Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Dec 09, 2022 9:37 pm

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 30 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Thu Sep 13, 2007 7:44 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
OOPS! :oops: I am having trouble with the NMAP.VBS script.... Seems I may have broken things slightly.

[code]
W:\htdocs\OpenAuditSVN\scripts>cscript nmap.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

nmap.exe -O -v -oN temp.txt 192.168.42.1
... \nmap.vbs(78, 5) Microsoft VBScript runtime error:
Object required: 'oAdd'
[/code]

This is due to the LDAP Authentication, and will need to be fixed ASAP. In the mean time, you may want to switch off the ldap authentication prior to doing an audit or nmap scan, alternatively, leave IE logged in to OA on the auditing workstation. The active logged in session on the same workstation as the nmap has the effect of allowing us to post, if you log off the session, we see the above error again.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 13, 2007 8:49 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
... This has however exposed another issue.

It seems there is a bug in the nmap script (or most likely in the admin_nmap_input.php script)

As the NMAP takes place, it adds lots of records to the database, however it goes about half way through my lan and then starts to Zero the IP address of some of the records which have already been created.

This results in lots of machines who's IP address is wrong, but who's network name is correct (010.00.00.014 for example has an IP address of 0.0.0.0)

The problem may well lie with include_functions.php specifically function ip_trans_to($ip) I will have to investigate.

Seems the problem is a little more subtle than this.
Because I am attempting to nmap a remote site, the mac address is never returned by nmap. This seems to have the effect of always matching the mac address when we update, and since we have a slight logic problem we then zero the IP address of all of the machines with no mac address, during the next update.

In short, we write the correct record to the database, then when we look at the next record, we seem to update all of the IP addresses to zero
if the mac address is zero.

Help ? What is going on.

(I know I could probably fix this by running the nmap from the remote site, and posting the data back here, but I don't want to do things this way).

NOTE: This does NOT fix the problem, seems there may be an issue with subnets, this works (or seems to work) for the 192.168.042 network, however it doesn't work for the 010.000.000 subnet. In the former case I managed to nmap the network without any issues. I then nmapped my 10.0.0 network from the server at the remote site, and it didn't work (same version of the script, same OA host, LDAP authentication switched off)

Anybody have any ideas?
:?

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 20, 2007 6:11 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
It seems I don't have this issue, only I had to use this in my audit.config (it's not my real network ID) to let nmap.vbs work:
[code]
nmap_subnet = "10.99.8."
nmap_subnet_formatted = "010.099.008.000"
[/code]
If I use nmap_subnet = "10.99.8.0", the script add a "0" before every host ip and fails to scan it.

Using LDAP and SSL on IIS6 the only problem I have is that I need to interactively accept the untrusted self-signed certificate to let nmap.vbs post data to admin_nmap_input.php.
Probably, it could be useful to let admin_nmap_input.php accept http data like admin_pc_add_x.php pages do...


Top
 Profile  
Reply with quote  
PostPosted: Thu Sep 20, 2007 11:53 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
[quote="ef"]It seems I don't have this issue, only I had to use this in my audit.config (it's not my real network ID) to let nmap.vbs work:
[code]
nmap_subnet = "10.99.8."
nmap_subnet_formatted = "010.099.008.000"
[/code]
If I use nmap_subnet = "10.99.8.0", the script add a "0" before every host ip and fails to scan it.

Using LDAP and SSL on IIS6 the only problem I have is that I need to interactively accept the untrusted self-signed certificate to let nmap.vbs post data to admin_nmap_input.php.
Probably, it could be useful to let admin_nmap_input.php accept http data like admin_pc_add_x.php pages do...


I think you might have just hit the nail on the head.. I will try this later. Thanks.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Mon Sep 24, 2007 11:54 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Hi, did you find a solution to fix the LDAP/SSL authentication issue with admin_nmap_input.php?


Top
 Profile  
Reply with quote  
PostPosted: Sat Sep 29, 2007 6:31 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Andrew, to further narrow what the issue could be:

1. the vbs error
[code]
... \nmap.vbs(78, 5) Microsoft VBScript runtime error: Object required: 'oAdd'
[/code]
is showed only if "Use https://: " in the Admin Config page is checked, even if "Use LDAP for Open Audit Login" is checked or not. So it seems due to SSL only, not to LDAP auth.

