Scan Assistant Issues

Has anyone successfully set up Scan Assistant yet? I’ve tried twice now and the scan will result in “No Credentials Supplied”. If I do a CIFS account for credentials, there are no issues. I’m using an ECDSA key.

Edit: was trying this on my deployment call yesterday with a technical resource, with no luck as well.

Hi @rl2022. Thanks for trying our Scan Assistant. These issues can be complex to troubleshoot. A few high-level items to check:

  1. That the Public Key (PEM) has been added to the supported target asset, as part of the Scan Assistant installation.
  2. That a Private Key (included in a PKCS12 file) has been added into the Security Console as a Scan Assistant scan credential.
  3. That Scan Engines are able to connect to port 21047 (TCP) on each Scan Assistant asset.

Failing these items, I would suggest you contact Support.

Thanks for the reply. 1 and 2 are good to go for sure. Item 3 is not working, but we validated that the service is running and the port is listening on the endpoint. Looks like I will be contacting support!

I was able to successfully set it up on a POC first try. The .pfx key is crucial; make sure it’s formatted correctly and has no extra spaces. I found it was easier to create the key pair in Linux (Ubuntu) and save in X.509 format. The easiest way to make a .pfx file is to import your public key and private keys into puttygen and export them as a PKCS #12 file.

Also, I found out sites with credentials will still try to pass credentials to hosts with the scan assistant. I recommend making a dynamic asset group for all assets with scan assistants or InsightVM agents and scanning them separately in their own site(s) to increase security by reducing the amount of creds being passed.

Good explanation of key formats: https://www.cryptosys.net/pki/rsakeyformats.html

Hello!!

The March 30th IVM product release now offers the option to generate the key for you.

Have you been able to try that new feature?

Not sure what the deal is; it shouldn’t be this hard now that you can generate from the console. I still get a failed authentication result when testing credentials to my computer. Hopping over to CIFS credentials still tests fine. What could be going wrong?

Hi, do you have a link to this?

Is it required to open Windows Firewall port 21047 (TCP) inbound for this to work?

Hi @ttobiasm. Yes, the Scan Assistant listens on port 21047 TCP on the asset.

https://docs.rapid7.com/nexpose/scan-assistant.md/

Hey,

Sorry for vamping that topic but I’m facing an issue with Scan Assistant.
I can’t get it running on my target server; the process is only polluting the event log with: “Failed to load client certificate: failed to decode client certificate block”. (The process is not even listening on port 21047.)

I installed the MSI with the generated certificate from the console. I had to remove all spaces within the key.

I have an open case with support but no luck so far…

Thank you in advance

For me the problem was that the MSI silent installer with msiexec actually expected the auto-generated certificate parameter (CLIENT_CERTIFICATE) as a string, not as a file on the command line.
That probably explains why it comes out in that weird-looking one-line format with spaces instead of new lines when auto-generated.

Finally found the problem…

First: when you reinstall the software, the cert won’t change in regedit, so you have to either edit the registry or uninstall/install the software.

Second: while cleaning all spaces within the cert, I also removed the space in END CERTIFICATE at the end, so because of that the cert was marked as corrupted, but because of the first issue the cert was never replaced while I was trying to figure out the issue.

Enjoy !
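
The certificate formatting problem described in the last few posts can be caught before the value is handed to the installer. The following is an added example, not code from the thread or from Rapid7: it checks a certificate string in either normal multi-line PEM or the one-line, space-separated form mentioned above. The function name and sample data are constructed for illustration, the sample body is not a real certificate, and the check assumes the standard PEM markers.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_certificate_value(value):
    """Return (ok, detail) for a PEM certificate passed as a single string.

    Accepts multi-line PEM and the one-line form where line breaks
    have been replaced by spaces.
    """
    text = value.strip()
    squeezed = re.sub(r"\s+", "", text)
    # A marker whose inner space was stripped is the failure mode from the thread.
    if not text.startswith(BEGIN):
        if squeezed.startswith("-----BEGINCERTIFICATE-----"):
            return False, "space missing in BEGIN CERTIFICATE marker"
        return False, "BEGIN CERTIFICATE marker not found"
    if not text.endswith(END):
        if squeezed.endswith("-----ENDCERTIFICATE-----"):
            return False, "space missing in END CERTIFICATE marker"
        return False, "END CERTIFICATE marker not found"
    # Whitespace inside the base64 body is harmless, so drop it before decoding.
    body = re.sub(r"\s+", "", text[len(BEGIN):-len(END)])
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return False, "body is not valid base64"
    if not der or der[0] != 0x30:
        return False, "decoded body does not start with an ASN.1 SEQUENCE"
    return True, "%d DER bytes" % len(der)


# Constructed sample: a SEQUENCE header plus filler bytes, NOT a real certificate.
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_B64 = base64.b64encode(_FAKE_DER).decode()
_LINES = [_B64[i:i + 64] for i in range(0, len(_B64), 64)]

MULTI_LINE = "\n".join([BEGIN] + _LINES + [END]) + "\n"
ONE_LINE = " ".join([BEGIN] + _LINES + [END])
END_DAMAGED = ONE_LINE.replace("END CERTIFICATE", "ENDCERTIFICATE")
ALL_SPACES_REMOVED = ONE_LINE.replace(" ", "")

if __name__ == "__main__":
    for name in ("MULTI_LINE", "ONE_LINE", "END_DAMAGED", "ALL_SPACES_REMOVED"):
        print(name, check_certificate_value(globals()[name]))
```

This only validates the PEM framing and base64 body; it does not parse the certificate or confirm that it matches the key stored in the Security Console.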