SNMP credential test passes but Discovery does not see port 161 open

Bob D
Tera Expert

SNMP Credential Test works OK, but Discovery/Shazzam does not see port 161 open. 

Using same MID server for both credential test and Quick Discovery

Discovery is checking the port. From Shazzam payload:  wmi,snmp,ssh,http,wins,dns,slp,wbem,vmapp,winrm,winrm_ssl

but no results from SNMP/161 in the XML payload:

<result active="true" alive="true" ip_address="10.xxx.xxx.xxx">
  <scanner name="HTTPS" port="5986" portprobe="winrm_ssl" protocol="tcp" result="timed_out" service="winrm_ssl"/>
  <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
    <banner_text>SSH-2.0-OpenSSH_6.2 FIPS  </banner_text>
    <banner_bytes>
     ......
    </banner_bytes>
  </scanner>
  <scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
  <scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
  <scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns">
    <host_names>xxxxx.xxxx.com</host_names>
  </scanner>
  <scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http">
    <response_code>200</response_code>
    <Server>Apache</Server>
    <http_version>HTTP/1.1</http_version>
    <response_text>OK</response_text>
  </scanner>
  <scanner name="HTTP" port="443" portprobe="http" protocol="tcp" result="open" service="https"/>
</result>
 
thanks for any suggestions
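Added example, not part of the original post and not ServiceNow code: a short Python check that compares the probe list from the Shazzam payload with the `<scanner>` elements in the result, separating probes that reported a result (even `timed_out`) from probes that returned no element at all. The names `REQUESTED`, `SAMPLE` and `summarize` are hypothetical, and the sample XML is the post's result with the child elements trimmed.

```python
import xml.etree.ElementTree as ET

# Probe list as quoted from the Shazzam payload in the post.
REQUESTED = "wmi,snmp,ssh,http,wins,dns,slp,wbem,vmapp,winrm,winrm_ssl".split(",")

# Result XML from the post, trimmed (banner, host name and HTTP child
# elements omitted; the masked IP address is kept as posted).
SAMPLE = """<result active="true" alive="true" ip_address="10.xxx.xxx.xxx">
  <scanner name="HTTPS" port="5986" portprobe="winrm_ssl" protocol="tcp" result="timed_out" service="winrm_ssl"/>
  <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh"/>
  <scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
  <scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
  <scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns"/>
  <scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http"/>
  <scanner name="HTTP" port="443" portprobe="http" protocol="tcp" result="open" service="https"/>
</result>"""


def summarize(result_xml, requested):
    """Return (reported, missing).

    reported maps each portprobe name to a list of (protocol, port, result)
    tuples taken from the <scanner> elements; missing lists the requested
    probes for which the result contains no <scanner> element at all.
    """
    root = ET.fromstring(result_xml)
    reported = {}
    for scanner in root.iter("scanner"):
        entry = (scanner.get("protocol"), int(scanner.get("port")), scanner.get("result"))
        reported.setdefault(scanner.get("portprobe"), []).append(entry)
    missing = [probe for probe in requested if probe not in reported]
    return reported, missing


if __name__ == "__main__":
    reported, missing = summarize(SAMPLE, REQUESTED)
    for probe, entries in reported.items():
        for protocol, port, result in entries:
            print(f"{probe:10} {protocol}/{port:<5} {result}")
    print("no scanner element returned for:", ", ".join(missing))
```

On the posted result, `snmp` falls in the second group together with `wmi`, `wbem`, `vmapp` and `winrm`, while the UDP probe `slp` did report `timed_out`.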
6 REPLIES

tompowe
Tera Expert

Are your MID Servers clustered? If so, even though you specify a MID Server when doing Test Credential, it will actually use any server within the same cluster. So... you don't really know if it is the same MID Server you are dealing with (unless you've looked in the ECC Queue and verified). To do your Test Credential again, remove the MID from the cluster, and then do the test again.

doug_schulze
ServiceNow Employee

You might also try stepping outside the product, meaning from your MID Server install a tool like iReasoning (free edition) and see if it can query the target with your credential. There might be an issue with the local Access Control List (ACL) not allowing queries. If it can't do it, neither can we.

Thank you Doug.  I understand what you're suggesting.

But I'm wondering what's the point of the credential test if I can't trust it.  I understand that my credential can be valid but then it attempts to perform an action that maybe it does not have permission to do during the Classify phase, but if the credential test is successful, shouldn't the Shazzam probe at least find port 161 open?  I'm not getting even that far.

DaveHertel
Kilo Sage

Hi Bob -- what does the outbound Shazzam probe show for protocols being scanned? I'm wondering if a behavior has been implemented to limit the protocols being scanned. An example of an outbound probe that includes SNMP port 161

 
