Open-AudIT
https://www.open-audit.org/phpBB3/

1.12.8.1 breaks remote audit
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6570

Author:  AlanHoiland [ Wed Nov 30, 2016 4:29 am ]
Post subject:  1.12.8.1 breaks remote audit

Hello,

I have had a lot of trouble with the latest release. Now, it seems that remote audits are broken. No matter what credentials I enter, the debug log says:
LOG - No working Windows credentials for 192.168.1.77 found.

and I don't get updates from the device.

Any suggestions? Is it just me? I've looked through the forum and don't see similar problems. There has been little change to my config other than the update to 12.8.1.

Thanks!
Alan

Author:  jpa [ Wed Nov 30, 2016 5:44 am ]
Post subject:  Re: 12.18.1 breaks remote audit

Select the debug check box when doing a discovery for the test IP. Anything interesting in the output around the "Testing Windows credentials for <your ip address>" line?

Author:  AlanHoiland [ Wed Nov 30, 2016 6:19 am ]
Post subject:  Re: 12.18.1 breaks remote audit

LOG - Testing Windows credentials for 192.168.1.78
DEBUG - Command Executed: %comspec% /c start /b wmic /Node:"192.168.1.78" /user:Administrator /password:"******" csproduct get uuid
DEBUG - Return Value: 1
DEBUG - Command Output:
Array
(
[0] =>
)

DEBUG ---------------
LOG - WMIC command '%comspec% /c start /b wmic /Node:"192.168.1.78" /user:Administrator /password:"******" csproduct get uuid' on 192.168.1.78 failed
DEBUG - Command Executed: %comspec% /c start /b wmic /Node:"192.168.1.78" /user:administrator /password:"******" csproduct get uuid
DEBUG - Return Value: 1
DEBUG - Command Output:
Array
(
[0] =>
)

DEBUG ---------------
LOG - WMIC command '%comspec% /c start /b wmic /Node:"192.168.1.78" /user:administrator /password:"******" csproduct get uuid' on 192.168.1.78 failed
LOG - No working Windows credentials for 192.168.1.78 found.
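
An added example, not part of the thread and not Open-AudIT code: a small Python script that summarizes debug output in the format quoted above (per target: usernames tried, return values, final verdict) and masks every `/password:` value before the log is shared. The sample log, the unmasked password in it and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format of the debug output quoted above;
# the unmasked password in the second attempt is made up.
SAMPLE = r'''LOG - Testing Windows credentials for 192.168.1.78
DEBUG - Command Executed: %comspec% /c start /b wmic /Node:"192.168.1.78" /user:Administrator /password:"******" csproduct get uuid
DEBUG - Return Value: 1
DEBUG ---------------
LOG - WMIC command '%comspec% /c start /b wmic /Node:"192.168.1.78" /user:Administrator /password:"******" csproduct get uuid' on 192.168.1.78 failed
DEBUG - Command Executed: %comspec% /c start /b wmic /Node:"192.168.1.78" /user:administrator /password:"Example-Only-1" csproduct get uuid
DEBUG - Return Value: 1
DEBUG ---------------
LOG - No working Windows credentials for 192.168.1.78 found.
'''

CMD_RE = re.compile(r'Command Executed: .*?/Node:"([^"]+)"\s+/user:(\S+)\s+/password:"([^"]*)"')
RET_RE = re.compile(r'Return Value:\s*(-?\d+)')
NONE_RE = re.compile(r'No working Windows credentials for (\S+) found')
PW_RE = re.compile(r'(/password:)"[^"]*"')

def summarize(text):
    """Group credential attempts by target host."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := CMD_RE.search(line):
            host, user, pw = m.groups()
            # Flag values that are not all asterisks: those are real secrets in the log.
            current = {"user": user, "return": None,
                       "password_masked": bool(pw) and set(pw) == {"*"}}
            hosts.setdefault(host, {"attempts": [], "no_working_creds": False})
            hosts[host]["attempts"].append(current)
        elif (m := RET_RE.search(line)) and current is not None:
            current["return"] = int(m.group(1))
        elif m := NONE_RE.search(line):
            hosts.setdefault(m.group(1), {"attempts": [], "no_working_creds": False})
            hosts[m.group(1)]["no_working_creds"] = True
    return hosts

def redact(text):
    """Mask every /password:"..." value, including the LOG copies of the command."""
    return PW_RE.sub(r'\1"******"', text)

if __name__ == "__main__":
    for host, info in summarize(SAMPLE).items():
        print(host, info)
    print(redact(SAMPLE))
```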

Author:  jpa [ Wed Nov 30, 2016 7:49 am ]
Post subject:  Re: 1.12.8.1 breaks remote audit

Can you get the following to work from the OpenAudit server cmd prompt given any combination of username/password?
[code]wmic /Node:"192.168.1.78" /user:Administrator /password:"******" csproduct get uuid[/code]

Should look like this:
[code]c:\>wmic /Node:"192.168.1.78" /user:administrator /password:"supersecret" csproduct get uuid
UUID
07031F42-C86C-A2B8-6B18-188819445928
[/code]

Author:  AlanHoiland [ Wed Dec 07, 2016 4:05 am ]
Post subject:  Re: 1.12.8.1 breaks remote audit

Hello -

Yes - when I run the wmi command from the cmd line, I get a UUID response. But Open-Audit is failing when I try to do an audit.

Author:  jpa [ Wed Dec 07, 2016 4:45 am ]
Post subject:  Re: 1.12.8.1 breaks remote audit

Are these domain joined machines? I'm not sure why the command would succeed at your command prompt and fail in OpenAudit. I'm not sure what user the OpenAudit apache service runs as. I don't use the standard install.

Author:  AlanHoiland [ Wed Dec 07, 2016 5:33 am ]
Post subject:  Re: 1.12.8.1 breaks remote audit

No domain - these are on a Windows workgroup network.

The Apache service is running under the Local System user, if that helps.

Author:  jpa [ Wed Dec 07, 2016 7:19 am ]
Post subject:  Re: 1.12.8.1 breaks remote audit

So what happens if you start a cmd prompt as the local system user and then try the wmic command again? Error? What if you try different username/passwords?

[url=https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx]PSExec[/url] for cmd prompt as SYSTEM:
[code]psexec -i -s cmd.exe[/code]

Author:  AlanHoiland [ Wed Dec 07, 2016 7:46 am ]
Post subject:  Re: 1.12.8.1 breaks remote audit

Now I get -
ERROR:
Description = Access is denied.

Author:  jpa [ Wed Dec 07, 2016 8:07 am ]
Post subject:  Re: 1.12.8.1 breaks remote audit

So there's the problem but I don't know the fix. Most likely something to do with User Account Control and WMI rights and all that. I'm not sure what OpenAudit was doing before that allowed it to work.

All times are UTC + 10 hours