2. the following notice is logged on the php error log after a successful nmap audit (LDAP auth ON, SSL OFF):
[code]
PHP Notice: Undefined variable: _SESSION in ...\OpenAudit\include.php on line 175
[/code]


Top
 Profile  
Reply with quote  
PostPosted: Tue Oct 09, 2007 6:23 pm 
Offline
Newbie

Joined: Tue Oct 09, 2007 7:49 am
Posts: 2
I have the same problem. I got passed the oAdd object error by setting the ip address as mentioned above.

[code]nmap_subnet = "010.010.202." ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.010.000" [/code]

But the problem is now when nmap finds a device and tries to post to IE. It finds a device and posts it as MAC 00:00:00:00:00 and IP as 0.0.0.0.0.

I set the config to display IE as its writing the data and managed to capture the SQL with a quick press of ctrl a and ctrl c. As you can see each time its posting a record its putting the MAC and IP as 0s.

This then just adds one record to the DB and then just keeps righting over it.

[code]SELECT net_uuid FROM network_card WHERE net_mac_address = '00:00:00:00:00:00'
SELECT other_id, other_mac_address FROM other WHERE other_mac_address = '00:00:00:00:00:00' OR other_ip_address = '000.000.000.000' ORDER BY other_timestamp
UPDATE other SET other_ip_address = '000.000.000.000', other_mac_address = '00:00:00:00:00:00', other_timestamp = '20071009090833' WHERE other_id = '30'
UUID: 30
Process: update_other
DELETE FROM nmap_ports WHERE nmap_other_id = '30'

DELETE FROM nmap_ports WHERE nmap_other_id = '30'

[/code]

I am I doing something wrong in running nmap? Is there something else I'm missing?


Top
 Profile  
Reply with quote  
PostPosted: Wed Oct 10, 2007 6:31 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
[quote]
OOPS! I am having trouble with the NMAP.VBS script.... Seems I may have broken things slightly.


Code: Select all
W:\htdocs\OpenAuditSVN\scripts>cscript nmap.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

nmap.exe -O -v -oN temp.txt 192.168.42.1
... \nmap.vbs(78, 5) Microsoft VBScript runtime error:
Object required: 'oAdd'


This is due to the LDAP Authentication, and will need to be fixed ASAP. In the mean time, you may want to switch off the ldap authentication prior to doing an audit or nmap scan, alternatively, leave IE logged in to OA on the auditing workstation. The active logged in session on the same workstation as the nmap has the effect of allowing us to post, if you log off the session, we see the above error again.
OOPS! :oops: I am having trouble with the NMAP.VBS script.... Seems I may have broken things slightly.

[code]
W:\htdocs\OpenAuditSVN\scripts>cscript nmap.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

nmap.exe -O -v -oN temp.txt 192.168.42.1
... \nmap.vbs(78, 5) Microsoft VBScript runtime error:
Object required: 'oAdd'
[/code]

This is due to the LDAP Authentication, and will need to be fixed ASAP. In the mean time, you may want to switch off the ldap authentication prior to doing an audit or nmap scan, alternatively, leave IE logged in to OA on the auditing workstation. The active logged in session on the same workstation as the nmap has the effect of allowing us to post, if you log off the session, we see the above error again.

Hi Andrew, using LDAP authentication and SSL, I fixed the nmap.vbs script bug (no more the "Object required: 'oAdd'" error) setting "nmap_ie_form_page" in audit.config to a https URL instead of the http one:
[code]
nmap_ie_form_page = "https://MY_OA_SITE/admin_nmap_input.php"
[/code]
Also, as I wrote before, it seems necessary to not specify the last octet of "nmap_subnet":
[code]
nmap_subnet = "10.99.8."
nmap_subnet_formatted = "010.099.008.000"
[/code]
Still, is present on the php error log the following notice:
[code]
PHP Notice: Undefined variable: _SESSION in ...\include.php on line 175
[/code]
I can confirm the dummy "other" host creation with a 0.0.0.0 IP address.

