Scan Assist Agent not listening on port 21047

We have the Scan Assist agent installed on our Windows 10 device and the agent is running, but it is not listening on port 21047 as the documentation states. Every policy scan we run fails with an error and no details on what that error might be…

2022-11-30T19:41:23 [INFO] [Thread: WP-Policy-Evaluation@10.200.1.107] [Site: WP-Policy-Evaluation] [10.200.1.107] Finalizing policy check result data.

2022-11-30T19:41:23 [INFO] [Thread: WP-Policy-Evaluation@10.200.1.107] [Site: WP-Policy-Evaluation] xccdf_org.cisecurity.benchmarks_benchmark_1.10.1_CIS_Microsoft_Windows_10_Enterprise_Release_20H2_Benchmark:1.10.1:xccdf_org.cisecurity.benchmarks_profile_Level_1_L1__Next_Generation_Windows_Security_NG:xccdf_org.cisecurity.benchmarks_rule_18.9.46.4_NG_Ensure_Allow_files_to_download_and_save_to_the_host_operating_system_from_Microsoft_Defender_Application_Guard_is_set_to_Disabled (CIS-1.10.1/CIS_WINDOWS_10_20H2/CIS_Microsoft_Windows_10_Enterprise_Release_20H2_Benchmark_v1.10.1-oval.xml/oval-org.cisecurity.benchmarks.windows_10-def-1638254) - ERROR

Does the scan result clearly state that there was a failed authentication or no credentials provided?

Something like this:

We are using Scan Assist so no credentials are provided; the agent is installed on the OS instance and communication between the scanner and the device is supposed to be done with a certificate on port 21047, but the agent is not listening on port 21047 for some reason…
The attached file shows the service is running, but the service is not listening on port 21047, so I can only assume that is the cause of the error, but the scan log has no information pointing at the cause of the failure.

Snippet from the log…
2022-11-19T05:02:03 [INFO] [Thread: Scan 59] [Site: WP-Policy-Evaluation] NMAP: IPV4 ARGUMENTS: /opt/rapid7/nexpose/nse/nmap/nmap --privileged -n -PS21047 -PU21047 -sS -sU -p T:1-1040,1080,1098-1099,1125,1194,1214,1220,1352,1433,1500,1503,1521,1524,1526,1720,1723,1731,1812-1813,1818-1819,1895,1953,1959,1981,2000,2002,2030,2049,2100,2200,2222,2301,2375,2379,2381,2401,2433,2456,2500,2556,2745,3000-3001,3121,3127-3128,3230-3235,3268-3269,3306,3339,3389,3460,3527,4000,4045,4100,4242,4430,4443-4444,4505-4506,4661-4662,4711,4786,4848,5000,5010,5059-5061,5101,5180,5190-5193,5250,5432,5554-5555,5560,5566,5631,5678,5800-5803,5900-6009,6101,6106,6112,6346,6379,6588,6777,7001-7002,7070,7100,7510,7777-7778,7990,8000-8001,8004-8005,8008,8080-8083,8095,8098-8100,8153-8154,8180-8181,8383-8384,8443-8444,8470-8480,8500,8787,8866,8888,9090,9100-9102,9343,9443,9470-9476,9480,9495,9996,9999-10000,10025,10168,11211,12345-12346,13659,16080,18181-18185,18207-18208,18231-18232,18983,19190-19191,20034,21047,22226,27000-27010,27017,27374,27665,31337,32764,32771,33333,49152,49400,50000,51080,51443,54320,60000,60148,63148,U:7,9,11,13,17,19,37,53,67-69,88,111,123,135,137-139,161-162,177,213,259-260,445,464,500,514,520,523,623,631,749-751,1194,1434,1701,1812-1813,1900,2049,2746,3230-3235,3401,4045,4500,4665-4666,4672,5059-5061,5351,5353,5632,6429,7777,9100-9102,11211,17185,18233,21047,23945,26000-26004,26198,27015-27030,27444,27960-27964,30720-30724,31337,31400,32771,34555,44400,47545,49152,54321 --max-retries 3 --min-rtt-timeout 500ms --max-rtt-timeout 3000ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --script-args=vulns.showall --script=mobileiron-sentry-detection.nse,ssh-hostkey.nse,ssh2-enum-algos.nse,mobileiron-core-detection.nse,codemeter-detection.nse,microsoft-exchange-server-detection.nse,pulse-connect-secure-detection.nse,kaseya-vsa-detection.nse,accellion-fta-detection.nse --script-timeout 180 --datadir /opt/rapid7/nexpose/plugins/nmap-config 
-oX - -v
2022-11-19T05:02:03 [INFO] [Thread: Scan 59] [Site: WP-Policy-Evaluation] NMAP: IPV6 ARGUMENTS: /opt/rapid7/nexpose/nse/nmap/nmap --privileged -n -PS21047 -PU21047 -sS -sU -p T:1-1040,1080,1098-1099,1125,1194,1214,1220,1352,1433,1500,1503,1521,1524,1526,1720,1723,1731,1812-1813,1818-1819,1895,1953,1959,1981,2000,2002,2030,2049,2100,2200,2222,2301,2375,2379,2381,2401,2433,2456,2500,2556,2745,3000-3001,3121,3127-3128,3230-3235,3268-3269,3306,3339,3389,3460,3527,4000,4045,4100,4242,4430,4443-4444,4505-4506,4661-4662,4711,4786,4848,5000,5010,5059-5061,5101,5180,5190-5193,5250,5432,5554-5555,5560,5566,5631,5678,5800-5803,5900-6009,6101,6106,6112,6346,6379,6588,6777,7001-7002,7070,7100,7510,7777-7778,7990,8000-8001,8004-8005,8008,8080-8083,8095,8098-8100,8153-8154,8180-8181,8383-8384,8443-8444,8470-8480,8500,8787,8866,8888,9090,9100-9102,9343,9443,9470-9476,9480,9495,9996,9999-10000,10025,10168,11211,12345-12346,13659,16080,18181-18185,18207-18208,18231-18232,18983,19190-19191,20034,21047,22226,27000-27010,27017,27374,27665,31337,32764,32771,33333,49152,49400,50000,51080,51443,54320,60000,60148,63148,U:7,9,11,13,17,19,37,53,67-69,88,111,123,135,137-139,161-162,177,213,259-260,445,464,500,514,520,523,623,631,749-751,1194,1434,1701,1812-1813,1900,2049,2746,3230-3235,3401,4045,4500,4665-4666,4672,5059-5061,5351,5353,5632,6429,7777,9100-9102,11211,17185,18233,21047,23945,26000-26004,26198,27015-27030,27444,27960-27964,30720-30724,31337,31400,32771,34555,44400,47545,49152,54321 --max-retries 3 --min-rtt-timeout 500ms --max-rtt-timeout 3000ms --initial-rtt-timeout 500ms --defeat-rst-ratelimit --min-rate 450 --max-rate 15000 --script-args=vulns.showall --script=mobileiron-sentry-detection.nse,ssh-hostkey.nse,ssh2-enum-algos.nse,mobileiron-core-detection.nse,codemeter-detection.nse,microsoft-exchange-server-detection.nse,pulse-connect-secure-detection.nse,kaseya-vsa-detection.nse,accellion-fta-detection.nse --script-timeout 180 --datadir /opt/rapid7/nexpose/plugins/nmap-config 
-oX - -v -6


Ok so I think there is some confusion here around the difference between the Insight Agent and the Scan Assistant.

The Scan Assistant does use the certificate as you mentioned that it displays on port 21047. However, it is not the Insight Agent service that is listening on that port.

The scan assistant is the “credentials” used as far as InsightVM is concerned. So if you’re scanning an asset and using the Scan Assistant as the credentials then the scan result page will tell you whether or not they succeeded.

Everything you need to know regarding the Scan Assistant should be in the link above; keep in mind that this is completely separate from the Insight Agent.

Rapid7 scan assist error

No SiteSynopsis entry has ID: 3

Testing the Scan Assist from port fails with invalid Credentials

I’m not sure the “test Credentials” in the setup actually works the way it should for certificate type credentials like the SSH Key and Scan Assistant.

The Site Synopsis error can most likely be ignored; I assume that the credentials were set to be shared with all sites or something and were trying to apply to the Rapid7 Insight Agents or something.

Can you show a screenshot of the endpoint where the scan assistant is installed showing the installed applications? The scan assistant should be listed there.

Also the scan template you’re using to scan with should have port 21047 listed in both the Asset and Service discovery portions.

If that’s all set, we can look at the actual scan result and see what it’s saying for the credentials.

Portal settings for Scan assistant


So the issue now may be the Cert/PEM file…

msiexec /i ScanAssistantInstaller.msi CLIENT_CERTIFICATE="-----BEGIN CERTIFICATE----- PEM from Rapid7 Console -----END CERTIFICATE----- "

Yea so when you install the scan certificate you have to do it with the CLI and replace that PEM with the certificate you were showing in the Scan Assistant credential:

msiexec /i ScanAssistantInstaller.msi CLIENT_CERTIFICATE="-----BEGIN CERTIFICATE----- PEM from Portal -----END CERTIFICATE-----"

C:\Gemini-Setup\Rapid7-agent>netstat -a |find "21047"
TCP 0.0.0.0:21047 GT-4Q22:0 LISTENING
TCP [::]:21047 GT-4Q22:0 LISTENING

Scan is running now, we shall see what happens

Much better now

2022-12-01T04:12:34 [DEBUG] [Thread: September-Scan@10.200.1.107] [Site: September-Scan] PolicyResults: Policy rule count: 469
2022-12-01T04:12:34 [DEBUG] [Thread: September-Scan@10.200.1.107] [Site: September-Scan] PolicyResults: Policy rule pass count: 402
2022-12-01T04:12:34 [DEBUG] [Thread: September-Scan@10.200.1.107] [Site: September-Scan] PolicyResults: Policy rule fail count: 67

More work to do, but much better

@john_hartman - Thanks for the assistance, we are now seeing policy results.


I am having the same issue, but from what I read in here, I don’t see a distinct resolution that resolved my issue. I followed everything in here.

I used the install command with the PEM from the instructions. I checked to see if the computer is listening on port 21047 and found that it is not. The ScanAssistant service is running and still not listening on port 21047.


Good morning ntorres,

If you see the Scan Assistant in Add/Remove Programs and listed as a service on your endpoints but it is still not listening on 21047, that is usually a good indicator that the install did not complete correctly, and the most common cause is that the install didn’t accept the PEM. If you add the following switch to the install command, the installer will generate an install log and let you see where the process is failing:

/le install_log.txt
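The checks this thread walks through (does the PEM parse, build the msiexec line with the install log switch, is the service running and actually bound to 21047) collected into one script. This is an added example, not Rapid7's code; it assumes the PEM copied from the console is saved to a file, that the installer sits in the current directory, and that the Windows service is named "ScanAssistant" as the thread refers to it.

```powershell
# Added example (not Rapid7's code): pre-install PEM check and post-install
# verification for the Scan Assistant on a Windows endpoint.
# Assumptions: the console PEM is saved at $PemPath, the MSI is in the
# current directory, and the service name is "ScanAssistant" (as named
# in the thread; adjust if yours differs).
param(
    [string]$PemPath = ".\scan-assistant-client.pem",
    [string]$Msi = ".\ScanAssistantInstaller.msi",
    [int]$Port = 21047,
    [string]$ServiceName = "ScanAssistant"
)

function Test-ClientPem {
    # $true only if the file parses as an X.509 certificate; a PEM the
    # installer will not accept is the most common cause in the thread.
    param([string]$Path)
    try {
        $null = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
        return $true
    } catch { return $false }
}

function Get-InstallCommand {
    # Builds the msiexec line shown in the thread: the PEM inline on one
    # line (lines joined with spaces, as in the posted command) plus /le
    # so a rejected certificate is visible in install_log.txt.
    param([string]$Path)
    $pem = (Get-Content $Path) -join ' '
    return "msiexec /i `"$Msi`" CLIENT_CERTIFICATE=`"$pem`" /le install_log.txt"
}

function Test-ScanAssistantListening {
    # A running service is not enough; the symptom in the thread is a
    # service that runs but never binds 21047, so check both.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $listen = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceFound   = [bool]$svc
        ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        ListeningOn    = if ($listen) { $listen.LocalAddress -join ', ' } else { 'none' }
    }
}

if (Test-ClientPem $PemPath) {
    Write-Host "Install with:`n$(Get-InstallCommand $PemPath)"
} else {
    Write-Warning "$PemPath does not parse as a certificate; fix it before installing."
}
Test-ScanAssistantListening | Format-List
```

After a successful install, ListeningOn should show 0.0.0.0 and :: like the netstat output earlier in the thread; "none" with ServiceRunning true points back at the install log.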