Troubleshooting

Problem: My computer appears to hang during a scan

Explanation: When Windows NT attempts to make a socket connection, it sends a SYN packet to the remote computer and waits for a reply. If no reply arrives within the timeout period (3 seconds by default), it doubles the timeout period and retries the connection attempt. There is an internal limit to the number of sockets that Windows NT can maintain in this state. Once that limit is exceeded, kernel CPU usage approaches 100% and the system appears to hang. If left alone, the system eventually recovers, but it may have an extremely long response time until it does. Microsoft has been advised of this problem, and will hopefully correct it in a future service pack. This problem typically occurs while scanning a network where ICMP traffic is filtered. If ICMP traffic is not filtered, the host machine can reply to a connection attempt with either a SYN-ACK (success) or an ICMP port unreachable. In either case, the connection attempt can be resolved.

Fix: Open the Registry editor (either regedit.exe or regedt32.exe), locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters key, and insert the following values: TcpMaxConnectAttempts, with type REG_DWORD and a value of 3, and TcpMaxConnectRetransmission, with type REG_DWORD and a value of 3. You must restart your system before these changes will take effect. For additional information regarding these parameters, please consult your Windows NT Resource Kit.
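
The following model is an added example, not part of the scanner or its original documentation. It shows how the doubling timeout described above determines how many unanswered connection attempts are pending at once during a scan of a filtered network, and why capping the retry count shrinks that number. It assumes one initial SYN plus the configured number of retries, and a fixed probe rate; the scan size, the rate and the comparison value of 5 are constructed for illustration.

```python
from fractions import Fraction

# Assumptions (not from the page): a connect attempt sends one initial SYN
# plus `retransmissions` retries, and probes are started at a fixed rate.

def connect_wait_seconds(initial_timeout=3, retransmissions=3):
    """Seconds one unanswered connect attempt stays pending before it fails."""
    wait, total = initial_timeout, 0
    for _ in range(retransmissions + 1):  # initial SYN, then each retry
        total += wait
        wait *= 2                         # timeout doubles after every miss
    return total

def peak_pending(probes, rate_per_sec, retransmissions, initial_timeout=3):
    """Peak count of sockets waiting at once when no target ever answers."""
    lifetime = connect_wait_seconds(initial_timeout, retransmissions)
    events = []
    for i in range(probes):
        start = Fraction(i, rate_per_sec)      # exact times, no float drift
        events.append((start, +1))             # socket enters the pending state
        events.append((start + lifetime, -1))  # gives up after the last timeout
    events.sort()                              # at equal times, -1 sorts before +1
    pending = peak = 0
    for _, delta in events:
        pending += delta
        peak = max(peak, pending)
    return peak

if __name__ == "__main__":
    # Constructed scenario: 1000 filtered ports probed at 10 per second.
    for retries in (3, 5):  # 3 is the page's value; 5 is a hypothetical higher one
        print(retries, connect_wait_seconds(3, retries),
              peak_pending(1000, 10, retries))
```

Under these assumptions, each added retry roughly doubles the time a socket stays pending, so the number of sockets held open grows accordingly until every probe in the scan is outstanding at once.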

Problem: No Windows vulnerabilities are found by the scanner.

Explanation: The scanner uses nbtstat.exe to read the NetBIOS name table on the scanned host. If a NetBIOS name table is not found, the scanner will skip further checks of Windows services unless the Scan Always option in the MS Windows tab of the settings template is enabled. Under certain circumstances, nbtstat can fail even if the scanned host is running NetBIOS services. To verify this, open a command prompt and type nbtstat -a IP, where IP is the numeric IP address of the scanned host. Nbtstat appears to depend on the messenger and alerter services, which should be disabled to avoid broadcasting the user name of the current console user. At this writing, it is not completely clear why nbtstat fails, and we are working to resolve the problem.

Fix: Choose Edit, Template Properties, select the MS Windows tab, and enable Scan Always.

Problem: The scanner terminates because the user is not a member of administrators.

Explanation: The scanner is capable of gathering a large amount of very sensitive information, as well as gathering password files. For this reason, it is required that the scanner be run by a user who is part of the administrators group.

Fix: Log in as an administrator-level user.

Problem: The scanner terminates due to an incorrect version of Windows NT.

Explanation: The user interface requires items which were not available under Windows NT 3.5, and the scanner has not been tested under that version. Microsoft released an alpha version of the Windows 95 interface for Windows NT 3.51 which is known as the new shell beta. When that package is installed on Windows NT 3.51, it breaks a number of networking functions and the scanner is not supported under that configuration. The first beta of Windows NT 4.0 has been known to display a number of errors in the scanner. The scanner was not developed under the first beta, and has not been tested with that version of Windows NT. Due to these problems, the scanner will not run under Beta 1 of Windows NT 4.0. Due to a lack of support for security, the scanner also will not run under Windows 95.

Fix: Obtain a supported version of Windows NT. Windows NT 3.51 and 4.0 are currently supported. The scanner will run under Beta 2 of Windows NT 4.0, but may display setup errors. It is strongly recommended that the scanner be run on release versions of Windows NT.