Authenticated Scanning Using WinRM
Purpose
This document provides a complete technical procedure for Authenticated Scanning Using WinRM on OUTSCAN and HIABs
Introduction
Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management protocol, which is a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows interoperation between hardware and operating systems from different vendors.
Requirements
Technical Preview
This section is a technical preview of a feature that is currently under development. Some features are hidden behind a feature flag.
This document has been elaborated under the assumption the reader has access to the OUTSCAN/HIAB account and Portal Interface.
If another account than Domain Administrator is used, it needs to either be a Domain User Account or a local user part of the AdministratorGroup to succeed with the authentication. If a Domain User Account is used, it need to be a member of the Administrators group, this user will run with full administrator access enabled, therefore User Account Control (UAC) does not need to be disabled. If a Local User is used ensure that the local account is included in the Administrators Group.
In order for an authenticated scan on windows to succeed, the Windows Update service (wuauserv
) need to be enabled and running (it is by default). Without this service, the target cannot be queried for complete patch information which will cause reports to be incorrect.
Run-Time Requirements
WinRM is part of the operating system. However, to obtain data from remote computers, you must configure a WinRM listener. For more information, see Installation and configuration for Windows Remote Management. If a Baseboard Management Controller (BMC) is detected at system startup, then the Intelligent Platform Management Interface (IPMI) provider loads; but even if not, the WinRM scripting objects and the WinRM command-line tool are still available.
Installation
For WinRM scripts to run, and for the Winrm command-line tool to perform data operations, WinRM has to be both installed and configured.
However, WinRM is automatically installed with all currently-supported versions of the Windows operating system.
These elements also depend on WinRM configuration.
The Windows Remote Shell1 command-line tool, Winrs.
Windows PowerShell 2.0 remoting.
For more information about WinRM installation and configuration, see Installation and configuration for Windows remote management.2
Configuration
By default WinRM uses Kerberos for authentication so Windows never sends the password to the system requesting validation. To get a list of your authentication settings, type the following command:
winrm get winrm/config
The purpose of configuring WinRM for HTTPS is to encrypt the data being sent.
WinRM HTTPS requires a local computer Server Authentication certificate with a CN matching the hostname to be installed. The certificate must not be expired, revoked, or self-signed.
For more information about WinRM configuration, see How to configure WINRM for HTTPS.3
Certification
Installing a trusted root certificate is necessary only if you are notified that the certificate of authority is not trusted on any machine. This can occur when you use a private or custom certificate server instead of acquiring certificates from an established public certificate of authority.
For more information on how to export Root Certification Authority Certificate, see How to export Root Certification Authority Certificate.4
HIAB/OUTSCAN Setup
To set up OUTSCAN/HIAB to use WinRM follow the steps outlined in this section.
Create Target Group
To create a target group:
Go to Main Menu > Netsec > Manage Targets.
Click on + New in the Targets Groups field and name the group.
Create Target
To create a target:
Open the Manage Targets module in Main Menu > Netsec > Manage Targets.
Click on + New in the Targets field to display the Add New Targets window.
Format | Description |
---|---|
fc00::23 | IPv6 |
192.168.200.23|virtualhost,virtualhost | IPv4 |
192.168.200.1/24 | CIDR |
192.168.200.3-192.168.200.15 | IP range |
FQDN | |
\\netbios_host | netBIOS hostname |
Fill in the required information in the form fields and click Save.
Targets can also be imported from a Comma Separated Values (csv) file, LDAP/AD, or ServiceNow by clicking on respective Import/Upload button.
Option | Description |
---|---|
New Target List | Add one or multiple targets using the presented help text. Private IP addresses cannot be added when using OUTSCAN. |
DNS Lookup | Select if a DNS look-up should be performed when adding the IP addresses to the system to get the host name in the system. |
NetBIOS Lookup (HIAB only) | Select if a NetBIOS look-up should be performed when adding the IP addresses to the system to get the host name in the system. |
Scanner (HIAB only) | Set which scanner that should scan the defined targets. Default is set to local and that is referring to the machine that you are logged on to. If you have a distributed network with multiple scanners that is accepted by the scheduler, you will be able to choose which scanner to use in the drop-down menu. If you have a HIAB External license, the OUTSCAN scanner is also available in the drop-down and should be used if public IPs are to be scanned from the OUTSCAN SaaS solution. |
Attributes | This option is used to add additional information about the target. This is displayed as a column with the given field name in the Managed Targets grid. |
Upload From File | Import a previously exported target group file or custom Comma Separated Values (csv) file. |
Import from LDAP/AD | Import targets from LDAP/AD. |
Import From ServiceNow | Import targets from ServiceNow. |
Certain tasks like adding a large/multiple networks can take a long time. When it takes more than 90 seconds, the progress can be viewed in the Task Viewer tab located at the bottom right of the task bar. Task Viewer appears for a user only if there is at least one task in the list. The three possible states for a task appearing in Task Viewer are:
In Progress
Done
Error
Import from LDAP/AD
The Import from LDAP/AD button displays a window where you can select which targets to import into the HIAB.
Option | Description |
---|---|
Search Filter | Standard LDAP search filter. See Search Filter Syntax on Windows Dev Center for more information. |
Import From ServiceNow
The Import from ServiceNow button displays a window where you can select which targets to import into the HIAB from ServiceNow.
Option | Description |
---|---|
Table | Table name containing the targets in ServiceNow. |
Tag | Tags are text labels in ServiceNow associated with items such as records and pages. |
Asset Tag | The Asset tag refers to assets in ServiceNow Asset Management system. |
Query | Search query to retrieve the ServiceNow targets. |
Upload From File
Adding targets from a CSV-file.
Click the + New button in the Targets view.
Click the Upload From File button.
Import the exported target group file or custom Comma Separated Values (csv) file by clicking the + button to select a file.
Option | Description |
---|---|
Upload From File | Select a file to import. |
Separator | Define what separator is used in the file.
|
Text Delimiter | Define what text delimiter is used in the file.
|
Skip First Line | Select this to skip the first line. |
Click Next to continue.
Once uploaded, continue with mapping the files information to the target by selecting the appropriate subject in the drop-down menus.
Finish by clicking the Save button.
Create New WinRM Scan Policy
Go to Main Menu > NetSec > Scan Scheduling.
Select the Scan Policy tab.
Click + New to create a new policy.
Configure the SMB/WinRM credentials and the Port Scan settings.
Click Save.
Go to Main Menu > NetSec > Scan Scheduling.
Create new Scan schedule by clicking on + New.
and trigger it (choose the correct scan policy in Scan Settings)
Check the scan process/status in the tab Scan Status
After the scan has been completed, go to Main Menu > Reporting Tools and check whether there are vulnerabilities in port 5986
When performing authenticated scanning against Windows hosts, the scanner creates and starts a service called O24 Auth on the target machine.
This service is used to execute commands on the target and send the results back to the scanner.
Do not remove the service during scanning, it will stop and remove itself after it is done.
References
Related Articles
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.