Index out of range error when scanning a Windows 10 Enterprise target via WinRM

[djtek1234]

Using cnspec 10.1.6. Trying to do a scan using the standard Windows policy of another target machine on the network. WinRM is enabled, basic auth is configured, unencrypted is allowed, and port 5985 is open.

Command: "cnspec.exe scan winrm [email protected]:5985 --ask-pass -v"

Output:

I have had success scanning a different Windows target and noticed that there was a "platform_id" field shown that the above target does not seem to have. I tried setting one manually with the "--platform-id" flag with no luck. Perhaps I did not use that flag properly.

One last thing to note. I can connect to the above target if I do "cnspec.exe shell winrm ...". That tells me that this is not a WinRM issue.

[chris-rock]

@djtek1234 Thank you for the report. Can you run the following in powershell

$env:DEBUG=1
cnspec.exe scan winrm [email protected]:5985 --ask-pass -v

I think you are right, that the platform id was not properly detected in https://github.com/mondoohq/cnspec/blob/v10.2.0/policy/scan/local_scanner.go#L555. This should not happen.

To figure out why that is, can you run the following commands on the windows machine:

hostname

[djtek1234]

@chris-rock Thank you for the speedy reply. I ran cnspec within Powershell with the commands you supplied. The results are below. Apologies for using screen grabs, I do not have copy-paste setup on this VM.

The result for the hostname command on the WinRM machine is "DESKTOP-ABC" (I renamed this from DESKTOP- followed by random numbers and letters to see if things would change).

[chris-rock]

That is an iteressting one. clearly the hostname command returns an empty string, hence the empty asset name. We need to identify why hostname is return an empty result. Can you help and share the results of the following mql queries?

cnspec> os.hostname
os.hostname: "chris.fritz.box"
cnspec> asset.ids
asset.ids: [
  0: "//platformid.api.mondoo.app/hostname/chris.fritz.box"
]

[djtek1234]

[chris-rock]

Ok, are you on latest cnspec? The output of cnspec status would be interesting.

[djtek1234]