Scan Assistant Issues

Has anyone successfully set up Scan Assistant yet? I’ve tried twice now and the scan will result in “No Credentials Supplied”. If I do a CIFS account for credentials, there are no issues. I’m using an ECDSA key.

Edit: was trying this on my deployment call yesterday with a technical resource with no luck as well.

Hi @rlowary. Thanks for trying our Scan Assistant. These issues can be complex to troubleshoot. A few high-level items to check:

  1. That the Public Key (PEM) has been added to the supported target asset, as part of the Scan Assistant installation.
  2. That a Private Key (included in a PKCS12 file) has been added into the Security Console as a Scan Assistant scan credential.
  3. That Scan Engines are able to connect to port 21047 (TCP) on each Scan Assistant asset.

Failing these items, I would suggest you contact Support.

Thanks for the reply. 1 and 2 are good to go for sure. Item 3 is not working, but we validated that the service is running and the port is listening on the endpoint. Looks like I will be contacting support!

I was able to successfully set it up on a POC first try. The .pfx key is crucial, make sure it's formatted correctly and has no extra spaces. I found it was easier to create the key pair in Linux (Ubuntu) and save in X.509 format. The easiest way to make a .pfx file is to import your public key and private keys into PuTTYgen and export them as a PKCS #12 file.

Also, I found out sites with credentials will still try to pass credentials to hosts with the Scan Assistant. I recommend making a dynamic asset group for all assets with Scan Assistants or InsightVM agents and scanning them separately in their own site(s) to increase security by reducing the amount of creds being passed.

Good explanation of key formats: https://www.cryptosys.net/pki/rsakeyformats.html

Hello!!

The March 30th IVM product release now offers the option to generate the key for you.

Have you been able to try that new feature?

Not sure what the deal is, shouldn’t be this hard now that you can generate from the console. I still get a failed authentication result when testing credentials to my computer. Hopping over to CIFS credentials tests fine still. What could be going wrong?

Hi, do you have a link to this?

Is it required to open Windows Firewall port 21047 (TCP) inbound for this to work?

Hi @ttobiasm. Yes, the Scan Assistant listens on port 21047 TCP on the asset.

https://docs.rapid7.com/nexpose/scan-assistant.md/
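
For checklist item 3 and the firewall question above, a small connectivity check to run from the Scan Engine host; this is an added example, not part of the thread or Rapid7's tooling. The function names `probe` and `report` are hypothetical and the sample host is constructed; only port 21047/TCP comes from the thread.

```python
import socket

SCAN_ASSISTANT_PORT = 21047  # TCP port named in the thread

# What each outcome suggests checking next.
HINTS = {
    "open": "TCP path works; look at the key pair and credential instead",
    "refused": "host answered but nothing accepted the connection; "
               "check the service is listening or whether a firewall rejects it",
    "filtered": "no reply before the timeout; a host or network firewall "
                "is probably dropping traffic to this port",
}


def probe(host, port=SCAN_ASSISTANT_PORT, timeout=3.0):
    """Classify one TCP connect attempt from this machine to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # DNS failure, no route, and similar
        return f"error: {exc}"


def report(hosts, port=SCAN_ASSISTANT_PORT, timeout=3.0):
    """Return {host: (state, hint)} for every host in the list."""
    results = {}
    for host in hosts:
        state = probe(host, port, timeout)
        results[host] = (state, HINTS.get(state, "see the error text"))
    return results


if __name__ == "__main__":
    # Constructed sample target; replace with the assets to be scanned.
    for host, (state, hint) in report(["127.0.0.1"]).items():
        print(f"{host}:{SCAN_ASSISTANT_PORT} {state} - {hint}")
```

A result of "open" from the engine while the scan still reports no credentials points back at items 1 and 2 rather than the network path.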