabilities on port 5986.


When performing authenticated scanning against Windows hosts, the scanner creates and starts a service called O24 Auth on the target machine.
This service is used to execute commands on the target and send the results back to the scanner.
Do not remove the service during scanning; it will stop and remove itself after it is done.


References

  1. Windows Remote Management Glossary
  2. Installation and configuration for Windows remote management
  3. How to configure WINRM for HTTPS
  4. How to export Root Certification Authority Certificate





Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.