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 12, 2007 8:04 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
I imported the self-signed SSL certificate I used for my OA site to the Computer's Trusted Root Certification Authorities for my workstation (just to avoid that annoying alert about his trustworthiness).
Now, the nmap script works fine (with no more the "Object required: 'oAdd'" error) even if I set "nmap_ie_form_page" in audit.config to a http URL instead of https, as I wrote in my previous post...
Also, now 2 PHP Notices at the same time...
[code]
PHP Notice: Undefined variable: _SESSION in ...\OpenAudit\include.php on line 176
[/code]

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Mon Oct 15, 2007 7:31 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
:? To avoid the "Object required: 'oAdd'" error, nmap.vbs has to be run with administrator credentials on the scanned host also.
I used to run nmap.vbs with administrator credentials on my workstation only (nmap.exe requires administrator privileges to be run), but it seems that it's not enough...
So now, if I run it as a domain admin (my workstation and scanned hosts are in the same domain), it works fine.

_________________
Edoardo


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 26, 2007 9:08 pm 
Offline
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
I am experiencing issues with nmap displaying 0.0.0.0 as IP and the showing a correct padded IP.

Thanks

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 01, 2007 3:14 am 
Offline
Helper

Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
What seems to be happening is that the nmap script is hitting the force redirect to https in include.php. The way include.php tells if a page is for input is it has $page = "add_pc"; at the top of the page, for example admin_pc_add_2.php and admin_nmap_input.php. I've relocated the redirect so that https is voluntary on the data submission pages but mandatory for general web viewing. Here is the modified section of include.php. Replace the entire top section between and including the "<?php" and "?>" This would be right before the "<!DOCTYPE" declaration. Will someone test this?

[code]<?php
include_once "include_config.php";
include_once "include_lang.php";
include_once "include_functions.php";
include_once "include_col_scheme.php";
$is_refreshable = false ;
$refresh_period = 10;
$jscript_count = 0;
if ($show_other_discovered == 'y'){ $jscript_count = $jscript_count + 1; }
if ($show_system_discovered == 'y'){ $jscript_count = $jscript_count + 1; }
if ($show_systems_not_audited == 'y'){ $jscript_count = $jscript_count + 1; }
if ($show_partition_usage == 'y'){ $jscript_count = $jscript_count + 1; }
if ($show_software_detected == 'y'){ $jscript_count = $jscript_count + 1; }
if ($show_patches_not_detected == 'y'){ $jscript_count = $jscript_count + 1; }
if ($show_detected_servers == 'y'){ $jscript_count = $jscript_count + 5; }

if (!isset($page)) {$page = ""; }

if ($page == "add_pc"){
$use_pass = "n";
} else {
if (isset($use_https) AND $use_https == "y") {
if ($_SERVER["SERVER_PORT"]!=443){ header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']); exit(); }
}
if ((isset($use_ldap_login) and ($use_ldap_login == 'y'))) {
include "include_ldap_login.php";
}else {}
}

if ($use_pass != "n") {
// If there's no Authentication header, exit
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Basic realm="PHP Secured"');
exit('This page requires authentication');
}
// If the user name doesn't exist, exit
if (!isset($users[$_SERVER['PHP_AUTH_USER']])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Basic realm="PHP Secured"');
exit('Unauthorized!');
}
// Is the password doesn't match the username, exit
if ($users[$_SERVER['PHP_AUTH_USER']] != md5($_SERVER['PHP_AUTH_PW']))
{
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Basic realm="PHP Secured"');
exit('Unauthorized!');
}
} else {}

// ob_start();
?>
[/code]


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 01, 2007 7:01 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Seems to have done the trick. I have put it in SVN 877. Can the rest of you give it a try. Thanks.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 02, 2007 7:36 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Last fix is OK for me (although I still receive the following warning on the php error log:
[code]
PHP Notice: Undefined variable: _SESSION in ...\OpenAudit\include.php on line 154
[/code]
But, probably I found 2 bugs:
- when a scanned host is down, a record is added (or updated, if exists) to the "other" table with MAC 00:00:00:00:00:00 and IP 000.000.000.000
- when all scanned ports are filtered or closed on a scanned host, a record is added (or updated, if exists) with the right MAC, but with IP 000.000.000.000.

I fixed them as follows:
- deleted from the "other" table (if exists) the record with IP 000.000.000.000
- changed admin_nmap_input.php with the attached one.


Attachments:
admin_nmap_input.zip [2.12 KiB]
Downloaded 386 times

_________________
Edoardo
Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 02, 2007 7:57 pm 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Thanks for that. Added at SVN 880

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 30 posts ]  Go to page 1, 2  Next

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group